doc: DNSSEC changes realted to new keystore support

doc/configuration.rst

@@ -304,13 +304,13 @@ default template, but the signing is explicitly disabled for zone
 DNSSEC KASP database
 --------------------
 
-The configuration for DNSSEC is stored in a :abbr:`KASP (Key And Signature
+The configuration for DNSSEC is stored in the :abbr:`KASP (Key And Signature
 Policy)` database. The database is simply a directory in the file-system
 containing files in the JSON format. The database contains
 
 - definitions of signing policies;
-- zones configuration; and
-- private key material.
+- private key stores configuration; and
+- zones configuration and signing metadata.
 
 The :doc:`keymgr <man_keymgr>` utility serves for the database maintenance.
 To initialize the database, run:
@@ -321,10 +321,15 @@ To initialize the database, run:
   $ cd /var/lib/knot/kasp
   $ keymgr init
 
+The *init* command initializes the database, defines a default signing policy
+named *default* with default signing parameters, and defines a default key
+store named *default* with file-backed key store within the KASP database
+directory.
+
 .. ATTENTION::
   Make sure to set the KASP database permissions correctly. For manual key
-  management, the database must be **readable** by the server process. For
-  automatic key management, it must be **writeable**. The database also
+  management, the database must be *readable* by the server process. For
+  automatic key management, it must be *writeable*. The database also
   contains private key material – don't set the permissions too loose.
 
 .. _dnssec-automatic-key-management:
@@ -336,12 +341,12 @@ For automatic key management, a signing policy has to be defined in the
 first place. This policy specifies how a zone is signed (i.e. signing
 algorithm, key size, signature lifetime, key lifetime, etc.).
 
-To create a new policy named *default_rsa* using *RSA-SHA-256* algorithm for
+To create a new policy named *rsa* using *RSA-SHA-256* algorithm for
 signing keys, 1024-bit long ZSK, and 2048-bit long KSK, run:
 
 .. code-block:: console
 
-  $ keymgr policy add default_rsa algorithm RSASHA256 zsk-size 1024 ksk-size 2048
+  $ keymgr policy add rsa algorithm RSASHA256 zsk-size 1024 ksk-size 2048
 
 The unspecified policy parameters are set to defaults. The complete definition
 of the policy will be printed after executing the command.
@@ -351,13 +356,13 @@ created policy:
 
 .. code-block:: console
 
-  $ keymgr zone add myzone.test policy default_rsa
+  $ keymgr zone add myzone.test policy rsa
 
 Make sure everything is set correctly:
 
 .. code-block:: console
 
-  $ keymgr policy show default_rsa
+  $ keymgr policy show rsa
   $ keymgr zone show myzone.test
 
 Add the zone into the server configuration and enable DNSSEC for that zone.
@@ -394,17 +399,23 @@ Manual key management
 ---------------------
 
 For automatic DNSSEC signing with manual key management, a signing policy
-need not be defined.
+with manual key management flag has to be set.
+
+Define a signing policy named *man* with disabled automatic key management:
+
+.. code-block:: console
+
+  $ keymgr policy add man manual true
 
-Create a zone entry for the zone *myzone.test* without a policy:
+Create a zone entry for the zone *myzone.test* with the created policy:
 
 .. code-block:: console
 
-  $ keymgr zone add myzone.test
+  $ keymgr zone add myzone.test policy man
 
 Generate signing keys for the zone. Let's use the Single-Type Signing scheme
-with two algorithms (this scheme is not supported in automatic key management).
-Run:
+with two algorithms, which is a scheme currently not supported by the automatic
+key management. Run:
 
 .. code-block:: console