doc: fix DNSSEC defaults in documentation and config

dbc1dae9 · Jan Včelák · 0fb88f69 · dbc1dae9 · dbc1dae9
Commit dbc1dae9 authored 11 years ago by Jan Včelák
--- a/doc/reference.texi
+++ b/doc/reference.texi
@@ -867,9 +867,11 @@ are 1 to INT_MAX and default value is 5.
 @subsubsection dnssec-enable
 @vindex dnssec-enable

-EXPERIMENTAL: Enable DNSSEC signing for the zone.
+EXPERIMENTAL: Enable online DNSSEC signing for the zone.

-Default value: inherited from global value set in @code{zones} section.
+Default value (in @code{zones} section): on if @code{dnssec-keydir} is set
+
+Default value (in @code{zone} config): inherited from @code{zones} section

 @node dnssec-keydir
 @subsubsection dnssec-keydir

--- a/samples/knot.full.conf
+++ b/samples/knot.full.conf
@@ -252,12 +252,12 @@ zones {

  # Enable DNSSEC online signing (EXPERIMENTAL)
  # Possible values: on | off;
-  # Default value: off
-  dnssec-enable off;
+  # Default value: on if dnssec-keydir is set
+  dnssec-enable on;

-  # Location of DNSSEC signing keys.
+  # Location of DNSSEC signing keys (relative to storage dir).
  # Default value: not set
-  # dnssec-keydir "some-secure-directory";
+  # dnssec-keydir "keys";

  # Validity period for DNSSEC signatures
  # Possible values: (7200..INT_MAX> (seconds)
@@ -318,8 +318,8 @@ zones {

    # Enable DNSSEC online signing (EXPERIMENTAL)
    # Possible values: on | off;
-    # Default value: off
-    dnssec-enable off;
+    # Default value: inherited from zones
+    # dnssec-enable on;

    # Validity period for DNSSEC signatures
    # Possible values: (7200..INT_MAX> (seconds)