Document automatic key management prerequisites

doc/configuration.rst

@@ -399,22 +399,21 @@ Automatic DNSSEC signing
 Knot DNS supports automatic DNSSEC signing of zones. The signing
 can operate in two modes:
 
-1. :ref:`Manual key management <dnssec-manual-key-management>`.
+1. :ref:`Manual key management <dnssec-manual-key-management>`:
    In this mode, the server maintains zone signatures (RRSIGs) only. The
    signatures are kept up-to-date and signing keys are rolled according to
-   timing parameters assigned to the keys. The keys must be generated and
+   the timing parameters assigned to the keys. The keys must be generated and
    timing parameters must be assigned by the zone operator.
 
-2. :ref:`Automatic key management <dnssec-automatic-zsk-management>`.
+2. :ref:`Automatic key management <dnssec-automatic-zsk-management>`:
    In this mode, the server maintains signing keys. New keys are generated
-   according to assigned policy and are rolled automatically in a safe manner.
-   No zone operator intervention is necessary.
+   according to the assigned policy and are rolled automatically in a safe manner.
+   No intervention from the zone operator is necessary.
 
-For automatic DNSSEC signing, :ref:`policy<Policy section>` has to
+For automatic DNSSEC signing, a :ref:`policy<Policy section>` must
 be configured and assigned to the zone. The policy specifies how the zone
 is signed (i.e. signing algorithm, key size, key lifetime, signature lifetime,
-etc.). If no policy is specified or the ``default`` one is assigned, the
-default signing parameters are used.
+etc.). If no policy is specified, the default signing parameters are used.
 
 The DNSSEC signing process maintains some metadata which is stored in the
 :abbr:`KASP (Key And Signature Policy)` database. This database is backed