Package: bind9 Version: 1:9.11.5.P4+dfsg-5.1 Severity: minor In the text of "man dnssec-signzone":
-R Remove signatures from keys that are no longer published. This option is similar to -Q, except it forces dnssec-signzone to signatures from keys that are no longer published. This enables ZSK rollover using the procedure described in RFC 4641, section 4.2.1.2 ("Double Signature Zone Signing Key There are clearly some words missing from "forces dnssec-signzone to signatures from". -- System Information: Debian Release: 10.0 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-5-amd64 (SMP w/12 CPU cores) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages bind9 depends on: ii adduser 3.118 ii bind9utils 1:9.11.5.P4+dfsg-5.1 ii debconf [debconf-2.0] 1.5.71 ii dns-root-data 2019031302 ii libbind9-161 1:9.11.5.P4+dfsg-5.1 ii libc6 2.28-10 ii libcap2 1:2.25-2 ii libcom-err2 1.44.5-1 ii libdns1104 1:9.11.5.P4+dfsg-5.1 ii libfstrm0 0.4.0-1 ii libgeoip1 1.6.12-1 ii libgssapi-krb5-2 1.17-3 ii libisc1100 1:9.11.5.P4+dfsg-5.1 ii libisccc161 1:9.11.5.P4+dfsg-5.1 ii libisccfg163 1:9.11.5.P4+dfsg-5.1 ii libjson-c3 0.12.1+ds-2 ii libk5crypto3 1.17-3 ii libkrb5-3 1.17-3 ii liblmdb0 0.9.22-1 ii liblwres161 1:9.11.5.P4+dfsg-5.1 ii libprotobuf-c1 1.3.1-1+b1 ii libssl1.1 1.1.1c-1 ii libxml2 2.9.4+dfsg1-7+b3 ii lsb-base 10.2019051400 ii net-tools 1.60+git20180626.aebd88e-1 ii netbase 5.6 bind9 recommends no packages. Versions of packages bind9 suggests: pn bind9-doc <none> ii dnsutils 1:9.11.5.P4+dfsg-5.1 pn resolvconf <none> pn ufw <none> -- Configuration Files: /etc/bind/named.conf changed [not included] /etc/bind/named.conf.local changed [not included] /etc/bind/named.conf.options changed [not included] -- debconf information: bind9/different-configuration-file: bind9/run-resolvconf: false bind9/start-as-user: bind