</para>
</section>
</section>
+ <section id="dnssec-transfers"><title>Secure transfers</title>
+ <para>
+ From 3.3.1. and up, PowerDNS support secure DNSSEC transfers as described in <ulink
+ url="https://ietf.org/doc/draft-koch-dnsop-dnssec-operator-change/">draft-koch-dnsop-dnssec-operator-change-05</ulink>.
+ If the direct-dnskey option is enabled the foreign DNSKEY records stored in the database are added to the keyset and signed
+ with the KSK. Without the direct-dnskey option DNSKEY records in the database are silently ignored.
+ </para>
+ </section>
<section id="dnssec-security"><title>Security</title>
<para>
During typical PowerDNSSEC operation, the private part of the signing keys are 'online', which can be compared
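Review bot: the first sentence of the new dnssec-transfers paragraph needs a grammar fix: "From 3.3.1. and up, PowerDNS support" should read "From 3.3.1 and up, PowerDNS supports". The paragraph should also state the trust consequence of what it describes. With direct-dnskey enabled, every DNSKEY record stored in the database is added to the keyset and signed with the KSK, so write access to the records table becomes the ability to have a key published under the zone's KSK signature. Suggest saying so here or in the Security section that follows, and noting that the foreign DNSKEY should be removed from the database once the transfer is complete. The link text names revision -05 while the URL is unversioned; make the two agree so the reference stays stable.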
<listitem><para>
TTL to use when none is provided.
</para></listitem></varlistentry>
+ <varlistentry><term>direct-dnskey=...</term>
+ <listitem><para>
+ Read additional ZSKs from the records table/your BIND zonefile
+ </para></listitem></varlistentry>
<varlistentry><term>disable-axfr=...</term>
<listitem><para>
Do not allow zone transfers. Before 2.9.10, this could be overridden by allow-axfr-ips.
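Review bot: the direct-dnskey description says "Read additional ZSKs", while the dnssec-transfers section added in the same patch speaks of foreign DNSKEY records in general and says they are signed with the KSK. The two should use the same wording so a reader knows whether only ZSKs are read and what happens to them. The entry also gives no default value and no version, whereas the neighbouring disable-axfr entry notes version behaviour. Suggest stating the default, adding that the option is available from 3.3.1, linking to the dnssec-transfers section, and ending the sentence with a period.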