[deployment-guide/comm-rel: 434/727] Updated the DNS Security Extensions (DNSSEC) section.

Jaromir Hradilek jhradile at fedoraproject.org
Tue Oct 19 13:01:19 UTC 2010


commit ea551011f25f01c832eef663f02098b9d27fc761
Author: Jaromir Hradilek <jhradile at redhat.com>
Date:   Thu Aug 19 11:41:35 2010 +0200

    Updated the DNS Security Extensions (DNSSEC) section.

 en-US/The_BIND_DNS_Server.xml |   36 +++++++++---------------------------
 1 files changed, 9 insertions(+), 27 deletions(-)
---
diff --git a/en-US/The_BIND_DNS_Server.xml b/en-US/The_BIND_DNS_Server.xml
index 8199512..976ff5b 100644
--- a/en-US/The_BIND_DNS_Server.xml
+++ b/en-US/The_BIND_DNS_Server.xml
@@ -1957,41 +1957,23 @@ ns.icann.org.           12884   IN      A       192.0.34.126
       </important>
     </section>
     <section id="s2-bind-features-dnssec">
-      <title>DNSSEC</title>
+      <title>DNS Security Extensions (DNSSEC)</title>
       <indexterm>
         <primary>BIND</primary>
         <secondary>features</secondary>
-        <tertiary>DNSSEC</tertiary>
+        <tertiary>DNS Security Extensions (DNSSEC)</tertiary>
       </indexterm>
       <para>
-        DNSSEC (DNS SECurity extensions) is an extension to DNS that provides origin authentication of DNS data, authenticated denial of existence and data integrity. DNSSEC is backward compatible with the "plain" DNS. When a particular domain is marked as secure then validating resolver returns SERFVAIL responses for all RRs which fail validating process.
+        <firstterm>Domain Name System Security Extensions</firstterm> (<firstterm>DNSSEC</firstterm>) provide origin authentication of DNS data, authenticated denial of existence, and data integrity. When a particular domain is marked as secure, the <literal>SERFVAIL</literal> response is returned for each resource record that fails the validation.
       </para>
+      <indexterm>
+        <primary>BIND</primary>
+        <secondary>utilities</secondary>
+        <tertiary><command>dig</command></tertiary>
+      </indexterm>
       <para>
-        For detailed information how to setup DNSSEC-signed zone and DNSSEC validating resolver please refer to <citetitle>BIND 9 Administrator Reference Manual</citetitle> referenced in <xref linkend="s2-bind-installed-docs"/>, sections called <command>DNSSEC</command>, <command>DNSSEC, dynamic zones, and automatic signing</command> and <command>Dynamic trust anchor management</command>.
+        Note that to debug a DNSSEC-signed domain or a DNSSEC-aware resolver, you can use the <command>dig</command> utility as described in <xref linkend="s1-bind-dig" />. Useful options are <option>+dnssec</option> (requests DNSSEC-related resource records by setting the DNSSEC OK bit), <option>+cd</option> (tells recursive nameserver not to validate the response), and <option>+bufsize=512</option> (changes the packet size to 512B to get through some firewalls).
       </para>
-      <note>
-        <title>Troubleshooting</title>
-        <para>
-          When troubleshooting issues with the DNSSEC-signed domain or the DNSSEC-aware resolver, use the <command>dig</command> utility. Useful options are:
-        </para>
-        <itemizedlist><!-- atkac at redhat.com: This list doesn't look so nice, does it? -->
-          <listitem>
-            <para>
-              +dnssec - Requests DNSSEC related RRs by setting the DNSSEC OK (DO) bit in the query.
-            </para>
-          </listitem>
-          <listitem>
-            <para>
-              +cd - Requests the recursive server to not perform validation of the response.
-            </para>
-          </listitem>
-          <listitem>
-            <para>
-              +bufsize=512 - Decrease size of the DNS packet to 512B to try to go through misconfigured firewalls
-            </para>
-          </listitem>
-        </itemizedlist>
-      </note>
     </section>
     <section id="s2-bind-features-ipv6">
       <title>IP version 6</title>
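
Review bot: the rewritten first <para> still carries the misspelled response code SERFVAIL, and now wraps it in <literal>, so it will render as if it were the exact string a user should look for; the DNS response code is SERVFAIL. The new sentence is also passive and no longer says that it is the validating resolver that returns the error, which the removed wording did state; something like "a validating resolver returns <literal>SERVFAIL</literal> for each resource record that fails validation" keeps both. Two further losses are worth reconsidering. The removed paragraph was the section's only pointer to the BIND 9 Administrator Reference Manual for setting up a signed zone or a validating resolver, so the section now describes debugging but not where to find configuration instructions. The +bufsize=512 description also dropped "misconfigured", which reads as if limiting packets to 512B were a routine firewall accommodation rather than a workaround. Finally, the <firstterm> expands the name as "Domain Name System Security Extensions" while the new <title> and <tertiary> use "DNS Security Extensions"; pick one form.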

