summaryrefslogtreecommitdiffstats
path: root/doc/man
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 08:02:36 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 08:02:36 +0000
commit07978ec28369b472f255fd7dde9085f42509e153 (patch)
treeb6614badfed18e6417673cf106d36d9d2dd6fff0 /doc/man
parentAdding upstream version 3.3.4. (diff)
downloadknot-07978ec28369b472f255fd7dde9085f42509e153.tar.xz
knot-07978ec28369b472f255fd7dde9085f42509e153.zip
Adding upstream version 3.3.5.upstream/3.3.5
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--doc/man/knot.conf.5in20
-rw-r--r--doc/man/kzonecheck.1in3
-rw-r--r--doc/man_kzonecheck.rst3
3 files changed, 22 insertions, 4 deletions
diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5in
index 72f0a4a..a951b7c 100644
--- a/doc/man/knot.conf.5in
+++ b/doc/man/knot.conf.5in
@@ -67,9 +67,10 @@ the following symbols:
.UNINDENT
.sp
The configuration consists of several fixed sections and optional module
-sections. There are 16 fixed sections (\fBmodule\fP, \fBserver\fP, \fBxdp\fP, \fBcontrol\fP,
+sections. There are 17 fixed sections (\fBmodule\fP, \fBserver\fP, \fBxdp\fP, \fBcontrol\fP,
\fBlog\fP, \fBstatistics\fP, \fBdatabase\fP, \fBkeystore\fP, \fBkey\fP, \fBremote\fP,
-\fBremotes\fP, \fBacl\fP, \fBsubmission\fP, \fBpolicy\fP, \fBtemplate\fP, \fBzone\fP).
+\fBremotes\fP, \fBacl\fP, \fBsubmission\fP, \fBdnskey\-sync\fP, \fBpolicy\fP, \fBtemplate\fP,
+\fBzone\fP).
Module sections are prefixed with the \fBmod\-\fP prefix (e.g. \fBmod\-stats\fP).
.sp
Most of the sections (e.g. \fBzone\fP) are sequences of settings blocks. Each
@@ -964,7 +965,7 @@ Minimum severity level for messages related to QUIC to be logged.
Minimum severity level for all message types, except \fBquic\fP, to be logged.
.sp
\fIDefault:\fP not set
-.SH STATS SECTION
+.SH STATISTICS SECTION
.sp
Periodic server statistics dumping.
.INDENT 0.0
@@ -1871,7 +1872,8 @@ More exactly, this period is measured since a ZSK is activated,
and after this, a new ZSK is generated to replace it within
following roll\-over.
.sp
-ZSK key lifetime is also influenced by propagation\-delay and dnskey\-ttl
+As a consequence, in normal operation, this results in the period
+of ZSK generation being \fIzsk\-lifetime + propagation\-delay + dnskey_ttl\fP\&.
.sp
Zero (aka infinity) value causes no ZSK rollover as a result.
.UNINDENT
@@ -2032,6 +2034,14 @@ Module \fI\%Onlinesign\fP doesn\(aqt support DS push.
.UNINDENT
.UNINDENT
.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+When turning this feature on while a KSK roll\-over is already running, it might
+not take effect for the already\-running roll\-over.
+.UNINDENT
+.UNINDENT
+.sp
\fIDefault:\fP not set
.SS dnskey\-sync
.sp
@@ -2567,6 +2577,8 @@ List of DNSSEC checks:
.IP \(bu 2
Every zone RRSet is correctly signed by at least one present DNSKEY.
.IP \(bu 2
+For every RRSIG there are at most 3 non\-matching DNSKEYs with the same keytag.
+.IP \(bu 2
DNSKEY RRSet is signed by KSK.
.IP \(bu 2
NSEC(3) RR exists for each name (unless opt\-out) with correct bitmap.
diff --git a/doc/man/kzonecheck.1in b/doc/man/kzonecheck.1in
index 380c41f..a73b66e 100644
--- a/doc/man/kzonecheck.1in
+++ b/doc/man/kzonecheck.1in
@@ -59,6 +59,9 @@ Zone origin. If not specified, the origin is determined from the file name
Also check DNSSEC\-related records. The default is to decide based on the
existence of a RRSIG for SOA.
.TP
+\fB\-z\fP, \fB\-\-zonemd\fP
+Also check the zone hash against a ZONEMD record, which is required to exist.
+.TP
\fB\-t\fP, \fB\-\-time\fP \fItime\fP
Current time specification. Use UNIX timestamp, YYYYMMDDHHmmSS
format, or [+/\-]\fItime\fP[unit] format, where unit can be \fBY\fP, \fBM\fP,
diff --git a/doc/man_kzonecheck.rst b/doc/man_kzonecheck.rst
index 4a815a4..3a10863 100644
--- a/doc/man_kzonecheck.rst
+++ b/doc/man_kzonecheck.rst
@@ -36,6 +36,9 @@ Options
Also check DNSSEC-related records. The default is to decide based on the
existence of a RRSIG for SOA.
+**-z**, **--zonemd**
+ Also check the zone hash against a ZONEMD record, which is required to exist.
+
**-t**, **--time** *time*
Current time specification. Use UNIX timestamp, YYYYMMDDHHmmSS
format, or [+/-]\ *time*\ [unit] format, where unit can be **Y**, **M**,