author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-13 08:02:46 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-13 08:02:46 +0000
commit: e4e8d437fe47a4d97ab469fc9116e50ab1601c54
tree: d573aafc30201b68be84aba1a44a8f5f2fc30d4e /doc/man
parent: Adding debian version 3.3.4-1.1.
Merging upstream version 3.3.5.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/man')
-rw-r--r-- doc/man/knot.conf.5in 20
-rw-r--r-- doc/man/kzonecheck.1in 3
2 files changed, 19 insertions, 4 deletions
diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5in
index 72f0a4a..a951b7c 100644
--- a/doc/man/knot.conf.5in
+++ b/doc/man/knot.conf.5in
@@ -67,9 +67,10 @@ the following symbols:
.UNINDENT
.sp
The configuration consists of several fixed sections and optional module
-sections. There are 16 fixed sections (\fBmodule\fP, \fBserver\fP, \fBxdp\fP, \fBcontrol\fP,
+sections. There are 17 fixed sections (\fBmodule\fP, \fBserver\fP, \fBxdp\fP, \fBcontrol\fP,
\fBlog\fP, \fBstatistics\fP, \fBdatabase\fP, \fBkeystore\fP, \fBkey\fP, \fBremote\fP,
-\fBremotes\fP, \fBacl\fP, \fBsubmission\fP, \fBpolicy\fP, \fBtemplate\fP, \fBzone\fP).
+\fBremotes\fP, \fBacl\fP, \fBsubmission\fP, \fBdnskey\-sync\fP, \fBpolicy\fP, \fBtemplate\fP,
+\fBzone\fP).
Module sections are prefixed with the \fBmod\-\fP prefix (e.g. \fBmod\-stats\fP).
.sp
Most of the sections (e.g. \fBzone\fP) are sequences of settings blocks. Each
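Review bot: The hard-coded count in "There are 17 fixed sections" has to be bumped by hand every time a section is added, as this hunk shows. The 17 names now listed do match the number, but consider dropping the count ("The fixed sections are ...") so the sentence cannot drift from the list the next time a section such as \fBdnskey\-sync\fP is introduced.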
@@ -964,7 +965,7 @@ Minimum severity level for messages related to QUIC to be logged.
Minimum severity level for all message types, except \fBquic\fP, to be logged.
.sp
\fIDefault:\fP not set
-.SH STATS SECTION
+.SH STATISTICS SECTION
.sp
Periodic server statistics dumping.
.INDENT 0.0
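Review bot: On the .SH line, the rename to STATISTICS SECTION should come with a check for remaining references to the old "STATS SECTION" title, since this diff is limited to doc/man and shows none being updated. The new title matches the \fBstatistics\fP section name used in the list of fixed sections, so any leftover mention of the old one would now be the odd one out.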
@@ -1871,7 +1872,8 @@ More exactly, this period is measured since a ZSK is activated,
and after this, a new ZSK is generated to replace it within
following roll\-over.
.sp
-ZSK key lifetime is also influenced by propagation\-delay and dnskey\-ttl
+As a consequence, in normal operation, this results in the period
+of ZSK generation being \fIzsk\-lifetime + propagation\-delay + dnskey_ttl\fP\&.
.sp
Zero (aka infinity) value causes no ZSK rollover as a result.
.UNINDENT
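Review bot: The added formula spells its last term "dnskey_ttl" with an underscore, while the removed line and the other two terms use hyphens ("dnskey\-ttl", "propagation\-delay", "zsk\-lifetime"). Use "dnskey\-ttl" so the term matches the option name a reader would search for. The opening "As a consequence, in normal operation, this results in" also stacks three qualifiers and could be cut to one.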
@@ -2032,6 +2034,14 @@ Module \fI\%Onlinesign\fP doesn\(aqt support DS push.
.UNINDENT
.UNINDENT
.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+When turning this feature on while a KSK roll\-over is already running, it might
+not take effect for the already\-running roll\-over.
+.UNINDENT
+.UNINDENT
+.sp
\fIDefault:\fP not set
.SS dnskey\-sync
.sp
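Review bot: The new NOTE says the setting "might not take effect for the already\-running roll\-over" but gives the operator no next step and no condition under which it does apply. Since the surrounding text is about DS push, say what the operator should expect for the roll-over in progress (for instance whether the DS at the parent then has to be handled by other means) and from which roll-over onward the setting is honoured.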
@@ -2567,6 +2577,8 @@ List of DNSSEC checks:
.IP \(bu 2
Every zone RRSet is correctly signed by at least one present DNSKEY.
.IP \(bu 2
+For every RRSIG there are at most 3 non\-matching DNSKEYs with the same keytag.
+.IP \(bu 2
DNSKEY RRSet is signed by KSK.
.IP \(bu 2
NSEC(3) RR exists for each name (unless opt\-out) with correct bitmap.
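Review bot: The added check states the limit "at most 3 non\-matching DNSKEYs with the same keytag" with no rationale and no indication of what is reported when the limit is exceeded. Add a sentence on why colliding keytags are limited and whether the value 3 is fixed or configurable, so an operator whose zone fails this check can tell what to change.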
diff --git a/doc/man/kzonecheck.1in b/doc/man/kzonecheck.1in
index 380c41f..a73b66e 100644
--- a/doc/man/kzonecheck.1in
+++ b/doc/man/kzonecheck.1in
@@ -59,6 +59,9 @@ Zone origin. If not specified, the origin is determined from the file name
Also check DNSSEC\-related records. The default is to decide based on the
existence of a RRSIG for SOA.
.TP
+\fB\-z\fP, \fB\-\-zonemd\fP
+Also check the zone hash against a ZONEMD record, which is required to exist.
+.TP
\fB\-t\fP, \fB\-\-time\fP \fItime\fP
Current time specification. Use UNIX timestamp, YYYYMMDDHHmmSS
format, or [+/\-]\fItime\fP[unit] format, where unit can be \fBY\fP, \fBM\fP,
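Review bot: In the \fB\-\-zonemd\fP description, "which is required to exist" is easy to misread as a precondition rather than part of the check. State explicitly that with this option a missing ZONEMD record is reported as an error, and document the behaviour when the option is absent, the way the DNSSEC option above it documents its default.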