diff options
Diffstat (limited to '')
-rw-r--r-- | doc/man/knot.conf.5in | 111 |
1 files changed, 71 insertions, 40 deletions
diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5in index a951b7c..a9b175e 100644 --- a/doc/man/knot.conf.5in +++ b/doc/man/knot.conf.5in @@ -253,7 +253,7 @@ server: quic\-idle\-close\-timeout: TIME remote\-pool\-limit: INT remote\-pool\-timeout: TIME - remote\-retry\-delay: TIME + remote\-retry\-delay: INT socket\-affinity: BOOL udp\-max\-payload: SIZE udp\-max\-payload\-ipv4: SIZE @@ -809,7 +809,7 @@ Time in seconds, after which any idle connection is forcibly closed. .SS tcp\-resend\-timeout .sp Resend outgoing data packets (with DNS response payload) if not ACKed -before this timeout. +before this timeout (in seconds). .sp \fIMinimum:\fP \fB1\fP .sp @@ -859,6 +859,7 @@ Configuration of the server control interface. .ft C control: listen: STR + backlog: INT timeout: TIME .ft P .fi @@ -869,7 +870,16 @@ control: A UNIX socket \fI\%path\fP where the server listens for control commands. .sp +Change of this parameter requires restart of the Knot server to take effect. +.sp \fIDefault:\fP \fI\%rundir\fP\fB/knot.sock\fP +.SS backlog +.sp +The control UNIX socket listen backlog size. +.sp +Change of this parameter requires restart of the Knot server to take effect. +.sp +\fIDefault:\fP \fB5\fP .SS timeout .sp Maximum time (in seconds) the control socket operations can take. @@ -1436,8 +1446,9 @@ An ordered list of \fI\%references\fP to remote server definitions. .SH ACL SECTION .sp Access control list rule definitions. An ACL rule is a description of one -or more authorized operations (zone transfer request, zone change notification, -and dynamic DNS update) which are allowed to be processed or denied. +or more authorized actions (zone transfer request, zone change notification, +and dynamic DNS update) which are allowed to be processed or denied. Normal +DNS queries are always allowed. .INDENT 0.0 .INDENT 3.5 .sp @@ -1506,7 +1517,7 @@ This option cannot be specified along with the \fI\%address\fP or \fIDefault:\fP not set .SS action .sp -An ordered list of allowed (or denied) actions. +An ordered list of allowed, or denied, actions (request types). .sp Possible values: .INDENT 0.0 @@ -1626,8 +1637,8 @@ A DNSSEC\-validating resolver can be set as a parent. .UNINDENT .SS check\-interval .sp -Interval for periodic checks of DS presence on parent\(aqs DNS servers, in the -case of the KSK submission. +Interval (in seconds) for periodic checks of DS presence on parent\(aqs DNS +servers, in the case of the KSK submission. .sp \fIDefault:\fP \fB1h\fP (1 hour) .SS timeout @@ -1639,14 +1650,14 @@ Set to 0 for infinity. \fIDefault:\fP \fB0\fP .SS parent\-delay .sp -After successful parent DS check, wait for this period before continuing the next -key roll\-over step. This delay shall cover the propagation delay of update in the -parent zone. +After successful parent DS check, wait for this period (in seconds) before +continuing the next key roll\-over step. This delay shall cover the propagation +delay of update in the parent zone. .sp \fIDefault:\fP \fB0\fP .SH DNSKEY-SYNC SECTION .sp -Parameters of DNSKEY dynamic\-update synchrnization. +Parameters of DNSKEY dynamic\-update synchronization. .INDENT 0.0 .INDENT 3.5 .sp @@ -1673,7 +1684,7 @@ DNSKEY/CDNSKEY/CDS records shall be sent to. .SS check\-interval .sp If the last DNSKEY sync failed or resulted in any change, re\-check -the consistence after this interval and re\-try if needed. +the consistence after this interval (in seconds) and re\-try if needed. .sp \fIDefault:\fP \fB60\fP (1 minute) .SH POLICY SECTION @@ -1695,6 +1706,7 @@ policy: ksk\-shared: BOOL dnskey\-ttl: TIME zone\-max\-ttl: TIME + keytag\-modulo: INT/INT ksk\-lifetime: TIME zsk\-lifetime: TIME delete\-delay: TIME @@ -1844,9 +1856,26 @@ really reasonable when records are generated dynamically .UNINDENT .sp \fIDefault:\fP computed after zone is loaded +.SS keytag\-modulo +.sp +Specifies that the keytags of any generated keys shall be congruent by specified modulo. +The option value must be a string in the format \fBR/M\fP, where \fBR < M <= 256\fP are +positive integers. Whenever a DNSSEC key is generated, it is ensured +that \fBkeytag % M == R\fP\&. This prevents keytag conflict in \fI\%DNSSEC Offline KSK\fP +or \fI\%DNSSEC multi\-signer\fP (and possibly other) setups. +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +This only applies to newly generated keys when they are generated. Keys from +before this option and keys imported from elsewhere might not fulfill the policy. +.UNINDENT +.UNINDENT +.sp +\fIDefault:\fP \fB0/1\fP .SS ksk\-lifetime .sp -A period between KSK generation and the next rollover initiation. +A period (in seconds) between KSK generation and the next rollover initiation. .sp \fBNOTE:\fP .INDENT 0.0 @@ -1860,10 +1889,10 @@ This applies for CSK lifetime if single\-type\-signing is enabled. .UNINDENT .UNINDENT .sp -\fIDefault:\fP \fB0\fP +\fIDefault:\fP \fB0\fP (infinity) .SS zsk\-lifetime .sp -A period between ZSK activation and the next rollover initiation. +A period (in seconds) between ZSK activation and the next rollover initiation. .sp \fBNOTE:\fP .INDENT 0.0 @@ -1883,20 +1912,20 @@ Zero (aka infinity) value causes no ZSK rollover as a result. .SS delete\-delay .sp Once a key (KSK or ZSK) is rolled\-over and removed from the zone, -keep it in the KASP database for at least this period before deleting it completely. -This might be useful in some troubleshooting cases when resurrection +keep it in the KASP database for at least this period (in seconds) before deleting +it completely. This might be useful in some troubleshooting cases when resurrection is needed. .sp \fIDefault:\fP \fB0\fP .SS propagation\-delay .sp -An extra delay added for each key rollover step. This value should be high -enough to cover propagation of data from the primary server to all -secondary servers, as well as the duration of signing routine itself and -possible outages in signing and propagation infrastructure. In other words, -this delay should ensure that within this period of time after planned -change of the key set, all public\-facing secondaries will already serve -new DNSKEY RRSet for sure. +An extra delay added for each key rollover step. This value (in seconds) +should be high enough to cover propagation of data from the primary server +to all secondary servers, as well as the duration of signing routine itself +and possible outages in signing and propagation infrastructure. In other +words, this delay should ensure that within this period of time after +planned change of the key set, all public\-facing secondaries will already +serve new DNSKEY RRSet for sure. .sp \fBNOTE:\fP .INDENT 0.0 @@ -1908,7 +1937,7 @@ Has influence over ZSK key lifetime. \fIDefault:\fP \fB1h\fP (1 hour) .SS rrsig\-lifetime .sp -A validity period of newly issued signatures. +A validity period (in seconds) of newly issued signatures. .sp \fBNOTE:\fP .INDENT 0.0 @@ -1921,15 +1950,16 @@ time period is not counted to the signature lifetime. \fIDefault:\fP \fB14d\fP (14 days) .SS rrsig\-refresh .sp -A period how long at least before a signature expiration the signature will be refreshed, -in order to prevent expired RRSIGs on secondary servers or resolvers\(aq caches. +A period (in seconds) how long at least before a signature expiration the signature +will be refreshed, in order to prevent expired RRSIGs on secondary servers or +resolvers\(aq caches. .sp \fIDefault:\fP 0.1 * \fI\%rrsig\-lifetime\fP + \fI\%propagation\-delay\fP + \fI\%zone\-max\-ttl\fP .SS rrsig\-pre\-refresh .sp -A period how long at most before a signature refresh time the signature might be refreshed, -in order to refresh RRSIGs in bigger batches on a frequently updated zone -(avoid re\-sign event too often). +A period (in seconds) how long at most before a signature refresh time the signature +might be refreshed, in order to refresh RRSIGs in bigger batches on a frequently updated +zone (avoid re\-sign event too often). .sp \fIDefault:\fP \fB1h\fP (1 hour) .SS reproducible\-signing @@ -1972,7 +2002,7 @@ name before hashing. \fIDefault:\fP \fB8\fP .SS nsec3\-salt\-lifetime .sp -A validity period of newly issued salt field. +A validity period (in seconds) of newly issued salt field. .sp Zero value means infinity. .sp @@ -2308,6 +2338,7 @@ where DDD is corresponding decimal ASCII code. An ordered list of references \fI\%remote\fP and \fI\%remotes\fP to zone primary servers (formerly known as master servers). +Empty value is allowed for template value overriding. .sp \fIDefault:\fP not set .SS ddns\-master @@ -2326,6 +2357,7 @@ combination with \fI\%dnssec\-signing\fP enabled. An ordered list of references \fI\%remote\fP and \fI\%remotes\fP to secondary servers to which notify message is sent if the zone changes. +Empty value is allowed for template value overriding. .sp \fIDefault:\fP not set .SS acl @@ -2339,13 +2371,13 @@ or disallow zone transfers, updates or incoming notifies. If set to a nonzero value on a secondary, always request AXFR/IXFR from the same primary as the last time, effectively pinning one primary. Only when another primary is updated and the current one lags behind for the specified amount of time -(defined by this option), change to the updated primary and force AXFR. +(defined by this option in seconds), change to the updated primary and force AXFR. .sp This option is useful when multiple primaries may have different zone history in their journals, making it unsafe to combine interchanged IXFR from different primaries. .sp -\fIDefault:\fP 0 +\fIDefault:\fP \fB0\fP (disabled) .SS provide\-ixfr .sp If disabled, the server is forced to respond with AXFR to IXFR queries. @@ -2412,8 +2444,8 @@ query (malformed message) and triggers a zone bootstrap instead. \fIDefault:\fP \fBoff\fP .SS zonefile\-sync .sp -The time after which the current zone in memory will be synced with a zone file -on the disk (see \fI\%file\fP). The server will serve the latest +The time in seconds after which the current zone in memory will be synced with +a zone file on the disk (see \fI\%file\fP). The server will serve the latest zone even after a restart using zone journal, but the zone file on the disk will only be synced after \fBzonefile\-sync\fP time has expired (or after manual zone flush). This is applicable when the zone is updated via IXFR, DDNS or automatic @@ -2520,7 +2552,7 @@ Zone\-in\-journal changeset isn\(aqt counted to the limit. If enabled, incoming IXFR is applied even when it contains removals of non\-existing or additions of existing records. .sp -\fIDefault:\fP off +\fIDefault:\fP \fBoff\fP .SS ixfr\-by\-one .sp Within incoming IXFR, process only one changeset at a time, not multiple together. @@ -2615,7 +2647,7 @@ A configured policy called \(dqdefault\(dq won\(aqt be used unless explicitly re .SS ds\-push .sp Per zone configuration of \fI\%ds\-push\fP\&. This option overrides possible -per policy option. +per policy option. Empty value is allowed for template value overriding. .sp \fIDefault:\fP not set .SS zonemd\-verify @@ -2791,9 +2823,8 @@ has the \fIgroup\fP property defined, matching another catalog template. .INDENT 3.5 This option must be set if and only if \fI\%catalog\-role\fP is \fIinterpret\fP\&. .sp -Nested catalog zones aren\(aqt supported. Therefore catalog templates can\(aqt use -\fI\%catalog\-template\fP, \fI\%catalog\-role\fP, \fI\%catalog\-zone\fP, -and \fI\%catalog\-group\fP options. +Nested catalog zones aren\(aqt supported. Therefore catalog templates can\(aqt +contain \fI\%catalog\-role\fP set to \fBinterpret\fP or \fBgenerate\fP\&. .UNINDENT .UNINDENT .sp |