Diffstat (limited to 'doc/man/knot.conf.5in')
-rw-r--r-- doc/man/knot.conf.5in 20
1 files changed, 16 insertions, 4 deletions
diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5in
index 72f0a4a..a951b7c 100644
--- a/doc/man/knot.conf.5in
+++ b/doc/man/knot.conf.5in
@@ -67,9 +67,10 @@ the following symbols:
.UNINDENT
.sp
The configuration consists of several fixed sections and optional module
-sections. There are 16 fixed sections (\fBmodule\fP, \fBserver\fP, \fBxdp\fP, \fBcontrol\fP,
+sections. There are 17 fixed sections (\fBmodule\fP, \fBserver\fP, \fBxdp\fP, \fBcontrol\fP,
\fBlog\fP, \fBstatistics\fP, \fBdatabase\fP, \fBkeystore\fP, \fBkey\fP, \fBremote\fP,
-\fBremotes\fP, \fBacl\fP, \fBsubmission\fP, \fBpolicy\fP, \fBtemplate\fP, \fBzone\fP).
+\fBremotes\fP, \fBacl\fP, \fBsubmission\fP, \fBdnskey\-sync\fP, \fBpolicy\fP, \fBtemplate\fP,
+\fBzone\fP).
Module sections are prefixed with the \fBmod\-\fP prefix (e.g. \fBmod\-stats\fP).
.sp
Most of the sections (e.g. \fBzone\fP) are sequences of settings blocks. Each
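Review bot: The literal count in "There are 17 fixed sections" has to be bumped by hand whenever the parenthesised list changes, which is the only reason the first changed line exists. The new list does contain 17 names, so the text is correct, but consider dropping the number ("The fixed sections are ...") so the sentence cannot drift out of sync with the list the next time a section is added.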
@@ -964,7 +965,7 @@ Minimum severity level for messages related to QUIC to be logged.
Minimum severity level for all message types, except \fBquic\fP, to be logged.
.sp
\fIDefault:\fP not set
-.SH STATS SECTION
+.SH STATISTICS SECTION
.sp
Periodic server statistics dumping.
.INDENT 0.0
@@ -1871,7 +1872,8 @@ More exactly, this period is measured since a ZSK is activated,
and after this, a new ZSK is generated to replace it within
following roll\-over.
.sp
-ZSK key lifetime is also influenced by propagation\-delay and dnskey\-ttl
+As a consequence, in normal operation, this results in the period
+of ZSK generation being \fIzsk\-lifetime + propagation\-delay + dnskey_ttl\fP\&.
.sp
Zero (aka infinity) value causes no ZSK rollover as a result.
.UNINDENT
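Review bot: The last term of the added formula is spelled dnskey_ttl with an underscore, while the removed line and the other two terms use hyphens (dnskey\-ttl, propagation\-delay); write dnskey\-ttl so the formula matches the option name a reader would search for. The wording "As a consequence, in normal operation, this results in" is also redundant; "In normal operation, the period of ZSK generation is ..." says the same thing.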
@@ -2032,6 +2034,14 @@ Module \fI\%Onlinesign\fP doesn\(aqt support DS push.
.UNINDENT
.UNINDENT
.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+When turning this feature on while a KSK roll\-over is already running, it might
+not take effect for the already\-running roll\-over.
+.UNINDENT
+.UNINDENT
+.sp
\fIDefault:\fP not set
.SS dnskey\-sync
.sp
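Review bot: The added NOTE says the setting "might not take effect for the already-running roll-over" but gives the operator no way to tell whether it did or what to expect afterwards. State the condition under which it is skipped and whether the setting applies from the next KSK roll-over onward, so that someone enabling it mid-rollover knows whether manual action is needed.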
@@ -2567,6 +2577,8 @@ List of DNSSEC checks:
.IP \(bu 2
Every zone RRSet is correctly signed by at least one present DNSKEY.
.IP \(bu 2
+For every RRSIG there are at most 3 non\-matching DNSKEYs with the same keytag.
+.IP \(bu 2
DNSKEY RRSet is signed by KSK.
.IP \(bu 2
NSEC(3) RR exists for each name (unless opt\-out) with correct bitmap.
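Review bot: The added list item states the limit "at most 3" without saying where the number comes from, whether it can be changed, or what "non-matching" means (presumably a DNSKEY that shares the RRSIG's keytag but is not the key that produced the signature). Add a short clause defining the term and the reason for the limit, so an operator who hits this check failure can tell which keys to remove or re-generate.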