diff options
Diffstat (limited to '')
-rw-r--r-- | doc/man/knot.conf.5in | 111 | ||||
-rw-r--r-- | doc/man/knotc.8in | 22 | ||||
-rw-r--r-- | doc/man/kxdpgun.8in | 6 | ||||
-rw-r--r-- | doc/man_knotc.rst | 22 | ||||
-rw-r--r-- | doc/man_kxdpgun.rst | 6 |
5 files changed, 101 insertions, 66 deletions
diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5in index a951b7c..a9b175e 100644 --- a/doc/man/knot.conf.5in +++ b/doc/man/knot.conf.5in @@ -253,7 +253,7 @@ server: quic\-idle\-close\-timeout: TIME remote\-pool\-limit: INT remote\-pool\-timeout: TIME - remote\-retry\-delay: TIME + remote\-retry\-delay: INT socket\-affinity: BOOL udp\-max\-payload: SIZE udp\-max\-payload\-ipv4: SIZE @@ -809,7 +809,7 @@ Time in seconds, after which any idle connection is forcibly closed. .SS tcp\-resend\-timeout .sp Resend outgoing data packets (with DNS response payload) if not ACKed -before this timeout. +before this timeout (in seconds). .sp \fIMinimum:\fP \fB1\fP .sp @@ -859,6 +859,7 @@ Configuration of the server control interface. .ft C control: listen: STR + backlog: INT timeout: TIME .ft P .fi @@ -869,7 +870,16 @@ control: A UNIX socket \fI\%path\fP where the server listens for control commands. .sp +Change of this parameter requires restart of the Knot server to take effect. +.sp \fIDefault:\fP \fI\%rundir\fP\fB/knot.sock\fP +.SS backlog +.sp +The control UNIX socket listen backlog size. +.sp +Change of this parameter requires restart of the Knot server to take effect. +.sp +\fIDefault:\fP \fB5\fP .SS timeout .sp Maximum time (in seconds) the control socket operations can take. @@ -1436,8 +1446,9 @@ An ordered list of \fI\%references\fP to remote server definitions. .SH ACL SECTION .sp Access control list rule definitions. An ACL rule is a description of one -or more authorized operations (zone transfer request, zone change notification, -and dynamic DNS update) which are allowed to be processed or denied. +or more authorized actions (zone transfer request, zone change notification, +and dynamic DNS update) which are allowed to be processed or denied. Normal +DNS queries are always allowed. .INDENT 0.0 .INDENT 3.5 .sp @@ -1506,7 +1517,7 @@ This option cannot be specified along with the \fI\%address\fP or \fIDefault:\fP not set .SS action .sp -An ordered list of allowed (or denied) actions. +An ordered list of allowed, or denied, actions (request types). .sp Possible values: .INDENT 0.0 @@ -1626,8 +1637,8 @@ A DNSSEC\-validating resolver can be set as a parent. .UNINDENT .SS check\-interval .sp -Interval for periodic checks of DS presence on parent\(aqs DNS servers, in the -case of the KSK submission. +Interval (in seconds) for periodic checks of DS presence on parent\(aqs DNS +servers, in the case of the KSK submission. .sp \fIDefault:\fP \fB1h\fP (1 hour) .SS timeout @@ -1639,14 +1650,14 @@ Set to 0 for infinity. \fIDefault:\fP \fB0\fP .SS parent\-delay .sp -After successful parent DS check, wait for this period before continuing the next -key roll\-over step. This delay shall cover the propagation delay of update in the -parent zone. +After successful parent DS check, wait for this period (in seconds) before +continuing the next key roll\-over step. This delay shall cover the propagation +delay of update in the parent zone. .sp \fIDefault:\fP \fB0\fP .SH DNSKEY-SYNC SECTION .sp -Parameters of DNSKEY dynamic\-update synchrnization. +Parameters of DNSKEY dynamic\-update synchronization. .INDENT 0.0 .INDENT 3.5 .sp @@ -1673,7 +1684,7 @@ DNSKEY/CDNSKEY/CDS records shall be sent to. .SS check\-interval .sp If the last DNSKEY sync failed or resulted in any change, re\-check -the consistence after this interval and re\-try if needed. +the consistence after this interval (in seconds) and re\-try if needed. .sp \fIDefault:\fP \fB60\fP (1 minute) .SH POLICY SECTION @@ -1695,6 +1706,7 @@ policy: ksk\-shared: BOOL dnskey\-ttl: TIME zone\-max\-ttl: TIME + keytag\-modulo: INT/INT ksk\-lifetime: TIME zsk\-lifetime: TIME delete\-delay: TIME @@ -1844,9 +1856,26 @@ really reasonable when records are generated dynamically .UNINDENT .sp \fIDefault:\fP computed after zone is loaded +.SS keytag\-modulo +.sp +Specifies that the keytags of any generated keys shall be congruent by specified modulo. +The option value must be a string in the format \fBR/M\fP, where \fBR < M <= 256\fP are +positive integers. Whenever a DNSSEC key is generated, it is ensured +that \fBkeytag % M == R\fP\&. This prevents keytag conflict in \fI\%DNSSEC Offline KSK\fP +or \fI\%DNSSEC multi\-signer\fP (and possibly other) setups. +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +This only applies to newly generated keys when they are generated. Keys from +before this option and keys imported from elsewhere might not fulfill the policy. +.UNINDENT +.UNINDENT +.sp +\fIDefault:\fP \fB0/1\fP .SS ksk\-lifetime .sp -A period between KSK generation and the next rollover initiation. +A period (in seconds) between KSK generation and the next rollover initiation. .sp \fBNOTE:\fP .INDENT 0.0 @@ -1860,10 +1889,10 @@ This applies for CSK lifetime if single\-type\-signing is enabled. .UNINDENT .UNINDENT .sp -\fIDefault:\fP \fB0\fP +\fIDefault:\fP \fB0\fP (infinity) .SS zsk\-lifetime .sp -A period between ZSK activation and the next rollover initiation. +A period (in seconds) between ZSK activation and the next rollover initiation. .sp \fBNOTE:\fP .INDENT 0.0 @@ -1883,20 +1912,20 @@ Zero (aka infinity) value causes no ZSK rollover as a result. .SS delete\-delay .sp Once a key (KSK or ZSK) is rolled\-over and removed from the zone, -keep it in the KASP database for at least this period before deleting it completely. -This might be useful in some troubleshooting cases when resurrection +keep it in the KASP database for at least this period (in seconds) before deleting +it completely. This might be useful in some troubleshooting cases when resurrection is needed. .sp \fIDefault:\fP \fB0\fP .SS propagation\-delay .sp -An extra delay added for each key rollover step. This value should be high -enough to cover propagation of data from the primary server to all -secondary servers, as well as the duration of signing routine itself and -possible outages in signing and propagation infrastructure. In other words, -this delay should ensure that within this period of time after planned -change of the key set, all public\-facing secondaries will already serve -new DNSKEY RRSet for sure. +An extra delay added for each key rollover step. This value (in seconds) +should be high enough to cover propagation of data from the primary server +to all secondary servers, as well as the duration of signing routine itself +and possible outages in signing and propagation infrastructure. In other +words, this delay should ensure that within this period of time after +planned change of the key set, all public\-facing secondaries will already +serve new DNSKEY RRSet for sure. .sp \fBNOTE:\fP .INDENT 0.0 @@ -1908,7 +1937,7 @@ Has influence over ZSK key lifetime. \fIDefault:\fP \fB1h\fP (1 hour) .SS rrsig\-lifetime .sp -A validity period of newly issued signatures. +A validity period (in seconds) of newly issued signatures. .sp \fBNOTE:\fP .INDENT 0.0 @@ -1921,15 +1950,16 @@ time period is not counted to the signature lifetime. \fIDefault:\fP \fB14d\fP (14 days) .SS rrsig\-refresh .sp -A period how long at least before a signature expiration the signature will be refreshed, -in order to prevent expired RRSIGs on secondary servers or resolvers\(aq caches. +A period (in seconds) how long at least before a signature expiration the signature +will be refreshed, in order to prevent expired RRSIGs on secondary servers or +resolvers\(aq caches. .sp \fIDefault:\fP 0.1 * \fI\%rrsig\-lifetime\fP + \fI\%propagation\-delay\fP + \fI\%zone\-max\-ttl\fP .SS rrsig\-pre\-refresh .sp -A period how long at most before a signature refresh time the signature might be refreshed, -in order to refresh RRSIGs in bigger batches on a frequently updated zone -(avoid re\-sign event too often). +A period (in seconds) how long at most before a signature refresh time the signature +might be refreshed, in order to refresh RRSIGs in bigger batches on a frequently updated +zone (avoid re\-sign event too often). .sp \fIDefault:\fP \fB1h\fP (1 hour) .SS reproducible\-signing @@ -1972,7 +2002,7 @@ name before hashing. \fIDefault:\fP \fB8\fP .SS nsec3\-salt\-lifetime .sp -A validity period of newly issued salt field. +A validity period (in seconds) of newly issued salt field. .sp Zero value means infinity. .sp @@ -2308,6 +2338,7 @@ where DDD is corresponding decimal ASCII code. An ordered list of references \fI\%remote\fP and \fI\%remotes\fP to zone primary servers (formerly known as master servers). +Empty value is allowed for template value overriding. .sp \fIDefault:\fP not set .SS ddns\-master @@ -2326,6 +2357,7 @@ combination with \fI\%dnssec\-signing\fP enabled. An ordered list of references \fI\%remote\fP and \fI\%remotes\fP to secondary servers to which notify message is sent if the zone changes. +Empty value is allowed for template value overriding. .sp \fIDefault:\fP not set .SS acl @@ -2339,13 +2371,13 @@ or disallow zone transfers, updates or incoming notifies. If set to a nonzero value on a secondary, always request AXFR/IXFR from the same primary as the last time, effectively pinning one primary. Only when another primary is updated and the current one lags behind for the specified amount of time -(defined by this option), change to the updated primary and force AXFR. +(defined by this option in seconds), change to the updated primary and force AXFR. .sp This option is useful when multiple primaries may have different zone history in their journals, making it unsafe to combine interchanged IXFR from different primaries. .sp -\fIDefault:\fP 0 +\fIDefault:\fP \fB0\fP (disabled) .SS provide\-ixfr .sp If disabled, the server is forced to respond with AXFR to IXFR queries. @@ -2412,8 +2444,8 @@ query (malformed message) and triggers a zone bootstrap instead. \fIDefault:\fP \fBoff\fP .SS zonefile\-sync .sp -The time after which the current zone in memory will be synced with a zone file -on the disk (see \fI\%file\fP). The server will serve the latest +The time in seconds after which the current zone in memory will be synced with +a zone file on the disk (see \fI\%file\fP). The server will serve the latest zone even after a restart using zone journal, but the zone file on the disk will only be synced after \fBzonefile\-sync\fP time has expired (or after manual zone flush). This is applicable when the zone is updated via IXFR, DDNS or automatic @@ -2520,7 +2552,7 @@ Zone\-in\-journal changeset isn\(aqt counted to the limit. If enabled, incoming IXFR is applied even when it contains removals of non\-existing or additions of existing records. .sp -\fIDefault:\fP off +\fIDefault:\fP \fBoff\fP .SS ixfr\-by\-one .sp Within incoming IXFR, process only one changeset at a time, not multiple together. @@ -2615,7 +2647,7 @@ A configured policy called \(dqdefault\(dq won\(aqt be used unless explicitly re .SS ds\-push .sp Per zone configuration of \fI\%ds\-push\fP\&. This option overrides possible -per policy option. +per policy option. Empty value is allowed for template value overriding. .sp \fIDefault:\fP not set .SS zonemd\-verify @@ -2791,9 +2823,8 @@ has the \fIgroup\fP property defined, matching another catalog template. .INDENT 3.5 This option must be set if and only if \fI\%catalog\-role\fP is \fIinterpret\fP\&. .sp -Nested catalog zones aren\(aqt supported. Therefore catalog templates can\(aqt use -\fI\%catalog\-template\fP, \fI\%catalog\-role\fP, \fI\%catalog\-zone\fP, -and \fI\%catalog\-group\fP options. +Nested catalog zones aren\(aqt supported. Therefore catalog templates can\(aqt +contain \fI\%catalog\-role\fP set to \fBinterpret\fP or \fBgenerate\fP\&. .UNINDENT .UNINDENT .sp diff --git a/doc/man/knotc.8in b/doc/man/knotc.8in index 36e7c98..01bfc95 100644 --- a/doc/man/knotc.8in +++ b/doc/man/knotc.8in @@ -103,8 +103,8 @@ public key pin of the currently used certificate. Stop the server if running. .TP \fBreload\fP -Reload the server configuration and modified zone files. All open zone -transactions will be aborted! +Reload the server configuration and modified zone files, and reopen the log files +if they are configured. All open zone transactions will be aborted! .TP \fBstats\fP [\fImodule\fP[\fB\&.\fP\fIcounter\fP]] Show global statistics counter(s). To print also counters with value 0, use @@ -165,13 +165,15 @@ zone\(aqs journal, zone\-related timers, zone\-related data in the KASP database together with keys (or keys without the KASP database), zone\(aqs catalog, and the server QUIC key and certificate, respectively, are backed up, or omitted from the backup. By default, filters \fB+zonefile\fP, \fB+timers\fP, -\fB+kaspdb\fP, \fB+nokeysonly\fP, \fB+catalog\fP, \fB+quic\fP, and \fB+nojournal\fP +\fB+kaspdb\fP, \fB+catalog\fP, \fB+quic\fP, \fB+nojournal\fP, and \fB+nokeysonly\fP are set for backup. The same defaults are set for restore, with the only -difference being \fB+noquic\fP\&. Setting a filter for an item doesn\(aqt change -default settings for other items. If zone flushing is disabled, the original -zone file is backed up instead of writing out zone contents to a file. -When backing\-up a catalog zone, it is recommended to prevent ongoing changes -to it by use of \fBzone\-freeze\fP\&. +difference being \fB+noquic\fP\&. Setting a filter for an item doesn\(aqt change the +default settings for other items. The only exception is \fB+keysonly\fP, which +disables all other filters by default, but they can still be turned on +explicitly. If zone flushing is disabled, the original zone file is backed +up instead of writing out zone contents to a file. When backing\-up a catalog +zone, it is recommended to prevent ongoing changes to it by use of +\fBzone\-freeze\fP\&. See \fI\%Notes\fP below about the directory permissions. (#) .TP \fBzone\-restore\fP [\fIzone\fP\&...] \fB+backupdir\fP \fIdirectory\fP [\fIfilter\fP\&...] @@ -271,8 +273,8 @@ An optional filter \fB+nopurge\fP prevents possibly existing configuration database from purging before the import itself. Also ensure the server is not using the configuration database at the same time! (*) .TP -\fBconf\-export\fP [\fIfilename\fP] -Export the configuration database into a config file or stdout. (*) +\fBconf\-export\fP [\fIfilename\fP] [+schema] +Export the configuration database (or JSON schema) into a file or stdout. (*) .TP \fBconf\-list\fP [\fIitem\fP] List the configuration database sections or section items. diff --git a/doc/man/kxdpgun.8in b/doc/man/kxdpgun.8in index 243f4f4..f93872b 100644 --- a/doc/man/kxdpgun.8in +++ b/doc/man/kxdpgun.8in @@ -32,7 +32,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] kxdpgun \- XDP-powered DNS benchmarking tool .SH SYNOPSIS .sp -\fBkxdpgun\fP [\fIoptions\fP] \fB\-i\fP \fIfilename\fP \fItarget_IP\fP +\fBkxdpgun\fP [\fIoptions\fP] \fB\-i\fP \fIfilename\fP \fItarget\fP .SH DESCRIPTION .sp Powerful generator of DNS traffic, sending and receiving packets through XDP. @@ -50,8 +50,8 @@ configured for the network interface. \fIfilename\fP Path to the queries file. See the description below regarding the file format. .TP -\fItarget_IP\fP -The IPv4 or IPv6 address of remote destination. +\fItarget\fP +Either the domain name, IPv4 or IPv6 address of a remote target. .UNINDENT .SS Options .INDENT 0.0 diff --git a/doc/man_knotc.rst b/doc/man_knotc.rst index f9a5509..d03bc77 100644 --- a/doc/man_knotc.rst +++ b/doc/man_knotc.rst @@ -80,8 +80,8 @@ Actions Stop the server if running. **reload** - Reload the server configuration and modified zone files. All open zone - transactions will be aborted! + Reload the server configuration and modified zone files, and reopen the log files + if they are configured. All open zone transactions will be aborted! **stats** [*module*\ [\ **.**\ *counter*\ ]] Show global statistics counter(s). To print also counters with value 0, use @@ -142,13 +142,15 @@ Actions together with keys (or keys without the KASP database), zone's catalog, and the server QUIC key and certificate, respectively, are backed up, or omitted from the backup. By default, filters **+zonefile**, **+timers**, - **+kaspdb**, **+nokeysonly**, **+catalog**, **+quic**, and **+nojournal** + **+kaspdb**, **+catalog**, **+quic**, **+nojournal**, and **+nokeysonly** are set for backup. The same defaults are set for restore, with the only - difference being **+noquic**. Setting a filter for an item doesn't change - default settings for other items. If zone flushing is disabled, the original - zone file is backed up instead of writing out zone contents to a file. - When backing-up a catalog zone, it is recommended to prevent ongoing changes - to it by use of **zone-freeze**. + difference being **+noquic**. Setting a filter for an item doesn't change the + default settings for other items. The only exception is **+keysonly**, which + disables all other filters by default, but they can still be turned on + explicitly. If zone flushing is disabled, the original zone file is backed + up instead of writing out zone contents to a file. When backing-up a catalog + zone, it is recommended to prevent ongoing changes to it by use of + **zone-freeze**. See :ref:`Notes<notes>` below about the directory permissions. (#) **zone-restore** [*zone*...] **+backupdir** *directory* [*filter*...] @@ -248,8 +250,8 @@ Actions database from purging before the import itself. Also ensure the server is not using the configuration database at the same time! (*) -**conf-export** [*filename*] - Export the configuration database into a config file or stdout. (*) +**conf-export** [*filename*] [+schema] + Export the configuration database (or JSON schema) into a file or stdout. (*) **conf-list** [*item*] List the configuration database sections or section items. diff --git a/doc/man_kxdpgun.rst b/doc/man_kxdpgun.rst index 4664a1e..28713ba 100644 --- a/doc/man_kxdpgun.rst +++ b/doc/man_kxdpgun.rst @@ -6,7 +6,7 @@ Synopsis -------- -:program:`kxdpgun` [*options*] **-i** *filename* *target_IP* +:program:`kxdpgun` [*options*] **-i** *filename* *target* Description ----------- @@ -27,8 +27,8 @@ Parameters *filename* Path to the queries file. See the description below regarding the file format. -*target_IP* - The IPv4 or IPv6 address of remote destination. +*target* + Either the domain name, IPv4 or IPv6 address of a remote target. Options ....... |