Diffstat (limited to 'doc/man')
-rw-r--r-- doc/man/knot.conf.5in  | 20 ++++++++++++++++----
-rw-r--r-- doc/man/kzonecheck.1in |  3 +++
2 files changed, 19 insertions, 4 deletions
diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5in index 72f0a4a..a951b7c 100644 --- a/doc/man/knot.conf.5in +++ b/doc/man/knot.conf.5in @@ -67,9 +67,10 @@ the following symbols: .UNINDENT .sp The configuration consists of several fixed sections and optional module -sections. There are 16 fixed sections (\fBmodule\fP, \fBserver\fP, \fBxdp\fP, \fBcontrol\fP, +sections. There are 17 fixed sections (\fBmodule\fP, \fBserver\fP, \fBxdp\fP, \fBcontrol\fP, \fBlog\fP, \fBstatistics\fP, \fBdatabase\fP, \fBkeystore\fP, \fBkey\fP, \fBremote\fP, -\fBremotes\fP, \fBacl\fP, \fBsubmission\fP, \fBpolicy\fP, \fBtemplate\fP, \fBzone\fP). +\fBremotes\fP, \fBacl\fP, \fBsubmission\fP, \fBdnskey\-sync\fP, \fBpolicy\fP, \fBtemplate\fP, +\fBzone\fP). Module sections are prefixed with the \fBmod\-\fP prefix (e.g. \fBmod\-stats\fP). .sp Most of the sections (e.g. \fBzone\fP) are sequences of settings blocks. Each @@ -964,7 +965,7 @@ Minimum severity level for messages related to QUIC to be logged. Minimum severity level for all message types, except \fBquic\fP, to be logged. .sp \fIDefault:\fP not set -.SH STATS SECTION +.SH STATISTICS SECTION .sp Periodic server statistics dumping. .INDENT 0.0 @@ -1871,7 +1872,8 @@ More exactly, this period is measured since a ZSK is activated, and after this, a new ZSK is generated to replace it within following roll\-over. .sp -ZSK key lifetime is also influenced by propagation\-delay and dnskey\-ttl +As a consequence, in normal operation, this results in the period +of ZSK generation being \fIzsk\-lifetime + propagation\-delay + dnskey_ttl\fP\&. .sp Zero (aka infinity) value causes no ZSK rollover as a result. .UNINDENT 
@@ -2032,6 +2034,14 @@ Module \fI\%Onlinesign\fP doesn\(aqt support DS push. .UNINDENT .UNINDENT .sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 +When turning this feature on while a KSK roll\-over is already running, it might +not take effect for the already\-running roll\-over. +.UNINDENT +.UNINDENT +.sp \fIDefault:\fP not set .SS dnskey\-sync .sp @@ -2567,6 +2577,8 @@ List of DNSSEC checks: .IP \(bu 2 Every zone RRSet is correctly signed by at least one present DNSKEY. .IP \(bu 2 +For every RRSIG there are at most 3 non\-matching DNSKEYs with the same keytag. +.IP \(bu 2 DNSKEY RRSet is signed by KSK. .IP \(bu 2 NSEC(3) RR exists for each name (unless opt\-out) with correct bitmap. diff --git a/doc/man/kzonecheck.1in b/doc/man/kzonecheck.1in index 380c41f..a73b66e 100644 --- a/doc/man/kzonecheck.1in +++ b/doc/man/kzonecheck.1in @@ -59,6 +59,9 @@ Zone origin. If not specified, the origin is determined from the file name Also check DNSSEC\-related records. The default is to decide based on the existence of a RRSIG for SOA. .TP +\fB\-z\fP, \fB\-\-zonemd\fP +Also check the zone hash against a ZONEMD record, which is required to exist. +.TP \fB\-t\fP, \fB\-\-time\fP \fItime\fP Current time specification. Use UNIX timestamp, YYYYMMDDHHmmSS format, or [+/\-]\fItime\fP[unit] format, where unit can be \fBY\fP, \fBM\fP, |
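Review bot: in the knot.conf.5in hunk at @@ -964 the heading rename from "STATS SECTION" to "STATISTICS SECTION" makes the heading match the section keyword \fBstatistics\fP listed in the fixed-section enumeration at @@ -67; please also grep the rest of the man page (and any HTML/RST source it is generated from) for remaining references to "STATS SECTION" so that cross-references do not dangle after the rename.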
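Review bot: in the knot.conf.5in hunk at @@ -1871 the added formula mixes naming styles: \fIzsk\-lifetime + propagation\-delay + dnskey_ttl\fP uses an underscore for the last term, while the option is spelled \fBdnskey\-ttl\fP everywhere else on this page (including the line being removed). Suggest \fIzsk\-lifetime + propagation\-delay + dnskey\-ttl\fP. The sentence itself is also wordier than it needs to be; "As a consequence, in normal operation a new ZSK is generated every \fIzsk\-lifetime + propagation\-delay + dnskey\-ttl\fP." says the same thing more directly.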
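Review bot: in the knot.conf.5in hunk at @@ -2032 the new NOTE says "When turning this feature on", but once rendered the note sits after a multi-level list and the reader may not know which option "this feature" refers to. Please name the option explicitly in the note (the surrounding context mentions DS push, so presumably that option), e.g. "When enabling DS push while a KSK roll\-over is already running, ...", so the caveat is unambiguous on its own.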
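Review bot: in the knot.conf.5in hunk at @@ -2567 the new check "For every RRSIG there are at most 3 non\-matching DNSKEYs with the same keytag." is hard to parse: it is not clear whether "non\-matching" means keys that fail to verify the signature or keys that merely do not correspond to it, nor whether exceeding the limit is a hard error or a warning. Suggest wording such as "For every RRSIG, at most 3 DNSKEYs that share its key tag fail to verify it." and stating the severity. Also consider "key tag" (two words) for consistency with the DNSSEC RFC terminology.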
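Review bot: in the kzonecheck.1in hunk at @@ -59 the new \fB\-z\fP, \fB\-\-zonemd\fP text "which is required to exist" leaves the failure mode implicit; please say directly what happens when no ZONEMD record is present (presumably the check fails). Also, RFC 8976 calls the value a zone digest rather than a hash, so "Also check the zone digest against the ZONEMD record; the check fails if the zone has no ZONEMD record." would be clearer.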