Diffstat (limited to 'doc/operation.rst')
-rw-r--r-- | doc/operation.rst | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/doc/operation.rst b/doc/operation.rst index 43e13ff..5754147 100644 --- a/doc/operation.rst +++ b/doc/operation.rst @@ -831,6 +831,7 @@ For the ZSK side (i.e. the operator of the DNS server), the zone has to be confi - Enabled :ref:`policy_offline-ksk` - Explicit :ref:`policy_dnskey-ttl` - Explicit :ref:`policy_zone-max-ttl` + - Recommended :ref:`policy_keytag-modulo` setting to ``0/2`` to prevent keytag conflicts - Other options are optional - KASP DB may contain a ZSK (the present or some previous one(s)) @@ -841,6 +842,7 @@ For the KSK side (i.e. the operator of the KSK signer), the zone has to be confi - Enabled :ref:`policy_manual` - Enabled :ref:`policy_offline-ksk` - Explicit :ref:`policy_rrsig-refresh` + - Recommended :ref:`policy_keytag-modulo` setting to ``1/2`` to prevent keytag conflicts - Optional :ref:`policy_rrsig-lifetime`, :ref:`policy_rrsig-pre-refresh`, :ref:`policy_algorithm`, :ref:`policy_reproducible-signing`, and :ref:`policy_cds-cdnskey-publish` @@ -957,7 +959,6 @@ within an organization. For multi-signer operations involving multiple "DNSSEC providers" and the ability to switch between them, you can also refer to `MUSIC <https://github.com/DNSSEC-Provisioning/music>`_. - Regardless of the chosen mode from the following options, any secondary that has multiple signers configured as primaries must prevent interchanged IXFR from them. This can be achieved either by setting :ref:`master pinning <zone_master-pin-tolerance>` on every secondary or 
@@ -965,6 +966,11 @@ by setting distinct :ref:`zone_serial-modulo` on each signer. It is recommended both approaches. Alternatively, if any of the secondaries is not Knot DNS, :ref:`zone_provide-ixfr` can be disabled on the signers. +In order to prevent keytag conflicts, it is recommended that the keytags of keys +generated by each signer are from distinct subset of possible values. With Knot DNS, this +can be achieved using :ref:`policy_keytag-modulo` option (e.g. for three signers, setting +``0/3`` on the first one, ``1/3`` on the second, and ``2/3`` on the third of them). + Sharing private keys, manual policy ----------------------------------- @@ -1170,6 +1176,21 @@ If you want to refresh the secondary zones, you can do this with:: $ knotc zone-refresh +.. _Logging: + +Logging +======= + +Knot DNS supports :ref:`logging<log section>` to ``syslog`` or ``systemd-journald`` +facility, to a specified file, to standard output, or to standard error output. +Several different logging targets may be used in parallel. + +If ``syslog`` or ``systemd-journald`` is used for logging, log rotation is handled +by that logging facility. When logging to a specified file, log rotation should +be done by moving the current log file followed by reopening of the log file with +either ``knotc -b reload`` or by sending ``SIGHUP`` to the ``knotd`` process (see the +:ref:`server_pidfile`). + .. _Data and metadata backup: Data and metadata backup |
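Review bot: In the first hunk (ZSK side, `@@ -831`), the new bullet "Recommended :ref:`policy_keytag-modulo` setting to ``0/2`` to prevent keytag conflicts" reads awkwardly and leaves the pairing implicit; since the ZSK operator and the KSK operator generate keys independently in offline-KSK mode, the text should say that the two sides must pick complementary values, e.g. "Recommended :ref:`policy_keytag-modulo` set to ``0/2`` (with ``1/2`` on the KSK side) to avoid keytag conflicts". The same wording fix applies to the mirrored bullet in the second hunk (`@@ -841`).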
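Review bot: In the multi-signer hunk (`@@ -965`), "are from distinct subset of possible values" should be "come from distinct subsets of the possible values", and "using :ref:`policy_keytag-modulo` option" needs the article: "using the :ref:`policy_keytag-modulo` option". The three-signer example (``0/3``, ``1/3``, ``2/3``) is clear, but it is worth stating explicitly that every signer must use the same divisor and a different remainder, otherwise the subsets overlap and the conflict the paragraph wants to avoid can still occur.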
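Review bot: In the new Logging section (`@@ -1170`), the rotation procedure omits a caveat that operators hit in practice: after the log file is moved, ``knotd`` keeps writing to the moved file until it reopens the log, so the reopen (``knotc -b reload`` or ``SIGHUP``) must be triggered immediately after the move by the rotation tooling, and copy-and-truncate style rotation should not be used. Minor wording: "to ``syslog`` or ``systemd-journald`` facility" should be "to the ``syslog`` or ``systemd-journald`` facility", and "(see the :ref:`server_pidfile`)" reads better as "(see :ref:`server_pidfile` for the PID file location)".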