path: root/doc/reference.rst
Diffstat (limited to 'doc/reference.rst')
-rw-r--r--doc/reference.rst17
1 files changed, 12 insertions, 5 deletions
diff --git a/doc/reference.rst b/doc/reference.rst
index ad4feb9..45574dc 100644
--- a/doc/reference.rst
+++ b/doc/reference.rst
@@ -32,9 +32,10 @@ the following symbols:
- ``|`` – Choice
The configuration consists of several fixed sections and optional module
-sections. There are 16 fixed sections (``module``, ``server``, ``xdp``, ``control``,
+sections. There are 17 fixed sections (``module``, ``server``, ``xdp``, ``control``,
``log``, ``statistics``, ``database``, ``keystore``, ``key``, ``remote``,
-``remotes``, ``acl``, ``submission``, ``policy``, ``template``, ``zone``).
+``remotes``, ``acl``, ``submission``, ``dnskey-sync``, ``policy``, ``template``,
+``zone``).
Module sections are prefixed with the ``mod-`` prefix (e.g. ``mod-stats``).
Most of the sections (e.g. ``zone``) are sequences of settings blocks. Each
@@ -1045,8 +1046,8 @@ Minimum severity level for all message types, except ``quic``, to be logged.
.. _stats section:
-``stats`` section
-=================
+``statistics`` section
+======================
Periodic server statistics dumping.
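Review bot: the heading is renamed from ``stats`` to ``statistics``, but the label on the line above it is left as ``.. _stats section:``, so the anchor name and the heading text no longer agree. Consider renaming the label to ``.. _statistics section:`` and updating every ``:ref:`stats section``` use in the same change, so readers and future editors are not left with a label that names a section that no longer exists.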
@@ -2039,7 +2040,8 @@ A period between ZSK activation and the next rollover initiation.
and after this, a new ZSK is generated to replace it within
following roll-over.
- ZSK key lifetime is also influenced by propagation-delay and dnskey-ttl
+ As a consequence, in normal operation, this results in the period
+ of ZSK generation being `zsk-lifetime + propagation-delay + dnskey_ttl`.
Zero (aka infinity) value causes no ZSK rollover as a result.
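Review bot: the option names in the added formula are inconsistent with the surrounding text: ``dnskey_ttl`` uses an underscore, while the removed line and the rest of the document spell the option ``dnskey-ttl``. The formula is also wrapped in single backticks, which reST renders as interpreted text rather than a literal, whereas the document uses double backticks for option names. Suggest ``zsk-lifetime + propagation-delay + dnskey-ttl`` with double backticks, so the three identifiers can be matched against their own sections.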
@@ -2226,6 +2228,10 @@ It's possible to manage both child and parent zones by the same Knot DNS server.
.. NOTE::
Module :ref:`Onlinesign<mod-onlinesign>` doesn't support DS push.
+.. NOTE::
+ When turning this feature on while a KSK roll-over is already running, it might
+ not take effect for the already-running roll-over.
+
*Default:* not set
.. _policy_dnskey-sync:
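Review bot: the added note is too vague to act on: "this feature" does not name the option being documented, and "might not take effect" leaves the operator unsure whether the running KSK roll-over will use the new setting or not. Please state definitively what happens to a roll-over that is already in progress when the option is enabled (and, if it is simply not applied, that the next roll-over will use it), and name the option explicitly so the note still reads correctly if it is moved or quoted.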
@@ -2780,6 +2786,7 @@ is cancelled with an error, and either none or previous zone state is published.
List of DNSSEC checks:
- Every zone RRSet is correctly signed by at least one present DNSKEY.
+- For every RRSIG there are at most 3 non-matching DNSKEYs with the same keytag.
- DNSKEY RRSet is signed by KSK.
- NSEC(3) RR exists for each name (unless opt-out) with correct bitmap.
- Every NSEC(3) RR is linked to the lexicographically next one.
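Review bot: the new list item "at most 3 non-matching DNSKEYs with the same keytag" is ambiguous about what "non-matching" means and about the consequence of exceeding the limit. Since the list introduction says a failed check cancels the operation with an error, the item should say what is counted and what happens, e.g. "For every RRSIG, at most 3 DNSKEYs sharing the RRSIG's key tag may fail to verify the signature; more than that is reported as an error." Also use "key tag" consistently with the rest of the document rather than "keytag".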