From 07978ec28369b472f255fd7dde9085f42509e153 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 13 Apr 2024 10:02:36 +0200 Subject: Adding upstream version 3.3.5. Signed-off-by: Daniel Baumann --- doc/reference.rst | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) (limited to 'doc/reference.rst') diff --git a/doc/reference.rst b/doc/reference.rst index ad4feb9..45574dc 100644 --- a/doc/reference.rst +++ b/doc/reference.rst @@ -32,9 +32,10 @@ the following symbols: - ``|`` – Choice The configuration consists of several fixed sections and optional module -sections. There are 16 fixed sections (``module``, ``server``, ``xdp``, ``control``, +sections. There are 17 fixed sections (``module``, ``server``, ``xdp``, ``control``, ``log``, ``statistics``, ``database``, ``keystore``, ``key``, ``remote``, -``remotes``, ``acl``, ``submission``, ``policy``, ``template``, ``zone``). +``remotes``, ``acl``, ``submission``, ``dnskey-sync``, ``policy``, ``template``, +``zone``). Module sections are prefixed with the ``mod-`` prefix (e.g. ``mod-stats``). Most of the sections (e.g. ``zone``) are sequences of settings blocks. Each @@ -1045,8 +1046,8 @@ Minimum severity level for all message types, except ``quic``, to be logged. .. _stats section: -``stats`` section -================= +``statistics`` section +====================== Periodic server statistics dumping. @@ -2039,7 +2040,8 @@ A period between ZSK activation and the next rollover initiation. and after this, a new ZSK is generated to replace it within following roll-over. - ZSK key lifetime is also influenced by propagation-delay and dnskey-ttl + As a consequence, in normal operation, this results in the period + of ZSK generation being `zsk-lifetime + propagation-delay + dnskey_ttl`. Zero (aka infinity) value causes no ZSK rollover as a result. @@ -2226,6 +2228,10 @@ It's possible to manage both child and parent zones by the same Knot DNS server. .. NOTE:: Module :ref:`Onlinesign` doesn't support DS push. +.. NOTE:: + When turning this feature on while a KSK roll-over is already running, it might + not take effect for the already-running roll-over. + *Default:* not set .. _policy_dnskey-sync: @@ -2780,6 +2786,7 @@ is cancelled with an error, and either none or previous zone state is published. List of DNSSEC checks: - Every zone RRSet is correctly signed by at least one present DNSKEY. +- For every RRSIG there are at most 3 non-matching DNSKEYs with the same keytag. - DNSKEY RRSet is signed by KSK. - NSEC(3) RR exists for each name (unless opt-out) with correct bitmap. - Every NSEC(3) RR is linked to the lexicographically next one. -- cgit v1.2.3