Commit 4e061863 authored by Daniel Salzman

doc: update migration, fix knotc command names

parent d36c1b88
......@@ -30,16 +30,16 @@ server configuration:
$ rndc freeze example.com
2. Copy the fresh zone file into the zones storage directory of Knot
DNS. Its default location is ``/var/lib/knot``.
2. Copy the fresh zone file into the zones :ref:`storage<zone_storage>`
directory of Knot DNS.
3. Initialize DNSSEC KASP database (default location is ``/var/lib/knot/keys``
and create a dedicated signing policy for the imported zones with manual
key management::
3. Import all existing zone keys into the KASP database. Make sure that all
the keys were imported correctly::
$ cd /var/lib/knot/keys
$ keymgr init
$ keymgr policy add bind manual true
$ keymgr zone key import example.com path/to/Kexample.com.+013+11111
$ keymgr zone key import example.com path/to/Kexample.com.+013+22222
$ ...
$ keymgr zone key list example.com
.. NOTE::
The server can be run under a dedicated user account, usually ``knot``.
......@@ -49,30 +49,4 @@ server configuration:
$ sudo -u knot keymgr ...
4. For each imported zone, create an entry in the KASP database and import
all existing keys. Make sure that all keys were configured correctly::
$ keymgr zone add example.com policy bind
$ keymgr zone key import example.com path/to/Kexample.com.+013+11111
$ keymgr zone key import example.com path/to/Kexample.com.+013+22222
$ ...
$ keymgr zone key list example.com
5. Add the zone into the Knot DNS configuration. Zone configuration must
include correct zone file path (option :ref:`file<zone_file>`) and KASP
database location (option :ref:`kasp-db<zone_kasp-db>`). You can follow
this configuration file snippet::
zone:
- domain: example.com
storage: /var/lib/knot
kasp-db: /var/lib/knot/keys
file: example.com.zone
dnssec-signing: on
6. Start Knot DNS and check the log files to verify that everything went right.
7. Optionally, review the used KASP policy and enable automatic key management::
$ keymgr policy set bind manual false
$ sudo knotc reload
4. Follow :ref:`Automatic DNSSEC signing` steps to configure DNSSEC signing.
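Review bot: collapsing steps 4 to 7 into a single pointer to :ref:`Automatic DNSSEC signing` drops the explicit statement of what happens to the keys imported in step 3. The removed text put the imported zone under a `manual` policy and made automatic key management an opt-in final step (`keymgr policy set bind manual false`); the new step 4 sends the reader straight to automatic signing without saying whether the referenced procedure will start rolling the imported keys. One sentence in step 4 stating how the imported keys are treated under the policy configured there (and where to look if manual management is wanted) would close that gap. Also please confirm that a `.. _Automatic DNSSEC signing:` label exists for this `:ref:` target, in the same style as the `.. _Controlling running daemon:` label used elsewhere in this file, otherwise the build will emit an unresolved-reference warning.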
......@@ -212,15 +212,15 @@ command has the same syntax as ```zone-read```.
Within the transaction, you can add a record to a specific zone or to all
zones with an open transaction::
$ knotc zone-add example.com ns1 3600 A 192.168.0.1
$ knotc zone-add -- ns1 3600 A 192.168.0.1
$ knotc zone-set example.com ns1 3600 A 192.168.0.1
$ knotc zone-set -- ns1 3600 A 192.168.0.1
To remove all records with a specific owner, or a specific rrset, or a
specific record data::
$ knotc zone-remove example.com ns1
$ knotc zone-remove example.com ns1 A
$ knotc zone-remove example.com ns1 A 192.168.0.2
$ knotc zone-unset example.com ns1
$ knotc zone-unset example.com ns1 A
$ knotc zone-unset example.com ns1 A 192.168.0.2
To see the difference between the original zone and the current version::
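Review bot: the command renames (`zone-add` to `zone-set`, `zone-remove` to `zone-unset`) are applied only to the example lines, while the surrounding prose on the lines above still describes the operations as "add a record" and "remove all records"; naming the commands in the prose ("with ``zone-set`` you can add ...", "``zone-unset`` removes ...") keeps the text searchable for the new names. Two smaller points in the same hunk: the last `zone-unset` example removes the record data `192.168.0.2`, whereas the preceding `zone-set` examples only ever create `192.168.0.1`, so the sequence as written would be a no-op on that line; and the context line in the hunk header uses triple backticks around `zone-read`, which in reStructuredText is not a literal but a literal containing a stray backtick, so it should be the double-backtick form used for the other command names.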
......@@ -237,9 +237,9 @@ A full example of setting up a completely new zone from scratch::
$ knotc conf-set zone.domain example.com
$ knotc conf-commit
$ knotc zone-begin example.com
$ knotc zone-add example.com @ 7200 SOA ns hostmaster 1 86400 900 691200 3600
$ knotc zone-add example.com ns 3600 A 192.168.0.1
$ knotc zone-add example.com www 3600 A 192.168.0.100
$ knotc zone-set example.com @ 7200 SOA ns hostmaster 1 86400 900 691200 3600
$ knotc zone-set example.com ns 3600 A 192.168.0.1
$ knotc zone-set example.com www 3600 A 192.168.0.100
$ knotc zone-commit example.com
.. _Controlling running daemon:
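Review bot: the "from scratch" example still never creates an apex NS record. It sets the SOA, an A record for `ns` and an A record for `www`, then commits; the resulting zone has no NS RRset at `example.com`, which is required for a valid zone and is exactly the kind of semantic error a reader copying this example will hit. Since the hunk is already touching these lines for the `zone-set` rename, adding a line such as `$ knotc zone-set example.com @ 3600 NS ns` before the `zone-commit` would make the example produce a loadable zone.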