Commit 6681f86e authored by Daniel Salzman

doc: update dnssec configuration

parent 5c0d3db5
......@@ -59,13 +59,45 @@ a name must be unique amongst the other names.
.SS Global options
.INDENT 0.0
.TP
\fB\-\-dir\fP \fIpath\fP
The location of the KASP database to work with. Defaults to current working
directory or \fBKEYMGR_DIR\fP environment variable (if set).
\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
Use a textual configuration file to get KASP database location (default is
\fB@config_dir@/knot.conf\fP).
.TP
\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
Use a binary configuration database directory to get KASP database location
(default is \fB@storage_dir@/confdb\fP).
The default configuration database, if exists, has a preference to the default
configuration file.
.TP
\fB\-d\fP, \fB\-\-dir\fP \fIpath\fP
Use a specified KASP database path to work with. Defaults to current working
directory (if no configuration is used) or \fBKEYMGR_DIR\fP environment
variable (if set). This option also overides \fB\-\-config\fP and \fB\-\-confdb\fP
options.
.TP
\fB\-h\fP, \fB\-\-help\fP
Print the program help.
.TP
\fB\-l\fP, \fB\-\-legacy\fP
Enable legacy mode. Zone, policy, and keystore configuration is stored
in KASP database (not in server configuration).
.TP
\fB\-V\fP, \fB\-\-version\fP
Print the program version.
.UNINDENT
.SS Main commands
.INDENT 0.0
.TP
\fBtsig\fP ...
Operations with TSIG keys.
.TP
\fBzone\fP ...
Operations with zones in the database. A zone holds assigned signing
configuration and signing metadata.
.UNINDENT
.SS Main commands (legacy)
.INDENT 0.0
.TP
\fBinit\fP
Initialize new KASP database or upgrade existing one. The command is
idempotent and therefore it is safe to be run multiple times.
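Review bot: Typo in the \fB\-d\fP, \fB\-\-dir\fP entry: "overides" should be "overrides". The \fB\-\-confdb\fP sentence "The default configuration database, if exists, has a preference to the default configuration file." reads awkwardly; suggest "If the default configuration database exists, it takes precedence over the default configuration file." Since \fB\-\-dir\fP now overrides both \fB\-\-config\fP and \fB\-\-confdb\fP, it would also help to state the full lookup order in one place: the text leaves unclear whether \fBKEYMGR_DIR\fP is consulted when a configuration file or database is present.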
......@@ -74,10 +106,6 @@ The command creates a default policy and default key store (both named
\fIdefault\fP). In case of upgrade, existing objects are checked and any missing
attributes are filled in.
.TP
\fBzone\fP ...
Operations with zones in the database. A zone holds assigned signing
configuration and signing metadata.
.TP
\fBpolicy\fP ...
Operations with KASP policies. A policy holds parameters that define the
way how a zone is signed.
......@@ -86,29 +114,23 @@ way how a zone is signed.
Operations with key stores configured for the KASP database. A private key
store holds private key material for zone signing separately from the zone
metadata.
.UNINDENT
.SS tsig commands
.INDENT 0.0
.TP
\fBtsig\fP ...
Operations with TSIG keys.
\fBtsig\fP \fBgenerate\fP \fIname\fP [\fBalgorithm\fP \fIid\fP] [\fBsize\fP \fIbits\fP]
Generate new TSIG key and print it on the standard output. The algorithm
defaults to \fIhmac\-sha256\fP\&. The default key size is determined optimally based
on the selected algorithm.
.sp
The generated key is printed out in the server configuration format to allow
direct inclusion into the server configuration. The first line of the output
contains a comment with the key in the one\-line key format accepted by client
utilities.
.UNINDENT
.SS zone commands
.INDENT 0.0
.TP
\fBzone\fP \fBadd\fP \fIzone\-name\fP [\fBpolicy\fP \fIpolicy\-name\fP]
Add a zone into the database. The policy defaults to \(aqdefault\(aq.
.TP
\fBzone\fP \fBlist\fP [\fIpattern\fP]
List zones in the database matching the \fIpattern\fP as a substring.
.TP
\fBzone\fP \fBremove\fP \fIzone\-name\fP [\fBforce\fP]
Remove a zone from the database. If some keys are currently active, the
\fBforce\fP argument must be specified.
.TP
\fBzone\fP \fBset\fP \fIzone\-name\fP [\fBpolicy\fP \fIpolicy\-name\fP]
Change zone configuration. At the moment, only a policy can be changed.
.TP
\fBzone\fP \fBshow\fP \fIzone\-name\fP
Show zone details.
.TP
\fBzone\fP \fBkey\fP \fBlist\fP \fIzone\-name\fP [\fBfilter\fP]
List key IDs and tags of zone keys.
.TP
......@@ -163,7 +185,26 @@ The \fItime\fP accepts YYYYMMDDHHMMSS format, unix timestamp, or offset from the
current time. For the offset, add \fB+\fP or \fB\-\fP prefix and optionally a
suffix \fBmi\fP, \fBh\fP, \fBd\fP, \fBw\fP, \fBmo\fP, or \fBy\fP\&. If no suffix is specified,
the offset is in seconds.
.SS policy commands
.SS zone commands (legacy)
.INDENT 0.0
.TP
\fBzone\fP \fBadd\fP \fIzone\-name\fP [\fBpolicy\fP \fIpolicy\-name\fP]
Add a zone into the database. The policy defaults to \(aqdefault\(aq.
.TP
\fBzone\fP \fBlist\fP [\fIpattern\fP]
List zones in the database matching the \fIpattern\fP as a substring.
.TP
\fBzone\fP \fBremove\fP \fIzone\-name\fP [\fBforce\fP]
Remove a zone from the database. If some keys are currently active, the
\fBforce\fP argument must be specified.
.TP
\fBzone\fP \fBset\fP \fIzone\-name\fP [\fBpolicy\fP \fIpolicy\-name\fP]
Change zone configuration. At the moment, only a policy can be changed.
.TP
\fBzone\fP \fBshow\fP \fIzone\-name\fP
Show zone details.
.UNINDENT
.SS policy commands (legacy)
.INDENT 0.0
.TP
\fBpolicy\fP \fBlist\fP
......@@ -236,7 +277,7 @@ Name of the key store to be used for private key material.
.UNINDENT
.UNINDENT
.UNINDENT
.SS keystore commands
.SS keystore commands (legacy)
.INDENT 0.0
.TP
\fBkeystore\fP \fBlist\fP
......@@ -276,126 +317,36 @@ the later case, the module is looked up in the default modules location.
.UNINDENT
.UNINDENT
.UNINDENT
.SS tsig commands
.INDENT 0.0
.TP
\fBtsig\fP \fBgenerate\fP \fIname\fP [\fBalgorithm\fP \fIid\fP] [\fBsize\fP \fIbits\fP]
Generate new TSIG key and print it on the standard output. The algorithm
defaults to \fIhmac\-sha256\fP\&. The default key size is determined optimally based
on the selected algorithm.
.sp
The generated key is printed out in the server configuration format to allow
direct inclusion into the server configuration. The first line of the output
contains a comment with the key in the one\-line key format accepted by client
utilities.
.UNINDENT
.SH EXAMPLES
.INDENT 0.0
.IP 1. 3
Initialize a new KASP database and add a zone \fIexample.com\fP with the
\fIdefault\fP policy assigned:
Generate two RSA\-SHA\-256 signing keys. The first key will be used as a KSK,
the second one as a ZSK:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr init
$ keymgr policy add default
$ keymgr zone add example.com policy default
$ keymgr zone key generate example.com algorithm rsasha256 size 2048 ksk
$ keymgr zone key generate example.com algorithm rsasha256 size 1024
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 2. 3
List zones containing \fI\&.com\fP substring:
Import a key in legacy format. The used algorithm must match with the one
configured in the policy:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr zone list .com
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 3. 3
Add a testing policy \fIlab\fP with rapid key rollovers. Apply the policy to an
existing zone:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr policy add lab rrsig\-lifetime 300 rrsig\-refresh 150 \e
zsk\-lifetime 600 delay 10
$ keymgr zone set example.com policy lab
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 4. 3
Add an existing and already secured zone. Let the keys be managed by the
KASP. Make sure to import all used keys. Also the used algorithm must match
with the one configured in the policy:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr zone add example.com policy default
$ keymgr zone key import example.com Kexample.com+010+12345.private
$ keymgr zone key import example.com Kexample.com+010+67890.private
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 5. 3
Disable automatic key management for a secured zone. For this purpose,
create a policy named \(aqmanual\(aq with otherwise default signing parameters:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr policy add manual manual true
$ keymgr zone set example.com policy manual
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 6. 3
Add a zone to be signed with manual key maintenance. Generate one ECDSA
signing key. The Single\-Type Signing scheme will be used:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr policy add manual manual true
$ keymgr zone add example.com policy manual
$ keymgr zone key gen example.com algo 13 size 256
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 7. 3
Add a zone to be signed with manual key maintenance. Generate two
RSA\-SHA\-256 signing keys. The first key will be used as a KSK, the second
one as a ZSK:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr policy add manual manual true
$ keymgr zone add example.com policy manual
$ keymgr zone key generate example.com algorithm rsasha256 size 2048 ksk
$ keymgr zone key generate example.com algorithm rsasha256 size 1024
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 8. 3
.IP 3. 3
Generate a TSIG key named \fIoperator.key\fP:
.INDENT 3.0
.INDENT 3.5
......@@ -407,23 +358,6 @@ $ keymgr tsig generate operator.key algorithm hmac\-sha512
.fi
.UNINDENT
.UNINDENT
.IP 9. 3
Add a new key store named \fIhsm\fP and backed by the SoftHSM PKCS #11 module,
then add a new policy named \fIsecure\fP with default parameters using this key
store, and finally add the zone \fIexample.com\fP which will use this policy:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr keystore add hsm backend pkcs11 \e
config "pkcs11:token=knot;pin\-value=1234 libsofthsm2.so"
$ keymgr policy add secure keystore hsm
$ keymgr zone add example.com policy secure
.ft P
.fi
.UNINDENT
.UNINDENT
.UNINDENT
.SH SEE ALSO
.sp
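Review bot: Example 1 generates the ZSK with `size 1024`; RSA-1024 is below current recommendations for DNSSEC signing keys, and documentation examples are copied verbatim, so suggest `size 2048` for both keys. The example also lost its introductory context: with zone, policy and keystore configuration now living in the server configuration, it should say that `example.com` must already be configured there (with `dnssec-signing` and a `dnssec-policy`) before `keymgr zone key generate` is run, otherwise the reader cannot tell why the former `keymgr zone add` step is gone. Example 2 imports a single key, while the removed text said "Make sure to import all used keys"; that sentence is still worth keeping, since the server can only sign with keys present in the KASP database.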
......
......@@ -66,10 +66,10 @@ the following symbols:
| – Choice
.UNINDENT
.sp
There are 8 main sections (\fBserver\fP, \fBkey\fP, \fBacl\fP, \fBcontrol\fP,
\fBremote\fP, \fBtemplate\fP, \fBzone\fP and \fBlog\fP) and module sections with the
\fBmod\-\fP prefix. The most of the sections (excluding \fBserver\fP and
\fBcontrol\fP) are sequences of settings blocks. Each settings block
There are 10 main sections (\fBserver\fP, \fBcontrol\fP, \fBlog\fP, \fBkeystore\fP,
\fBpolicy\fP, \fBkey\fP, \fBacl\fP, \fBremote\fP, \fBtemplate\fP, and \fBzone\fP) and
module sections with the \fBmod\-\fP prefix. Most of the sections (excluding
\fBserver\fP and \fBcontrol\fP) are sequences of settings blocks. Each settings block
begins with a unique identifier, which can be used as a reference from other
sections (such identifier must be defined in advance).
.sp
......@@ -427,6 +427,158 @@ A UNIX socket path where the server listens for control commands.
Maximum time the control socket operations can take. Set 0 for infinity.
.sp
\fIDefault:\fP 5
.SH KEYSTORE SECTION
.sp
DNSSEC keystore configuration.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
keystore:
\- id: STR
backend: pem | pkcs11
config: STR
.ft P
.fi
.UNINDENT
.UNINDENT
.SS id
.sp
A keystore identifier.
.SS backend
.sp
A key storage backend type. A directory with PEM files or a PKCS11 storage.
.sp
\fIDefault:\fP pem
.SS config
.sp
A backend specific configuration. A directory for PEM storage (the path can
be specified as a relative path to \fI\%kasp\-db\fP) or
a configuration string for PKCS11 storage.
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
A PKCS11 configuration can look like:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
"pkcs11:token=knot;pin\-value=1234 libsofthsm2.so"
.ft P
.fi
.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.sp
\fIDefault:\fP \fI\%kasp\-db\fP/keys
.SH POLICY SECTION
.sp
DNSSEC policy configuration.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
policy:
\- id: STR
keystore: STR
manual: BOOL
algorithm: dsa | rsasha1 | dsansec3sha1 | rsasha1nsec3sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384
ksk\-size: SIZE
zsk\-size: SIZE
dnskey\-ttl: TIME
zsk\-lifetime: TIME
rrsig\-lifetime: TIME
rrsig\-refresh: TIME
nsec3: BOOL
nsec3\-iterations: INT
nsec3\-salt\-length: INT
nsec3\-resalt: TIME
propagation\-delay: TIME
.ft P
.fi
.UNINDENT
.UNINDENT
.SS id
.sp
A policy identifier.
.SS keystore
.sp
A \fI\%reference\fP to a keystore holding private key material
for zones.
.sp
\fIDefault:\fP default
.SS manual
.sp
If enabled, automatic key management is not used.
.sp
\fIDefault:\fP off
.SS algorithm
.sp
An algorithm of signing keys and issued signatures.
.sp
\fIDefault:\fP ECDSA\-P256\-SHA256
.SS ksk\-size
.sp
A length of newly generated KSK keys.
.sp
\fIDefault:\fP 256 (algorithm dependent)
.SS zsk\-size
.sp
A length of newly generated ZSK keys.
.sp
\fIDefault:\fP 256 (algorithm dependent)
.SS dnskey\-ttl
.sp
A TTL value for DNSKEY records added into zone apex.
.sp
\fIDefault:\fP zone SOA TTL
.SS zsk\-lifetime
.sp
A period between ZSK publication and the next rollover initiation.
.sp
\fIDefault:\fP 30 days
.SS rrsig\-lifetime
.sp
A validity period of newly issued signatures.
.sp
\fIDefault:\fP 14 days
.SS rrsig\-refresh
.sp
A period how long before a signature expiration the signature will be refreshed.
.sp
\fIDefault:\fP 7 days
.SS nsec3
.sp
Specifies if NSEC3 will be used instead of NSEC.
.sp
\fIDefault:\fP off
.SS nsec3\-iterations
.sp
A number of additional times the hashing is performed.
.sp
\fIDefault:\fP 5
.SS nsec3\-salt\-length
.sp
A length of a salt field in octets, which is appended to the original owner
name before hashing.
.sp
\fIDefault:\fP 8
.SS nsec3\-resalt
.sp
A validity period of newly issued salt field.
.sp
\fIDefault:\fP 30 days
.SS propagation\-delay
.sp
An extra delay added for each key rollover step. This value should be high
enough to cover propagation of data from the master server to all slaves.
.sp
\fIDefault:\fP 1 day
.SH REMOTE SECTION
.sp
Definitions of remote servers for outgoing connections (source of a zone
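Review bot: The `algorithm` default is given as `ECDSA\-P256\-SHA256`, which matches none of the enumerated values (`ecdsap256sha256`); defaults elsewhere in these sections use the literal value (`pem`, `off`), so suggest `\fIDefault:\fP ecdsap256sha256`. The PKCS11 `config` example embeds the token PIN (`pin\-value=1234`) in the configuration string; since that string is stored in `knot.conf` or the confdb, the note should say that the configuration then holds the HSM PIN and must be readable only by the server user. Minor wording: `rrsig\-refresh` "A period how long before a signature expiration the signature will be refreshed." reads better as "How long before its expiration a signature is refreshed.", and `nsec3\-resalt` "A validity period of newly issued salt field." as "A validity period of a newly issued salt."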
......@@ -541,6 +693,7 @@ zone:
ixfr\-from\-differences: BOOL
max\-journal\-size: SIZE
dnssec\-signing: BOOL
dnssec\-policy: STR
kasp\-db: STR
request\-edns\-option: INT:[HEXSTR]
serial\-policy: increment | unixtime
......@@ -715,6 +868,11 @@ Cannot be enabled on a slave zone.
.UNINDENT
.sp
\fIDefault:\fP off
.SS dnssec\-policy
.sp
A \fI\%reference\fP to DNSSEC signing policy.
.sp
\fIDefault:\fP default
.SS kasp\-db
.sp
A KASP database path. Non absolute path is relative to
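Review bot: `dnssec\-policy` defaults to `default`, but nothing states what happens when no policy with that id is defined in the `policy` section; say whether the server falls back to built-in policy defaults or refuses to load the zone, since with `dnssec\-signing` enabled and a missing policy the difference matters. Grammar: "A reference to DNSSEC signing policy." should be "A reference to a DNSSEC signing policy."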
......
......@@ -36,13 +36,45 @@ a name must be unique amongst the other names.
Global options
..............
**--dir** *path*
The location of the KASP database to work with. Defaults to current working
directory or ``KEYMGR_DIR`` environment variable (if set).
**-c**, **--config** *file*
Use a textual configuration file to get KASP database location (default is
:file:`@config_dir@/knot.conf`).
**-C**, **--confdb** *directory*
Use a binary configuration database directory to get KASP database location
(default is :file:`@storage_dir@/confdb`).
The default configuration database, if exists, has a preference to the default
configuration file.
**-d**, **--dir** *path*
Use a specified KASP database path to work with. Defaults to current working
directory (if no configuration is used) or ``KEYMGR_DIR`` environment
variable (if set). This option also overides **--config** and **--confdb**
options.
**-h**, **--help**
Print the program help.
**-l**, **--legacy**
Enable legacy mode. Zone, policy, and keystore configuration is stored
in KASP database (not in server configuration).
**-V**, **--version**
Print the program version.
Main commands
.............
**tsig** ...
Operations with TSIG keys.
**zone** ...
Operations with zones in the database. A zone holds assigned signing
configuration and signing metadata.
Main commands (legacy)
......................
**init**
Initialize new KASP database or upgrade existing one. The command is
idempotent and therefore it is safe to be run multiple times.
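Review bot: Same typos as in the man page: "overides" should be "overrides" in the **-d**, **--dir** entry, and "if exists" should be "if it exists" in the **--confdb** entry.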
......@@ -51,10 +83,6 @@ Main commands
*default*). In case of upgrade, existing objects are checked and any missing
attributes are filled in.
**zone** ...
Operations with zones in the database. A zone holds assigned signing
configuration and signing metadata.
**policy** ...
Operations with KASP policies. A policy holds parameters that define the
way how a zone is signed.
......@@ -64,27 +92,21 @@ Main commands
store holds private key material for zone signing separately from the zone
metadata.
**tsig** ...
Operations with TSIG keys.
zone commands
tsig commands
.............
**zone** **add** *zone-name* [**policy** *policy-name*]
Add a zone into the database. The policy defaults to 'default'.
**zone** **list** [*pattern*]
List zones in the database matching the *pattern* as a substring.
**zone** **remove** *zone-name* [**force**]
Remove a zone from the database. If some keys are currently active, the
**force** argument must be specified.
**tsig** **generate** *name* [**algorithm** *id*] [**size** *bits*]
Generate new TSIG key and print it on the standard output. The algorithm
defaults to *hmac-sha256*. The default key size is determined optimally based
on the selected algorithm.
**zone** **set** *zone-name* [**policy** *policy-name*]
Change zone configuration. At the moment, only a policy can be changed.
The generated key is printed out in the server configuration format to allow
direct inclusion into the server configuration. The first line of the output
contains a comment with the key in the one-line key format accepted by client
utilities.
**zone** **show** *zone-name*
Show zone details.
zone commands
.............
**zone** **key** **list** *zone-name* [**filter**]
List key IDs and tags of zone keys.
......@@ -134,8 +156,27 @@ current time. For the offset, add **+** or **-** prefix and optionally a
suffix **mi**, **h**, **d**, **w**, **mo**, or **y**. If no suffix is specified,
the offset is in seconds.
policy commands
...............
zone commands (legacy)
......................
**zone** **add** *zone-name* [**policy** *policy-name*]
Add a zone into the database. The policy defaults to 'default'.
**zone** **list** [*pattern*]
List zones in the database matching the *pattern* as a substring.
**zone** **remove** *zone-name* [**force**]
Remove a zone from the database. If some keys are currently active, the
**force** argument must be specified.
**zone** **set** *zone-name* [**policy** *policy-name*]
Change zone configuration. At the moment, only a policy can be changed.
**zone** **show** *zone-name*
Show zone details.
policy commands (legacy)
........................
**policy** **list**
List policies in the database.
......@@ -201,8 +242,8 @@ Available *policy-parameter*\ s:
**keystore** *name*
Name of the key store to be used for private key material.
keystore commands
.................
keystore commands (legacy)
..........................
**keystore** **list**
List names of configured key stores.
......@@ -235,82 +276,23 @@ Supported key store backends:
The PKCS #11 module path can be an absolute path or just a module name. In
the later case, the module is looked up in the default modules location.
tsig commands
.............
**tsig** **generate** *name* [**algorithm** *id*] [**size** *bits*]
Generate new TSIG key and print it on the standard output. The algorithm
defaults to *hmac-sha256*. The default key size is determined optimally based
on the selected algorithm.
The generated key is printed out in the server configuration format to allow
direct inclusion into the server configuration. The first line of the output
contains a comment with the key in the one-line key format accepted by client
utilities.
Examples
--------
1. Initialize a new KASP database and add a zone *example.com* with the
*default* policy assigned::
$ keymgr init
$ keymgr policy add default
$ keymgr zone add example.com policy default
2. List zones containing *.com* substring::
$ keymgr zone list .com
3. Add a testing policy *lab* with rapid key rollovers. Apply the policy to an
existing zone::
$ keymgr policy add lab rrsig-lifetime 300 rrsig-refresh 150 \
zsk-lifetime 600 delay 10
$ keymgr zone set example.com policy lab
1. Generate two RSA-SHA-256 signing keys. The first key will be used as a KSK,
the second one as a ZSK::
4. Add an existing and already secured zone. Let the keys be managed by the
KASP. Make sure to import all used keys. Also the used algorithm must match
with the one configured in the policy::
$ keymgr zone add example.com policy default
$ keymgr zone key import example.com Kexample.com+010+12345.private
$ keymgr zone key import example.com Kexample.com+010+67890.private
5. Disable automatic key management for a secured zone. For this purpose,
create a policy named 'manual' with otherwise default signing parameters::
$ keymgr policy add manual manual true
$ keymgr zone set example.com policy manual
6. Add a zone to be signed with manual key maintenance. Generate one ECDSA
signing key. The Single-Type Signing scheme will be used::
$ keymgr policy add manual manual true
$ keymgr zone add example.com policy manual
$ keymgr zone key gen example.com algo 13 size 256
7. Add a zone to be signed with manual key maintenance. Generate two
RSA-SHA-256 signing keys. The first key will be used as a KSK, the second
one as a ZSK::
$ keymgr policy add manual manual true
$ keymgr zone add example.com policy manual
$ keymgr zone key generate example.com algorithm rsasha256 size 2048 ksk
$ keymgr zone key generate example.com algorithm rsasha256 size 1024
8. Generate a TSIG key named *operator.key*::
2. Import a key in legacy format. The used algorithm must match with the one
configured in the policy::
$ keymgr tsig generate operator.key algorithm hmac-sha512
$ keymgr zone key import example.com Kexample.com+010+12345.private
9. Add a new key store named *hsm* and backed by the SoftHSM PKCS #11 module,
then add a new policy named *secure* with default parameters using this key
store, and finally add the zone *example.com* which will use this policy::
3. Generate a TSIG key named *operator.key*::
$ keymgr keystore add hsm backend pkcs11 \
config "pkcs11:token=knot;pin-value=1234 libsofthsm2.so"
$ keymgr policy add secure keystore hsm
$ keymgr zone add example.com policy secure
$ keymgr tsig generate operator.key algorithm hmac-sha512
See Also
--------
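Review bot: Example 2 "Import a key in legacy format" is ambiguous: the file name `Kexample.com+010+12345.private` is a BIND-style private key file, while `--legacy` in this same change refers to the old KASP-database configuration mode; say "in BIND (`K*.private`) format" if that is what is meant, so readers do not confuse the two. Example 1 uses `size 1024` for the ZSK; as in the man page, suggest `size 2048` so the example does not recommend an RSA length below current guidance.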
......
......@@ -60,7 +60,7 @@ server configuration:
5. Add the zone into the Knot DNS configuration. Zone configuration must
include correct zone file path (option :ref:`file<zone_file>`) and KASP
database location (option :ref:`kasp-db<zone_kasp_db>`). You can follow
database location (option :ref:`kasp-db<zone_kasp-db>`). You can follow
this configuration file snippet::
zone:
......
......@@ -31,10 +31,10 @@ the following symbols:
- [ ] – Optional value
- \| – Choice
There are 8 main sections (``server``, ``key``, ``acl``, ``control``,
``remote``, ``template``, ``zone`` and ``log``) and module sections with the
``mod-`` prefix. The most of the sections (excluding ``server`` and
``control``) are sequences of settings blocks. Each settings block
There are 10 main sections (``server``, ``control``, ``log``, ``keystore``,
``policy``, ``key``, ``acl``, ``remote``, ``template``, and ``zone``) and
module sections with the ``mod-`` prefix. Most of the sections (excluding
``server`` and ``control``) are sequences of settings blocks. Each settings block
begins with a unique identifier, which can be used as a reference from other
sections (such identifier must be defined in advance).
......@@ -485,6 +485,215 @@ Maximum time the control socket operations can take. Set 0 for infinity.
*Default:* 5
.. _Keystore section:
Keystore section
================
DNSSEC keystore configuration.
::
keystore:
- id: STR
backend: pem | pkcs11
config: STR
.. _keystore_id:
id
--
A keystore identifier.
.. _keystore_backend:
backend
-------
A key storage backend type. A directory with PEM files or a PKCS11 storage.
*Default:* pem
.. _keystore_config:
config
------
A backend specific configuration. A directory for PEM storage (the path can
be specified as a relative path to :ref:`kasp-db<zone_kasp-db>`) or
a configuration string for PKCS11 storage.
.. NOTE::
A PKCS11 configuration can look like::
"pkcs11:token=knot;pin-value=1234 libsofthsm2.so"
*Default:* :ref:`kasp-db<zone_kasp-db>`/keys
.. _Policy section:
Policy section
==============
DNSSEC policy configuration.