Commit 86667b16 authored by Libor Peltan, committed by Daniel Salzman

doc: child-records-publish

parent 2280677c
......@@ -572,6 +572,7 @@ policy:
nsec3\-salt\-length: INT
nsec3\-salt\-lifetime: TIME
ksk\-submission: submission_id
child\-records\-publish: none | empty | rollover | always
.ft P
.fi
.UNINDENT
......@@ -737,6 +738,31 @@ A reference to \fI\%submission\fP section holding parameters of
KSK submittion checks.
.sp
\fIDefault:\fP not set
.SS child\-records\-publish
.sp
Controls if and how shall the CDS and CDNSKEY be published in the zone.
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
This only applies if the zone keys are automatically managed by the server.
.UNINDENT
.UNINDENT
.sp
Possible values:
.INDENT 0.0
.IP \(bu 2
\fBnone\fP \- never publish any CDS or CDNSKEY records in the zone
.IP \(bu 2
\fBempty\fP \- publish special CDS and CDNSKEY records indicating turning off DNSSEC
.IP \(bu 2
\fBrollover\fP \- publish CDS and CDNSKEY records only for the period of KSK submission
(newly generated KSK either initial or during rollover)
.IP \(bu 2
\fBalways\fP \- always publish CDS and CDNSKEY records for the current KSK
.UNINDENT
.sp
\fIDefault:\fP always
.SH REMOTE SECTION
.sp
Definitions of remote servers for outgoing connections (source of a zone
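Review bot: the `empty` bullet in this hunk should say what the "special" records are and what they trigger. Per the operations chapter changed in the same commit, `empty` makes the zone publish the CDNSKEY/CDS delete records with rdata "0 3 0 AA==" and "0 0 0 00", which asks a parent doing automated DS maintenance to remove the DS and take the zone insecure; since the default is `always`, an operator who switches to `empty` by mistake removes the chain of trust, so the bullet should spell out that consequence rather than "indicating turning off DNSSEC". The description line also reads awkwardly ("Controls if and how shall the CDS and CDNSKEY be published in the zone."); suggest "Controls whether and how CDS and CDNSKEY records are published in the zone."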
......
......@@ -322,14 +322,14 @@ More precisely, we tell the parent zone to remove our zone's DS record by
publishing a special formatted CDNSKEY and CDS record. This is mostly useful
if we want to turn off DNSSEC on our zone so it becomes insecure, but not bogus.
First we have to turn off automatic DNSSEC siging and key management. See
:ref:`configuration reference<zone_dnssec-signing>` for details. After that,
we add special CDNSKEY and CDS records with the rdata "0 3 0 AA==" and "0 0 0 00",
respectively, by editing zone file or DDNS.
With automatic DNSSEC signing and key management by Knot, this is as easy as
configuring :ref:`policy_child-records-publish` option and reloading the configuration.
We check if the special CDNSKEY and CDS records with the rdata "0 3 0 AA==" and "0 0 0 00",
respectively, appeared in the zone.
After the parent zone notices and reflects the change, we wait for TTL expire
(so all resolvers' caches get updated), and finally we may do anything with the
zone, e.g. removing all the keys and signatures as desired.
zone, e.g. turning off DNSSEC, removing all the keys and signatures as desired.
.. _Controlling running daemon:
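Review bot: the new sentence "this is as easy as configuring :ref:`policy_child-records-publish` option and reloading the configuration" never states which value to set; the reader needs `child-records-publish: empty` written out (and "configuring the ... option"). The ordering change is the right one for safety: the old text turned signing off first, whereas the new flow keeps the zone signed while the delete records are published and only removes keys and signatures after the parent has dropped the DS and the TTL has expired, which is what keeps the zone insecure rather than bogus. Worth stating that explicitly, i.e. that signing and key management must stay enabled until the "finally" step.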
......
......@@ -642,6 +642,7 @@ DNSSEC policy configuration.
nsec3-salt-length: INT
nsec3-salt-lifetime: TIME
ksk-submission: submission_id
child-records-publish: none | empty | rollover | always
.. _policy_id:
......@@ -854,6 +855,26 @@ KSK submittion checks.
*Default:* not set
.. _policy_child-records-publish:
child-records-publish
---------------------
Controls if and how shall the CDS and CDNSKEY be published in the zone.
.. NOTE::
This only applies if the zone keys are automatically managed by the server.
Possible values:
- ``none`` - never publish any CDS or CDNSKEY records in the zone
- ``empty`` - publish special CDS and CDNSKEY records indicating turning off DNSSEC
- ``rollover`` - publish CDS and CDNSKEY records only for the period of KSK submission
(newly generated KSK either initial or during rollover)
- ``always`` - always publish CDS and CDNSKEY records for the current KSK
*Default:* always
.. _Remote section:
Remote section
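Review bot: the `rollover` bullet's continuation line "(newly generated KSK either initial or during rollover)" must be indented to the bullet text column, otherwise Sphinx renders it as a separate paragraph outside the list; the rendered diff view here cannot show whether that indentation is present, so please check the source. Since `rollover` is defined in terms of the KSK submission period, a cross-reference to the `ksk-submission` option shown a few lines above this section would help readers find the related settings. The wording fixes suggested for the generated man page text (a clearer description line, and naming the delete records and their effect under `empty`) apply to this RST source as well, as the man page is derived from it.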
......