Commit 9c2bbbfd authored by Mark Karpilovskij

doc: a couple of DNSSEC notes for the GeoIP module

parent cf62832f
......@@ -25,10 +25,18 @@ have a **default** RRset of the same type contained in the zone, so that the NSE
chain can be built correctly. Also, it is STRONGLY RECOMMENDED to use manual key rollover in this setting,
as the module has to be reloaded when the signing key changes.
.. NOTE::
If the GeoIP module is used with automatic DNSSEC signing, the keys for computing record signatures
MUST exist or be generated before the server is launched, otherwise the module fails to
compute the signatures and does not load.
Alternatively, the :ref:`geoip<mod-geoip>` module may be combined with the
:ref:`onlinesign<mod-onlinesign>` module and the tailored responses can be signed
on the fly. This approach is more computationally demanding for the server.
on the fly. This approach is much more computationally demanding for the server.
.. NOTE::
If the GeoIP module is used with online signing, it is recommended to set the :ref:`nsec-bitmap<mod-onlinesign_nsec-bitmap>`
option of the onlinesign module to contain all Resource Record types potentially generated by the module.
Example
-------
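
Review bot: The new NOTE on automatic DNSSEC signing says the module "fails to compute the signatures and does not load", but not what the operator is left with: whether the server refuses to start, or starts and answers for the zone without the GeoIP-tailored records. Please state that outcome, since the second case would be a silent failure, and link to the key-generation documentation so that "MUST exist or be generated before the server is launched" is actionable. In the second NOTE, "it is recommended" is lowercase while the same hunk uses "STRONGLY RECOMMENDED" and "MUST"; pick one convention, say what goes wrong when a type the module generates is missing from nsec-bitmap, and wrap the long line to the width of its neighbours.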