Commit be9a155b authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

doc: various dnssec-related minor updates

parent a2908bc5
......@@ -294,7 +294,7 @@ by LMDB.
management, the database must be *readable* by the server process. For
automatic key management, it must be *writeable*. If no HSM is used,
the database also contains private key material – don't set the permissions
too week.
too weak.
.. _dnssec-automatic-zsk-management:
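Review bot: the typo fix is fine, but "don't set the permissions too weak" still leaves the reader guessing at a concrete mode for a file that holds private key material; suggest stating the intent plainly, e.g. "the database files should be readable (and, for automatic management, writeable) only by the user the server runs as", so the manual and automatic cases described two sentences earlier each map to a clear permission requirement.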
......@@ -421,8 +421,8 @@ Let's use the Single-Type Signing scheme with two algorithms. Run:
.. code-block:: console
$ keymgr -d path/to/keydir myzone.test. generate algorithm=RSASHA256 size=1024
$ keymgr -d path/to/keydir myzone.test. generate algorithm=ECDSAP256SHA256 size=256
$ keymgr myzone.test. generate algorithm=RSASHA256 size=1024
$ keymgr myzone.test. generate algorithm=ECDSAP256SHA256 size=256
And reload the server. The zone will be signed.
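Review bot: dropping `-d path/to/keydir` makes these examples depend on keymgr resolving the KASP database from the default configuration; the sentence introducing them should say that keymgr must be run against the same configuration (or data directory) as the server, otherwise the keys land in a database the server never reads. Separately, the RSASHA256 example still uses `size=1024`, which is below the `2048 (rsa*)` default this same commit documents for ksk-size; suggest `size=2048` so the tutorial does not teach a weaker key than the defaults.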
......@@ -432,14 +432,14 @@ it yet:
.. code-block:: console
$ keymgr -d path/to/keydir myzone.test. generate algorithm=RSASHA256 size=1024 active=now+1d
$ keymgr myzone.test. generate algorithm=RSASHA256 size=1024 active=now+1d
Take the key ID (or key tag) of the old RSA key and disable it the same time
the new key gets activated:
.. code-block:: console
$ keymgr -d path/to/keydir myzone.test. set <old_key_id> retire=now+1d remove=now+1d
$ keymgr myzone.test. set <old_key_id> retire=now+1d remove=now+1d
Reload the server again. The new key will be published (i.e. the DNSKEY record
will be added into the zone). Do not forget to update the DS record in the
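Review bot: `retire=now+1d remove=now+1d` retires and removes the old RSA key at the same instant, so its DNSKEY disappears from the zone while signatures it produced may still be cached by resolvers; for a rollover walk-through the example should keep the old key published until those signatures have expired, e.g. `retire=now+1d remove=now+2d` (or a value derived from the signature lifetime), and the text should say why the two timestamps differ.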
......@@ -461,11 +461,11 @@ Zone signing
The signing process consists of the following steps:
#. Processing KASP database events. (e.g. performing a step of a rollover).
#. Fixing the NSEC or NSEC3 chain.
#. Updating the DNSKEY records. The whole DNSKEY set in zone apex is replaced
by the keys from the KASP database. Note that keys added into the zone file
manually will be removed. To add an extra DNSKEY record into the set, the
key must be imported into the KASP database (possibly deactivated).
#. Fixing the NSEC or NSEC3 chain.
#. Removing expired signatures, invalid signatures, signatures expiring
in a short time, and signatures issued by an unknown key.
#. Creating missing signatures. Unless the Single-Type Signing Scheme
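Review bot: moving "Fixing the NSEC or NSEC3 chain" after the DNSKEY update is the sensible order, but step 3 states that DNSKEY records added manually to the zone file are removed without saying whether the server reports this; since an operator who hand-published an extra key will silently lose it, the step should mention the log message (if any) or at least stress that the KASP import is the only supported way to keep such a record. Minor: "Processing KASP database events. (e.g. ...)" has a stray full stop before the parenthesis.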
......@@ -478,6 +478,7 @@ The signing is initiated on the following occasions:
- Start of the server
- Zone reload
- Reaching the signature refresh period
- Key set changed due to rollover event
- Received DDNS update
- Forced zone resign via server control interface
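Review bot: the new item reads as a clause where the neighbouring items are noun phrases; suggest "- Key set change due to a rollover event" to match "- Zone reload" and "- Received DDNS update".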
......@@ -509,7 +510,6 @@ of the limitations will be hopefully removed in the near future.
- Legacy key import requires a private key.
- Legacy key export is not implemented.
- DS record export is not implemented.
.. _query-modules:
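Review bot: removing "DS record export is not implemented" from the limitations implies DS export now exists, yet nothing in this commit documents how to do it, and the rollover section still only says "Do not forget to update the DS record in the parent"; suggest adding the corresponding keymgr example (or a pointer to where DS export is described) in the same change so the limitation list and the how-to stay consistent.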
......
......@@ -152,7 +152,7 @@ now+0, now\-1y, ...
.SH EXAMPLES
.INDENT 0.0
.IP 1. 3
Generate TSIG key:
Generate new TSIG key:
.INDENT 3.0
.INDENT 3.5
.sp
......@@ -164,26 +164,26 @@ $ keymgr \-t my_name hmac\-sha384
.UNINDENT
.UNINDENT
.IP 2. 3
Import a key from BIND:
Generate new DNSSEC key:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr example.com. import\-bind ~/bind/Kharbinge4d5.+007+63089.key
$ keymgr example.com. generate algorithm=ECDSAP256SHA256 size=256 \e
ksk=true created=1488034625 publish=20170223205611 retire=now+10mo remove=now+1y
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 3. 3
Generate new key:
Import a DNSSEC key from BIND:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ keymgr example.com. generate algorithm=ECDSAP256SHA256 size=256 \e
ksk=true created=1488034625 publish=20170223205611 retire=now+10mo remove=now+1y
$ keymgr example.com. import\-bind ~/bind/Kharbinge4d5.+007+63089.key
.ft P
.fi
.UNINDENT
......@@ -195,7 +195,7 @@ Configure key timing:
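Review bot: the reordered "Generate new DNSSEC key" example mixes two timestamp formats, a Unix epoch for `created=1488034625` and YYYYMMDDHHMMSS for `publish=20170223205611`; since this is the first example a reader sees after the Timestamps section, a short remark that both forms (plus the `now+...` offsets used for retire/remove) are accepted would avoid it looking like a mistake. Also keep the numbering identical to the rst source, which this commit changes in the same way.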
.sp
.nf
.ft C
$ keymgr \-d ${knot_data_dir}/keys test.test. set 4208 active=now+2mi retire=now+4mi remove=now+5mi
$ keymgr example.com. set 4208 active=now+2mi retire=now+4mi remove=now+5mi
.ft P
.fi
.UNINDENT
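Review bot: with `-d ${knot_data_dir}/keys` gone, this example now silently relies on the default configuration to locate the KASP database; since the man page is where users look up `-d`/`-c`, the example text should say that the options may be omitted only when keymgr runs with the same configuration as the server. The `active=now+2mi retire=now+4mi remove=now+5mi` values are fine as a syntax demonstration but should be labelled as such, as a one-minute gap between retire and remove is not a realistic rollover timing.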
......@@ -207,7 +207,7 @@ Share a KSK from another zone:
.sp
.nf
.ft C
$ keymgr \-c ${knot_data_dir}/knot.conf test.test. share e687cf927029e9db7184d2ece6d663f5d1e5b0e9
$ keymgr example.com. share e687cf927029e9db7184d2ece6d663f5d1e5b0e9
.ft P
.fi
.UNINDENT
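Review bot: example 5 identifies the shared KSK by its 40-character key ID while example 4 uses the key tag `4208`; the rst tutorial says both forms are accepted ("key ID (or key tag)"), so the man page examples should say so too, otherwise the two examples look inconsistent now that the zone name has been unified to `example.com.`.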
......
......@@ -602,7 +602,8 @@ An algorithm of signing keys and issued signatures.
\fIDefault:\fP ecdsap256sha256
.SS ksk\-size
.sp
A length of newly generated KSK keys.
A length of newly generated KSK or
CSK keys.
.sp
\fIDefault:\fP 1024 (dsa*), 2048 (rsa*), 256 (ecdsap256*), 384 (ecdsap384*)
.SS zsk\-size
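Review bot: now that ksk-size is documented as governing CSK keys as well, the zsk-size entry that follows should state the complementary fact, namely that zsk-size is not used when single-type-signing is enabled, so readers of either entry learn which size applies in the CSK case.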
......@@ -652,6 +653,8 @@ KSK key lifetime is also infuenced by propagation\-delay, dnskey\-ttl,
and KSK submission delay.
.sp
The default infinite value causes no KSK rollover as a result.
.sp
This applies for CSK lifetime if single\-type\-signing is enabled.
.UNINDENT
.UNINDENT
.SS propagation\-delay
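Review bot: "This applies for CSK lifetime" should read "This applies to the CSK lifetime"; while editing this paragraph, the context line above it still carries the typo "infuenced" (influenced), worth fixing in the same commit.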
......
......@@ -129,26 +129,26 @@ Timestamps
Examples
--------
1. Generate TSIG key::
1. Generate new TSIG key::
$ keymgr -t my_name hmac-sha384
2. Import a key from BIND::
$ keymgr example.com. import-bind ~/bind/Kharbinge4d5.+007+63089.key
3. Generate new key::
2. Generate new DNSSEC key::
$ keymgr example.com. generate algorithm=ECDSAP256SHA256 size=256 \
ksk=true created=1488034625 publish=20170223205611 retire=now+10mo remove=now+1y
3. Import a DNSSEC key from BIND::
$ keymgr example.com. import-bind ~/bind/Kharbinge4d5.+007+63089.key
4. Configure key timing::
$ keymgr -d ${knot_data_dir}/keys test.test. set 4208 active=now+2mi retire=now+4mi remove=now+5mi
$ keymgr example.com. set 4208 active=now+2mi retire=now+4mi remove=now+5mi
5. Share a KSK from another zone::
$ keymgr -c ${knot_data_dir}/knot.conf test.test. share e687cf927029e9db7184d2ece6d663f5d1e5b0e9
$ keymgr example.com. share e687cf927029e9db7184d2ece6d663f5d1e5b0e9
See Also
--------
......
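Review bot: example 3 imports `Kharbinge4d5.+007+63089.key`, i.e. an algorithm-7 (RSASHA1-NSEC3-SHA1) key, immediately after example 2 generates an ECDSAP256SHA256 key; unless the intent is to show legacy import, a file name with algorithm 013 would match the rest of the page and avoid suggesting SHA-1 based keys as the normal case. Keep this list byte-for-byte in sync with the man page examples changed above in this commit.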
......@@ -98,10 +98,10 @@ server configuration:
3. Import all existing zone keys into the KASP database. Make sure that all
the keys were imported correctly::
$ keymgr -d path/to/keydir example.com. import-bind path/to/Kexample.com.+013+11111
$ keymgr -d path/to/keydir example.com. import-bind path/to/Kexample.com.+013+22222
$ keymgr example.com. import-bind path/to/Kexample.com.+013+11111
$ keymgr example.com. import-bind path/to/Kexample.com.+013+22222
$ ...
$ keymgr -d path/to/keydir example.com. list
$ keymgr example.com. list
.. NOTE::
The server can be run under a dedicated user account, usually ``knot``.
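Review bot: the step says "Make sure that all the keys were imported correctly" but the only check shown is `keymgr example.com. list`; suggest saying what to compare, e.g. that the key tags from the imported file names (`11111`, `22222`) must all appear in the list output, and that a missing tag means the import of that key failed.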
......
......@@ -692,7 +692,8 @@ An algorithm of signing keys and issued signatures.
ksk-size
--------
A length of newly generated :abbr:`KSK (Key Signing Key)` keys.
A length of newly generated :abbr:`KSK (Key Signing Key)` or
:abbr:`CSK (Combined Signing Key)` keys.
*Default:* 1024 (dsa*), 2048 (rsa*), 256 (ecdsap256*), 384 (ecdsap384*)
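Review bot: same remark as for the man page entry: once ksk-size is documented as covering CSK keys, the zsk-size entry should state that it is ignored under single-type-signing, so both entries describe the CSK case.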
......@@ -751,6 +752,8 @@ A period between KSK publication and the next rollover initiation.
The default infinite value causes no KSK rollover as a result.
This applies for CSK lifetime if single-type-signing is enabled.
.. _policy_propagation-delay:
propagation-delay
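Review bot: "This applies for CSK lifetime" should read "This applies to the CSK lifetime", matching the man page sentence changed in this commit.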
......
......@@ -97,7 +97,7 @@ Example
:ref:`Manual key management<dnssec-manual-key-management>`.
.. NOTE::
Only id, manual, keystore, algorithm, zsk-size, and rrsig-lifetime policy items are
Only id, manual, keystore, algorithm, ksk-size, and rrsig-lifetime policy items are
relevant to this module. If no rrsig-lifetime is configured, the
default value is 25 hours.
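Review bot: changing the relevant policy item from zsk-size to ksk-size is a semantic change, not a typo fix, and the note gives no reason; suggest adding a clause stating that this module signs with a single key type, so the key length is taken from ksk-size (as documented for CSK keys elsewhere in this commit), otherwise readers who configured zsk-size for this module will not understand why it stopped being honoured.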
......