Commit c044d734 authored by Daniel Salzman

doc: fixes

parent c99b99dd
......@@ -354,20 +354,21 @@ additional options in :ref:`policy section <Policy section>`, mostly specifying
desired (finite) lifetime for KSK: ::
remote:
- id: cz_zone
- id: test_zone_server
address: 192.168.12.1@53
submission:
- id: cz_zone_sbm
parent: [cz_zone]
- id: test_zone_sbm
parent: [test_zone_server]
policy:
- id: rsa
algorithm: RSASHA256
ksk-size: 2048
zsk-size: 1024
zsk-lifetime: 30d
ksk-lifetime: 365d
ksk-submission: cz_zone_sbm
ksk-submission: test_zone_sbm
zone:
- domain: myzone.test
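Review bot: the sample policy still carries `zsk-size: 1024` under `algorithm: RSASHA256`, and documentation examples tend to be copied verbatim. A 1024-bit RSA ZSK is below current key-size guidance, so while this example is being edited consider `zsk-size: 2048` to match `ksk-size`. The renamed ids read better; `address: 192.168.12.1@53` could likewise move to a documentation range such as 192.0.2.1 so nobody ends up probing a real host on their LAN for DS records.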
......@@ -384,20 +385,19 @@ change the policy ``id`` afterwards! The shared key's creation timestamp will be
zones, but other timers (e.g. activate, retire) may get out of sync. ::
policy:
- id: sharedp
ksk-lifetime: 365d
- id: shared
...
ksk-shared: true
ksk-submission: cz_zone_sbm
zone:
- domain: firstzone.test
dnssec-signing: on
dnssec-policy: sharedp
dnssec-policy: shared
zone:
- domain: secondzone.test
dnssec-signing: on
dnssec-policy: sharedp
dnssec-policy: shared
.. _dnssec-manual-key-management:
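Review bot: the bare `...` under `- id: shared` makes the example no longer valid configuration when pasted; a comment line (for instance `# other policy options`) or one concrete option would keep it loadable. Also confirm that `ksk-submission: cz_zone_sbm` does not survive in the resulting example, since the first hunk renames that submission to `test_zone_sbm` and a leftover reference would point at an id that no longer exists in the docs. Given the warning just above about not changing the policy `id` afterwards, it may be worth saying that this rename affects the example only.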
......
......@@ -87,7 +87,7 @@ Imports a BIND\-style key into KASP database (converting it to PEM format).
Takes one argument: path to BIND key file (private or public, but both MUST exist).
.TP
\fBimport\-pem\fP \fIPEM_file\fP [\fIarguments\fP\&...]
Imports a DNSSEC key form PEM file. The key parameters (same as for generate action) need to be
Imports a DNSSEC key from PEM file. The key parameters (same as for generate action) need to be
specified (mostly algorithm, timers...) because they are not contained in the PEM format.
.TP
\fBset\fP \fIkey_spec\fP [\fIarguments\fP\&...]
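Review bot: the corrected sentence for import-pem still reads "from PEM file"; "from a PEM file" would finish the fix, here and in the matching reStructuredText hunk. No other concerns with this hunk.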
......
......@@ -521,6 +521,8 @@ A list of \fI\%references\fP to parent\(aqs DNS servers to be checked for
presence of corresponding DS records in case of KSK submission. All of them must
have corresponding DS for the rollover to continue. If none specified, the rollover
must be pushed forward manually.
.sp
\fIDefault:\fP not set
.SS check\-interval
.sp
Interval for periodic checks of DS resence on parent\(aqs DNS servers, in case of
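Review bot: the check-interval description right below the added default still says "DS resence"; since this is a doc-fix commit, correct it to "DS presence" in the same pass (and in the reStructuredText counterpart if it has the same typo). The added "Default: not set" is consistent with the preceding sentence that an empty parent list means the rollover must be pushed forward manually.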
......@@ -530,7 +532,7 @@ KSK submission.
.SS timeout
.sp
After this period, the KSK submission is automatically considered successful, even
if all the check were negative or no parents are configured.
if all the checks were negative or no parents are configured. Set 0 for infinity.
.sp
\fIDefault:\fP infinity
.SH POLICY SECTION
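Review bot: the timeout text says the submission is "automatically considered successful, even if all the checks were negative", which lets a rollover continue without any parent having confirmed the DS, in contrast to the parent option above where all parents must have the DS for the rollover to continue. The description should state that consequence explicitly and recommend leaving the timeout at its default unless DS publication is verified some other way, because an operator who sets a finite value as a convenience may not realise the DS check is being bypassed.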
......
......@@ -64,7 +64,7 @@ Actions
Takes one argument: path to BIND key file (private or public, but both MUST exist).
**import-pem** *PEM_file* [*arguments*...]
Imports a DNSSEC key form PEM file. The key parameters (same as for generate action) need to be
Imports a DNSSEC key from PEM file. The key parameters (same as for generate action) need to be
specified (mostly algorithm, timers...) because they are not contained in the PEM format.
**set** *key_spec* [*arguments*...]
......
......@@ -586,6 +586,8 @@ presence of corresponding DS records in case of KSK submission. All of them must
have corresponding DS for the rollover to continue. If none specified, the rollover
must be pushed forward manually.
*Default:* not set
.. _submission_check-interval:
check-interval
......@@ -602,7 +604,7 @@ timeout
-------
After this period, the KSK submission is automatically considered successful, even
if all the check were negative or no parents are configured.
if all the checks were negative or no parents are configured. Set 0 for infinity.
*Default:* infinity
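Review bot: "Set 0 for infinity." next to "Default: infinity" leaves the reader guessing whether 0 is the default value or a separate setting; something like "Set to 0 to disable the timeout (wait indefinitely)" with "Default: 0 (infinity)" would remove the ambiguity. It would also help to name the unit or accepted time format for this value, as the `30d` and `365d` lifetimes in the policy examples do.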
......