Commit d7d36939 authored by Libor Peltan, committed by Daniel Salzman

doc: nsec3 opt-out

parent 28e9063c
......@@ -568,6 +568,7 @@ policy:
rrsig\-refresh: TIME
nsec3: BOOL
nsec3\-iterations: INT
nsec3\-opt\-out: BOOL
nsec3\-salt\-length: INT
nsec3\-salt\-lifetime: TIME
ksk\-submission: submission_id
......@@ -705,6 +706,20 @@ Specifies if NSEC3 will be used instead of NSEC.
A number of additional times the hashing is performed.
.sp
\fIDefault:\fP 5
.SS nsec3\-opt\-out
.sp
If set, NSEC3 records won\(aqt be created for insecure delegations.
This speeds up the zone signing and reduces overall zone size.
.sp
\fBWARNING:\fP
.INDENT 0.0
.INDENT 3.5
NSEC3 with the Opt\-Out bit set no longer works as a proof of non\-existence
in this zone.
.UNINDENT
.UNINDENT
.sp
\fIDefault:\fP off
.SS nsec3\-salt\-length
.sp
A length of a salt field in octets, which is appended to the original owner
......
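Review bot: The WARNING under nsec3-opt-out is broader than what Opt-Out actually changes: "no longer works as a proof of non-existence in this zone" reads as if all authenticated denial is lost. Per RFC 5155, an NSEC3 record with the Opt-Out flag set still proves non-existence of signed names; what it no longer asserts is the existence or non-existence of insecure delegations inside the span it covers. Suggest narrowing the sentence to that, so an operator can weigh the faster signing and smaller zone against losing authenticated denial for unsigned delegations only.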
......@@ -638,6 +638,7 @@ DNSSEC policy configuration.
rrsig-refresh: TIME
nsec3: BOOL
nsec3-iterations: INT
nsec3-opt-out: BOOL
nsec3-salt-length: INT
nsec3-salt-lifetime: TIME
ksk-submission: submission_id
......@@ -810,6 +811,20 @@ A number of additional times the hashing is performed.
*Default:* 5
.. _policy_nsec3-opt-out:
nsec3-opt-out
-------------
If set, NSEC3 records won't be created for insecure delegations.
This speeds up the zone signing and reduces overall zone size.
.. WARNING::
NSEC3 with the Opt-Out bit set no longer works as a proof of non-existence
in this zone.
*Default:* off
.. _policy_nsec3-salt-length:
nsec3-salt-length
......
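Review bot: The nsec3-opt-out description opens with "If set" but does not say that the option depends on nsec3 being enabled, and it leaves "insecure delegations" undefined. Suggest adding one sentence stating that the option only has an effect when nsec3 is on, and that an insecure delegation is one without a DS record. The WARNING wording is identical to the man page text for the same option, so the two should be kept in sync if either is reworded.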