From 2616416a677634e01cea98a07d45c305cce8274a Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 27 Jun 2016 10:52:04 +1000 Subject: [PATCH] add missing / tags --- bin/python/dnssec-keymgr.docbook | 161 ++++++++++++++++++------------- 1 file changed, 94 insertions(+), 67 deletions(-) diff --git a/bin/python/dnssec-keymgr.docbook b/bin/python/dnssec-keymgr.docbook index 1bf4c6d700..a4e9258680 100644 --- a/bin/python/dnssec-keymgr.docbook +++ b/bin/python/dnssec-keymgr.docbook @@ -60,11 +60,10 @@ DESCRIPTION - dnssec-keymgr - is a high level Python wrapper to facilitate the key rollover - process for zones handled by BIND. It uses the BIND commands - for manipulating DNSSEC key metadata: - dnssec-keygen and + dnssec-keymgr is a high level Python wrapper + to facilitate the key rollover process for zones handled by + BIND. It uses the BIND commands for manipulating DNSSEC key + metadata: dnssec-keygen and dnssec-settime. 
@@ -242,28 +241,34 @@ - Policy classes - () - can be inherited by zone policies or other policy classes; these - can be used to create sets of different security profiles. For - example, a policy class normal might specify - 1024-bit key sizes, but a class extra might - specify 2048 bits instead; extra would be - used for zones that had unusually high security needs. + + Policy classes + () + can be inherited by zone policies or other policy classes; these + can be used to create sets of different security profiles. For + example, a policy class normal might specify + 1024-bit key sizes, but a class extra might + specify 2048 bits instead; extra would be + used for zones that had unusually high security needs. + - Algorithm policies: - ( ) - override default per-algorithm settings. For example, by default, - RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This - can be modified using algorithm-policy, and the - new key sizes would then be used for any key of type RSASHA256. + + Algorithm policies: + ( ) + override default per-algorithm settings. For example, by default, + RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This + can be modified using algorithm-policy, and the + new key sizes would then be used for any key of type RSASHA256. + - Zone policies: - ( ) - set policy for a single zone by name. A zone policy can inherit - a policy class by including a option. + + Zone policies: + ( ) + set policy for a single zone by name. A zone policy can inherit + a policy class by including a option. + 
@@ -273,82 +278,100 @@ algorithm - The key algorithm. If no policy is defined, the default is - RSASHA256. + + The key algorithm. If no policy is defined, the default is + RSASHA256. + coverage - The length of time to ensure that keys will be correct; no action - will be taken to create new keys to be activated after this time. - This can be represented as a number of seconds, or as a duration using - human-readable units (examples: "1y" or "6 months"). - A default value for this option can be set in algorithm policies - as well as in policy classes or zone policies. - If no policy is configured, the default is six months. + + The length of time to ensure that keys will be correct; no action + will be taken to create new keys to be activated after this time. + This can be represented as a number of seconds, or as a duration using + human-readable units (examples: "1y" or "6 months"). + A default value for this option can be set in algorithm policies + as well as in policy classes or zone policies. + If no policy is configured, the default is six months. + directory - Specifies the directory in which keys should be stored. + + Specifies the directory in which keys should be stored. + key-size - Specifies the number of bits to use in creating keys. - Takes two arguments: keytype (eihter "zsk" or "ksk") and size. - A default value for this option can be set in algorithm policies - as well as in policy classes or zone policies. If no policy is - configured, the default is 1024 bits for DSA keys and 2048 for - RSA. + + Specifies the number of bits to use in creating keys. + Takes two arguments: keytype (eihter "zsk" or "ksk") and size. + A default value for this option can be set in algorithm policies + as well as in policy classes or zone policies. If no policy is + configured, the default is 1024 bits for DSA keys and 2048 for + RSA. + keyttl - The key TTL. If no policy is defined, the default is one hour. + + The key TTL. 
If no policy is defined, the default is one hour. + post-publish - How long after inactivation a key should be deleted from the zone. - Note: If is not set, this value is - ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a - duration. A default value for this option can be set in algorithm - policies as well as in policy classes or zone policies. The default - is one month. + + How long after inactivation a key should be deleted from the zone. + Note: If is not set, this value is + ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a + duration. A default value for this option can be set in algorithm + policies as well as in policy classes or zone policies. The default + is one month. + pre-publish - How long before activation a key should be published. Note: If - is not set, this value is ignored. - Takes two arguments: keytype (either "zsk" or "ksk") and a duration. - A default value for this option can be set in algorithm policies - as well as in policy classes or zone policies. The default is - one month. + + How long before activation a key should be published. Note: If + is not set, this value is ignored. + Takes two arguments: keytype (either "zsk" or "ksk") and a duration. + A default value for this option can be set in algorithm policies + as well as in policy classes or zone policies. The default is + one month. + roll-period - How frequently keys should be rolled over. - Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration. - A default value for this option can be set in algorithm policies - as well as in policy classes or zone policies. If no policy is - configured, the default is one year for ZSK's. KSK's do not - roll over by default. + + How frequently keys should be rolled over. + Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration. + A default value for this option can be set in algorithm policies + as well as in policy classes or zone policies. 
If no policy is + configured, the default is one year for ZSK's. KSK's do not + roll over by default. + standby - Not yet implemented. + + Not yet implemented. + @@ -357,16 +380,20 @@ REMAINING WORK - Enable scheduling of KSK rollovers using the - and options to - dnssec-keygen and - dnssec-settime. Check the parent zone - (as in dnssec-checkds) to determine when it's - safe for the key to roll. + + Enable scheduling of KSK rollovers using the + and options to + dnssec-keygen and + dnssec-settime. Check the parent zone + (as in dnssec-checkds) to determine when it's + safe for the key to roll. + - Allow configuration of standby keys and use of the REVOKE bit, - for keys that use RFC 5011 semantics. + + Allow configuration of standby keys and use of the REVOKE bit, + for keys that use RFC 5011 semantics. +
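Review bot: in the `@@ -242,28 +241,34 @@` hunk, the policy-class example is re-added with class normal specifying 1024-bit key sizes, while the algorithm-policy paragraph in the same hunk says RSASHA256 keys default to 2048 bits for both KSK and ZSK. As written, the man page illustrates a "normal" profile that is weaker than the documented default. Since these lines are being rewritten anyway, consider changing the example so that normal matches the 2048-bit default and extra uses a larger size, or illustrate inheritance with a different option such as roll-period.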
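Review bot: in the `@@ -273,82 +278,100 @@` hunk, the typo "eihter" is carried over unchanged on the `+` lines for key-size, post-publish and roll-period; only pre-publish reads "either". Because each of these paragraphs is being re-added, fix the text in the same change so all four read: keytype (either "zsk" or "ksk"). In the roll-period paragraph, "ZSK's" and "KSK's" are plurals, not possessives, and should read "ZSKs" and "KSKs".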