Deduplicate dnssec-policy definition in the ARM

(cherry picked from commit 3233414a53)
This commit is contained in:
Petr Špaček 2022-06-17 13:24:37 +02:00
parent b023b62b8d
commit 70924290ca
No known key found for this signature in database
GPG key ID: ABD587CDF06581AE


@ -1703,14 +1703,11 @@ default is used.
the maximum is ``1440`` (24 hours); any higher value is silently
reduced.
.. namedconf:statement:: dnssec-policy
:namedconf:ref:`dnssec-policy`
This specifies which key and signing policy (KASP) should be used for this
zone. This is a string referring to a ``dnssec-policy`` statement. There
are three built-in policies: ``default``, which uses the default policy,
``insecure``, to be used when you want to gracefully unsign your zone, and
``none``, which means no DNSSEC policy. The default is ``none``.
See :ref:`dnssec-policy Grammar <dnssec_policy_grammar>` for more details.
zone. This is a string referring to a :namedconf:ref:`dnssec-policy` block.
The default is ``none``.
.. namedconf:statement:: dnssec-update-mode
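Review bot: the removed paragraph carried the only link to the grammar section (``See :ref:`dnssec-policy Grammar <dnssec_policy_grammar>` for more details.``), and the replacement relies solely on the ``:namedconf:ref:`dnssec-policy``` role to take the reader to the statement's own section; please confirm that role resolves to the descriptive ``dnssec-policy`` block and not only to a grammar stub, otherwise the ``insecure`` policy, which is no longer mentioned under the ``zone`` statement, becomes hard to discover from here. The terminology also shifts from "``dnssec-policy`` statement" to "``dnssec-policy`` block" in the new line; pick one wording and use it consistently with the ``dnssec-policy`` section below.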
@ -5685,16 +5682,23 @@ for zones.
A KASP determines how one or more zones are signed with DNSSEC. For
example, it specifies how often keys should roll, which cryptographic
algorithms to use, and how often RRSIG records need to be refreshed.
Multiple key and signing policies can be configured with unique policy names.
A policy for a zone is selected using a ``dnssec-policy`` statement in the
:namedconf:ref:`zone` block, specifying the name of the policy that should be
used.
There are three built-in policies:
- ``default``, which uses the :ref:`default policy <dnssec_policy_default>`,
- ``insecure``, to be used when you want to gracefully unsign your zone,
- ``none``, which means no DNSSEC policy (the same as not selecting
``dnssec-policy`` at all; the zone is not signed.)
Keys are not shared among zones, which means that one set of keys per
zone is generated even if they have the same policy. If multiple views
are configured with different versions of the same zone, each separate
version uses the same set of signing keys.
Multiple key and signing policies can be configured. To attach a policy
to a zone, add a ``dnssec-policy`` option to the ``zone`` statement,
specifying the name of the policy that should be used.
By default, ``dnssec-policy`` assumes ``inline-signing``. This means that
a signed version of the zone is maintained separately and is written out to
a different file on disk (the zone's filename plus a ``.signed`` extension).
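Review bot: in the new bulleted list the ``none`` item closes its parenthesis after the sentence period (``the zone is not signed.)``), which reads oddly next to the other two items; suggest ``- ``none``, which means no DNSSEC policy (the same as not selecting ``dnssec-policy`` at all); the zone is not signed.``. The moved-up paragraph now says a policy is selected "using a ``dnssec-policy`` statement in the :namedconf:ref:`zone` block", while the removed paragraph called it a "``dnssec-policy`` option to the ``zone`` statement"; the new wording is fine, but it should match whichever term the ``zone`` section uses.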
@ -5715,10 +5719,9 @@ taken to submit a DS record to the parent. Rollover timing for KSKs and
CSKs is adjusted to take into account delays in processing and
propagating DS updates.
There are two predefined ``dnssec-policy`` names: ``none`` and
``default``. Setting a zone's policy to ``none`` is the same as not
setting ``dnssec-policy`` at all; the zone is not signed. Policy
``default`` causes the zone to be signed with a single combined-signing
.. _dnssec_policy_default:
Policy ``default`` causes the zone to be signed with a single combined-signing
key (CSK) using algorithm ECDSAP256SHA256; this key has an unlimited
lifetime. (A verbose copy of this policy may be found in the source
tree, in the file ``doc/misc/dnssec-policy.default.conf``.)
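Review bot: dropping the "There are two predefined ``dnssec-policy`` names" paragraph is the right call, since it contradicted the three built-in policies (``default``, ``insecure``, ``none``) now listed in the section introduction and duplicated the ``none`` description. One reStructuredText caveat on the new ``.. _dnssec_policy_default:`` label: because it precedes a paragraph rather than a section title, it can only be targeted by a ``:ref:`` that supplies explicit link text, as ``:ref:`default policy <dnssec_policy_default>``` does above; a bare ``:ref:`dnssec_policy_default``` anywhere else would fail with an "undefined label" or "missing title" warning, so a short comment next to the label noting that, or placing the label before a heading, would save the next editor a build failure.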