diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst index f3722283a3..2e14d163ac 100644 --- a/doc/arm/dnssec.inc.rst +++ b/doc/arm/dnssec.inc.rst @@ -52,6 +52,8 @@ during the lifetime of a DNS zone: - :ref:`dnssec_dynamic_zones` - only for special needs - :ref:`dnssec_tools` - discouraged, use only for debugging +.. _zone_keys: + Zone keys ^^^^^^^^^ Regardless of the :ref:`zone-signing ` method in use, cryptographic keys are diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst index 6effd7f27c..0581b96f9b 100644 --- a/doc/dnssec-guide/signing.rst +++ b/doc/dnssec-guide/signing.rst @@ -1147,17 +1147,7 @@ looking at the actual DNSKEY record, we can tell them apart: 256 is ZSK, and 257 is KSK. The name of the file also tells us something -about the contents. The file names are of the form: - -:: - - K++ - -The "zone name" is self-explanatory. The "algorithm ID" is a number assigned -to the algorithm used to construct the key: the number appears in the -DNSKEY resource record. In -our example, 8 means the algorithm RSASHA256. Finally, the "keyid" is -essentially a hash of the key itself. +about the contents. See chapter :ref:`zone_keys` for more details. Make sure these files are readable by :iscman:`named` and make sure that the ``.private`` files are not readable by anyone else.
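Review bot: the new label `zone_keys` in the doc/arm/dnssec.inc.rst hunk does not follow the `dnssec_` prefix used by the neighbouring targets visible in the same hunk (`dnssec_dynamic_zones`, `dnssec_tools`). Sphinx labels are global to the documentation build, so a short generic name is more likely to collide with a later label. Consider `.. _dnssec_zone_keys:` and the matching `:ref:` in signing.rst.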
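Review bot: in the doc/dnssec-guide/signing.rst hunk, the retained sentence "The name of the file also tells us something about the contents." is now followed only by a cross-reference, so the walkthrough no longer says what the name tells the reader, and the example-specific statement that 8 means RSASHA256 is lost. Keep a one-sentence summary of the three fields (zone name, algorithm ID, keyid) before the link, and confirm that the Zone keys section covers all of them. The target heading is underlined with `^` in the first hunk, which suggests a subsection rather than a chapter, so "See :ref:`zone_keys` for more details." would read more accurately than "See chapter ...".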