From a73a07832e9cf7058df2cbc1d7034bd17f862846 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 20 Sep 2021 15:20:33 +0200 Subject: [PATCH 1/3] The s stands for security So "hardware security modules" not "hardware service modules" --- doc/arm/reference.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index b5394990c6..ba41d40f75 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -5079,7 +5079,7 @@ The following options can be specified in a ``dnssec-policy`` statement: An optional second token determines where the key is stored. Currently, keys can only be stored in the configured ``key-directory``. This token may be used in the future to store - keys in hardware service modules or separate directories. + keys in hardware security modules or separate directories. The ``lifetime`` parameter specifies how long a key may be used before rolling over. In the example above, the first key has an From 9ddc23b2bfcbbb327a876a57b0f8313fd036507a Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 20 Sep 2021 15:22:53 +0200 Subject: [PATCH 2/3] Add a note about salt length Apparently it is confusing that you don't specify a specific salt, but a salt length. --- doc/arm/reference.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index ba41d40f75..725800dfcf 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst 
@@ -5163,7 +5163,9 @@ The following options can be specified in a ``dnssec-policy`` statement: The default is to use NSEC. The ``iterations``, ``optout`` and ``salt-length`` parts are optional, but if not set, the values in - the example above are the default NSEC3 parameters. + the example above are the default NSEC3 parameters. Note that you don't + specify a specific salt string, ``named`` will create a salt for you + of the provided salt length. ``zone-propagation-delay`` This is the expected propagation delay from the time when a zone is From 4e3ba8169652e3e0423d176aa59d8686e95e014a Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 21 Sep 2021 15:22:49 +0200 Subject: [PATCH 3/3] Remove copy paste error on zone-max-ttl The "zone-max-ttl" option inside a "dnssec-policy" is not used to cap the TTLs in a zone, only to calculate key rollover timings. --- doc/arm/reference.rst | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 725800dfcf..0a4627bf40 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -5138,10 +5138,7 @@ The following options can be specified in a ``dnssec-policy`` statement: ``max-zone-ttl`` Like the ``max-zone-ttl`` zone option, this specifies the maximum - permissible TTL value, in seconds, for the zone. When loading a - zone file using a ``masterfile-format`` of ``text`` or ``raw``, any - record encountered with a TTL higher than ``max-zone-ttl`` is capped - at the maximum permissible TTL value. + permissible TTL value, in seconds, for the zone. This is needed in DNSSEC-maintained zones because when rolling to a new DNSKEY, the old key needs to remain available until RRSIG
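Review bot: (PATCH 1/3, hunk at line 5079) the wording fix is correct, but since this is the first mention of the term in the key-storage paragraph, consider introducing the standard abbreviation in the same line, e.g. "keys in hardware security modules (HSMs) or separate directories", so that the sentence immediately above ("Currently, keys can only be stored in the configured ``key-directory``") and any later HSM references share one recognizable term.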
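Review bot: (PATCH 2/3, hunk at line 5163) the added sentence is a comma splice and drops the RST markup used for the same option one line above; suggest "Note that no specific salt string is configured: ``named`` generates a salt of the configured ``salt-length`` for you." so that ``salt-length`` is marked up consistently with "The ``iterations``, ``optout`` and ``salt-length`` parts are optional" and the reader sees that the operator supplies only a length, not the salt value itself.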
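Review bot: (PATCH 3/3, hunk at line 5138) the surviving sentence "this specifies the maximum permissible TTL value, in seconds, for the zone" still reads as an enforced limit, which is exactly the misunderstanding the commit message says this change removes; since the value is only used to calculate key rollover timings, suggest "Like the ``max-zone-ttl`` zone option, this is the maximum TTL, in seconds, assumed for records in the zone; unlike the zone option it does not cap TTLs, it is used only to calculate key rollover timings." Making the non-enforcement explicit matters because, per the remaining context ("the old key needs to remain available until RRSIG ..."), a value set below the zone's real TTLs would make the computed retention period for the old key too short. Separately, the commit subject and body say "zone-max-ttl" while the option documented in the hunk is ``max-zone-ttl``; the message should use the real option name.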