diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c index dc5b536f4e..faa3115f31 100644 --- a/bin/rndc/rndc.c +++ b/bin/rndc/rndc.c @@ -111,6 +111,10 @@ command is one of the following:\n\ dnssec -status zone [class [view]]\n\ Show the DNSSEC signing state for the specified zone.\n\ Requires the zone to have a dnssec-policy.\n\ + dnssec -step zone [class [view]]\n\ + Run the key manager for a zone configured with a\n\ + dnssec-policy in manual mode, executing the operations that\n\ + had previously been blocked (if any).\n\ dnstap -reopen\n\ Close, truncate and re-open the DNSTAP output file.\n\ dnstap -roll [count]\n\ diff --git a/bin/rndc/rndc.rst b/bin/rndc/rndc.rst index 9f3e02c35d..c19fcfd410 100644 --- a/bin/rndc/rndc.rst +++ b/bin/rndc/rndc.rst 
@@ -185,6 +185,28 @@ Currently supported commands are: The following commands allow you to interact with the "dnssec-policy" of a given zone. + .. program:: rndc dnssec + .. option:: -checkds [-key id [-alg algorithm]] [-when time] (published | withdrawn) zone [class [view]] + + This command informs :iscman:`named` that the DS for a specified zone's + key-signing key (KSK) has been confirmed to be published in, or withdrawn + from, the parent zone. This is required in order to complete a KSK + rollover. The ``-key id`` and ``-alg algorithm`` arguments can be used to + specify a particular KSK, if necessary; if there is only one key acting + as a KSK for the zone, these arguments can be omitted. The time of + publication or withdrawal for the DS is set to the current time by + default, but can be overridden to a specific time with the argument + ``-when time``, where ``time`` is expressed in YYYYMMDDHHMMSS notation. + + .. program:: rndc dnssec + .. option:: -rollover -key id [-alg algorithm] [-when time] zone [class [view]] + + This command allows you to schedule key rollover for a specific key + (overriding the original key lifetime). The ``-key id`` and + ``-alg algorithm`` arguments specify which key to roll. The time to start + the rollover can be set with ``-when time``, where ``time`` is expressed in + YYYYMMDDHHMMSS. If not set the rollover will start immediately. + .. program:: rndc dnssec .. option:: -status [-v] zone [class [view]] 
@@ -202,28 +224,6 @@ Currently supported commands are: understand what will happen next and then, using ``rndc dnssec -step``, to inform :iscman:`named` to proceed to the next stage. - .. program:: rndc dnssec - .. option:: -rollover -key id [-alg algorithm] [-when time] zone [class [view]] - - This command allows you to schedule key rollover for a specific key - (overriding the original key lifetime). The ``-key id`` and - ``-alg algorithm`` arguments specify which key to roll. The time to start - the rollover can be set with ``-when time``, where ``time`` is expressed in - YYYYMMDDHHMMSS. If not set the rollover will start immediately. - - .. program:: rndc dnssec - .. option:: -checkds [-key id [-alg algorithm]] [-when time] (published | withdrawn) zone [class [view]] - - This command informs :iscman:`named` that the DS for a specified zone's - key-signing key (KSK) has been confirmed to be published in, or withdrawn - from, the parent zone. This is required in order to complete a KSK - rollover. The ``-key id`` and ``-alg algorithm`` arguments can be used to - specify a particular KSK, if necessary; if there is only one key acting - as a KSK for the zone, these arguments can be omitted. The time of - publication or withdrawal for the DS is set to the current time by - default, but can be overridden to a specific time with the argument - ``-when time``, where ``time`` is expressed in YYYYMMDDHHMMSS notation. - .. program:: rndc .. option:: dnstap (-reopen | -roll [number])
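Review bot: In the bin/rndc/rndc.c hunk, the new "dnssec -step" usage entry does not state its precondition as a requirement, unlike the "-status" entry just above it, which ends with "Requires the zone to have a dnssec-policy.". The text only implies that the zone must be in manual mode and does not say what an operator should expect when it is not. Suggest closing the entry with a matching sentence, for example "Requires the zone to have a dnssec-policy in manual mode.", so the help output is explicit before someone triggers key manager operations on a signed zone.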
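Review bot: In the bin/rndc/rndc.rst hunk at @@ -185,6 +185,28 @@, the two relocated entries describe the same "-when time" argument inconsistently: -checkds says "expressed in YYYYMMDDHHMMSS notation" while -rollover says only "expressed in YYYYMMDDHHMMSS", and neither says which time zone the value is interpreted in. Since both paragraphs are being moved anyway, align the wording and state the time zone, because a misread DS publication or withdrawal time feeds directly into KSK rollover timing. The last -rollover sentence also reads better as "If not set, the rollover starts immediately."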
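Review bot: The bin/rndc/rndc.rst hunk at @@ -202,28 +224,6 @@ removes exactly the -rollover and -checkds entries that the earlier rndc.rst hunk re-adds above -status, so the documentation change is a pure reordering bundled with the new "-step" usage text in rndc.c. Consider splitting the reorder into its own commit, with a message saying it changes no content, so the move can be verified as text-identical and the functional help-text change stays easy to find in history.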