upstream/knot-dns
1
0
Fork 0
mirror of https://gitlab.nic.cz/knot/knot-dns.git synced 2026-06-09 00:22:42 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

doc: shared KSK rollover

Browse source
This commit is contained in:
Libor Peltan 2017-04-26 11:05:55 +02:00 committed by Daniel Salzman
parent a0d2217983
commit c4667147da
3 changed files with 35 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
doc/configuration.rst
View file

@ -375,6 +375,26 @@ convenience delay the submittion is started. The server publishes CDS and CDNSKE
and the user shall propagate them to the parent. The server periodically checks for
DS at the master and when positive, finishes the rollover.
To share KSKs among zones, set the ksk-shared policy parameter. It is strongly discouraged to
change the policy ``id`` afterwards! The shared key's creation timestamp will be equal for all
zones, but other timers (e.g. activate, retire) may get out of sync. ::
policy:
- id: sharedp
ksk-lifetime: 365d
ksk-shared: true
ksk-submittion-check: [cz_zone]
zone:
- domain: firstzone.test
dnssec-signing: on
dnssec-policy: sharedp
zone:
- domain: secondzone.test
dnssec-signing: on
dnssec-policy: sharedp
.. _dnssec-manual-key-management:
Manual key management

6
doc/man/knot.conf.5in
View file

@ -511,6 +511,7 @@ policy:
algorithm: dsa | rsasha1 | dsa\-nsec3\-sha1 | rsasha1\-nsec3\-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384
ksk\-size: SIZE
zsk\-size: SIZE
ksk\-shared: BOOL
dnskey\-ttl: TIME
zsk\-lifetime: TIME
ksk\-lifetime: TIME
@ -570,6 +571,11 @@ A length of newly generated KSK keys.
A length of newly generated ZSK keys.
.sp
\fIDefault:\fP see default for \fI\%ksk\-size\fP
.SS ksk\-shared
.sp
If enabled, all zones with this policy assigned will share one KSK.
.sp
\fIDefault:\fP off
.SS dnskey\-ttl
.sp
A TTL value for DNSKEY records added into zone apex.

10
doc/reference.rst
View file

@ -571,6 +571,7 @@ DNSSEC policy configuration.
algorithm: dsa | rsasha1 | dsa-nsec3-sha1 | rsasha1-nsec3-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384
ksk-size: SIZE
zsk-size: SIZE
ksk-shared: BOOL
dnskey-ttl: TIME
zsk-lifetime: TIME
ksk-lifetime: TIME
@ -651,7 +652,14 @@ A length of newly generated :abbr:`ZSK (Zone Signing Key)` keys.
*Default:* see default for :ref:`ksk-size<policy_ksk-size>`
.. _policy_dnskey-ttl:
.. _policy_ksk-shared:
ksk-shared
----------
If enabled, all zones with this policy assigned will share one KSK.
*Default:* off
dnskey-ttl
----------