Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
BIND
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
637
Issues
637
List
Boards
Labels
Service Desk
Milestones
Merge Requests
104
Merge Requests
104
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Operations
Operations
Incidents
Environments
Packages & Registries
Packages & Registries
Container Registry
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
ISC Open Source Projects
BIND
Commits
2616416a
Commit
2616416a
authored
Jun 27, 2016
by
Mark Andrews
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
add missing <para>/<para> tags
parent
980c504b
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
94 additions
and
67 deletions
+94
-67
bin/python/dnssec-keymgr.docbook
bin/python/dnssec-keymgr.docbook
+94
-67
No files found.
bin/python/dnssec-keymgr.docbook
View file @
2616416a
...
...
@@ -60,11 +60,10 @@
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>dnssec-keymgr</command>
is a high level Python wrapper to facilitate the key rollover
process for zones handled by BIND. It uses the BIND commands
for manipulating DNSSEC key metadata:
<command>dnssec-keygen</command> and
<command>dnssec-keymgr</command> is a high level Python wrapper
to facilitate the key rollover process for zones handled by
BIND. It uses the BIND commands for manipulating DNSSEC key
metadata: <command>dnssec-keygen</command> and
<command>dnssec-settime</command>.
</para>
<para>
...
...
@@ -242,28 +241,34 @@
</para>
<itemizedlist>
<listitem>
<emphasis>Policy classes</emphasis>
(<option>policy <replaceable>name</replaceable> { ... };</option>)
can be inherited by zone policies or other policy classes; these
can be used to create sets of different security profiles. For
example, a policy class <userinput>normal</userinput> might specify
1024-bit key sizes, but a class <userinput>extra</userinput> might
specify 2048 bits instead; <userinput>extra</userinput> would be
used for zones that had unusually high security needs.
<para>
<emphasis>Policy classes</emphasis>
(<option>policy <replaceable>name</replaceable> { ... };</option>)
can be inherited by zone policies or other policy classes; these
can be used to create sets of different security profiles. For
example, a policy class <userinput>normal</userinput> might specify
1024-bit key sizes, but a class <userinput>extra</userinput> might
specify 2048 bits instead; <userinput>extra</userinput> would be
used for zones that had unusually high security needs.
</para>
</listitem>
<listitem>
Algorithm policies:
(<option>algorithm-policy <replaceable>algorithm</replaceable> { ... };</option> )
override default per-algorithm settings. For example, by default,
RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
can be modified using <command>algorithm-policy</command>, and the
new key sizes would then be used for any key of type RSASHA256.
<para>
Algorithm policies:
(<option>algorithm-policy <replaceable>algorithm</replaceable> { ... };</option> )
override default per-algorithm settings. For example, by default,
RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
can be modified using <command>algorithm-policy</command>, and the
new key sizes would then be used for any key of type RSASHA256.
</para>
</listitem>
<listitem>
Zone policies:
(<option>zone <replaceable>name</replaceable> { ... };</option> )
set policy for a single zone by name. A zone policy can inherit
a policy class by including a <option>policy</option> option.
<para>
Zone policies:
(<option>zone <replaceable>name</replaceable> { ... };</option> )
set policy for a single zone by name. A zone policy can inherit
a policy class by including a <option>policy</option> option.
</para>
</listitem>
</itemizedlist>
<para>
...
...
@@ -273,82 +278,100 @@
<varlistentry>
<term><command>algorithm</command></term>
<listitem>
The key algorithm. If no policy is defined, the default is
RSASHA256.
<para>
The key algorithm. If no policy is defined, the default is
RSASHA256.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>coverage</command></term>
<listitem>
The length of time to ensure that keys will be correct; no action
will be taken to create new keys to be activated after this time.
This can be represented as a number of seconds, or as a duration using
human-readable units (examples: "1y" or "6 months").
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies.
If no policy is configured, the default is six months.
<para>
The length of time to ensure that keys will be correct; no action
will be taken to create new keys to be activated after this time.
This can be represented as a number of seconds, or as a duration using
human-readable units (examples: "1y" or "6 months").
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies.
If no policy is configured, the default is six months.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>directory</command></term>
<listitem>
Specifies the directory in which keys should be stored.
<para>
Specifies the directory in which keys should be stored.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>key-size</command></term>
<listitem>
Specifies the number of bits to use in creating keys.
Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is 1024 bits for DSA keys and 2048 for
RSA.
<para>
Specifies the number of bits to use in creating keys.
Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is 1024 bits for DSA keys and 2048 for
RSA.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>keyttl</command></term>
<listitem>
The key TTL. If no policy is defined, the default is one hour.
<para>
The key TTL. If no policy is defined, the default is one hour.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>post-publish</command></term>
<listitem>
How long after inactivation a key should be deleted from the zone.
Note: If <option>roll-period</option> is not set, this value is
ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a
duration. A default value for this option can be set in algorithm
policies as well as in policy classes or zone policies. The default
is one month.
<para>
How long after inactivation a key should be deleted from the zone.
Note: If <option>roll-period</option> is not set, this value is
ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a
duration. A default value for this option can be set in algorithm
policies as well as in policy classes or zone policies. The default
is one month.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>pre-publish</command></term>
<listitem>
How long before activation a key should be published. Note: If
<option>roll-period</option> is not set, this value is ignored.
Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. The default is
one month.
<para>
How long before activation a key should be published. Note: If
<option>roll-period</option> is not set, this value is ignored.
Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. The default is
one month.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>roll-period</command></term>
<listitem>
How frequently keys should be rolled over.
Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is one year for ZSK's. KSK's do not
roll over by default.
<para>
How frequently keys should be rolled over.
Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is one year for ZSK's. KSK's do not
roll over by default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>standby</command></term>
<listitem>
Not yet implemented.
<para>
Not yet implemented.
</para>
</listitem>
</varlistentry>
</variablelist>
...
...
@@ -357,16 +380,20 @@
<refsection><info><title>REMAINING WORK</title></info>
<itemizedlist>
<listitem>
Enable scheduling of KSK rollovers using the <option>-P sync</option>
and <option>-D sync</option> options to
<command>dnssec-keygen</command> and
<command>dnssec-settime</command>. Check the parent zone
(as in <command>dnssec-checkds</command>) to determine when it's
safe for the key to roll.
<para>
Enable scheduling of KSK rollovers using the <option>-P sync</option>
and <option>-D sync</option> options to
<command>dnssec-keygen</command> and
<command>dnssec-settime</command>. Check the parent zone
(as in <command>dnssec-checkds</command>) to determine when it's
safe for the key to roll.
</para>
</listitem>
<listitem>
Allow configuration of standby keys and use of the REVOKE bit,
for keys that use RFC 5011 semantics.
<para>
Allow configuration of standby keys and use of the REVOKE bit,
for keys that use RFC 5011 semantics.
</para>
</listitem>
</itemizedlist>
</refsection>
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment