Commit 2616416a authored by Mark Andrews's avatar Mark Andrews

add missing <para>/<para> tags

parent 980c504b
......@@ -60,11 +60,10 @@
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>dnssec-keymgr</command>
is a high level Python wrapper to facilitate the key rollover
process for zones handled by BIND. It uses the BIND commands
for manipulating DNSSEC key metadata:
<command>dnssec-keygen</command> and
<command>dnssec-keymgr</command> is a high level Python wrapper
to facilitate the key rollover process for zones handled by
BIND. It uses the BIND commands for manipulating DNSSEC key
metadata: <command>dnssec-keygen</command> and
<command>dnssec-settime</command>.
</para>
<para>
......@@ -242,28 +241,34 @@
</para>
<itemizedlist>
<listitem>
<emphasis>Policy classes</emphasis>
(<option>policy <replaceable>name</replaceable> { ... };</option>)
can be inherited by zone policies or other policy classes; these
can be used to create sets of different security profiles. For
example, a policy class <userinput>normal</userinput> might specify
1024-bit key sizes, but a class <userinput>extra</userinput> might
specify 2048 bits instead; <userinput>extra</userinput> would be
used for zones that had unusually high security needs.
<para>
<emphasis>Policy classes</emphasis>
(<option>policy <replaceable>name</replaceable> { ... };</option>)
can be inherited by zone policies or other policy classes; these
can be used to create sets of different security profiles. For
example, a policy class <userinput>normal</userinput> might specify
1024-bit key sizes, but a class <userinput>extra</userinput> might
specify 2048 bits instead; <userinput>extra</userinput> would be
used for zones that had unusually high security needs.
</para>
</listitem>
<listitem>
Algorithm policies:
(<option>algorithm-policy <replaceable>algorithm</replaceable> { ... };</option> )
override default per-algorithm settings. For example, by default,
RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
can be modified using <command>algorithm-policy</command>, and the
new key sizes would then be used for any key of type RSASHA256.
<para>
Algorithm policies:
(<option>algorithm-policy <replaceable>algorithm</replaceable> { ... };</option> )
override default per-algorithm settings. For example, by default,
RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
can be modified using <command>algorithm-policy</command>, and the
new key sizes would then be used for any key of type RSASHA256.
</para>
</listitem>
<listitem>
Zone policies:
(<option>zone <replaceable>name</replaceable> { ... };</option> )
set policy for a single zone by name. A zone policy can inherit
a policy class by including a <option>policy</option> option.
<para>
Zone policies:
(<option>zone <replaceable>name</replaceable> { ... };</option> )
set policy for a single zone by name. A zone policy can inherit
a policy class by including a <option>policy</option> option.
</para>
</listitem>
</itemizedlist>
<para>
......@@ -273,82 +278,100 @@
<varlistentry>
<term><command>algorithm</command></term>
<listitem>
The key algorithm. If no policy is defined, the default is
RSASHA256.
<para>
The key algorithm. If no policy is defined, the default is
RSASHA256.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>coverage</command></term>
<listitem>
The length of time to ensure that keys will be correct; no action
will be taken to create new keys to be activated after this time.
This can be represented as a number of seconds, or as a duration using
human-readable units (examples: "1y" or "6 months").
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies.
If no policy is configured, the default is six months.
<para>
The length of time to ensure that keys will be correct; no action
will be taken to create new keys to be activated after this time.
This can be represented as a number of seconds, or as a duration using
human-readable units (examples: "1y" or "6 months").
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies.
If no policy is configured, the default is six months.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>directory</command></term>
<listitem>
Specifies the directory in which keys should be stored.
<para>
Specifies the directory in which keys should be stored.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>key-size</command></term>
<listitem>
Specifies the number of bits to use in creating keys.
Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is 1024 bits for DSA keys and 2048 for
RSA.
<para>
Specifies the number of bits to use in creating keys.
Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is 1024 bits for DSA keys and 2048 for
RSA.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>keyttl</command></term>
<listitem>
The key TTL. If no policy is defined, the default is one hour.
<para>
The key TTL. If no policy is defined, the default is one hour.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>post-publish</command></term>
<listitem>
How long after inactivation a key should be deleted from the zone.
Note: If <option>roll-period</option> is not set, this value is
ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a
duration. A default value for this option can be set in algorithm
policies as well as in policy classes or zone policies. The default
is one month.
<para>
How long after inactivation a key should be deleted from the zone.
Note: If <option>roll-period</option> is not set, this value is
ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a
duration. A default value for this option can be set in algorithm
policies as well as in policy classes or zone policies. The default
is one month.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>pre-publish</command></term>
<listitem>
How long before activation a key should be published. Note: If
<option>roll-period</option> is not set, this value is ignored.
Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. The default is
one month.
<para>
How long before activation a key should be published. Note: If
<option>roll-period</option> is not set, this value is ignored.
Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. The default is
one month.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>roll-period</command></term>
<listitem>
How frequently keys should be rolled over.
Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is one year for ZSK's. KSK's do not
roll over by default.
<para>
How frequently keys should be rolled over.
Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is one year for ZSK's. KSK's do not
roll over by default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>standby</command></term>
<listitem>
Not yet implemented.
<para>
Not yet implemented.
</para>
</listitem>
</varlistentry>
</variablelist>
......@@ -357,16 +380,20 @@
<refsection><info><title>REMAINING WORK</title></info>
<itemizedlist>
<listitem>
Enable scheduling of KSK rollovers using the <option>-P sync</option>
and <option>-D sync</option> options to
<command>dnssec-keygen</command> and
<command>dnssec-settime</command>. Check the parent zone
(as in <command>dnssec-checkds</command>) to determine when it's
safe for the key to roll.
<para>
Enable scheduling of KSK rollovers using the <option>-P sync</option>
and <option>-D sync</option> options to
<command>dnssec-keygen</command> and
<command>dnssec-settime</command>. Check the parent zone
(as in <command>dnssec-checkds</command>) to determine when it's
safe for the key to roll.
</para>
</listitem>
<listitem>
Allow configuration of standby keys and use of the REVOKE bit,
for keys that use RFC 5011 semantics.
<para>
Allow configuration of standby keys and use of the REVOKE bit,
for keys that use RFC 5011 semantics.
</para>
</listitem>
</itemizedlist>
</refsection>
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment