Commit 3853b3cf authored by Evan Hunt's avatar Evan Hunt

update documentation

- change references to trusted-keys to dnssec-keys with static-key
- rebuild doc/misc/options and other generated grammar doc
- add a "see MANAGED-KEYS" note when building named.conf.docbook
parent d07053c8
......@@ -218,14 +218,17 @@
</para>
<para>
Note: When reading the trust anchor file,
<command>delv</command> treats <option>managed-keys</option>
statements and <option>trusted-keys</option> statements
identically. That is, for a managed key, it is the
<emphasis>initial</emphasis> key that is trusted; RFC 5011
key management is not supported. <command>delv</command>
will not consult the managed-keys database maintained by
<command>named</command>. This means that if either of the
keys in <filename>/etc/bind.keys</filename> is revoked
<command>delv</command> treats <option>dnssec-keys</option>
<option>initial-key</option> and <option>static-key</option>
entries identically. That is, even if a key is configured
with <command>initial-key</command>, indicating that it is
meant to be used only as an initializing key for RFC 5011
key maintenance, it is still treated by <command>delv</command>
as if it had been configured as a <command>static-key</command>.
<command>delv</command> does not consult the managed keys
database maintained by <command>named</command>. This means
that if either of the keys in
<filename>/etc/bind.keys</filename> is revoked
and rolled over, it will be necessary to update
<filename>/etc/bind.keys</filename> to use DNSSEC
validation in <command>delv</command>.
......
......@@ -13,7 +13,7 @@
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
<info>
<date>2018-12-07</date>
<date>2019-05-10</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
......@@ -80,14 +80,12 @@
</refsection>
<refsection><info><title>ACL</title></info>
<literallayout class="normal">
acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... };
</literallayout>
</refsection>
<refsection><info><title>CONTROLS</title></info>
<literallayout class="normal">
controls {
inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> |
......@@ -104,7 +102,6 @@ controls {
</refsection>
<refsection><info><title>DLZ</title></info>
<literallayout class="normal">
dlz <replaceable>string</replaceable> {
database <replaceable>string</replaceable>;
......@@ -113,8 +110,15 @@ dlz <replaceable>string</replaceable> {
</literallayout>
</refsection>
<refsection><info><title>DYNDB</title></info>
<refsection><info><title>DNSSEC-KEYS</title></info>
<literallayout class="normal">
dnssec-keys { <replaceable>string</replaceable> ( static-key |
initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</literallayout>
</refsection>
<refsection><info><title>DYNDB</title></info>
<literallayout class="normal">
dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> {
<replaceable>unspecified-text</replaceable> };
......@@ -122,7 +126,6 @@ dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable>
</refsection>
<refsection><info><title>KEY</title></info>
<literallayout class="normal">
key <replaceable>string</replaceable> {
algorithm <replaceable>string</replaceable>;
......@@ -132,7 +135,6 @@ key <replaceable>string</replaceable> {
</refsection>
<refsection><info><title>LOGGING</title></info>
<literallayout class="normal">
logging {
category <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
......@@ -154,15 +156,15 @@ logging {
<refsection><info><title>MANAGED-KEYS</title></info>
<para>See DNSSEC-KEYS.</para>
<literallayout class="normal">
managed-keys { <replaceable>string</replaceable> <replaceable>string</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
managed-keys { <replaceable>string</replaceable> ( static-key |
initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</literallayout>
</refsection>
<refsection><info><title>MASTERS</title></info>
<literallayout class="normal">
masters <replaceable>string</replaceable> [ port <replaceable>integer</replaceable> ] [ dscp
<replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [
......@@ -172,7 +174,6 @@ masters <replaceable>string</replaceable> [ port <replaceable>integer</replaceab
</refsection>
<refsection><info><title>OPTIONS</title></info>
<literallayout class="normal">
options {
allow-new-zones <replaceable>boolean</replaceable>;
......@@ -251,7 +252,6 @@ options {
dnsrps-options { <replaceable>unspecified-text</replaceable> };
dnssec-accept-expired <replaceable>boolean</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-enable <replaceable>boolean</replaceable>;
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor
<replaceable>string</replaceable> | auto | no );
......@@ -403,11 +403,12 @@ options {
resolver-retry-interval <replaceable>integer</replaceable>;
response-padding { <replaceable>address_match_element</replaceable>; ... } block-size
<replaceable>integer</replaceable>;
response-policy { zone <replaceable>string</replaceable> [ log <replaceable>boolean</replaceable> ] [ max-policy-ttl
<replaceable>ttlval</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [ policy ( cname |
disabled | drop | given | no-op | nodata | nxdomain | passthru
| tcp-only <replaceable>quoted_string</replaceable> ) ] [ recursive-only <replaceable>boolean</replaceable> ] [
nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ]; ... } [
response-policy { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
<replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [ min-update-interval
<replaceable>ttlval</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [
min-update-interval <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [
nsip-wait-recurse <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ]
......@@ -474,7 +475,6 @@ options {
</refsection>
<refsection><info><title>PLUGIN</title></info>
<literallayout class="normal">
plugin ( query ) <replaceable>string</replaceable> [ { <replaceable>unspecified-text</replaceable>
} ];
......@@ -482,7 +482,6 @@ plugin ( query ) <replaceable>string</replaceable> [ { <replaceable>unspecified-
</refsection>
<refsection><info><title>SERVER</title></info>
<literallayout class="normal">
server <replaceable>netprefix</replaceable> {
bogus <replaceable>boolean</replaceable>;
......@@ -520,7 +519,6 @@ server <replaceable>netprefix</replaceable> {
</refsection>
<refsection><info><title>STATISTICS-CHANNELS</title></info>
<literallayout class="normal">
statistics-channels {
inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> |
......@@ -532,15 +530,15 @@ statistics-channels {
</refsection>
<refsection><info><title>TRUSTED-KEYS</title></info>
<para>Deprecated - see DNSSEC-KEYS.</para>
<literallayout class="normal">
trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };, deprecated
</literallayout>
</refsection>
<refsection><info><title>VIEW</title></info>
<literallayout class="normal">
view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
allow-new-zones <replaceable>boolean</replaceable>;
......@@ -612,7 +610,9 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
dnsrps-options { <replaceable>unspecified-text</replaceable> };
dnssec-accept-expired <replaceable>boolean</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-enable <replaceable>boolean</replaceable>;
dnssec-keys { <replaceable>string</replaceable> ( static-key |
initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor
<replaceable>string</replaceable> | auto | no );
......@@ -650,9 +650,9 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
key-directory <replaceable>quoted_string</replaceable>;
lame-ttl <replaceable>ttlval</replaceable>;
lmdb-mapsize <replaceable>sizeval</replaceable>;
managed-keys { <replaceable>string</replaceable> <replaceable>string</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
managed-keys { <replaceable>string</replaceable> ( static-key |
initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
masterfile-format ( map | raw | text );
masterfile-style ( full | relative );
match-clients { <replaceable>address_match_element</replaceable>; ... };
......@@ -735,11 +735,12 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
resolver-retry-interval <replaceable>integer</replaceable>;
response-padding { <replaceable>address_match_element</replaceable>; ... } block-size
<replaceable>integer</replaceable>;
response-policy { zone <replaceable>string</replaceable> [ log <replaceable>boolean</replaceable> ] [ max-policy-ttl
<replaceable>ttlval</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [ policy ( cname |
disabled | drop | given | no-op | nodata | nxdomain | passthru
| tcp-only <replaceable>quoted_string</replaceable> ) ] [ recursive-only <replaceable>boolean</replaceable> ] [
nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ]; ... } [
response-policy { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
<replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [ min-update-interval
<replaceable>ttlval</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [
min-update-interval <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [
nsip-wait-recurse <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ]
......@@ -801,9 +802,10 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
] [ dscp <replaceable>integer</replaceable> ];
trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>;
... };
trusted-keys { <replaceable>string</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };, deprecated
try-tcp-refresh <replaceable>boolean</replaceable>;
update-check-ksk <replaceable>boolean</replaceable>;
use-alt-transfer-source <replaceable>boolean</replaceable>;
......@@ -915,7 +917,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
</refsection>
<refsection><info><title>ZONE</title></info>
<literallayout class="normal">
zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
allow-notify { <replaceable>address_match_element</replaceable>; ... };
......
......@@ -458,7 +458,7 @@
<term><userinput>managed-keys <replaceable>(status | refresh | sync | destroy)</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
<listitem>
<para>
Inspect and control the "managed-keys" database which
Inspect and control the "managed keys" database which
handles RFC 5011 DNSSEC trust anchor maintenance. If a view
is specified, these commands are applied to that view;
otherwise they are applied to all views.
......@@ -467,14 +467,14 @@
<listitem>
<para>
When run with the <literal>status</literal> keyword, prints
the current status of the managed-keys database.
the current status of the managed keys database.
</para>
</listitem>
<listitem>
<para>
When run with the <literal>refresh</literal> keyword,
forces an immediate refresh query to be sent for all
the managed keys, updating the managed-keys database
the managed keys, updating the managed keys database
if any new keys are found, without waiting the normal
refresh interval.
</para>
......@@ -482,7 +482,7 @@
<listitem>
<para>
When run with the <literal>sync</literal> keyword, forces an
immediate dump of the managed-keys database to disk
immediate dump of the managed keys database to disk
(in the file <filename>managed-keys.bind</filename> or
(<filename><replaceable>viewname</replaceable>.mkeys</filename>).
This synchronizes the database with its journal file, so
......@@ -493,7 +493,7 @@
<listitem>
<para>
When run with the <literal>destroy</literal> keyword, the
managed-keys database is shut down and deleted, and all key
managed keys database is shut down and deleted, and all key
maintenance is terminated. This command should be used only
with extreme caution.
</para>
......@@ -772,9 +772,10 @@
<listitem>
<para>
Dump the security roots (i.e., trust anchors
configured via <command>trusted-keys</command>,
<command>managed-keys</command>, or
<command>dnssec-validation auto</command>) and negative trust
configured via <command>dnssec-keys</command> statements,
or the synonymous <command>managed-keys</command> or
the deprecated <command>trusted-keys</command> statements, or
via <command>dnssec-validation auto</command>) and negative trust
anchors for the specified views. If no view is specified, all
views are dumped. Security roots will indicate whether
they are configured as trusted keys, managed keys, or
......
......@@ -259,8 +259,8 @@ key "non-viewkey" { secret "YWFh" ; algorithm "zzz" ; };
view "test-view" in {
key "viewkey" { algorithm "xxx" ; secret "eXl5" ; };
also-notify { 10.2.2.3; };
trusted-keys {
foo.com. 4 3 2 "abdefghijklmnopqrstuvwxyz";
managed-keys {
foo.com. static 4 3 2 "abdefghijklmnopqrstuvwxyz";
};
sig-validity-interval 45;
max-cache-size 100000;
......@@ -342,8 +342,8 @@ zone "." {
// pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};
trusted-keys {
"." 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
managed-keys {
"." static 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};
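Review bot: The rewritten entries use the bare keyword `static` (`foo.com. static 4 3 2 ...` and `"." static 257 255 1 ...`), while the grammar this same commit documents for managed-keys/dnssec-keys is `( static-key | initial-key )`; unless the parser accepts `static` as an alias, which nothing in this commit shows, this config would fail to parse. Suggest `foo.com. static-key 4 3 2 "abdefghijklmnopqrstuvwxyz";` and `"." static-key 257 255 1 "AQP2fHpZ...";` so the test config matches the documented syntax. Both enclosing blocks (`view "test-view"` and the top-level statement around `zone "."`) begin outside the hunks.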
......
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Generated by doc/misc/docbook-options.pl -->
<programlisting>
<command>dnssec-keys</command> { <replaceable>string</replaceable> ( static-key |
<command>initial-key</command> ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</programlisting>
......@@ -132,10 +132,14 @@ $ <userinput>make</userinput>
parameters. By default the path to this configuration file is
<filename>/etc/dns.conf</filename>. This module is very experimental
and the configuration syntax or library interfaces may change in
future versions. Currently, only the <command>trusted-keys</command>
statement is supported, whose syntax is the same as the same
statement in <filename>named.conf</filename>. (See
<xref linkend="trusted-keys"/> for details.)
future versions. Currently, only static key configuration is supported.
<command>managed-keys</command> and <command>trusted-keys</command>
statements are parsed exactly as they are in
<filename>named.conf</filename>, except that all
<command>managed-keys</command> entries will be treated as
if they were configured with the <command>static-key</command>
keyword, even if they are configured with <command>initial-key</command>.
(See <xref linkend="managed-keys"/> for syntax details.)
</para>
</section>
<section>
......
......@@ -12,6 +12,7 @@
<!-- Generated by doc/misc/docbook-options.pl -->
<programlisting>
<command>managed-keys</command> { <replaceable>string</replaceable> <replaceable>string</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
<command>managed-keys</command> { <replaceable>string</replaceable> ( static-key |
<command>initial-key</command> ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</programlisting>
......@@ -24,11 +24,10 @@
<!-- TODO: command tag is overloaded for configuration and executables -->
<para>To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
<command>managed-keys</command> statement. Information about
<command>dnssec-keys</command> statement and the
<command>initial-key</command> keyword. Information about
this can be found in
<xref linkend="managed-keys"/>.</para>
<!-- TODO: managed-keys examples
also in DNSSEC section above here in ARM -->
<xref linkend="dnssec-keys"/>.</para>
</section>
<section><info><title>Authoritative Server</title></info>
......
......@@ -89,7 +89,6 @@
<command>dnsrps-options</command> { <replaceable>unspecified-text</replaceable> };
<command>dnssec-accept-expired</command> <replaceable>boolean</replaceable>;
<command>dnssec-dnskey-kskonly</command> <replaceable>boolean</replaceable>;
<command>dnssec-enable</command> <replaceable>boolean</replaceable>;
<command>dnssec-loadkeys-interval</command> <replaceable>integer</replaceable>;
<command>dnssec-lookaside</command> ( <replaceable>string</replaceable> trust-anchor
<replaceable>string</replaceable> | auto | no );
......@@ -241,11 +240,12 @@
<command>resolver-retry-interval</command> <replaceable>integer</replaceable>;
<command>response-padding</command> { <replaceable>address_match_element</replaceable>; ... } block-size
<replaceable>integer</replaceable>;
<command>response-policy</command> { zone <replaceable>string</replaceable> [ log <replaceable>boolean</replaceable> ] [ max-policy-ttl
<replaceable>ttlval</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [ policy ( cname |
<command>disabled</command> | drop | given | no-op | nodata | nxdomain | passthru
| tcp-only <replaceable>quoted_string</replaceable> ) ] [ recursive-only <replaceable>boolean</replaceable> ] [
<command>nsip-enable</command> <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ]; ... } [
<command>response-policy</command> { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
<replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [ min-update-interval
<replaceable>ttlval</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
<command>nodata</command> | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
<command>recursive-only</command> <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
<command>nsdname-enable</command> <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
<command>break-dnssec</command> <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [
<command>min-update-interval</command> <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [
<command>nsip-wait-recurse</command> <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ]
......
......@@ -12,6 +12,7 @@
<!-- Generated by doc/misc/docbook-options.pl -->
<programlisting>
<command>trusted-keys</command> { <replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
<command>trusted-keys</command> { <replaceable>string</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };, deprecated
</programlisting>
......@@ -71,5 +71,6 @@ docbook: options
${PERL} docbook-grammars.pl options options > ${top_srcdir}/doc/arm/options.grammar.xml
${PERL} docbook-grammars.pl options server > ${top_srcdir}/doc/arm/server.grammar.xml
${PERL} docbook-grammars.pl options statistics-channels > ${top_srcdir}/doc/arm/statistics-channels.grammar.xml
${PERL} docbook-grammars.pl options trusted-keys > ${top_srcdir}/doc/arm/trusted-keys.grammar.xml
${PERL} docbook-grammars.pl options dnssec-keys > ${top_srcdir}/doc/arm/dnssec-keys.grammar.xml
${PERL} docbook-grammars.pl options managed-keys > ${top_srcdir}/doc/arm/managed-keys.grammar.xml
${PERL} docbook-grammars.pl options trusted-keys > ${top_srcdir}/doc/arm/trusted-keys.grammar.xml
......@@ -128,8 +128,9 @@ while (<FH>) {
s{ // not configured}{};
s{ // non-operational}{};
s{ // may occur multiple times}{};
s{ (// )*may occur multiple times}{};
s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g;
s{ // deprecated,*}{// deprecated};
s{[[]}{[}g;
s{[]]}{]}g;
s{ }{\t}g;
......@@ -137,10 +138,24 @@ while (<FH>) {
my $HEADING = uc $1;
print <<END;
<refsection><info><title>$HEADING</title></info>
END
if ($1 eq "trusted-keys") {
print <<END;
<para>Deprecated - see DNSSEC-KEYS.</para>
END
}
if ($1 eq "managed-keys") {
print <<END;
<para>See DNSSEC-KEYS.</para>
END
}
print <<END;
<literallayout class="normal">
END
}
}
if (m{^\s*$} && !$blank) {
$blank = 1;
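Review bot: The added rule `s{ // deprecated,*}{// deprecated};` only handles the case where `// deprecated` comes first, but the trusted-keys lines in the options input end with `// may occur multiple times, deprecated`, so the preceding rule strips the first annotation and leaves a dangling `, deprecated`; the regenerated named.conf.docbook in this commit shows exactly that artifact (`... };, deprecated` in the TRUSTED-KEYS section and the view grammar). Inserting `s{ // may occur multiple times, deprecated}{ // deprecated};` directly before the `(// )*may occur multiple times` rule normalises that ordering so the existing rule then prints `// deprecated`. The trusted-keys.grammar.xml output from docbook-grammars.pl shows the same `};, deprecated` residue, so that script presumably needs the matching change, though it is not in this commit. The commit description says the script adds a "see MANAGED-KEYS" note, whereas the heredocs print `See DNSSEC-KEYS.` and `Deprecated - see DNSSEC-KEYS.`; the description should be brought in line. The enclosing `while (<FH>)` loop begins and ends outside the hunks.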
......
......@@ -21,6 +21,10 @@ dlz <string> {
search <boolean>;
}; // may occur multiple times
dnssec-keys { <string> ( static-key |
initial-key ) <integer> <integer> <integer>
<quoted_string>; ... }; // may occur multiple times
dyndb <string> <quoted_string> {
<unspecified-text> }; // may occur multiple times
......@@ -47,8 +51,9 @@ logging {
lwres { <unspecified-text> }; // obsolete, may occur multiple times
managed-keys { <string> <string> <integer>
<integer> <integer> <quoted_string>; ... }; // may occur multiple times
managed-keys { <string> ( static-key |
initial-key ) <integer> <integer> <integer>
<quoted_string>; ... }; // may occur multiple times
masters <string> [ port <integer> ] [ dscp
<integer> ] { ( <masters> | <ipv4_address> [
......@@ -207,7 +212,7 @@ options {
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
lmdb-mapsize <sizeval>; // non-operational
lmdb-mapsize <sizeval>;
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // ancient
managed-keys-directory <quoted_string>;
......@@ -434,8 +439,9 @@ statistics-channels {
} ]; // may occur multiple times
}; // may occur multiple times
trusted-keys { <string> <integer> <integer>
<integer> <quoted_string>; ... }; // may occur multiple times
trusted-keys { <string> <integer>
<integer> <integer>
<quoted_string>; ... }; // may occur multiple times, deprecated
view <string> [ <class> ] {
acache-cleaning-interval <integer>; // obsolete
......@@ -513,6 +519,9 @@ view <string> [ <class> ] {
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
dnssec-enable <boolean>; // obsolete
dnssec-keys { <string> ( static-key |
initial-key ) <integer> <integer>
<integer> <quoted_string>; ... }; // may occur multiple times
dnssec-loadkeys-interval <integer>;
dnssec-lookaside ( <string> trust-anchor
<string> | auto | no ); // may occur multiple times
......@@ -553,11 +562,11 @@ view <string> [ <class> ] {
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
lmdb-mapsize <sizeval>; // non-operational
lmdb-mapsize <sizeval>;
maintain-ixfr-base <boolean>; // ancient
managed-keys { <string> <string>
<integer> <integer> <integer>
<quoted_string>; ... }; // may occur multiple times
managed-keys { <string> ( static-key |
initial-key ) <integer> <integer>
<integer> <quoted_string>; ... }; // may occur multiple times
masterfile-format ( map | raw | text );
masterfile-style ( full | relative );
match-clients { <address_match_element>; ... };
......@@ -720,9 +729,10 @@ view <string> [ <class> ] {
transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
] [ dscp <integer> ];
trust-anchor-telemetry <boolean>; // experimental
trusted-keys { <string> <integer>
<integer> <integer> <quoted_string>;
... }; // may occur multiple times
trusted-keys { <string>
<integer> <integer>
<integer>
<quoted_string>; ... }; // may occur multiple times, deprecated
try-tcp-refresh <boolean>;
update-check-ksk <boolean>;
use-alt-transfer-source <boolean>;
......
......@@ -4365,10 +4365,10 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
/*
* Walk the zone DB. If we find any keys whose names are no longer
* in managed-keys (or *are* in trusted-keys, meaning they are
* permanent and not RFC5011-maintained), delete them from the
* zone. Otherwise call load_secroots(), which loads keys into
* secroots as appropriate.
* in managed-keys as initial-keys (or which are now configured as
* static keys, meaning they are permanent and not RFC5011-maintained),
* delete them from the zone. Otherwise call load_secroots(), which
* loads keys into secroots as appropriate.
*/
dns_rriterator_init(&rrit, db, ver, 0);
for (result = dns_rriterator_first(&rrit);
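Review bot: The rewritten comment still names the statement `managed-keys` only, while the documentation updated in this same commit presents `dnssec-keys` as the primary statement and `managed-keys` as a synonym, so a reader coming from the docs will not find the term here. Suggest changing the first rewritten line to `* in dnssec-keys (or its synonym managed-keys) as initial-keys (or which are now` and leaving the rest of the comment as is. The body of sync_keyzone begins and ends outside the hunk.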
......
......@@ -1427,6 +1427,7 @@
./doc/arm/controls.grammar.xml SGML 2018,2019
./doc/arm/delegation-only.zoneopt.xml SGML 2018,2019
./doc/arm/dlz.xml SGML 2012,2013,2014,2015,2016,2018,2019
./doc/arm/dnssec-keys.grammar.xml SGML 2019
./doc/arm/dnssec.xml SGML 2010,2011,2015,2016,2017,2018,2019
./doc/arm/dyndb.xml SGML 2015,2016,2018,2019
./doc/arm/forward.zoneopt.xml SGML 2018,2019
......