Include ZSK's when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in zone file mode.
Include ZSKs when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in zone file mode.
@@ -65,7 +65,7 @@ Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the
.RS 4
Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. Elliptic curve algorithms don't need this parameter.
.sp
The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with
The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSKs) and 2048 bits for key signing keys (KSKs, generated with
\fB\-f KSK\fR). However, if an algorithm is explicitly specified with the
\fB\-a\fR, then there is no default key size, and the
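Review bot: the trailing context line `\fB\-a\fR, then there is no default key size` is missing the noun after the flag, the same omission this series fixes for `nta-lifetime` in the later hunk; while touching this paragraph, change it to `\fB\-a\fR option, then there is no default key size` so the sentence reads "specified with the -a option". The ZSK's/KSK's to ZSKs/KSKs change on the replaced line is correct, since these are plurals, not possessives.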
@@ -337,13 +337,14 @@ to be effective. It defaults to enabled.
Sets a DNSSEC negative trust anchor (NTA) for
\fBdomain\fR, with a lifetime of
\fBlifetime\fR. The default lifetime is configured in
<file>named.conf</file>
\fInamed.conf\fR
via the
\fBnta\-lifetime\fR, and defaults to one hour. The lifetime cannot exceed one week.
\fBnta\-lifetime\fR
option, and defaults to one hour. The lifetime cannot exceed one week.
.sp
A negative trust anchor selectively disables DNSSEC validation for zones that known to be failing because of misconfiguration rather than an attack. When data to be validated is at or below an active NTA (and above any other configured trust anchors),
A negative trust anchor selectively disables DNSSEC validation for zones that are known to be failing because of misconfiguration rather than an attack. When data to be validated is at or below an active NTA (and above any other configured trust anchors),
\fBnamed\fR
will abort the DNSSEC validation process and treat the data as insecure rather than bogus. This continues until the NTA's lifetime is elapsed, or until the server is restarted (NTA's do not persist across restarts).
will abort the DNSSEC validation process and treat the data as insecure rather than bogus. This continues until the NTA's lifetime is elapsed, or until the server is restarted (NTAs do not persist across restarts).
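Review bot: the last replaced line still says "until the NTA's lifetime is elapsed", which should be "has elapsed"; since the hunk already rewrites that line for the NTAs plural fix, fold the verb correction in: `This continues until the NTA's lifetime has elapsed, or until the server is restarted (NTAs do not persist across restarts).` Note that "NTA's lifetime" on that line is a singular possessive and is correctly left alone. The other changes in this hunk are right: the stray DocBook `<file>` tag is replaced with the roff italic `\fInamed.conf\fR` that man pages use for file names, the word "option" is added after `\fBnta\-lifetime\fR` so the sentence parses, and "zones that are known to be failing" fixes the missing verb.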