Commit 86f22149 authored by Mark Andrews

alphabetize

parent 48bf87ba
<!--
- Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
......@@ -59,10 +59,10 @@
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>dnssec-keymgr</command>
is a high level Python wrapper to facilitate the key rollover
is a high level Python wrapper to facilitate the key rollover
process for zones handled by BIND. It uses the BIND commands
for manipulating DNSSEC key metadata:
<command>dnssec-keygen</command> and
<command>dnssec-keygen</command> and
<command>dnssec-settime</command>.
</para>
<para>
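Review bot: the removed and added lines in this hunk are textually identical ("is a high level Python wrapper to facilitate the key rollover" and "<command>dnssec-keygen</command> and"), so the only difference is indentation; a whitespace cleanup folded into a commit titled "alphabetize" hides the real reorder in the later hunks and is better split out, or at least mentioned in the commit message. While these lines are being touched, "high level" used as a modifier should read "high-level Python wrapper".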
......@@ -80,14 +80,14 @@
DNSSEC policy (for example, because the policy has been changed),
they are automatically corrected.
</para>
</para>
<para>
A zone policy can specify a duration for which we want to
ensure the key correctness (<option>coverage</option>). It can
also specify a rollover period (<option>roll-period</option>).
If policy indicates that a key should roll over before the
coverage period ends, then a successor key will automatically be
created and added to the end of the key series.
<para>
</para>
<para>
If zones are specified on the command line,
<command>dnssec-keymgr</command> will examine only those zones.
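Review bot: replacing the stray "<para>" with "</para>" after "created and added to the end of the key series." corrects an unbalanced element in the old text (an opening tag where the close was required), which would break the DocBook build of this page; that is a correctness fix rather than alphabetizing and should be called out in the commit message so it is not lost in the reorder. The "</para>" pair just above it is again indentation-only.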
......@@ -103,22 +103,12 @@
</para>
<para>
It is expected that this tool will be run automatically and
unattended (for example, by <command>cron</command>).
unattended (for example, by <command>cron</command>).
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which keys can be found. Defaults to the
current working directory.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">file</replaceable></term>
<listitem>
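Review bot: the "-K <replaceable class="parameter">directory</replaceable>" entry deleted here reappears verbatim between "-g" and "-k" later in the patch, so no documentation is dropped; the resulting order (-g, -K, -k, -q, -s, -z) sorts case-insensitively with the upper-case letter placed first, and stating that rule in the commit message would help the next editor keep it.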
......@@ -149,39 +139,42 @@
</varlistentry>
<varlistentry>
<term>-q</term>
<term>-g <replaceable class="parameter">keygen path</replaceable></term>
<listitem>
<para>
Quiet: suppress printing of <command>dnssec-keygen</command>
and <command>dnssec-settime</command>.
Specifies a path to a <command>dnssec-keygen</command> binary.
Used for testing.
See also the <option>-s</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Only apply policies to KSK keys.
Sets the directory in which keys can be found. Defaults to the
current working directory.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<term>-k</term>
<listitem>
<para>
Only apply policies to ZSK keys.
Only apply policies to KSK keys.
See also the <option>-z</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g <replaceable class="parameter">keygen path</replaceable></term>
<term>-q</term>
<listitem>
<para>
Specifies a path to a <command>dnssec-keygen</command> binary.
Used for testing.
Quiet: suppress printing of <command>dnssec-keygen</command>
and <command>dnssec-settime</command>.
</para>
</listitem>
</varlistentry>
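Review bot: the cross-references added here are symmetric (-g points to -s, -k to -z) and each moved entry keeps its original wording, but the -k text ("Only apply policies to KSK keys.") still does not say what happens when both -k and -z are given; if they are mutually exclusive, or if the last one given wins, a sentence to that effect belongs in this entry and its -z counterpart.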
......@@ -192,6 +185,17 @@
<para>
Specifies a path to a <command>dnssec-settime</command> binary.
Used for testing.
See also the <option>-g</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Only apply policies to ZSK keys.
See also the <option>-k</option> option.
</para>
</listitem>
</varlistentry>
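Review bot: "-s" (like "-g") is documented only as "Specifies a path to a <command>dnssec-settime</command> binary. Used for testing." with no statement of which binary runs when the option is absent; the added "See also" lines link the pair, but an operator auditing which dnssec-settime and dnssec-keygen executables a cron-driven run invokes needs that default spelled out, so consider adding it to both entries while they are being edited.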
......@@ -233,79 +237,79 @@
Options that can be specified in policies:
</para>
<variablelist>
<varlistentry>
<term><command>directory</command></term>
<listitem>
Specifies the directory in which keys should be stored.
</listitem>
</varlistentry>
<varlistentry>
<term><command>algorithm</command></term>
<listitem>
The key algorithm. If no policy is defined, the default is
RSASHA256.
</listitem>
</varlistentry>
<varlistentry>
<term><command>keyttl</command></term>
<listitem>
The key TTL. If no policy is defined, the default is one hour.
RSASHA256.
</listitem>
</varlistentry>
<varlistentry>
<term><command>coverage</command></term>
<listitem>
The length of time to ensure that keys will be correct; no action
will be taken to create new keys to be activated after this time.
This can be represented as a number of seconds, or as a duration using
will be taken to create new keys to be activated after this time.
This can be represented as a number of seconds, or as a duration using
human-readable units (examples: "1y" or "6 months").
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies.
If no policy is configured, the default is six months.
If no policy is configured, the default is six months.
</listitem>
</varlistentry>
<varlistentry>
<term><command>directory</command></term>
<listitem>
Specifies the directory in which keys should be stored.
</listitem>
</varlistentry>
<varlistentry>
<term><command>key-size</command></term>
<listitem>
Specifies the number of bits to use in creating keys.
Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is 1024 bits for DSA keys and 2048 for
RSA.
configured, the default is 1024 bits for DSA keys and 2048 for
RSA.
</listitem>
</varlistentry>
<varlistentry>
<term><command>roll-period</command></term>
<term><command>keyttl</command></term>
<listitem>
How frequently keys should be rolled over.
Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is one year for ZSK's. KSK's do not
roll over by default.
The key TTL. If no policy is defined, the default is one hour.
</listitem>
</varlistentry>
<varlistentry>
<term><command>post-publish</command></term>
<listitem>
How long after inactivation a key should be deleted from the zone.
Note: If <option>roll-period</option> is not set, this value is
ignored. Takes two arguments: keytype (eihter "zsk" or "ksk") and a
duration. A default value for this option can be set in algorithm
policies as well as in policy classes or zone policies. The default
is one month.
</listitem>
</varlistentry>
<varlistentry>
<term><command>pre-publish</command></term>
<listitem>
How long before activation a key should be published. Note: If
<option>roll-period</option> is not set, this value is ignored.
Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
<option>roll-period</option> is not set, this value is ignored.
Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. The default is
one month.
one month.
</listitem>
</varlistentry>
<varlistentry>
<term><command>post-publish</command></term>
<term><command>roll-period</command></term>
<listitem>
How long after inactivation a key should be deleted from the zone.
Note: If <option>roll-period</option> is not set, this value is ignored.
Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
How frequently keys should be rolled over.
Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. The default is one
month.
as well as in policy classes or zone policies. If no policy is
configured, the default is one year for ZSK's. KSK's do not
roll over by default.
</listitem>
</varlistentry>
<varlistentry>
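Review bot: the reordered entries carry the "eihter" typo forward in key-size, post-publish and roll-period ("keytype (eihter "zsk" or "ksk")") while pre-publish spells it "either"; since these lines are rewritten anyway, fix the spelling in the same commit. Likewise "ZSK's" and "KSK's" in roll-period should be the plurals "ZSKs" and "KSKs". One documentation nit: key-size gives the DSA default as 1024 bits beside RSA's 2048, and it would help readers to say that this figure applies only when an operator selects DSA explicitly, since the algorithm entry states the default algorithm is RSASHA256.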
......