Commit 8cc38b58 authored by Tinderbox User's avatar Tinderbox User
Browse files

regen master

parent 681deaaa
......@@ -55,7 +55,7 @@ of the key is specified on the command line\&. This must match the name of the z
.RS 4
Selects the cryptographic algorithm\&. The value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384\&. These values are case insensitive\&.
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. These values are case insensitive\&.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
......
......@@ -91,7 +91,7 @@
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
These values are case insensitive.
</p>
<p>
......
......@@ -54,7 +54,7 @@ of the key is specified on the command line\&. For DNSSEC keys, this must match
.RS 4
Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384\&. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512\&. These values are case insensitive\&.
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512\&. These values are case insensitive\&.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
......@@ -87,7 +87,7 @@ must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default\&. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3\-capable\&.
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default\&. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448 algorithms are NSEC3\-capable\&.
.RE
.PP
\-C
......
......@@ -95,7 +95,7 @@
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
......@@ -158,8 +158,8 @@
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
algorithms are NSEC3-capable.
</p>
</dd>
<dt><span class="term">-C</span></dt>
......
......@@ -52,16 +52,16 @@ bits of prime\&.
.PP
\-a \fIalgorithm\fR
.RS 4
Specify the key algorithm class: Supported classes are RSA, DSA, DH, and ECC\&. In addition to these strings, the
Specify the key algorithm class: Supported classes are RSA, DSA, DH, ECC and ECX\&. In addition to these strings, the
\fBalgorithm\fR
can be specified as a DNSSEC signing algorithm that will be used with this key; for example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps to ECC\&. The default class is "RSA"\&.
can be specified as a DNSSEC signing algorithm that will be used with this key; for example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps to ECC, and ED25519 to ECX\&. The default class is "RSA"\&.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Create the key pair with
\fBkeysize\fR
bits of prime\&. For ECC keys, the only valid values are 256 and 384, and the default is 256\&.
bits of prime\&. For ECC keys, the only valid values are 256 and 384, and the default is 256\&. For ECX kyes, the only valid values are 256 and 456, and the default is 256\&.
.RE
.PP
\-e
......
......@@ -65,11 +65,11 @@
<dd>
<p>
Specify the key algorithm class: Supported classes are RSA,
DSA, DH, and ECC. In addition to these strings, the
DSA, DH, ECC and ECX. In addition to these strings, the
<code class="option">algorithm</code> can be specified as a DNSSEC
signing algorithm that will be used with this key; for
example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps
to ECC. The default class is "RSA".
example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps
to ECC, and ED25519 to ECX. The default class is "RSA".
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
......@@ -77,7 +77,8 @@
<p>
Create the key pair with <code class="option">keysize</code> bits of
prime. For ECC keys, the only valid values are 256 and 384,
and the default is 256.
and the default is 256. For ECX kyes, the only valid values
are 256 and 456, and the default is 256.
</p>
</dd>
<dt><span class="term">-e</span></dt>
......
......@@ -202,7 +202,7 @@ Algorithm policies: (\fBalgorithm\-policy \fR\fB\fIalgorithm\fR\fR\fB { \&.\&.\&
Zone policies: (\fBzone \fR\fB\fIname\fR\fR\fB { \&.\&.\&. };\fR
) set policy for a single zone by name\&. A zone policy can inherit a policy class by including a
\fBpolicy\fR
option\&.
option\&. Zone names beginning with digits (i\&.e\&., 0\-9) must be quoted\&.
.RE
.PP
Options that can be specified in policies:
......
......@@ -103,93 +103,93 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-c <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
If <code class="option">-c</code> is specified, then the DNSSEC
policy is read from <code class="option">file</code>. (If not
specified, then the policy is read from
<code class="filename">/etc/dnssec-policy.conf</code>; if that file
doesn't exist, a built-in global default policy is used.)
</p>
</dd>
<p>
If <code class="option">-c</code> is specified, then the DNSSEC
policy is read from <code class="option">file</code>. (If not
specified, then the policy is read from
<code class="filename">/etc/dnssec-policy.conf</code>; if that file
doesn't exist, a built-in global default policy is used.)
</p>
</dd>
<dt><span class="term">-f</span></dt>
<dd>
<p>
Force: allow updating of key events even if they are
already in the past. This is not recommended for use with
zones in which keys have already been published. However,
if a set of keys has been generated all of which have
publication and activation dates in the past, but the
keys have not been published in a zone as yet, then this
option can be used to clean them up and turn them into a
proper series of keys with appropriate rollover intervals.
</p>
</dd>
<p>
Force: allow updating of key events even if they are
already in the past. This is not recommended for use with
zones in which keys have already been published. However,
if a set of keys has been generated all of which have
publication and activation dates in the past, but the
keys have not been published in a zone as yet, then this
option can be used to clean them up and turn them into a
proper series of keys with appropriate rollover intervals.
</p>
</dd>
<dt><span class="term">-g <em class="replaceable"><code>keygen-path</code></em></span></dt>
<dd>
<p>
Specifies a path to a <span class="command"><strong>dnssec-keygen</strong></span> binary.
Used for testing.
See also the <code class="option">-s</code> option.
</p>
</dd>
<p>
Specifies a path to a <span class="command"><strong>dnssec-keygen</strong></span> binary.
Used for testing.
See also the <code class="option">-s</code> option.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Print the <span class="command"><strong>dnssec-keymgr</strong></span> help summary
and exit.
</p>
</dd>
<p>
Print the <span class="command"><strong>dnssec-keymgr</strong></span> help summary
and exit.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Sets the directory in which keys can be found. Defaults to the
current working directory.
</p>
</dd>
<p>
Sets the directory in which keys can be found. Defaults to the
current working directory.
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd>
<p>
Only apply policies to KSK keys.
See also the <code class="option">-z</code> option.
</p>
</dd>
<p>
Only apply policies to KSK keys.
See also the <code class="option">-z</code> option.
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
Quiet: suppress printing of <span class="command"><strong>dnssec-keygen</strong></span>
and <span class="command"><strong>dnssec-settime</strong></span>.
</p>
</dd>
<p>
Quiet: suppress printing of <span class="command"><strong>dnssec-keygen</strong></span>
and <span class="command"><strong>dnssec-settime</strong></span>.
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd>
<p>
Specifies a path to a file containing random data.
This is passed to the <span class="command"><strong>dnssec-keygen</strong></span> binary
using its <code class="option">-r</code> option.
<p>
Specifies a path to a file containing random data.
This is passed to the <span class="command"><strong>dnssec-keygen</strong></span> binary
using its <code class="option">-r</code> option.
</p>
</dd>
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>settime-path</code></em></span></dt>
<dd>
<p>
Specifies a path to a <span class="command"><strong>dnssec-settime</strong></span> binary.
Used for testing.
See also the <code class="option">-g</code> option.
</p>
</dd>
<p>
Specifies a path to a <span class="command"><strong>dnssec-settime</strong></span> binary.
Used for testing.
See also the <code class="option">-g</code> option.
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
<p>
Print the <span class="command"><strong>dnssec-keymgr</strong></span> version and exit.
</p>
</dd>
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
Only apply policies to ZSK keys.
See also the <code class="option">-k</code> option.
</p>
</dd>
<p>
Only apply policies to ZSK keys.
See also the <code class="option">-k</code> option.
</p>
</dd>
</dl></div>
</div>
......@@ -228,6 +228,7 @@
(<code class="option">zone <em class="replaceable"><code>name</code></em> { ... };</code> )
set policy for a single zone by name. A zone policy can inherit
a policy class by including a <code class="option">policy</code> option.
Zone names beginning with digits (i.e., 0-9) must be quoted.
</p>
</li>
</ul></div>
......@@ -239,26 +240,26 @@
<dd>
<p>
The key algorithm. If no policy is defined, the default is
RSASHA256.
RSASHA256.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>coverage</strong></span></span></dt>
<dd>
<p>
The length of time to ensure that keys will be correct; no action
will be taken to create new keys to be activated after this time.
This can be represented as a number of seconds, or as a duration using
will be taken to create new keys to be activated after this time.
This can be represented as a number of seconds, or as a duration using
human-readable units (examples: "1y" or "6 months").
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies.
If no policy is configured, the default is six months.
If no policy is configured, the default is six months.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt>
<dd>
<p>
<p>
Specifies the directory in which keys should be stored.
</p>
</p>
</dd>
<dt><span class="term"><span class="command"><strong>key-size</strong></span></span></dt>
<dd>
......@@ -267,8 +268,8 @@
Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is 1024 bits for DSA keys and 2048 for
RSA.
configured, the default is 1024 bits for DSA keys and 2048 for
RSA.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>keyttl</strong></span></span></dt>
......@@ -292,11 +293,11 @@
<dd>
<p>
How long before activation a key should be published. Note: If
<code class="option">roll-period</code> is not set, this value is ignored.
<code class="option">roll-period</code> is not set, this value is ignored.
Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. The default is
one month.
one month.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>roll-period</strong></span></span></dt>
......@@ -306,8 +307,8 @@
Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is one year for ZSK's. KSK's do not
roll over by default.
configured, the default is one year for ZSK's. KSK's do not
roll over by default.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>standby</strong></span></span></dt>
......@@ -324,18 +325,18 @@
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
Enable scheduling of KSK rollovers using the <code class="option">-P sync</code>
and <code class="option">-D sync</code> options to
<span class="command"><strong>dnssec-keygen</strong></span> and
<span class="command"><strong>dnssec-settime</strong></span>. Check the parent zone
(as in <span class="command"><strong>dnssec-checkds</strong></span>) to determine when it's
safe for the key to roll.
Enable scheduling of KSK rollovers using the <code class="option">-P sync</code>
and <code class="option">-D sync</code> options to
<span class="command"><strong>dnssec-keygen</strong></span> and
<span class="command"><strong>dnssec-settime</strong></span>. Check the parent zone
(as in <span class="command"><strong>dnssec-checkds</strong></span>) to determine when it's
safe for the key to roll.
</p>
</li>
<li class="listitem">
<p>
Allow configuration of standby keys and use of the REVOKE bit,
for keys that use RFC 5011 semantics.
Allow configuration of standby keys and use of the REVOKE bit,
for keys that use RFC 5011 semantics.
</p>
</li>
</ul></div>
......
......@@ -44,6 +44,7 @@
<dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Windows XP No Longer Supported</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#proto_changes">Protocol Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
......@@ -424,6 +425,22 @@
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="proto_changes"></a>Protocol Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<p>
BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC
signing algorithms described in RFC 8080. Note, however, that
these algorithms must be supported in OpenSSL;
currently they are only available in the development branch
of OpenSSL at
<a class="link" href="https://github.com/openssl/openssl" target="_top">https://github.com/openssl/openssl</a>.
[RT #44696]
</p>
</li></ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
......
......@@ -249,6 +249,7 @@
<dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Windows XP No Longer Supported</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#proto_changes">Protocol Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
......
......@@ -109,7 +109,7 @@
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
These values are case insensitive.
</p>
<p>
......
......@@ -113,7 +113,7 @@
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
......@@ -176,8 +176,8 @@
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
algorithms are NSEC3-capable.
</p>
</dd>
<dt><span class="term">-C</span></dt>
......
......@@ -121,93 +121,93 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-c <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
If <code class="option">-c</code> is specified, then the DNSSEC
policy is read from <code class="option">file</code>. (If not
specified, then the policy is read from
<code class="filename">/etc/dnssec-policy.conf</code>; if that file
doesn't exist, a built-in global default policy is used.)
</p>
</dd>
<p>
If <code class="option">-c</code> is specified, then the DNSSEC
policy is read from <code class="option">file</code>. (If not
specified, then the policy is read from
<code class="filename">/etc/dnssec-policy.conf</code>; if that file
doesn't exist, a built-in global default policy is used.)
</p>
</dd>
<dt><span class="term">-f</span></dt>
<dd>
<p>
Force: allow updating of key events even if they are
already in the past. This is not recommended for use with
zones in which keys have already been published. However,
if a set of keys has been generated all of which have
publication and activation dates in the past, but the
keys have not been published in a zone as yet, then this
option can be used to clean them up and turn them into a
proper series of keys with appropriate rollover intervals.
</p>
</dd>
<p>
Force: allow updating of key events even if they are
already in the past. This is not recommended for use with
zones in which keys have already been published. However,
if a set of keys has been generated all of which have
publication and activation dates in the past, but the
keys have not been published in a zone as yet, then this
option can be used to clean them up and turn them into a
proper series of keys with appropriate rollover intervals.
</p>
</dd>
<dt><span class="term">-g <em class="replaceable"><code>keygen-path</code></em></span></dt>
<dd>
<p>
Specifies a path to a <span class="command"><strong>dnssec-keygen</strong></span> binary.
Used for testing.
See also the <code class="option">-s</code> option.
</p>
</dd>
<p>
Specifies a path to a <span class="command"><strong>dnssec-keygen</strong></span> binary.
Used for testing.
See also the <code class="option">-s</code> option.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Print the <span class="command"><strong>dnssec-keymgr</strong></span> help summary
and exit.
</p>
</dd>
<p>
Print the <span class="command"><strong>dnssec-keymgr</strong></span> help summary
and exit.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Sets the directory in which keys can be found. Defaults to the
current working directory.
</p>
</dd>
<p>
Sets the directory in which keys can be found. Defaults to the
current working directory.
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd>
<p>
Only apply policies to KSK keys.
See also the <code class="option">-z</code> option.
</p>
</dd>
<p>
Only apply policies to KSK keys.
See also the <code class="option">-z</code> option.
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
Quiet: suppress printing of <span class="command"><strong>dnssec-keygen</strong></span>
and <span class="command"><strong>dnssec-settime</strong></span>.
</p>
</dd>
<p>
Quiet: suppress printing of <span class="command"><strong>dnssec-keygen</strong></span>
and <span class="command"><strong>dnssec-settime</strong></span>.
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd>
<p>
Specifies a path to a file containing random data.
This is passed to the <span class="command"><strong>dnssec-keygen</strong></span> binary
using its <code class="option">-r</code> option.
<p>
Specifies a path to a file containing random data.
This is passed to the <span class="command"><strong>dnssec-keygen</strong></span> binary
using its <code class="option">-r</code> option.
</p>
</dd>
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>settime-path</code></em></span></dt>
<dd>
<p>
Specifies a path to a <span class="command"><strong>dnssec-settime</strong></span> binary.
Used for testing.
See also the <code class="option">-g</code> option.
</p>
</dd>
<p>
Specifies a path to a <span class="command"><strong>dnssec-settime</strong></span> binary.
Used for testing.
See also the <code class="option">-g</code> option.
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
<p>
Print the <span class="command"><strong>dnssec-keymgr</strong></span> version and exit.
</p>
</dd>
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
Only apply policies to ZSK keys.
See also the <code class="option">-k</code> option.
</p>
</dd>
<p>
Only apply policies to ZSK keys.
See also the <code class="option">-k</code> option.
</p>
</dd>
</dl></div>
</div>
......@@ -246,6 +246,7 @@
(<code class="option">zone <em class="replaceable"><code>name</code></em> { ... };</code> )
set policy for a single zone by name. A zone policy can inherit
a policy class by including a <code class="option">policy</code> option.
Zone names beginning with digits (i.e., 0-9) must be quoted.
</p>
</li>
</ul></div>
......@@ -257,26 +258,26 @@
<dd>
<p>
The key algorithm. If no policy is defined, the default is
RSASHA256.