Commit da0ae529 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

arm: Update DNSSEC documentation

parent 53e76f88
......@@ -16,9 +16,10 @@
</section>
<para>
Changing a zone from insecure to secure can be done in two
ways: using a dynamic DNS update, or the
<command>auto-dnssec</command> zone option.
Changing a zone from insecure to secure can be done in three
ways: using a dynamic DNS update, use the
<command>auto-dnssec</command> zone option, or set a DNSSEC
policy for the zone with <command>dnssec-policy</command>.
</para>
<para>
For either method, you need to configure
......@@ -26,8 +27,9 @@
<filename>K*</filename> files which contain the public and private
parts of the keys that will be used to sign the zone. These files
will have been generated by
<command>dnssec-keygen</command>. You can do this by placing them
in the key-directory, as specified in
<command>dnssec-keygen</command> (or created when needed by
<command>named</command> if <command>dnssec-policy</command> is
used). Keys should be placed in the key-directory, as specified in
<filename>named.conf</filename>:</para>
<programlisting>
zone example.net {
......@@ -44,6 +46,18 @@
well. An NSEC chain will be generated as part of the initial
signing process.
</para>
<para>
With <command>dnssec-policy</command> you specify what keys should
be KSK and/or ZSK. If you want a key to sign all records with a key
you will need to specify a CSK:
</para>
<programlisting>
dnssec-policy csk {
keys {
csk key-directory P5Y 13;
};
};
</programlisting>
<section><info><title>Dynamic DNS update method</title></info>
......@@ -95,7 +109,8 @@
</section>
<para>
To enable automatic signing, add the
To enable automatic signing, you can set a
<command>dnssec-policy</command>, or add the
<command>auto-dnssec</command> option to the zone statement in
<filename>named.conf</filename>.
<command>auto-dnssec</command> has two possible arguments:
......@@ -117,6 +132,13 @@
(See <xref linkend="man.dnssec-keygen"/> and
<xref linkend="man.dnssec-settime"/> for more information.)
</para>
<para>
<command>dnssec-policy</command> is like
<command>auto-dnssec maintain</command>, but will also automatically
create new keys when necessary. Also any configuration related
to DNSSEC signing is retrieved from the policy (ignoring existing
DNSSEC named.conf options).
</para>
<para>
<command>named</command> will periodically search the key directory
for keys matching the zone, and if the keys' metadata indicates
......@@ -288,6 +310,9 @@
chain will be generated before the NSEC chain is
destroyed.
</para>
<para>
NSEC3 is not supported yet with <command>dnssec-policy</command>.
</para>
<section><info><title>Converting from NSEC3 to NSEC</title></info>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment