Commit e3bd90ee authored by Tinderbox User's avatar Tinderbox User

regen master

parent 33987cb5
......@@ -376,7 +376,7 @@ Sets the debugging level\&.
.PP
\-x
.RS 4
Only sign the DNSKEY RRset with key\-signing keys, and omit signatures from zone\-signing keys\&. (This is similar to the
Only sign the DNSKEY, CDNSKEY, and CDS RRsets with key\-signing keys, and omit signatures from zone\-signing keys\&. (This is similar to the
\fBdnssec\-dnskey\-kskonly yes;\fR
zone option in
\fBnamed\fR\&.)
......
......@@ -563,8 +563,9 @@
<dt><span class="term">-x</span></dt>
<dd>
<p>
Only sign the DNSKEY RRset with key-signing keys, and omit
signatures from zone-signing keys. (This is similar to the
Only sign the DNSKEY, CDNSKEY, and CDS RRsets with
key-signing keys, and omit signatures from zone-signing
keys. (This is similar to the
<span class="command"><strong>dnssec-dnskey-kskonly yes;</strong></span> zone option in
<span class="command"><strong>named</strong></span>.)
</p>
......
......@@ -4911,9 +4911,9 @@ options {
When this option and <span class="command"><strong>update-check-ksk</strong></span>
are both set to <code class="literal">yes</code>, only key-signing
keys (that is, keys with the KSK bit set) will be used
to sign the DNSKEY RRset at the zone apex. Zone-signing
keys (keys without the KSK bit set) will be used to sign
the remainder of the zone, but not the DNSKEY RRset.
to sign the DNSKEY, CDNSKEY, and CDS RRsets at the zone apex.
Zone-signing keys (keys without the KSK bit set) will be used
to sign the remainder of the zone, but not the DNSKEY RRset.
This is similar to the
<span class="command"><strong>dnssec-signzone -x</strong></span> command line option.
</p>
......
......@@ -528,6 +528,22 @@
matching <span class="command"><strong>cookie-secret</strong></span>.
</p>
</li>
<li class="listitem">
<p>
A new statistics counter has been added to track prefetch
queries. [RT #45847]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>dnssec-signzone -x</strong></span> flag and the
<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> option in
<span class="command"><strong>named.conf</strong></span>, which suppress the use of
the ZSK when signing DNSKEY records, now also apply to
CDNSKEY and CDS records. Thanks to Tony Finch for the
contribution. [RT #45689]
</p>
</li>
</ul></div>
</div>
......
......@@ -581,8 +581,9 @@
<dt><span class="term">-x</span></dt>
<dd>
<p>
Only sign the DNSKEY RRset with key-signing keys, and omit
signatures from zone-signing keys. (This is similar to the
Only sign the DNSKEY, CDNSKEY, and CDS RRsets with
key-signing keys, and omit signatures from zone-signing
keys. (This is similar to the
<span class="command"><strong>dnssec-dnskey-kskonly yes;</strong></span> zone option in
<span class="command"><strong>named</strong></span>.)
</p>
......
......@@ -489,6 +489,22 @@
matching <span class="command"><strong>cookie-secret</strong></span>.
</p>
</li>
<li class="listitem">
<p>
A new statistics counter has been added to track prefetch
queries. [RT #45847]
</p>
</li>
<li class="listitem">
<p>
The <span class="command"><strong>dnssec-signzone -x</strong></span> flag and the
<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> option in
<span class="command"><strong>named.conf</strong></span>, which suppress the use of
the ZSK when signing DNSKEY records, now also apply to
CDNSKEY and CDS records. Thanks to Tony Finch for the
contribution. [RT #45689]
</p>
</li>
</ul></div>
</div>
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment