diff options
Diffstat (limited to 'doc/arm/managed-keys.xml')
| -rw-r--r-- | doc/arm/managed-keys.xml | 46 |
1 files changed, 23 insertions, 23 deletions
diff --git a/doc/arm/managed-keys.xml b/doc/arm/managed-keys.xml index 51949487fbb40..d1335eaf4b9d2 100644 --- a/doc/arm/managed-keys.xml +++ b/doc/arm/managed-keys.xml @@ -1,6 +1,5 @@ -<?xml version="1.0" encoding="utf-8"?> <!-- - - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2010, 2015 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -15,28 +14,29 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: managed-keys.xml,v 1.3 2010/02/03 23:49:07 tbox Exp $ --> +<!-- $Id$ --> + +<!-- Converted by db4-upgrade version 1.0 --> +<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="rfc5011.support"><info><title>Dynamic Trust Anchor Management</title></info> -<sect1 id="rfc5011.support"> - <title>Dynamic Trust Anchor Management</title> <para>BIND 9.7.0 introduces support for RFC 5011, dynamic trust - anchor management. Using this feature allows + anchor management. Using this feature allows <command>named</command> to keep track of changes to critical DNSSEC keys without any need for the operator to make changes to configuration files.</para> - <sect2> - <title>Validating Resolver</title> + <section><info><title>Validating Resolver</title></info> + <!-- TODO: command tag is overloaded for configuration and executables --> <para>To configure a validating resolver to use RFC 5011 to - maintain a trust anchor, configure the trust anchor using a + maintain a trust anchor, configure the trust anchor using a <command>managed-keys</command> statement. Information about - this can be found in - <xref linkend="managed-keys" />.</para> + this can be found in + <xref linkend="managed-keys"/>.</para> <!-- TODO: managed-keys examples also in DNSSEC section above here in ARM --> - </sect2> - <sect2> - <title>Authoritative Server</title> + </section> + <section><info><title>Authoritative Server</title></info> + <para>To set up an authoritative zone for RFC 5011 trust anchor maintenance, generate two (or more) key signing keys (KSKs) for the zone. Sign the zone with one of them; this is the "active" @@ -52,21 +52,21 @@ also in DNSSEC section above here in ARM --> timer has completed, the active KSK can be revoked, and the zone can be "rolled over" to the newly accepted key.</para> <para>The easiest way to place a stand-by key in a zone is to - use the "smart signing" features of - <command>dnssec-keygen</command> and + use the "smart signing" features of + <command>dnssec-keygen</command> and <command>dnssec-signzone</command>. If a key with a publication date in the past, but an activation date which is unset or in - the future, " + the future, " <command>dnssec-signzone -S</command>" will include the DNSKEY record in the zone, but will not sign with it:</para> <screen> $ <userinput>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</userinput> $ <userinput>dnssec-signzone -S -K keys example.net</userinput> </screen> - <para>To revoke a key, the new command + <para>To revoke a key, the new command <command>dnssec-revoke</command> has been added. This adds the - REVOKED bit to the key flags and re-generates the - <filename>K*.key</filename> and + REVOKED bit to the key flags and re-generates the + <filename>K*.key</filename> and <filename>K*.private</filename> files.</para> <para>After revoking the active key, the zone must be signed with both the revoked KSK and the new active KSK. (Smart @@ -84,7 +84,7 @@ $ <userinput>dnssec-signzone -S -K keys example.net</userinput> "<filename>Kexample.com.+005+10128</filename>".</para> <para>If two keys have ID's exactly 128 apart, and one is revoked, then the two key ID's will collide, causing several - problems. To prevent this, + problems. To prevent this, <command>dnssec-keygen</command> will not generate a new key if another key is present which may collide. This checking will only occur if the new keys are written to the same directory @@ -96,5 +96,5 @@ $ <userinput>dnssec-signzone -S -K keys example.net</userinput> <para>It is expected that a future release of BIND 9 will address this problem in a different way, by storing revoked keys with their original unrevoked key ID's.</para> - </sect2> -</sect1> + </section> +</section> |