From: Matthijs Mekking Date: Tue, 21 Oct 2025 12:23:23 +0000 (+0200) Subject: Split rndc dnssec manpage into sections X-Git-Tag: v9.21.16~11^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4c96081fc3041b7e3a271543c0ef3c523d38879a;p=thirdparty%2Fbind9.git Split rndc dnssec manpage into sections Making it more readable. --- diff --git a/bin/rndc/rndc.rst b/bin/rndc/rndc.rst index 0a47fba5fee..cd9404df341 100644 --- a/bin/rndc/rndc.rst +++ b/bin/rndc/rndc.rst 
@@ -180,34 +180,51 @@ Currently supported commands are: See also :option:`rndc addzone` and :option:`rndc modzone`. -.. option:: dnssec (-status [-v] | -step | -rollover -key id [-alg algorithm] [-when time] | -checkds [-key id [-alg algorithm]] [-when time] published | withdrawn)) zone [class [view]] - - This command allows you to interact with the "dnssec-policy" of a given - zone. - - ``rndc dnssec -status`` show the DNSSEC signing state for the specified - zone. Add ``-v`` to show more verbose output on key states. - - ``rndc dnssec -step`` sends a signal to an instance of :iscman:`named` for a - zone configured with ``dnssec-policy`` in manual mode, telling it to - continue with the operations that had previously been blocked but logged. - This gives the human operator a chance to review the log messages, - understand what will happen next and then, using ``rndc dnssec -step``, to - inform :iscman:`named` to proceed to the next stage. - - ``rndc dnssec -rollover`` allows you to schedule key rollover for a - specific key (overriding the original key lifetime). - - ``rndc dnssec -checkds`` informs :iscman:`named` that the DS for - a specified zone's key-signing key has been confirmed to be published - in, or withdrawn from, the parent zone. This is required in order to - complete a KSK rollover. The ``-key id`` and ``-alg algorithm`` arguments - can be used to specify a particular KSK, if necessary; if there is only - one key acting as a KSK for the zone, these arguments can be omitted. - The time of publication or withdrawal for the DS is set to the current - time by default, but can be overridden to a specific time with the - argument ``-when time``, where ``time`` is expressed in YYYYMMDDHHMMSS - notation. +.. option:: dnssec + + The following commands allow you to interact with the "dnssec-policy" of a + given zone. + + .. program:: rndc dnssec + .. 
option:: -status [-v] zone [class [view]] + + This command shows the DNSSEC signing state for the specified zone. + Adding ``-v`` also lists no longer used keys and shows the key states of + the keys. + + .. program:: rndc dnssec + .. option:: -step zone [class [view]] + + This command sends a signal to an instance of :iscman:`named` for a + zone configured with ``dnssec-policy`` in manual mode, telling it to + continue with the operations that had previously been blocked but logged. + This gives the human operator a chance to review the log messages, + understand what will happen next and then, using ``rndc dnssec -step``, to + inform :iscman:`named` to proceed to the next stage. + + .. program:: rndc dnssec + .. option:: -rollover -key id [-alg algorithm] [-when time] zone [class [view]] + + This command allows you to schedule key rollover for a specific key + (overriding the original key lifetime). The ``-key id`` and + ``-alg algorithm`` arguments specify which key to roll. The time to start + the rollover can be set with ``-when time``, where ``time`` is expressed in + YYYYMMDDHHMMSS. If not set the rollover will start immediately. + + .. program:: rndc dnssec + .. option:: -checkds [-key id [-alg algorithm]] [-when time] (published | withdrawn) zone [class [view]] + + This command informs :iscman:`named` that the DS for a specified zone's + key-signing key (KSK) has been confirmed to be published in, or withdrawn + from, the parent zone. This is required in order to complete a KSK + rollover. The ``-key id`` and ``-alg algorithm`` arguments can be used to + specify a particular KSK, if necessary; if there is only one key acting + as a KSK for the zone, these arguments can be omitted. The time of + publication or withdrawal for the DS is set to the current time by + default, but can be overridden to a specific time with the argument + ``-when time``, where ``time`` is expressed in YYYYMMDDHHMMSS notation. + +.. program:: rndc .. 
option:: dnstap (-reopen | -roll [number])
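Review bot: In the new ``-rollover`` entry the synopsis marks ``-alg algorithm`` as optional, but the description only says "The ``-key id`` and ``-alg algorithm`` arguments specify which key to roll" and never states when ``-alg`` may be omitted. The ``-checkds`` entry explains this for its own arguments, so add an equivalent sentence to ``-rollover`` stating when ``-alg`` is required. Both ``-when time`` descriptions give the YYYYMMDDHHMMSS format but not the time zone it is interpreted in, which an operator needs when scheduling a rollover or recording a DS publication or withdrawal time. The ``-status`` and ``-rollover`` texts also gain statements that the removed text did not contain ("also lists no longer used keys", "If not set the rollover will start immediately"), so the commit message should say that the wording changed and not only the layout. Style: "no longer used keys" reads better as "keys that are no longer in use", "If not set" needs a comma after it, and ``.. program:: rndc dnssec`` is repeated before every sub-option although the directive stays in effect until the closing ``.. program:: rndc``, so a single occurrence is enough.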