From: Peter Thomassen Date: Fri, 16 Sep 2016 17:51:20 +0000 (-0300) Subject: docs: clarify that rectify is done during AXFR (not only incoming) X-Git-Tag: rec-4.1.0-alpha1~328^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8ad575f1300da749cd9dff64c3a81299fd32cce0;p=thirdparty%2Fpdns.git docs: clarify that rectify is done during AXFR (not only incoming) --- diff --git a/docs/markdown/authoritative/backend-generic-sql.md b/docs/markdown/authoritative/backend-generic-sql.md index ed401d46c9..b2454e26ee 100644 --- a/docs/markdown/authoritative/backend-generic-sql.md +++ b/docs/markdown/authoritative/backend-generic-sql.md @@ -110,7 +110,7 @@ To enable DNSSEC processing, the `backend-dnssec` option must be set to 'yes'. ## Rules for filling out DNSSEC fields Two additional fields in the 'records' table are important: 'auth' and 'ordername'. -These fields are set correctly on an incoming zone transfer, and also by running +These fields are set correctly on a zone transfer, and also by running `pdnsutil rectify-zone`. The 'auth' field should be set to '1' for data for which the zone itself is @@ -137,7 +137,7 @@ encoded representation of the salted & iterated hash of the full record name. In addition, PowerDNS fully supports empty non-terminals. If you have a zone example.com, and a host a.b.c.example.com in it, rectify-zone (and the AXFR -client code) will insert b.c.example.com and c.example.com in the records table +code) will insert b.c.example.com and c.example.com in the records table with type NULL (SQL NULL, not 'NULL'). Having these entries provides several benefits. We no longer reply NXDOMAIN for these shorter names (this was an RFC violation but not one that caused trouble). But more importantly, to do NSEC3 correctly, diff --git a/docs/markdown/authoritative/dnssec.md b/docs/markdown/authoritative/dnssec.md index f67324cc57..10b5e74531 100644 --- a/docs/markdown/authoritative/dnssec.md +++ b/docs/markdown/authoritative/dnssec.md 
@@ -218,7 +218,7 @@ In this way, if keying material is available for an unsigned zone that is retrieved from a master server, this keying material will be used when serving data from this zone. -As part of the zone retrieval, the equivalent of `pdnsutil rectify-zone` is run +As part of the zone transfer, the equivalent of `pdnsutil rectify-zone` is run to make sure that all DNSSEC-related fields are set correctly. Signatures and Hashing is similar as described [above](#online-signing)
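Review bot: In the first hunk of backend-generic-sql.md (@@ -110), dropping "incoming" leaves the direction unstated rather than stating the new scope. The subject line says rectify is done during AXFR, "not only incoming", but "These fields are set correctly on a zone transfer" does not tell the reader that outgoing transfers are meant too. Since this sentence is about the 'auth' and 'ordername' columns of the 'records' table, please spell out both directions, for example "on an incoming or outgoing zone transfer", and say whether the outgoing case updates the stored columns or only the data that is sent.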
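Review bot: In the second hunk of backend-generic-sql.md (@@ -137), "(and the AXFR code) will insert b.c.example.com and c.example.com in the records table" now claims that every AXFR path writes empty non-terminal rows into the table. With "client" removed, the parenthetical no longer says which side of the transfer does the insert. If the outgoing path only adds these names to the transferred data, the sentence should keep "insert ... in the records table" for rectify-zone and the incoming transfer and describe the outgoing behaviour separately.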
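Review bot: In the dnssec.md hunk (@@ -218), the replacement "As part of the zone transfer" no longer matches its context, which is still about a zone "that is retrieved from a master server". In this paragraph the only transfer under discussion is the incoming one, so the wording change adds no information and loses the link to "retrieved". Either keep "zone retrieval" here, or add a sentence that states explicitly that the same rectification applies to outgoing transfers.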