From: JP Mens Date: Thu, 8 Jan 2015 20:21:44 +0000 (+0100) Subject: Add blurb about presign as discussed X-Git-Tag: rec-3.7.0-rc1~42 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=943b2f7449e367bf7040fd40787f91b76883cf31;p=thirdparty%2Fpdns.git Add blurb about presign as discussed for #2057 --- diff --git a/docs/markdown/authoritative/domainmetadata.md b/docs/markdown/authoritative/domainmetadata.md index 2779524033..b001e3993e 100644 --- a/docs/markdown/authoritative/domainmetadata.md +++ b/docs/markdown/authoritative/domainmetadata.md @@ -39,7 +39,7 @@ Set to "1" to tell PowerDNS this zone operates in NSEC3 'narrow' mode. See `set- NSEC3 parameters of a DNSSEC zone. Will be used to synthesize the NSEC3PARAM record. If present, NSEC3 is used, if not present, zones default to NSEC. See `set-nsec3` in [`pdnssec`](dnssec.md#pdnssec). Example content: "1 0 1 ab". ## PRESIGNED -This zone carries DNSSEC RRSIGs (signatures), and is presigned. See `set-presigned` in [`pdnssec`](dnssec.md#pdnssec). +This zone carries DNSSEC RRSIGs (signatures), and is presigned. PowerDNS sets this flag automatically upon incoming zone transfers (AXFR) if it detects DNSSEC records in the zone. However, if you import a presigned zone using `zone2sql` or `pdnssec load-zone` you must explicitly set the zone to be `PRESIGNED`. Note that PowerDNS will not be able to correctly serve the zone if the imported data is bogus or incomplete. Also see `set-presigned` in [`pdnssec`](dnssec.md#pdnssec). ## SOA-EDIT When serving this zone, modify the SOA serial number in one of several ways. Mostly useful to get slaves to re-transfer a zone regularly to get fresh RRSIGs.
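Review bot: In the added PRESIGNED paragraph, the sentence "you must explicitly set the zone to be `PRESIGNED`" does not say how to do it; the command only turns up two sentences later as "Also see `set-presigned`". Suggest naming `set-presigned` in the instruction itself, so that the manual step after a `zone2sql` or `pdnssec load-zone` import is not missed. The warning about "bogus or incomplete" data is also vague: since the text says PowerDNS cannot correctly serve such a zone, it should state which DNSSEC records the imported zone is expected to already contain, and what an operator would observe when they are missing.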