~~~~~~~~~~~~~~~~~~~
To configure a validating resolver to use :rfc:`5011` to maintain a trust
-anchor, configure the trust anchor using a ``dnssec-keys`` statement and
+anchor, configure the trust anchor using a ``trust-anchors`` statement and
the ``initial-key`` keyword. Information about this can be found in
:ref:`trust-anchors`.
``trust-anchor-telemetry``
This causes ``named`` to send specially formed queries once per day to
domains for which trust anchors have been configured via, e.g.,
- ``dnssec-keys`` or ``dnssec-validation auto``.
+ ``trust-anchors`` or ``dnssec-validation auto``.
The query name used for these queries has the form
- "_ta-xxxx(-xxxx)(...)".<domain>, where each "xxxx" is a group of four
+ ``_ta-xxxx(-xxxx)(...).<domain>``, where each "xxxx" is a group of four
hexadecimal digits representing the key ID of a trusted DNSSEC key.
The key IDs for each domain are sorted smallest to largest prior to
encoding. The query type is NULL.
in the managed keys database.
The next time ``named`` runs after an ``initial-key`` or ``initial-ds`` has been *removed*
-from the ``dnssec-keys`` statement (or changed to a ``static-key`` or ``static-ds``), the
+from the ``trust-anchors`` statement (or changed to a ``static-key`` or ``static-ds``), the
corresponding zone is removed from the managed keys database, and
:rfc:`5011` key maintenance is no longer used for that domain.
projects / thirdparty / bind9.git / commitdiff
