~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A zone can be changed from insecure to secure in three ways: using a
-dynamic DNS update, or via the ``auto-dnssec`` zone option, or set a
+dynamic DNS update, via the ``auto-dnssec`` zone option, or by setting a
DNSSEC policy for the zone with ``dnssec-policy``.
-For either method, ``named`` must be configured so that it can see
+For any method, ``named`` must be configured so that it can see
the ``K*`` files which contain the public and private parts of the keys
that are used to sign the zone. These files are generated
-by ``dnssec-keygen`` (or created when needed by ``named`` if
-``dnssec-policy`` is used). Keys should be placed in the
+by ``dnssec-keygen``, or created when needed by ``named`` if
+``dnssec-policy`` is used. Keys should be placed in the
key-directory, as specified in ``named.conf``:
::
ZSK, and the DNSKEY RRset to be signed with the KSK. An NSEC
chain is generated as part of the initial signing process.
-With ``dnssec-policy you specify what keys should be KSK and/or ZSK.
-If you want a key to sign all records with a key you will need to
-specify a CSK. For example:
+With ``dnssec-policy``, it is possible to specify which keys should be
+KSK and/or ZSK. To sign all records with a key, a CSK must be specified.
+For example:
::
Fully Automatic Zone Signing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-To enable automatic signing, you can set a ``dnssec-policy``, or add the
+To enable automatic signing, set a ``dnssec-policy`` or add the
``auto-dnssec`` option to the zone statement in ``named.conf``.
``auto-dnssec`` has two possible arguments: ``allow`` or ``maintain``.
the keys' timing metadata. (See :ref:`man_dnssec-keygen` and
:ref:`man_dnssec-settime` for more information.)
-``dnssec-policy`` is like ``auto-dnssec maintain``, but will also automatically
-create new keys when necessary. Also any configuration related to DNSSEC
-signing is retrieved from the policy (ignoring existing DNSSEC ``named.conf``
-options).
+``dnssec-policy`` is similar to ``auto-dnssec maintain``, but
+``dnssec-policy`` also automatically creates new keys when necessary. In
+addition, any configuration related to DNSSEC signing is retrieved from the
+policy, ignoring existing DNSSEC ``named.conf`` options.
``named`` periodically searches the key directory for keys matching
the zone; if the keys' metadata indicates that any change should be
NSEC3PARAM record has a zero flag field. The NSEC3 chain is
generated before the NSEC chain is destroyed.
-NSEC3 is not supported yet with ``dnssec-policy``.
+NSEC3 is not yet supported with ``dnssec-policy``.
Converting From NSEC3 to NSEC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If ``full``, the server collects statistical data on all zones,
unless specifically turned off on a per-zone basis by specifying
``zone-statistics terse`` or ``zone-statistics none`` in the ``zone``
- statement. These include, for example, DNSSEC signing operations
- and the number of authoritative answers per query type. The
+ statement. The statistical data includes, for example, DNSSEC signing
+ operations and the number of authoritative answers per query type. The
default is ``terse``, providing minimal statistics on zones
(including name and current serial number, but not query type
counters).
projects / thirdparty / bind9.git / commitdiff
