key-directory "dynamic/example.net";
};
-Assuming one KSK and ons ZSK DNSKEY key has been generated. Then
+Assuming one KSK and one ZSK DNSKEY key have been generated. Then
this will cause the zone to be signed with the ZSK and the DNSKEY
RRset to be signed with the KSK DNSKEY. A NSEC chain will also be
generated as part of the initial signing process.
> send
While the update request will complete almost immediately the zone
-will not be completely signed until named has hand time to walk the
+will not be completely signed until named has had time to walk the
zone and generate the NSEC and RRSIG records. Initially the NSEC
record at the zone apex will have the OPT bit set. When the NSEC
chain is complete the OPT bit will be cleared. Additionally when
-the zone fully signed the private type (default TYPE65535) records
+the zone is fully signed the private type (default TYPE65535) records
will have a non zero value for the final octet.
The private type record has 5 octets.
You should then wait for the maximum TLL in the zone before removing the
old DNSKEY. If it is a KSK that is being updated you also need to wait
for the DS RRset in the parent to be updated and its TTL to expire.
-This ensures that all clients will be able to verify atleast a signature
+This ensures that all clients will be able to verify at least a signature
when you remove the old DNSKEY.
-The can be removed the old DNSKEY via UPDATE. Take care to specify
+The old DNSKEY can be removed via UPDATE. Take care to specify
the correct key. Named will clean out any signatures generated by
the old key after the update completes.
Converting from secure to insecure
To do this remove all the DNSKEY records. Any NSEC or NSEC3 chains
-will be removed as will as associated NSEC3PARAM records. The will
+will be removed as well as associated NSEC3PARAM records. This will
take place after the update requests completes.
Periodic re-signing.
projects / thirdparty / bind9.git / commitdiff
