mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-04 00:25:29 +00:00
Code Issues Releases Wiki Activity

Document dnssec-policy keys range directive

Browse Source 
Co-authored-by: Suzanne Goldlust <sgoldlust@isc.org>
This commit is contained in:
Mark Andrews
2024-08-08 13:11:40 +10:00
parent e7decd7a65
commit c088772191
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
doc/arm/reference.rst
View File

@@ -6474,7 +6474,7 @@ The following options can be specified in a :any:`dnssec-policy` statement:
keys { keys {
ksk key-directory lifetime unlimited algorithm rsasha256 2048; ksk key-directory lifetime unlimited algorithm rsasha256 2048;
zsk lifetime 30d algorithm 8; zsk lifetime 30d algorithm 8 tag-range 0 32767;
csk key-store "hsm" lifetime P6MT12H3M15S algorithm ecdsa256; csk key-store "hsm" lifetime P6MT12H3M15S algorithm ecdsa256;
}; };
@@ -6498,6 +6498,11 @@ The following options can be specified in a :any:`dnssec-policy` statement:
When using ``key-directory``, the key is stored in the zone's When using ``key-directory``, the key is stored in the zone's
configured :any:`key-directory`. This is also the default. configured :any:`key-directory`. This is also the default.
When using ``tag-range``, valid key tags for managed keys are
restricted to this range [``tag-min`` ``tag-max``]. The optional
``tag-range`` is intended to be used in multi-signer scenarios.
The default is unlimited ([0..65535]).
The ``lifetime`` parameter specifies how long a key may be used The ``lifetime`` parameter specifies how long a key may be used
before rolling over. For convenience, TTL-style time-unit suffixes before rolling over. For convenience, TTL-style time-unit suffixes
can be used to specify the key lifetime. It also accepts ISO 8601 can be used to specify the key lifetime. It also accepts ISO 8601