diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 4069e6b1f4..c6dbfef797 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -3985,6 +3985,34 @@ options {

+
trust-anchor-telemetry
+
+

+ Causes named to send specially-formed
+ queries once per day to domains for which trust anchors
+ have been configured via trusted-keys,
+ managed-keys,
+ dnssec-validation auto, or
+ dnssec-lookaside auto.
+

+

+ The query name used for these queries has the
+ form "_ta-xxxx(-xxxx)(...)".<domain>, where
+ each "xxxx" is a group of four hexadecimal digits
+ representing the key ID of a trusted DNSSEC key.
+ The key IDs for each domain are sorted smallest
+ to largest prior to encoding. The query type is NULL.
+

+

+ By monitoring these queries, zone operators will
+ be able to see which resolvers have been updated to
+ trust a new key; this may help them decide when it
+ is safe to remove an old one.
+

+

+ The default is yes.
+

+
use-id-pool

This option is obsolete.
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 5c33e1a310..9c7ebab587 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -570,6 +570,17 @@ name rather than returning all of the matching RRsets. Thanks to Tony Finch for the contribution. [RT #41615]

+
  •
+ named now provides feedback to the
+ owners of zones which have trust anchors configured
+ (trusted-keys,
+ managed-keys, dnssec-validation
+ auto; and dnssec-lookaside auto;)
+ by sending a daily query which encodes the keyids of the
+ configured trust anchors for the zone. This is controlled
+ by trust-anchor-telemetry and defaults
+ to yes.
+

  •
diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index 2b7bab524d..599078a8e6 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -531,6 +531,17 @@ name rather than returning all of the matching RRsets. Thanks to Tony Finch for the contribution. [RT #41615]

    +
  •
+ named now provides feedback to the
+ owners of zones which have trust anchors configured
+ (trusted-keys,
+ managed-keys, dnssec-validation
+ auto; and dnssec-lookaside auto;)
+ by sending a daily query which encodes the keyids of the
+ configured trust anchors for the zone. This is controlled
+ by trust-anchor-telemetry and defaults
+ to yes.
+

  •
diff --git a/doc/misc/options b/doc/misc/options
index 8bbfb1d97a..b2277b90b1 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -322,6 +322,7 @@ options {
 transfers-out ;
 transfers-per-ns ;
 treat-cr-as-space ; // obsolete
+ trust-anchor-telemetry ;
 try-tcp-refresh ;
 update-check-ksk ;
 use-alt-transfer-source ;
@@ -608,6 +609,7 @@ view [ ] { dscp ]; transfer-source-v6 ( | * ) [ port ( | * ) ] [ dscp ];
+ trust-anchor-telemetry ;
 trusted-keys { ; ... };
 try-tcp-refresh ;