diff --git a/doc/man/keymgr.8in b/doc/man/keymgr.8in index e3e9c07a6cb34bf5315f53318e5781565f20f519..862264ae84eb00e93835035147a5134f79bb5641 100644 --- a/doc/man/keymgr.8in +++ b/doc/man/keymgr.8in @@ -234,9 +234,14 @@ List private keys in the key store. .INDENT 0.0 .TP \fBtsig\fP \fBgenerate\fP \fIname\fP [\fBalgorithm\fP \fIid\fP] [\fBsize\fP \fIbits\fP] -Generate new TSIG key and print it on the standard output. The HMAC algorithm +Generate new TSIG key and print it on the standard output. The algorithm defaults to \fIhmac\-sha256\fP\&. The default key size is determined optimally based on the selected algorithm. +.sp +The generated key is printed out in the server configuration format to allow +direct inclusion into the server configuration. The first line of the output +contains a comment with the key in the one\-line key format accepted by client +utilities. .UNINDENT .SH EXAMPLES .INDENT 0.0 diff --git a/doc/man/knotc.8in b/doc/man/knotc.8in index 84cf5c0bf71abb0e0554405278657fb3d0207590..c2980e38d8d37fc517c4cc33bd6873b718b99547 100644 --- a/doc/man/knotc.8in +++ b/doc/man/knotc.8in @@ -119,7 +119,23 @@ Export the configuration database to a file. .sp .nf .ft C -$ keymgr tsig generate knotc\-key > knotc.key +$ keymgr tsig generate knotc\-key > knotc\-key.conf +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +The generated key file contains a key in the server configuration format and +thus can be directly included into the server configuration file. +.sp +Knot DNS utilities accept one\-line format which is included in the generated +key file on the first line as a comment. It can be extracted easily: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +$ head \-1 knotc\-key.conf | sed \(aqs/^#\es*//\(aq > knotc.key .ft P .fi .UNINDENT diff --git a/doc/man_keymgr.rst b/doc/man_keymgr.rst index 8f5ef1e4ba5d1dbf89a54aa5550aef15033756c2..53f621ddddecd999558fd0103202e9035941eb2f 100644 --- a/doc/man_keymgr.rst +++ b/doc/man_keymgr.rst 
@@ -30,7 +30,7 @@ available subcommands in that area. The listing of available command arguments is not supported yet. Command and argument names are parsed in a smart way. Only a beginning -of a name can be entered and it will be recognized. The specified part of +of a name can be entered and it will be recognized. The specified part of a name must be unique amongst the other names. Global options @@ -199,10 +199,15 @@ tsig commands ............. **tsig** **generate** *name* [**algorithm** *id*] [**size** *bits*] - Generate new TSIG key and print it on the standard output. The HMAC algorithm + Generate new TSIG key and print it on the standard output. The algorithm defaults to *hmac-sha256*. The default key size is determined optimally based on the selected algorithm. + The generated key is printed out in the server configuration format to allow + direct inclusion into the server configuration. The first line of the output + contains a comment with the key in the one-line key format accepted by client + utilities. + Examples -------- diff --git a/doc/man_knotc.rst b/doc/man_knotc.rst index 4e5d1b144f61809d1bb798da8168bc946e1638b8..27b66c0e2c35969d8a7574085b07047121bd2bd6 100644 --- a/doc/man_knotc.rst +++ b/doc/man_knotc.rst @@ -97,7 +97,15 @@ Setup a key file for remote control :: - $ keymgr tsig generate knotc-key > knotc.key + $ keymgr tsig generate knotc-key > knotc-key.conf + +The generated key file contains a key in the server configuration format and +thus can be directly included into the server configuration file. + +Knot DNS utilities accept one-line format which is included in the generated +key file on the first line as a comment. It can be extracted easily:: + + $ head -1 knotc-key.conf | sed 's/^#\s*//' > knotc.key Make sure the key file can be read only by the owner for security reasons.
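Review bot: In the doc/man_knotc.rst hunk at "Setup a key file for remote control" (and the matching doc/man/knotc.8in hunk), the procedure now leaves the TSIG secret in two files, knotc-key.conf and knotc.key, but the closing sentence still says "Make sure the key file can be read only by the owner" in the singular. It also comes after both redirections have already created the files with whatever the caller's umask allows. Suggest putting `umask 077` ahead of the `keymgr tsig generate` line, or at least rewording the sentence to name both files, so that a reader following the steps in order never has a group- or world-readable copy of the key on disk.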
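Review bot: The extraction command added in the doc/man/knotc.8in hunk, `head \-1 knotc\-key.conf | sed \(aqs/^#\es*//\(aq > knotc.key` (the same command appears in doc/man_knotc.rst), relies on `\s`, which is not part of POSIX basic regular expressions, and on the obsolescent `head -1` form. On a sed without that extension the pattern will not strip the whitespace after `#` as intended, so knotc.key may not hold a clean one-line key. Suggest `head -n 1 knotc-key.conf | sed 's/^#[[:space:]]*//' > knotc.key` so the documented command behaves the same wherever the utilities are installed.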
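Review bot: The paragraph added to the **tsig generate** description in the second doc/man_keymgr.rst hunk (and in doc/man/keymgr.8in) says the first line "contains a comment with the key in the one-line key format" but does not say what the comment looks like or what the one-line format is. The knotc documentation in this same patch depends on that line being exactly the first line and beginning with `#`, so this is effectively an output contract. Suggest stating the comment prefix explicitly here and adding a sample of the output under Examples (with a placeholder secret), so that the extraction recipe and the keymgr description cannot drift apart unnoticed.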