Merge branch 'doc_man_key_mgmt' into 'master'

doc: update old irrelevant stuff See merge request !1269

Merge branch 'doc_man_key_mgmt' into 'master'
0007d9a4 · Daniel Salzman · 6cc963f0 · 5fa9c0ba · 0007d9a4
Commit 0007d9a4 authored 4 years ago by Daniel Salzman
--- a/doc/configuration.rst
+++ b/doc/configuration.rst
@@ -470,42 +470,35 @@ with manual key management flag has to be set::
      dnssec-policy: manual

 To generate signing keys, use the :doc:`keymgr<man_keymgr>` utility.
-Let's use the Single-Type Signing scheme with two algorithms. Run:
+For example, we can use Single-Type Signing:

 .. code-block:: console

-  $ keymgr myzone.test. generate algorithm=ECDSAP256SHA256
-  $ keymgr myzone.test. generate algorithm=ED25519
+  $ keymgr myzone.test. generate algorithm=ECDSAP256SHA256 ksk=yes zsk=yes

 And reload the server. The zone will be signed.

 To perform a manual rollover of a key, the timing parameters of the key need
-to be set. Let's roll the RSA key. Generate a new RSA key, but do not activate
+to be set. Let's roll the key. Generate a new key, but do not activate
 it yet:

 .. code-block:: console

-  $ keymgr myzone.test. generate algorithm=RSASHA256 size=1024 active=+1d
+  $ keymgr myzone.test. generate algorithm=ECDSAP256SHA256 ksk=yes zsk=yes active=+1d

-Take the key ID (or key tag) of the old RSA key and disable it the same time
+Take the key ID (or key tag) of the old key and disable it the same time
 the new key gets activated:

 .. code-block:: console

-  $ keymgr myzone.test. set <old_key_id> retire=+1d remove=+1d
+  $ keymgr myzone.test. set <old_key_id> retire=+2d remove=+3d

 Reload the server again. The new key will be published (i.e. the DNSKEY record
 will be added into the zone). Remember to update the DS record in the
-parent zone to include a reference to the new RSA key. This must happen within one
+parent zone to include a reference to the new key. This must happen within one
 day (in this case) including a delay required to propagate the new DS to
 caches.

-Note that as the ``+1d`` time specification is computed from the current time,
-the key replacement will not happen at once. First, a new key will be
-activated.  A few moments later, the old key will be deactivated and removed.
-You can use exact time specification to make these two actions happen in one
-go.
-
 .. WARNING::
   If you ever decide to switch from manual key management to automatic key management,
   note that the automatic key management uses