doc: mod-online-sign doc improved

2d1129c4 · Libor Peltan · 1602db38 · 2d1129c4 · 2d1129c4 · 2d1129c4
Commit 2d1129c4 authored 8 years ago by Libor Peltan
--- a/doc/man/knot.conf.5in
+++ b/doc/man/knot.conf.5in
@@ -1213,6 +1213,30 @@ If enabled, query messages will be logged.
 If enabled, response messages will be logged.
 .sp
 \fIDefault:\fP on
+.SH MODULE ONLINE-SIGN
+.sp
+The module provides online DNSSEC signing. Instead of pre\-computing the zone signatures
+when the zone is loaded into the server or instead of loading an externally signed zone,
+the signatures are computed on\-the\-fly during answering.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mod\-online\-sign:
+  \- id: STR
+    policy: STR
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS id
+.sp
+A module identifier.
+.SS policy
+.sp
+A \fI\%reference\fP to DNSSEC signing policy. A special \fIdefault\fP
+value can be used for the default policy settings.
 .SH MODULE SYNTH-RECORD
 .sp
 This module is able to synthesize either forward or reverse records for the

--- a/doc/modules.rst
+++ b/doc/modules.rst
@@ -387,8 +387,11 @@ How to use the online signing module:
     - domain: example.com
       module: mod-online-sign/explicit

+  Or use manual policy in an analogous manner, see
+  :ref:`Manual key management<dnssec-manual-key-management>`.
+
  .. NOTE::
-     Only keystore, algorithm, zsk-size, and rrsig-lifetime policy items are
+     Only id, manual, keystore, algorithm, zsk-size, and rrsig-lifetime policy items are
     relevant to this module. If no rrsig-lifetime is configured, the
     default value is 25 hours.

@@ -424,7 +427,7 @@ Known issues:

 Limitations:

-* Only a Single-Type Signing scheme is supported.
+* Online-sign module always enforces Single-Type Signing scheme.

 * Only one active signing key can be used.


--- a/doc/reference.rst
+++ b/doc/reference.rst
@@ -1418,6 +1418,36 @@ If enabled, response messages will be logged.

 *Default:* on

+.. _Module online-sign:
+
+Module online-sign
+==================
+
+The module provides online DNSSEC signing. Instead of pre-computing the zone signatures
+when the zone is loaded into the server or instead of loading an externally signed zone,
+the signatures are computed on-the-fly during answering.
+
+::
+
+ mod-online-sign:
+   - id: STR
+     policy: STR
+
+.. _mod-online-sign_id:
+
+id
+--
+
+A module identifier.
+
+.. _mod-online-sign_policy:
+
+policy
+------
+
+A :ref:`reference<policy_id>` to DNSSEC signing policy. A special *default*
+value can be used for the default policy settings.
+
 .. _Module synth-record:

 Module synth-record