Updated documentation.

doc/configuration.texi

@@ -362,11 +362,11 @@ $ dnssec-keygen -3 -f KSK example.com
 
 @subsection Signing policy
 
-Currently the signing policy is set hard in the server:
+Currently the signing policy is not configurable, except for signature lifetime.
 
 @itemize @bullet
-@item Signature lifetime is 30 days.
-@item Signature is refreshed 2 hours before expiration.
+@item Signature lifetime can be set in configuration globally for all zones and for each zone in particular. @xref{signature-lifetime}. If not set, the default value is 30 days.
+@item Signature is refreshed 2 hours before expiration. The signature lifetime must thus be set to more than 2 hours.
 @end itemize
 
 @subsection Zone signing
@@ -379,8 +379,7 @@ Fixing @code{NSEC} or @code{NSEC3} records. This is determined by
 @code{NSEC3PARAM} record presence in unsigned zone.
 
 @item
-Updating @code{DNSKEY} records. This also means removing all keys which are
-not present in directory with signing keys.
+Updating @code{DNSKEY} records. This also means adding DNSKEY records for any keys that are present in keydir, but missing in zone file.
 
 @item
 Removing expired signatures, invalid signatures, signatures expiring in a short

doc/reference.texi

@@ -906,6 +906,7 @@ zones @{
   zonefile-sync 1h;
   ixfr-fslimit 1G;
   dnssec-enable on;
+  dnssec-keydir "keys";
   signature-lifetime 60d;
   example.com @{
     file "samples/example.com.zone";

man/knot.conf.5.in

@@ -258,12 +258,12 @@ serves as an example of the configuration for knotc(8) and knotd(8).
 
   # Enable DNSSEC online signing (EXPERIMENTAL)
   # Possible values: on | off;
-  # Default value: off
-  dnssec-enable off;
+  # Default value: on if dnssec-keydir is set; otherwise off
+  dnssec-enable on;
 
-  # Location of DNSSEC signing keys.
+  # Location of DNSSEC signing keys (relative to storage directory).
   # Default value: not set
-  # dnssec-keydir "some-secure-directory";
+  dnssec-keydir "keys";
 
   # Validity period for DNSSEC signatures
   # Possible values: (7200..INT_MAX> (seconds)
@@ -272,7 +272,7 @@ serves as an example of the configuration for knotc(8) and knotd(8).
   # f.e. 1s = 1 day, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
   # The lower limit is because the server will trigger resign when any of the
   # signatures expires in 7200 seconds or less.
-  # signature-lifetime 30d;
+  signature-lifetime 30d;
 
   # Zone entry
   #
@@ -324,13 +324,9 @@ serves as an example of the configuration for knotc(8) and knotd(8).
 
     # Enable DNSSEC online signing (EXPERIMENTAL)
     # Possible values: on | off;
-    # Default value: off
+    # Default value: inherited from zones section
     dnssec-enable off;
 
-    # Location of DNSSEC signing keys.
-    # Default value: not set
-    # dnssec-keydir "some-secure-directory";
-
     # Validity period for DNSSEC signatures
     # Possible values: (7200..INT_MAX> (seconds)
     # Default value: 30d (30 days or 2592000 seconds)
@@ -338,7 +334,7 @@ serves as an example of the configuration for knotc(8) and knotd(8).
     # f.e. 1s = 1 day, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
     # The lower limit is because the server will trigger resign when any of the
     # signatures expires in 7200 seconds or less.
-    # signature-lifetime 30d;
+    signature-lifetime 30d;
 
     # XFR master server
     xfr-in server0;

samples/knot.full.conf

@@ -252,8 +252,8 @@ zones {
 
   # Enable DNSSEC online signing (EXPERIMENTAL)
   # Possible values: on | off;
-  # Default value: on if dnssec-keydir is set
-  dnssec-enable on;
+  # Default value: on if dnssec-keydir is set; otherwise off
+  # dnssec-enable on;
 
   # Location of DNSSEC signing keys (relative to storage dir).
   # Default value: not set
@@ -318,7 +318,7 @@ zones {
 
     # Enable DNSSEC online signing (EXPERIMENTAL)
     # Possible values: on | off;
-    # Default value: inherited from zones
+    # Default value: inherited from zones section
     # dnssec-enable on;
 
     # Validity period for DNSSEC signatures