From 82a6512ee014dfab80fdd0d5c096d2f41db7ec82 Mon Sep 17 00:00:00 2001
From: Lubos Slovak <lubos.slovak@nic.cz>
Date: Thu, 3 Oct 2013 13:44:57 +0200
Subject: [PATCH] Updated documentation.

---
 doc/configuration.texi |  9 ++++-----
 doc/reference.texi     |  1 +
 man/knot.conf.5.in     | 18 +++++++-----------
 samples/knot.full.conf |  6 +++---
 4 files changed, 15 insertions(+), 19 deletions(-)

diff --git a/doc/configuration.texi b/doc/configuration.texi
index 7fe416ac3b..ce05d48c8e 100644
--- a/doc/configuration.texi
+++ b/doc/configuration.texi
@@ -362,11 +362,11 @@ $ dnssec-keygen -3 -f KSK example.com
 
 @subsection Signing policy
 
-Currently the signing policy is set hard in the server:
+Currently the signing policy is not configurable, except for signature lifetime.
 
 @itemize @bullet
-@item Signature lifetime is 30 days.
-@item Signature is refreshed 2 hours before expiration.
+@item Signature lifetime can be set in configuration globally for all zones and for each zone in particular. @xref{signature-lifetime}. If not set, the default value is 30 days.
+@item Signature is refreshed 2 hours before expiration. The signature lifetime must thus be set to more than 2 hours.
 @end itemize
 
 @subsection Zone signing
@@ -379,8 +379,7 @@ Fixing @code{NSEC} or @code{NSEC3} records. This is determined by
 @code{NSEC3PARAM} record presence in unsigned zone.
 
 @item
-Updating @code{DNSKEY} records. This also means removing all keys which are
-not present in directory with signing keys.
+Updating @code{DNSKEY} records. This also means adding DNSKEY records for any keys that are present in keydir, but missing in zone file.
 
 @item
 Removing expired signatures, invalid signatures, signatures expiring in a short
diff --git a/doc/reference.texi b/doc/reference.texi
index 0558766b68..4823420dc8 100644
--- a/doc/reference.texi
+++ b/doc/reference.texi
@@ -906,6 +906,7 @@ zones @{
   zonefile-sync 1h;
   ixfr-fslimit 1G;
   dnssec-enable on;
+  dnssec-keydir "keys";
   signature-lifetime 60d;
   example.com @{
     file "samples/example.com.zone";
diff --git a/man/knot.conf.5.in b/man/knot.conf.5.in
index 24fb7930ac..78d3c0487f 100644
--- a/man/knot.conf.5.in
+++ b/man/knot.conf.5.in
@@ -258,12 +258,12 @@ serves as an example of the configuration for knotc(8) and knotd(8).
 
   # Enable DNSSEC online signing (EXPERIMENTAL)
   # Possible values: on | off;
-  # Default value: off
-  dnssec-enable off;
+  # Default value: on if dnssec-keydir is set; otherwise off
+  dnssec-enable on;
 
-  # Location of DNSSEC signing keys.
+  # Location of DNSSEC signing keys (relative to storage directory).
   # Default value: not set
-  # dnssec-keydir "some-secure-directory";
+  dnssec-keydir "keys";
 
   # Validity period for DNSSEC signatures
   # Possible values: (7200..INT_MAX> (seconds)
@@ -272,7 +272,7 @@ serves as an example of the configuration for knotc(8) and knotd(8).
   # f.e. 1s = 1 day, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
   # The lower limit is because the server will trigger resign when any of the
   # signatures expires in 7200 seconds or less.
-  # signature-lifetime 30d;
+  signature-lifetime 30d;
 
   # Zone entry
   #
@@ -324,13 +324,9 @@ serves as an example of the configuration for knotc(8) and knotd(8).
 
     # Enable DNSSEC online signing (EXPERIMENTAL)
     # Possible values: on | off;
-    # Default value: off
+    # Default value: inherited from zones section
     dnssec-enable off;
 
-    # Location of DNSSEC signing keys.
-    # Default value: not set
-    # dnssec-keydir "some-secure-directory";
-
     # Validity period for DNSSEC signatures
     # Possible values: (7200..INT_MAX> (seconds)
     # Default value: 30d (30 days or 2592000 seconds)
@@ -338,7 +334,7 @@ serves as an example of the configuration for knotc(8) and knotd(8).
     # f.e. 1s = 1 day, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
     # The lower limit is because the server will trigger resign when any of the
     # signatures expires in 7200 seconds or less.
-    # signature-lifetime 30d;
+    signature-lifetime 30d;
 
     # XFR master server
     xfr-in server0;
diff --git a/samples/knot.full.conf b/samples/knot.full.conf
index cce8b9c4b8..e72bc4ef76 100644
--- a/samples/knot.full.conf
+++ b/samples/knot.full.conf
@@ -252,8 +252,8 @@ zones {
 
   # Enable DNSSEC online signing (EXPERIMENTAL)
   # Possible values: on | off;
-  # Default value: on if dnssec-keydir is set
-  dnssec-enable on;
+  # Default value: on if dnssec-keydir is set; otherwise off
+  # dnssec-enable on;
 
   # Location of DNSSEC signing keys (relative to storage dir).
   # Default value: not set
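Review bot: Commenting out `dnssec-enable on;` makes the sample's effective setting depend on the implicit default the new comment describes (on whenever dnssec-keydir is set), so a reader who sees the directive commented out may assume signing is off while it is actually active; the dnssec-keydir directive itself follows outside this hunk, so whether the sample ends up signing cannot be confirmed from here. Since the feature is marked EXPERIMENTAL in the comment right above, either keep the directive explicit or make the implicit activation visible with a line such as `# Note: when dnssec-keydir is set, signing is on even if this line stays commented out.` The man/knot.conf.5.in hunk in this same commit goes the other way (it uncomments `dnssec-enable on;` and `dnssec-keydir "keys";`), so the two sample configurations now disagree on the recommended form; settling on one convention would avoid confusing operators who copy from either.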
@@ -318,7 +318,7 @@ zones {
 
     # Enable DNSSEC online signing (EXPERIMENTAL)
     # Possible values: on | off;
-    # Default value: inherited from zones
+    # Default value: inherited from zones section
     # dnssec-enable on;
 
     # Validity period for DNSSEC signatures
-- 
GitLab