Commit b066c887 authored by Jan Včelák
doc: teenage days of IXFR and DNSSEC are over

- IXFR is no longer experimental
- DNSSEC is no longer experimental, but technical preview
parent ca91a96d
Merge request !130: doc: DNSSEC migration from Bind
......@@ -13,7 +13,7 @@ In this chapter we provide suggested configurations and explain the meaning of i
* Enabling zone semantic checks::
* Creating IXFR differences from zone file changes::
* Using Response Rate Limiting::
* Automatic DNSSEC signing (experimental)::
* Automatic DNSSEC signing::
@end menu
@node Minimal configuration
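Review bot: the menu entry rename to "Automatic DNSSEC signing" must match the @node name character for character, otherwise makeinfo reports an unresolved menu entry; the matching @node/@section rename is in a later hunk of this commit, but any @ref or @xref elsewhere in the manual that still carries the old "(experimental)" suffix would break in the same way and is worth grepping for before merging.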
......@@ -192,24 +192,7 @@ message to its primary master specified by @code{xfr-in} directive. When it rece
the response from primary master, it forwards it back to the originator. This finishes the transaction.
However, if the zone is configured as master (i.e. not having any @code{xfr-in} directive), it accepts
such an UPDATE and processes it. As of 1.2, there are a few limitations with DNSSEC signed zones described below. Other than that, UPDATE of unsigned zones works as expected without any limitations.
@itemize @bullet
@item
Knot DNS doesn't automatically sign incoming RR if the zone is signed.
As a workaround, it accepts DNSSEC-related records. However, it may prove challenging
to create such an UPDATE that it correctly adds/replaces signed RRs, so this
feature should be treated as experimental until correct signing is implemented.
@item
As for the reason in a previous point, removing RRSIG with no specified rdata makes it impossible
to determine whether the user meant a RRSIG for an NSEC3 record or other one.
Since they are stored separately, it is advisable to always specify RRSIG along with at least the types it covers.
@item
Deleting a last RR also removes its RRSIG.
@end itemize
such an UPDATE and processes it.
@node Remote control interface
@section Remote control interface
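Review bot: dropping the itemized list removes the only statement of what happens to an RR added by dynamic UPDATE to a DNSSEC-signed zone, and the replacement sentence "such an UPDATE and processes it." says nothing about signing. If automatic signing now re-signs records changed by UPDATE, one sentence here saying so would close the gap; if any of the three caveats (incoming RRs are not signed, removing RRSIG without rdata is ambiguous between NSEC3 and other RRSIGs, deleting the last RR also removes its RRSIG) still applies, keep that caveat rather than removing it silently, since an operator relying on this text could otherwise serve a zone with missing or stale RRSIGs.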
......@@ -246,7 +229,7 @@ which checks are enabled by default and which are optional.
@node Creating IXFR differences from zone file changes
@section Creating IXFR differences from zone file changes
If Knot is being run as a master server, experimental feature @code{ixfr-from-differences}
If Knot is being run as a master server, feature @code{ixfr-from-differences}
can be enabled to create IXFR differences from changes made to the master zone file.
See @ref{Controlling running daemon} for more information. For more about @code{zones} statement see @ref{zones}.
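Review bot: the rewritten sentence reads "feature @code{ixfr-from-differences} can be enabled", which loses the article together with "experimental"; "the @code{ixfr-from-differences} feature can be enabled" reads naturally.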
......@@ -276,14 +259,14 @@ system @{
@}
@end example
@node Automatic DNSSEC signing (experimental)
@section Automatic DNSSEC signing (experimental)
@node Automatic DNSSEC signing
@section Automatic DNSSEC signing
Knot DNS 1.4 is the first release to include automatic DNSSEC signing feature.
Automatic DNSSEC signing is currently highly experimental and there is a lot of
issues we are working on and limitations we will try to eliminate. By all
means, anything in the current implementation can change including
configuration options. We have no intention to maintain backward compatibility.
Automatic DNSSEC signing is currently technical preview and there are some
limitations we will try to eliminate. The concept of key management and
configuration is likely to change in future without maintaining backward
compatibility.
@subsection Example configuration
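Review bot: "is currently technical preview" needs an article ("is currently a technical preview"). The new paragraph also says "there are some limitations we will try to eliminate" without naming them or pointing to where they are listed; a reader deciding whether to enable signing on a production zone cannot assess the risk from that sentence alone, so either list the known limitations here or add an @ref to the place that does.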
......
......@@ -29,8 +29,7 @@ Knot DNS supports the following DNS features:
@itemize
@item TCP/UDP protocols
@item AXFR - master, slave
@item IXFR - master (primary master experimental), slave
@item AXFR, IXFR - master, slave
@item TSIG
@item ENDS0
@item DNSSEC, including NSEC3
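Review bot: "@item ENDS0" in the unchanged context is a typo for EDNS0 and should be fixed while this list is being edited. Collapsing the two transfer items into "AXFR, IXFR - master, slave" also drops the "(primary master experimental)" qualifier, which is consistent with the commit message only if IXFR as primary master is now fully supported.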
......
......@@ -831,7 +831,7 @@ Most checks are disabled by default.
@subsubsection ixfr-from-differences
@vindex ixfr-from-differences
EXPERIMENTAL: option @code{ixfr-from-differences} is only relevant if you are running Knot DNS as a master for this zone.
Option @code{ixfr-from-differences} is only relevant if you are running Knot DNS as a master for this zone.
By turning the feature on you tell Knot to create differences from changes you made to a zone file upon server reload.
See @ref{Controlling running daemon} for more information.
......@@ -882,7 +882,7 @@ Default value: not set
@subsubsection dnssec-enable
@vindex dnssec-enable
EXPERIMENTAL: Enable automatic DNSSEC signing for the zone.
PREVIEW: Enable automatic DNSSEC signing for the zone.
Default value (in @code{zones} section): off
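Review bot: the bare "PREVIEW:" prefix here is inconsistent with "(technical preview)" used for the same option in the sample configuration hunks of this commit; one form, e.g. "TECHNICAL PREVIEW:", in both places lets a reader searching the manual find every mention.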
......@@ -926,7 +926,7 @@ zones @{
example.com @{
storage "samples";
file "example.com.zone";
ixfr-from-differences off; #experimental
ixfr-from-differences off;
disable-any off;
semantic-checks on;
notify-timeout 60;
......
......@@ -155,9 +155,7 @@ $ knotc -c master.conf reload # reconfigure and load updated zones
If you want @emph{IXFR-out} differences created from changes you make to a zone file, enable @ref{ixfr-from-differences}
in @code{zones} statement, then reload your server as seen above.
If @emph{SOA}'s @emph{serial} is not changed no differences will be created. Please note
that this feature is in @emph{experimental} stage and should be used with care.
If you encounter a bug using this feature, please send it to Knot developers (@pxref{Submitting a bugreport}).
If @emph{SOA}'s @emph{serial} is not changed no differences will be created.
If you want to force refresh the slave zones, you can do this with the @code{knotc refresh} action.
@example
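Review bot: with the experimental note and the @pxref{Submitting a bugreport} sentence gone, "If @emph{SOA}'s @emph{serial} is not changed no differences will be created." is the only caveat left and it needs a comma after "changed"; it would also help to say what the reload does in that case (for instance whether the zone is still reloaded and served while no IXFR history is produced), since the reader can no longer tell whether the omission is silent.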
......
......@@ -217,7 +217,7 @@ serves as an example of the configuration for knotc(8) and knotd(8).
# default: ${localstatedir}/lib/knot, configured with --with-storage
storage "/var/lib/knot";
# Build differences from zone file changes. EXPERIMENTAL feature.
# Build differences from zone file changes
# Possible values: on|off
# Default value: off
ixfr-from-differences off;
......@@ -256,7 +256,7 @@ serves as an example of the configuration for knotc(8) and knotd(8).
# f.e. 1k, 100M, 2G
ixfr-fslimit 1G;
# Enable DNSSEC online signing (EXPERIMENTAL)
# Enable DNSSEC online signing (technical preview)
# Possible values: on | off;
# Default value: off
dnssec-enable off;
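Review bot: the unchanged context line "# Possible values: on | off;" carries a stray semicolon inside a comment, unlike the "# Possible values: on|off" line in the ixfr-from-differences hunk above; since this commit already touches the comment block, aligning the two forms would keep the sample configuration consistent.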
......@@ -331,7 +331,7 @@ serves as an example of the configuration for knotc(8) and knotd(8).
# Default value: inherited from zones section
dnssec-keydir "keys";
# Enable DNSSEC online signing (EXPERIMENTAL)
# Enable DNSSEC online signing (technical preview)
# Possible values: on | off;
# Default value: inherited from zones section
dnssec-enable off;
......