Changeset 1897 for trunk/pdns/pdns/docs/pdns.xml
- Timestamp: 01/19/11 20:15:49 (2 years ago)
- Files: 1 modified
  - trunk/pdns/pdns/docs/pdns.xml (modified) (7 diffs)
trunk/pdns/pdns/docs/pdns.xml
r1894 r1897 9100 9100 </para> 9101 9101 <para> 9102 PowerDNS supports serving pre-signed zones, as well as online ('live') signed operations. In the last case, Signature Rollover 9103 and Key Maintenance are fully managed by PowerDNS. 9104 </para> 9105 <para> 9102 9106 In addition to the above, PowerDNSSEC also supports modes of operation which may not have an equivalent in other 9103 pieces of software, for example NSEC3-narrow mode. In such cases we strive for implementing the relevant standards 9104 well. 9107 pieces of software, for example NSEC3-narrow mode. 9105 9108 </para> 9106 9109 <para> … … 9191 9194 <para>TBD</para> 9192 9195 </section> 9193 <section id="dnssec--dnssec-migration"><title>From existing DNSSEC non-PowerDNS setups</title> 9196 <section id="dnssec-dnssec-migration-presigned"><title>From existing DNSSEC non-PowerDNS setups, pre-signed</title> 9197 <para> 9198 Industry standard signed zones can be served natively by PowerDNS, without changes. In such cases, signing 9199 happens externally to PowerDNS, possibly via OpenDNSSEC, ldns-sign or dnssec-sign. 9200 </para> 9201 <para> 9202 PowerDNS needs to know if a zone should receive DNSSEC processing. To configure, run 'pdnssec set-presigned zone'. 9203 </para> 9204 </section> 9205 <section id="dnssec-dnssec-migration-live"><title>From existing DNSSEC non-PowerDNS setups, live signing</title> 9194 9206 <para> 9195 9207 The 'pdnssec' tool features the option to import zone keys in the industry standard private key format, … … 9206 9218 </section> 9207 9219 <section id="powerdnssec"> 9208 <title>Records, Keys, signatures, hashes within PowerDNSSEC </title>9220 <title>Records, Keys, signatures, hashes within PowerDNSSEC in online signing mode</title> 9209 9221 <para> 9210 Within PowerDNSSEC , keys are stored separately from the zone records. Zone data are only9222 Within PowerDNSSEC live signing, keys are stored separately from the zone records. 
Zone data are only 9211 9223 combined with signatures and keys when requests come in over the internet. 9212 9224 </para> … … 9255 9267 <section id="rrsig"><title>Signatures</title> 9256 9268 <para> 9257 In PowerDNS , signatures, as served through RRSIG records, are calculated on the fly, and heavily cached. All CPU cores9269 In PowerDNS live signing mode, signatures, as served through RRSIG records, are calculated on the fly, and heavily cached. All CPU cores 9258 9270 are used for the calculation. 9259 9271 </para> … … 9458 9470 <para> 9459 9471 .. pdnssec show-zone ZONE and communicatate duplicate DS .. 9460 .. pdnssec activate-zone-key ZONE next-key-id .. 9461 .. pdnssec deactivate-zone-key ZONE prev-key-id .. 9462 .. pdnssec remove-zone-key ZONE prev-key-id .. 9472 .. pdnssec set-nsec3 'parameters' ZONE 9463 9473 </para> 9464 9474 </section> … … 9483 9493 non-DNSSEC operations. 9484 9494 </para> 9495 <section id="dnssec-presigned"><title>PowerDNSSEC Pre-signed records</title> 9496 <para> 9497 In this mode, PowerDNS serves zones that already contain DNSSEC records. Such zones can either be slaved from 9498 a remote master, or can be signed using tools like OpenDNSSEC, ldns-signzone or dnssec-signzone. 9499 </para> 9500 </section> 9485 9501 <section id="dnssec-frontserver"><title>PowerDNSSEC Front-signing</title> 9486 9502 <para> … … 9556 9572 </para> 9557 9573 <para> 9558 In some settings, having such (private) keying material available online is considered undesireable. 9574 In some settings, having such (private) keying material available online is considered undesireable. In this case, 9575 consider running in pre-signed mode. 9559 9576 </para> 9560 9577 </section>
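Review bot: in the first hunk (new lines 9102-9103), "In the last case" refers back to a choice between only two modes, so "In the latter case" is the correct wording. "Signature Rollover and Key Maintenance" is also capitalised mid-sentence although neither is a defined term anywhere in the visible text; lower-case both unless a section of that name exists to link to.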
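Review bot: in the migration hunk (new lines 9196-9205), the external signers are named "ldns-sign or dnssec-sign", while the dnssec-presigned section added later in this same changeset says "ldns-signzone or dnssec-signzone"; use the same tool names in both places so readers can find the right binaries. The instruction 'pdnssec set-presigned zone' also uses a lower-case placeholder where the other command lines in this file write ZONE. Finally, the old section id "dnssec--dnssec-migration" disappears here, so any cross-reference to it elsewhere in pdns.xml needs to be pointed at one of the two new ids.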
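Review bot: in the "powerdnssec" section hunk (new lines 9220-9222), the title says "in online signing mode" while the first sentence of the body says "Within PowerDNSSEC live signing", two names for one mode within three lines. The first hunk introduces it as "online ('live')"; settle on one term after that introduction and use it in the title, this paragraph and the RRSIG paragraph ("live signing mode") alike.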
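Review bot: in the hunk at old lines 9460-9462, the three steps that followed "communicate duplicate DS" (activate-zone-key, deactivate-zone-key, remove-zone-key) are deleted and replaced by a single ".. pdnssec set-nsec3 'parameters' ZONE" line, which reads as an unrelated NSEC3 setting rather than the rest of a key change procedure. Please confirm the removal is intended, and if the set-nsec3 line belongs in a different section, move it there and keep the key steps. The added line also places ZONE after the parameters, whereas every other command in this patch puts the zone directly after the subcommand, so check the order against the tool's usage output. The context line above still reads "communicatate".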
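Review bot: the new "dnssec-presigned" section (new lines 9495-9500) describes serving zones that already contain DNSSEC records but never mentions that the zone has to be marked with 'pdnssec set-presigned', which the migration section added in this same changeset says is required for PowerDNS to know the zone should receive DNSSEC processing. An operator who reads only this section could slave a signed zone and miss that step; add the command here or link to the section with id "dnssec-dnssec-migration-presigned".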
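Review bot: in the last hunk (new lines 9574-9575), the rewritten sentence keeps the misspelling "undesireable"; since the line is being touched anyway, correct it to "undesirable". The new advice "consider running in pre-signed mode" would be more useful as a link to the "dnssec-presigned" section added earlier in this changeset, and it should say that in that mode the private keys stay with the external signer rather than on the PowerDNS host, since that is the reason the paragraph gives for choosing it.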