diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 483344f1ca..fe370dcf10 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -5169,7 +5169,7 @@ The following options can be specified in a ``dnssec-policy`` statement: :: keys { - ksk key-directory lifetime unlimited algorithm rsasha1 2048; + ksk key-directory lifetime unlimited algorithm rsasha256 2048; zsk lifetime P30D algorithm 8; csk lifetime P6MT12H3M15S algorithm ecdsa256; }; @@ -5205,6 +5205,8 @@ The following options can be specified in a ``dnssec-policy`` statement: number. An optional second parameter specifies the key's size in bits. If it is omitted, as shown in the example for the second and third keys, an appropriate default size for the algorithm is used. + Each KSK/ZSK pair must have the same algorithm. A CSK combines the + functionality of a ZSK and a KSK. ``purge-keys`` This is the time after when DNSSEC keys that have been deleted from diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst index c25b1c401f..ea920801b5 100644 --- a/doc/dnssec-guide/signing.rst +++ b/doc/dnssec-guide/signing.rst @@ -762,9 +762,10 @@ The policy has multiple parts: - The ``keys`` clause lists all keys that should be in the zone, along with their associated parameters. In this example, we are using the conventional KSK/ZSK split, with the KSK changed every year and the - ZSK changed every two months. We have used one of the two mandatory - algorithms for the keys. (The ``default`` DNSSEC policy sets a CSK - that is never changed.) + ZSK changed every two months (the ``default`` DNSSEC policy sets a + CSK that is never changed). Keys are created using the + ECDSAPS256SHA256 algorithm; each KSK/ZSK pair must have the same + algorithm. A CSK combines the functionality of a ZSK and a KSK. - The parameters ending in ``-ttl`` are, as expected, the TTLs of the associated records. Remember that during a key rollover,
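Review bot: In the reference.rst ``keys`` example (hunk @@ -5169), the KSK is now written as ``rsasha256`` while the ZSK on the next line is still written as ``algorithm 8``. Those are the same algorithm (8 is RSASHA256), which is exactly what the new "each KSK/ZSK pair must have the same algorithm" sentence requires, but a reader cannot see that the pair is consistent without knowing the number-to-mnemonic mapping. Suggest using the same notation on both lines (``zsk lifetime P30D algorithm rsasha256;``), or adding a short note after the example that ``8`` is the numeric form of ``rsasha256``, since the example is the only place the rule is illustrated.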
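Review bot: The added sentence "Each KSK/ZSK pair must have the same algorithm" (hunk @@ -5205) does not say what a "pair" is, and the word has not been defined anywhere in the surrounding text. Suggest stating the rule in terms of the configuration: for every ``ksk`` entry there must be a ``zsk`` entry with the same algorithm and vice versa, while different pairs (and any ``csk``) may use different algorithms, as the example above with an RSASHA256 KSK/ZSK pair and an ECDSA P-256 CSK already shows. It would also help operators to say how a violation surfaces, for example whether ``named-checkconf`` rejects the policy, rather than leaving them to discover it at load time.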
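Review bot: The algorithm name in the signing.rst hunk (@@ -762) is misspelled: "ECDSAPS256SHA256" should be "ECDSAP256SHA256" (ECDSA with curve P-256 and SHA-256), which is the mnemonic ``dnssec-policy`` and the rest of the documentation use. Since readers copy these names into ``algorithm`` statements, the typo should be fixed before merge. Also consider keeping the algorithm number (13) next to the mnemonic, as the reference.rst example does for the ZSK, so the guide and the reference are consistent about which notation they show.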