From c088772191dbc1dad98491f43ebc780937d3a8ed Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 8 Aug 2024 13:11:40 +1000 Subject: [PATCH] Document dnssec-policy keys range directive Co-authored-by: Suzanne Goldlust --- doc/arm/reference.rst | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index f427f6b02f..75f4fe938b 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -6474,7 +6474,7 @@ The following options can be specified in a :any:`dnssec-policy` statement: keys { ksk key-directory lifetime unlimited algorithm rsasha256 2048; - zsk lifetime 30d algorithm 8; + zsk lifetime 30d algorithm 8 tag-range 0 32767; csk key-store "hsm" lifetime P6MT12H3M15S algorithm ecdsa256; }; @@ -6498,6 +6498,11 @@ The following options can be specified in a :any:`dnssec-policy` statement: When using ``key-directory``, the key is stored in the zone's configured :any:`key-directory`. This is also the default. + When using ``tag-range``, valid key tags for managed keys are + restricted to this range [``tag-min`` ``tag-max``]. The optional + ``tag-range`` is intended to be used in multi-signer scenarios. + The default is unlimited ([0..65535]). + The ``lifetime`` parameter specifies how long a key may be used before rolling over. For convenience, TTL-style time-unit suffixes can be used to specify the key lifetime. It also accepts ISO 8601
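Review bot: In the first hunk (the `keys` example at -6474), the new `tag-range 0 32767` appears only on the `zsk` line and only after `algorithm 8`, so the example does not show whether the option is also accepted on `ksk` and `csk` lines or whether its position relative to `lifetime` and `algorithm` matters. Since the added paragraph in the second hunk calls this a multi-signer feature, consider either adding a range to the other key lines or stating in the prose which key roles accept `tag-range` and where in the line it may appear.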
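Review bot: In the second hunk (the new paragraph at +6501), ``tag-min`` and ``tag-max`` are used without ever being introduced as the two arguments of the option, and the range is written two different ways: [``tag-min`` ``tag-max``] in the first sentence and [0..65535] in the last. Suggest spelling out the syntax once, for example "``tag-range <tag-min> <tag-max>``", using one range notation throughout, and stating whether the bounds are inclusive and what happens when ``tag-min`` is greater than ``tag-max``. The sentence "intended to be used in multi-signer scenarios" would also benefit from one clause saying what the restriction achieves there (for instance, whether each signer is expected to be given its own range), and "The default is unlimited" might read more clearly as "By default, key tags are not restricted".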