From: Bert Hubert <bert.hubert@netherlabs.nl>
Date: Thu, 6 Jan 2011 22:00:05 +0000 (+0000)
Subject: add some operational doctrine, plus link to the wiki
X-Git-Tag: auth-3.0~421
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f1d1ff4797cacaef225ca38d4970057659648390;p=pdns

add some operational doctrine, plus link to the wiki


git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1826 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---

diff --git a/pdns/docs/pdns.sgml b/pdns/docs/pdns.sgml
index 76965e700..5f0dc06ff 100644
--- a/pdns/docs/pdns.sgml
+++ b/pdns/docs/pdns.sgml
@@ -9049,7 +9049,7 @@ $ pdnssec rectify-zone
     Domain metadata is stored in the 'domainmetadata' table. This includes NSEC3 settings.
   </para>
   <para>
-    Once the database schema has been changed for DNSSEC usage (see the relevant backend chapters for the update statements), the 'pdnssec'
+    Once the database schema has been changed for DNSSEC usage (see the relevant backend chapters or <ulink url="http://wiki.powerdns.com/trac/wiki/PDNSSEC">the PowerDNSSEC wiki</ulink> for the update statements), the 'pdnssec'
     tool can be used to fill out keying details, and 'rectify' the auth and ordername fields.
   </para>
   <para>
@@ -9202,6 +9202,46 @@ $ pdnssec rectify-zone
       </variablelist>
     </para>
   </section>
+  <section id="dnssec-operational-doctrine">
+  <title>Operational instructions</title>
+  <para>
+  In this chapter various DNSSEC transitions are discussed, and how to execute them within PowerDNSSEC.
+  </para>
+  <section id="publish-ds"><title>Publishing a DS</title>
+  <para>
+  To publish a DS to a parent zone, utilize 'pdnssec show-zone' and take the DS from its output, and transfer it securely
+  to your parent zone.
+  </para>
+  </section>
+  <section id="zsk-rollover"><title>ZSK rollover</title>
+  <para>
+  .. pdnssec activate-zone-key ZONE next-key-id ..
+  .. pdnssec deactivate-zone-key ZONE prev-key-id ..
+  .. pdnssec remove-zone-key ZONE prev-key-id ..
+  </para>
+  </section>
+  <section id="ksk-rollover"><title>KSK rollover</title>
+  <para>
+  .. pdnssec show-zone ZONE and communicatate duplicate DS ..
+  .. pdnssec activate-zone-key ZONE next-key-id ..
+  .. pdnssec deactivate-zone-key ZONE prev-key-id ..
+  .. pdnssec remove-zone-key ZONE prev-key-id ..
+  </para>
+  </section>
+  <section id="going-insecure"><title>Going insecure</title>
+  <para>
+  .. pdnssec disable-dnssec ..
+  </para>
+  </section>
+  <section id="nsec3-change"><title>NSEC(3) change</title>
+  <para>
+  .. pdnssec show-zone ZONE and communicatate duplicate DS ..
+  .. pdnssec activate-zone-key ZONE next-key-id ..
+  .. pdnssec deactivate-zone-key ZONE prev-key-id ..
+  .. pdnssec remove-zone-key ZONE prev-key-id ..
+  </para>
+  </section>
+  </section>
   <section id="dnssec-modes">
   <title>Modes of operation</title>
   <para>