From 0bdeb9688b1daade0ba905c584d63daba17e682c Mon Sep 17 00:00:00 2001 From: Pieter Lexis Date: Wed, 22 Jul 2015 11:30:57 +0200 Subject: [PATCH] Docs: layout of authoritative/domainmetadata.md --- docs/markdown/authoritative/domainmetadata.md | 46 ++++++++++++++----- 1 file changed, 34 insertions(+), 12 deletions(-) diff --git a/docs/markdown/authoritative/domainmetadata.md b/docs/markdown/authoritative/domainmetadata.md index 409b8f7a9..72ec344e4 100644 --- a/docs/markdown/authoritative/domainmetadata.md +++ b/docs/markdown/authoritative/domainmetadata.md @@ -1,12 +1,17 @@ # Per zone settings aka Domain Metadata -Starting with the PowerDNS Authoritative Server 3.0, each served zone can have "metadata". Such metadata determines how this zone behaves in certain circumstances. +Starting with the PowerDNS Authoritative Server 3.0, each served zone can have +"metadata". Such metadata determines how this zone behaves in certain circumstances. -**Warning**: Domain metadata is only available for DNSSEC capable backends! Make sure to enable the proper '-dnssec' setting to benefit, and to have performed the DNSSEC schema update. +**Warning**: Domain metadata is only available for DNSSEC capable backends! Make +sure to enable the proper '-dnssec' setting to benefit, and to have performed +the DNSSEC schema update. ## ALLOW-AXFR-FROM -Starting with the PowerDNS Authoritative Server 3.1, per-zone AXFR ACLs can be stored in the domainmetadata table. +Starting with the PowerDNS Authoritative Server 3.1, per-zone AXFR ACLs can be +stored in the domainmetadata table. -Each ACL row can list one subnet (v4 or v6), or the magical value 'AUTO-NS' that tries to allow all potential slaves in. +Each ACL row can list one subnet (v4 or v6), or the magical value 'AUTO-NS' that +tries to allow all potential slaves in. Example: 
@@ -27,10 +32,13 @@ See the documentation on [Dynamic DNS update](dnsupdate.md) When notifying this domain, also notify this nameserver (can occur multiple times). ## AXFR-MASTER-TSIG -Use this named TSIG key to retrieve this zone from its master (see [Provisioning signed notification and AXFR requests](modes-of-operation.md#provisioning-signed-notification-and-axfr-requests)). +Use this named TSIG key to retrieve this zone from its master (see +[Provisioning signed notification and AXFR requests](modes-of-operation.md#provisioning-signed-notification-and-axfr-requests)). ## GSS-ALLOW-AXFR-PRINCIPAL -Allow this GSS principal to perform AXFR retrieval. Most commonly it is host/something@REALM, DNS/something@REALM or user@REALM. (See [GSS-TSIG support](gss-tsig.md)). +Allow this GSS principal to perform AXFR retrieval. Most commonly it is +`host/something@REALM`, `DNS/something@REALM` or `user@REALM`. (See +[GSS-TSIG support](gss-tsig.md)). ## GSS-ACCEPTOR-PRINCIPAL Use this principal for accepting GSS context. (See [GSS-TSIG support](gss-tsig.md)). 
@@ -39,18 +47,31 @@ Use this principal for accepting GSS context. (See [GSS-TSIG support](gss-tsig.m Script to be used to edit incoming AXFRs, see [Modifying a slave zone using a script](modes-of-operation.md#modifying-a-slave-zone-using-a-script). ## NSEC3NARROW -Set to "1" to tell PowerDNS this zone operates in NSEC3 'narrow' mode. See `set-nsec3` for [`pdnssec`](dnssec.md#pdnssec). +Set to "1" to tell PowerDNS this zone operates in NSEC3 'narrow' mode. See +`set-nsec3` for [`pdnssec`](dnssec.md#pdnssec). ## NSEC3PARAM -NSEC3 parameters of a DNSSEC zone. Will be used to synthesize the NSEC3PARAM record. If present, NSEC3 is used, if not present, zones default to NSEC. See `set-nsec3` in [`pdnssec`](dnssec.md#pdnssec). Example content: "1 0 1 ab". +NSEC3 parameters of a DNSSEC zone. Will be used to synthesize the NSEC3PARAM +record. If present, NSEC3 is used, if not present, zones default to NSEC. See +`set-nsec3` in [`pdnssec`](dnssec.md#pdnssec). Example content: "1 0 1 ab". ## PRESIGNED -This zone carries DNSSEC RRSIGs (signatures), and is presigned. PowerDNS sets this flag automatically upon incoming zone transfers (AXFR) if it detects DNSSEC records in the zone. However, if you import a presigned zone using `zone2sql` or `pdnssec load-zone` you must explicitly set the zone to be `PRESIGNED`. Note that PowerDNS will not be able to correctly serve the zone if the imported data is bogus or incomplete. Also see `set-presigned` in [`pdnssec`](dnssec.md#pdnssec). +This zone carries DNSSEC RRSIGs (signatures), and is presigned. PowerDNS sets +this flag automatically upon incoming zone transfers (AXFR) if it detects DNSSEC +records in the zone. However, if you import a presigned zone using `zone2sql` or +`pdnssec load-zone` you must explicitly set the zone to be `PRESIGNED`. Note that +PowerDNS will not be able to correctly serve the zone if the imported data is +bogus or incomplete. Also see `set-presigned` in [`pdnssec`](dnssec.md#pdnssec). 
## SOA-EDIT -When serving this zone, modify the SOA serial number in one of several ways. Mostly useful to get slaves to re-transfer a zone regularly to get fresh RRSIGs. +When serving this zone, modify the SOA serial number in one of several ways. +Mostly useful to get slaves to re-transfer a zone regularly to get fresh RRSIGs. -Inception refers to the time the RRSIGs got updated in [live-signing mode](dnssec.md#records-keys-signatures-hashes-within-powerdnssec-in-online-signing-mode). This happens every week (see [Signatures](dnssec.md#signatures)). The inception time does not depend on local timezone, but some modes below will use localtime for representation. +Inception refers to the time the RRSIGs got updated in +[live-signing mode](dnssec.md#records-keys-signatures-hashes-within-powerdnssec-in-online-signing-mode). +This happens every week (see [Signatures](dnssec.md#signatures)). The inception +time does not depend on local timezone, but some modes below will use localtime +for representation. Available modes are: @@ -65,4 +86,5 @@ Available modes are: Allow these named TSIG keys to AXFR this zone (see [Provisioning outbound AXFR access](modes-of-operation.md#provisioning-outbound-axfr-access)). ## TSIG-ALLOW-DNSUPDATE -This setting allows you to set the TSIG key required to do an DNS update. If GSS-TSIG is enabled, you can put kerberos principals here as well. +This setting allows you to set the TSIG key required to do an DNS update. If +GSS-TSIG is enabled, you can put kerberos principals here as well. -- 2.40.0
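Review bot: in the first hunk (@@ -1,12 +1,17 @@) the rewrapped introduction is still not wrapped consistently. Its second line, `"metadata". Such metadata determines how this zone behaves in certain circumstances.`, runs past 80 columns while the other paragraphs in the hunk break before that; move "circumstances." onto its own line. The literals '-dnssec' and 'AUTO-NS' also stay in single quotes here, although the GSS-ALLOW-AXFR-PRINCIPAL hunk of this same patch moves literal values into backticks; use backticks in both places. Separately from this layout change, ALLOW-AXFR-FROM is an access control list, and "tries to allow all potential slaves in" does not say how that set is determined; a follow-up sentence would help operators judge what AUTO-NS actually admits.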
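Review bot: in the second hunk (@@ -27,10 +32,13 @@) only the AXFR-MASTER-TSIG and GSS-ALLOW-AXFR-PRINCIPAL paragraphs are rewrapped, so the untouched context lines around them, "When notifying this domain, also notify this nameserver (can occur multiple times)." and the GSS-ACCEPTOR-PRINCIPAL sentence, remain over 80 columns in the resulting file. Wrap those as well so the section ends up uniform. The backticks added around `host/something@REALM`, `DNS/something@REALM` and `user@REALM` go slightly beyond the pure re-layout the subject line describes; that is fine, but worth mentioning in the commit message.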
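Review bot: in the third hunk (@@ -39,18 +47,31 @@) literal values are still written in double quotes, "1" under NSEC3NARROW and "1 0 1 ab" under NSEC3PARAM, which is inconsistent with the backticks this patch introduces for literals elsewhere and with `PRESIGNED` a few lines further down. Put both in backticks. While the NSEC3PARAM paragraph is being rewritten, the comma splice in "If present, NSEC3 is used, if not present, zones default to NSEC." could be split with a semicolon, and the long context line that opens the hunk ("Script to be used to edit incoming AXFRs, see ...") could be wrapped like the rest.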
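Review bot: in the last hunk (@@ -65,4 +86,5 @@) the TSIG-ALLOW-DNSUPDATE sentence is re-added with its existing errors intact: "an DNS update" should read "a DNS update", and "kerberos" should be capitalised as "Kerberos". Since both lines are rewritten by this patch anyway, fix them here. The TSIG-ALLOW-AXFR context line above it is also left unwrapped and could be broken before the link.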