diff --git a/Cargo.toml b/Cargo.toml
index 321bc787..15b7f6fe 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -109,16 +109,16 @@ assets = [
 ["target/release/cascade", "usr/bin/", "755"],
 ["target/release/cascaded", "usr/bin/","755"],
 ["README.md","usr/share/doc/cascade/","644"],
-["doc/cascade.1", "usr/share/man/man1/cascade.1", "644"],
-["doc/cascade-config.1", "usr/share/man/man1/cascade-config.1", "644"],
-["doc/cascade-hsm.1", "usr/share/man/man1/cascade-hsm.1", "644"],
-["doc/cascade-keyset.1", "usr/share/man/man1/cascade-keyset.1", "644"],
-["doc/cascade-policy.1", "usr/share/man/man1/cascade-policy.1", "644"],
-["doc/cascade-template.1", "usr/share/man/man1/cascade-template.1", "644"],
-["doc/cascade-zone.1", "usr/share/man/man1/cascade-zone.1", "644"],
-["doc/cascaded.1", "usr/share/man/man1/cascaded.1", "644"],
-["doc/cascaded-config.toml.5", "usr/share/man/man5/cascaded-config.toml.5", "644"],
-["doc/cascaded-policy.toml.5", "usr/share/man/man5/cascaded-policy.toml.5", "644"],
+["doc/manual/build/man/cascade.1", "usr/share/man/man1/cascade.1", "644"],
+["doc/manual/build/man/cascade-config.1", "usr/share/man/man1/cascade-config.1", "644"],
+["doc/manual/build/man/cascade-hsm.1", "usr/share/man/man1/cascade-hsm.1", "644"],
+["doc/manual/build/man/cascade-keyset.1", "usr/share/man/man1/cascade-keyset.1", "644"],
+["doc/manual/build/man/cascade-policy.1", "usr/share/man/man1/cascade-policy.1", "644"],
+["doc/manual/build/man/cascade-template.1", "usr/share/man/man1/cascade-template.1", "644"],
+["doc/manual/build/man/cascade-zone.1", "usr/share/man/man1/cascade-zone.1", "644"],
+["doc/manual/build/man/cascaded.1", "usr/share/man/man1/cascaded.1", "644"],
+["doc/manual/build/man/cascaded-config.toml.5", "usr/share/man/man5/cascaded-config.toml.5", "644"],
+["doc/manual/build/man/cascaded-policy.toml.5", "usr/share/man/man5/cascaded-policy.toml.5", "644"],
 ["etc/config.system.toml", "etc/cascade/config.toml", "644"],
 ["pkg/common/service.preset","usr/lib/systemd/service-preset/50-cascaded.preset", "644"],
 ]
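Review bot: The deb assets now install man pages from `doc/manual/build/man/`, which the later file headers in this diff show are committed rst2man output (`Man page generated from reStructuredText`), so the packaged pages are whatever was last checked in rather than what the rst sources currently say. Without a build step or CI check that regenerates them and fails on a diff, the installed pages, including the `.TH` version and date stamp baked into them (`0.1.0-rc1`, `Oct 06, 2025`), will silently drift from the documentation source and from the crate version. I would add a comment above this list, `# man pages are prebuilt by doc/manual (rst2man); regenerate before release`, and a CI job that rebuilds them and runs `git diff --exit-code doc/manual/build/man`. Unrelated to this change but visible in the context lines: the deb preset destination `usr/lib/systemd/service-preset/` differs from the rpm hunk's `usr/lib/systemd/system-preset/`; systemd looks for presets in the latter, so this is probably worth a look.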
@@ -160,16 +160,16 @@ assets = [
 { source = "target/release/cascaded", dest = "/usr/bin/cascaded", mode = "755" },
 { source = "target/rpm/cascaded.service", dest = "/usr/lib/systemd/system/cascaded.service", mode = "644" },
 { source = "target/rpm/cascaded.socket", dest = "/usr/lib/systemd/system/cascaded.socket", mode = "644" },
-{ source = "doc/cascade.1", dest = "/usr/share/man/man1/cascade.1", mode = "644", doc = true},
-{ source = "doc/cascade-config.1", dest = "/usr/share/man/man1/cascade-config.1", mode = "644", doc = true},
-{ source = "doc/cascade-hsm.1", dest = "/usr/share/man/man1/cascade-hsm.1", mode = "644", doc = true},
-{ source = "doc/cascade-keyset.1", dest = "/usr/share/man/man1/cascade-keyset.1", mode = "644", doc = true},
-{ source = "doc/cascade-policy.1", dest = "/usr/share/man/man1/cascade-policy.1", mode = "644", doc = true},
-{ source = "doc/cascade-template.1", dest = "/usr/share/man/man1/cascade-template.1", mode = "644", doc = true},
-{ source = "doc/cascade-zone.1", dest = "/usr/share/man/man1/cascade-zone.1", mode = "644", doc = true},
-{ source = "doc/cascaded.1", dest = "/usr/share/man/man1/cascaded.1", mode = "644", doc = true},
-{ source = "doc/cascaded-config.toml.5", dest = "/usr/share/man/man5/cascaded-config.toml.5", mode = "644", doc = true},
-{ source = "doc/cascaded-policy.toml.5", dest = "/usr/share/man/man5/cascaded-policy.toml.5", mode = "644", doc = true},
+{ source = "doc/manual/build/man/cascade.1", dest = "/usr/share/man/man1/cascade.1", mode = "644", doc = true},
+{ source = "doc/manual/build/man/cascade-config.1", dest = "/usr/share/man/man1/cascade-config.1", mode = "644", doc = true},
+{ source = "doc/manual/build/man/cascade-hsm.1", dest = "/usr/share/man/man1/cascade-hsm.1", mode = "644", doc = true},
+{ source = "doc/manual/build/man/cascade-keyset.1", dest = "/usr/share/man/man1/cascade-keyset.1", mode = "644", doc = true},
+{ source = "doc/manual/build/man/cascade-policy.1", dest = 
"/usr/share/man/man1/cascade-policy.1", mode = "644", doc = true},
+{ source = "doc/manual/build/man/cascade-template.1", dest = "/usr/share/man/man1/cascade-template.1", mode = "644", doc = true},
+{ source = "doc/manual/build/man/cascade-zone.1", dest = "/usr/share/man/man1/cascade-zone.1", mode = "644", doc = true},
+{ source = "doc/manual/build/man/cascaded.1", dest = "/usr/share/man/man1/cascaded.1", mode = "644", doc = true},
+{ source = "doc/manual/build/man/cascaded-config.toml.5", dest = "/usr/share/man/man5/cascaded-config.toml.5", mode = "644", doc = true},
+{ source = "doc/manual/build/man/cascaded-policy.toml.5", dest = "/usr/share/man/man5/cascaded-policy.toml.5", mode = "644", doc = true},
 { source = "etc/config.system.toml", dest = "/etc/cascade/config.toml", mode = "644", config = true },
 { source = "pkg/common/service.preset", dest = "/usr/lib/systemd/system-preset/50-cascaded.preset", mode = "644" },
 ]
diff --git a/doc/manual/build/man/cascade-config.1 b/doc/manual/build/man/cascade-config.1
new file mode 100644
index 00000000..48406a97
--- /dev/null
+++ b/doc/manual/build/man/cascade-config.1
@@ -0,0 +1,73 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "CASCADE-CONFIG" "1" "Oct 06, 2025" "0.1.0-rc1" "Cascade" +.SH NAME +cascade-config \- Manage configuration +.SH SYNOPSIS +.sp +\fBcascade config\fP \fB[OPTIONS]\fP \fB\fP +.SH DESCRIPTION +.sp +Manage Cascade\(aqs configuration. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \-h, \-\-help +Print the help text (short summary with \fB\-h\fP, long help with \fB\-\-help\fP). +.UNINDENT +.SH COMMANDS +.INDENT 0.0 +.TP +.B reload +Reload Cascade\(aqs configuration. +.sp +Note: Only some setting changes are honoured by Cascade at this point. +.UNINDENT +.SH SEE ALSO +.INDENT 0.0 +.TP +.B \fI\%https://cascade.docs.nlnetlabs.nl\fP +Cascade online documentation +.TP +\fBcascade\fP(1) +\fI\%Cascade CLI\fP +.TP +\fBcascaded\fP(1) +\fI\%Cascade Daemon\fP +.TP +\fBcascaded\-config.toml\fP(5) +\fI\%Configuration File Format\fP +.UNINDENT +.SH AUTHOR +NLnet Labs +.SH COPYRIGHT +2025–2025, NLnet Labs +.\" Generated by docutils manpage writer. +. diff --git a/doc/manual/build/man/cascade-hsm.1 b/doc/manual/build/man/cascade-hsm.1 new file mode 100644 index 00000000..a28dff31 --- /dev/null +++ b/doc/manual/build/man/cascade-hsm.1 
@@ -0,0 +1,242 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "CASCADE-HSM" "1" "Oct 06, 2025" "0.1.0-rc1" "Cascade" +.SH NAME +cascade-hsm \- Manage HSMs +.SH SYNOPSIS +.sp +\fBcascade hsm\fP \fB[OPTIONS]\fP \fB\fP +.sp +\fBcascade hsm\fP \fB[OPTIONS]\fP \fI\%add\fP \fB\fP \fB\fP +.sp +\fBcascade hsm\fP \fB[OPTIONS]\fP \fI\%show\fP \fB\fP +.sp +\fBcascade hsm\fP \fB[OPTIONS]\fP \fI\%list\fP +.SH DESCRIPTION +.sp +Manage HSM\(aqs. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \-h, \-\-help +Print the help text (short summary with \fB\-h\fP, long help with \fB\-\-help\fP). +.UNINDENT +.SH COMMANDS +.INDENT 0.0 +.TP +.B add +Add a KMIP server to use for key generation & signing. +.sp +Note: There are no commands to remove or modify KMIP servers yet. +.UNINDENT +.INDENT 0.0 +.TP +.B show +Get the details of an existing KMIP server. +.UNINDENT +.INDENT 0.0 +.TP +.B list +List all configured KMIP servers. +.UNINDENT +.SH ARGUMENTS FOR HSM SHOW +.INDENT 0.0 +.TP +.B +The identifier of the KMIP server to show information about. +.UNINDENT +.SH HSM ADD +.sp +Add a KMIP server to use for key generation & signing instead of using +Ring/OpenSSL based key generation. +.SH ARGUMENTS FOR HSM ADD +.INDENT 0.0 +.TP +.B +An identifier to refer to the KMIP server by. 
+.sp +This identifier is used with other \fBcascade hsm\fP commands and Cascade +policy files. The identifier serves several purposes: +.sp +1. To make it easy at a glance to recognize which KMIP server a given key +was created on, by allowing operators to assign a meaningful name to the +server instead of whatever identity strings the server associates with +itself or by using hostnames or IP addresses as identifiers. +.sp +2. To refer to additional configuration elsewhere to avoid including +sensitive and/or verbose KMIP server credential or TLS client +certificate/key authentication data in each key identifier, and which +would be repeated in every key created on the same server. +.sp +3. To allow the actual location of the server and/or its access +credentials to be rotated without affecting key idenifiers, e.g. if +a server is assigned a new IP address or if access credentials change. +.UNINDENT +.INDENT 0.0 +.TP +.B +The hostname or IP address of the KMIP server. +.UNINDENT +.SH OPTIONS FOR HSM ADD +.INDENT 0.0 +.TP +.B \-h, \-\-help +Print the help text (short summary with \fB\-h\fP, long help with \fB\-\-help\fP). +.UNINDENT +.SS Server: +.INDENT 0.0 +.TP +.B \-\-port +TCP port to connect to the KMIP server on. +.sp +[default: 5696] +.UNINDENT +.SS Client Credentials: +.INDENT 0.0 +.TP +.B \-\-username +Optional username to authenticate to the KMIP server as. +.sp +Note: When using the Cascade \fBkmip2pkcs11\fP tool the username +set here will be used as the label of the PKCS#11 token to login +to. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-password +Optional password to authenticate to the KMIP server with. +.sp +Note: When using the Cascdee \fBkmip2pkcs11\fP tool the password +set here will be used as the PKCS#11 PIN to login with. +.UNINDENT +.SS Client Certificate Authentication: +.INDENT 0.0 +.TP +.B \-\-client\-cert +Optional path to a TLS certificate to authenticate to the KMIP server +with. The file will be read and sent to the server. 
+.UNINDENT +.INDENT 0.0 +.TP +.B \-\-client\-key +Optional path to a private key for client certificate authentication. +THe file will be read and sent to the server. +.sp +The private key is needed to be able to prove to the KMIP server that +you are the owner of the provided TLS client certificate. +.UNINDENT +.SS Server Certificate Verification: +.INDENT 0.0 +.TP +.B \-\-insecure +Whether to accept the KMIP server TLS certificate without +verifying it. +.sp +Use this option when your KMIP server uses a self\-signed TLS +certificate, e.g. in a test environment. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-server\-cert +Optional path to a TLS PEM certificate for the server. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-ca\-cert +Optional path to a TLS PEM certificate for a Certificate Authority. +.UNINDENT +.SS Client Limits: +.INDENT 0.0 +.TP +.B \-\-connect\-timeout +TCP connect timeout. +.sp +[default: 3s] +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-read\-timeout +TCP response read timeout. +.sp +[default: 30s] +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-write\-timeout +TCP request write timeout. +.sp +[default: 3s] +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-max\-response\-bytes +Maximum KMIP response size to accept (in bytes). +.sp +[default: 8192] +.UNINDENT +.SS Key Labels: +.INDENT 0.0 +.TP +.B \-\-key\-label\-prefix +Optional user supplied key label prefix. +.sp +Can be used to denote the s/w that created the key, and/or to +indicate which installation/environment it belongs to, e.g. dev, +test, prod, etc. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-key\-label\-max\-bytes +Maximum label length (in bytes) permitted by the HSM. Key labels +longer than this will be truncated to fit. 
+.sp +[default: 32] +.UNINDENT +.SH SEE ALSO +.INDENT 0.0 +.TP +.B \fI\%https://cascade.docs.nlnetlabs.nl\fP +Cascade online documentation +.TP +\fBcascade\fP(1) +\fI\%Cascade CLI\fP +.TP +\fBcascaded\fP(1) +\fI\%Cascade Daemon\fP +.TP +\fBkmip2pkcs11\fP(1) +KMIP to PKCS#11 relay documentation +.UNINDENT +.SH AUTHOR +NLnet Labs +.SH COPYRIGHT +2025–2025, NLnet Labs +.\" Generated by docutils manpage writer. +. diff --git a/doc/manual/build/man/cascade-keyset.1 b/doc/manual/build/man/cascade-keyset.1 new file mode 100644 index 00000000..10b43f93 --- /dev/null +++ b/doc/manual/build/man/cascade-keyset.1 
@@ -0,0 +1,146 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "CASCADE-KEYSET" "1" "Oct 06, 2025" "0.1.0-rc1" "Cascade" +.SH NAME +cascade-keyset \- Execute manual key roll or key removal commands +.SH SYNOPSIS +.sp +\fBcascade keyset\fP \fB[OPTIONS]\fP \fBksk|zsk|csk|algorithm\fP \fB\fP \fB[OPTIONS]\fP +.sp +\fBcascade keyset\fP \fB[OPTIONS]\fP \fI\%remove\-key\fP \fB[OPTIONS]\fP \fB\fP +.SH DESCRIPTION +.sp +Execute manual key roll or key removal commands. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \-h, \-\-help +Print the help text (short summary with \fB\-h\fP, long help with \fB\-\-help\fP). +.UNINDENT +.SH COMMANDS +.INDENT 0.0 +.TP +.B ksk +Command for KSK rolls. +.UNINDENT +.INDENT 0.0 +.TP +.B zsk +Command for ZSK rolls. +.UNINDENT +.INDENT 0.0 +.TP +.B csk +Command for CSK rolls. +.UNINDENT +.INDENT 0.0 +.TP +.B algorithm +Command for algorithm rolls. +.UNINDENT +.INDENT 0.0 +.TP +.B remove\-key +Remove a key from the key set. +.UNINDENT +.SH KEY ROLL COMMANDS FOR KSK|ZSK|CSK|ALGORITHM +.INDENT 0.0 +.TP +.B start\-roll +Start a key roll. +.UNINDENT +.INDENT 0.0 +.TP +.B propagation1\-complete +Inform keyset that the changed RRsets and signatures have propagated. +.sp +TTL is the maximum TTL of the zone. 
+.UNINDENT +.INDENT 0.0 +.TP +.B cache\-expired1 +Inform keyset that enough time has passed that caches should have expired. +.UNINDENT +.INDENT 0.0 +.TP +.B propagation2\-complete +Inform keyset that the changed RRsets and signatures have propagated. +.sp +TTL is the maximum TTL of the zone. +.UNINDENT +.INDENT 0.0 +.TP +.B cache\-expired2 +Inform keyset that enough time has passed that caches should have expired. +.UNINDENT +.INDENT 0.0 +.TP +.B roll\-done +Report that the final changes have propagated and the roll is done +.UNINDENT +.SH ARGUMENTS FOR KEYSET REMOVE-KEY +.INDENT 0.0 +.TP +.B +The key to remove. This is the key\(aqs URI as reported by \fBcascade zone +status\fP\&. +.UNINDENT +.SH OPTIONS FOR KEYSET REMOVE-KEY +.INDENT 0.0 +.TP +.B \-\-force +Force a key to be removed even if the key is not stale. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-continue +Continue when removing the underlying keys fails. +.UNINDENT +.SH SEE ALSO +.INDENT 0.0 +.TP +.B \fI\%https://cascade.docs.nlnetlabs.nl\fP +Cascade online documentation +.TP +\fBcascade\fP(1) +\fI\%Cascade CLI\fP +.TP +\fBcascaded\fP(1) +\fI\%Cascade Daemon\fP +.TP +\fBcascade\-dnst\-keyset\fP(1) +Further documentation of the key roll commands (and more) +.UNINDENT +.SH AUTHOR +NLnet Labs +.SH COPYRIGHT +2025–2025, NLnet Labs +.\" Generated by docutils manpage writer. +. diff --git a/doc/manual/build/man/cascade-policy.1 b/doc/manual/build/man/cascade-policy.1 new file mode 100644 index 00000000..713c719a --- /dev/null +++ b/doc/manual/build/man/cascade-policy.1 
@@ -0,0 +1,90 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "CASCADE-POLICY" "1" "Oct 06, 2025" "0.1.0-rc1" "Cascade" +.SH NAME +cascade-policy \- Manage policies +.SH SYNOPSIS +.sp +\fBcascade policy\fP \fB[OPTIONS]\fP \fB\fP +.sp +\fBcascade policy\fP \fB[OPTIONS]\fP \fI\%list\fP +.sp +\fBcascade policy\fP \fB[OPTIONS]\fP \fI\%show\fP \fB\fP +.sp +\fBcascade policy\fP \fB[OPTIONS]\fP \fI\%reload\fP +.SH DESCRIPTION +.sp +Manage Cascade\(aqs policies. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \-h, \-\-help +Print the help text (short summary with \fB\-h\fP, long help with \fB\-\-help\fP). +.UNINDENT +.SH COMMANDS +.INDENT 0.0 +.TP +.B list +List registered policies. +.UNINDENT +.INDENT 0.0 +.TP +.B show +Show the settings contained in a policy. +.UNINDENT +.INDENT 0.0 +.TP +.B reload +Reload all the policies from the files. +.UNINDENT +.SH SEE ALSO +.INDENT 0.0 +.TP +.B \fI\%https://cascade.docs.nlnetlabs.nl\fP +Cascade online documentation +.TP +\fBcascade\fP(1) +\fI\%Cascade CLI\fP +.TP +\fBcascaded\fP(1) +\fI\%Cascade Daemon\fP +.TP +\fBcascaded\-config.toml\fP(5) +\fI\%Configuration File Format\fP +.TP +\fBcascaded\-policy.toml\fP(5) +\fI\%Policy File Format\fP +.UNINDENT +.SH AUTHOR +NLnet Labs +.SH COPYRIGHT +2025–2025, NLnet Labs +.\" Generated by docutils manpage writer. +. 
diff --git a/doc/manual/build/man/cascade-template.1 b/doc/manual/build/man/cascade-template.1 new file mode 100644 index 00000000..6e7b8027 --- /dev/null +++ b/doc/manual/build/man/cascade-template.1 @@ -0,0 +1,79 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "CASCADE-TEMPLATE" "1" "Oct 06, 2025" "0.1.0-rc1" "Cascade" +.SH NAME +cascade-template \- Print example config or policy files +.SH SYNOPSIS +.sp +\fBcascade template\fP \fB[OPTIONS]\fP \fB\fP +.SH DESCRIPTION +.sp +Print example config or policy files. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \-h, \-\-help +Print the help text (short summary with \fB\-h\fP, long help with \fB\-\-help\fP). +.UNINDENT +.SH COMMANDS +.INDENT 0.0 +.TP +.B config +Generate a config template. +.UNINDENT +.INDENT 0.0 +.TP +.B policy +Generate a policy template. +.UNINDENT +.SH SEE ALSO +.INDENT 0.0 +.TP +.B \fI\%https://cascade.docs.nlnetlabs.nl\fP +Cascade online documentation +.TP +\fBcascade\fP(1) +\fI\%Cascade CLI\fP +.TP +\fBcascaded\fP(1) +\fI\%Cascade Daemon\fP +.TP +\fBcascaded\-config.toml\fP(5) +\fI\%Configuration File Format\fP +.TP +\fBcascaded\-policy.toml\fP(5) +\fI\%Policy File Format\fP +.UNINDENT +.SH AUTHOR +NLnet Labs +.SH COPYRIGHT +2025–2025, NLnet Labs +.\" Generated by docutils manpage writer. +. 
diff --git a/doc/manual/build/man/cascade-zone.1 b/doc/manual/build/man/cascade-zone.1 new file mode 100644 index 00000000..acfb3d1f --- /dev/null +++ b/doc/manual/build/man/cascade-zone.1 
@@ -0,0 +1,185 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "CASCADE-ZONE" "1" "Oct 06, 2025" "0.1.0-rc1" "Cascade" +.SH NAME +cascade-zone \- Manage zones +.SH SYNOPSIS +.sp +\fBcascade zone\fP \fB[OPTIONS]\fP \fB\fP +.sp +\fBcascade zone\fP \fB[OPTIONS]\fP \fI\%add\fP \fB[OPTIONS]\fP \fB\-\-source \fP \fB\-\-policy \fP \fB\fP +.sp +\fBcascade zone\fP \fB[OPTIONS]\fP \fI\%remove\fP \fB\fP +.sp +\fBcascade zone\fP \fB[OPTIONS]\fP \fI\%list\fP +.sp +\fBcascade zone\fP \fB[OPTIONS]\fP \fI\%reload\fP \fB\fP +.sp +\fBcascade zone\fP \fB[OPTIONS]\fP \fI\%status\fP \fB[\-\-detailed]\fP \fB\fP +.sp +\fBcascade zone\fP \fB[OPTIONS]\fP \fI\%history\fP \fB\fP +.SH DESCRIPTION +.sp +Manage Cascade\(aqs zones. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \-h, \-\-help +Print the help text (short summary with \fB\-h\fP, long help with \fB\-\-help\fP). +.UNINDENT +.SH COMMANDS +.INDENT 0.0 +.TP +.B add +Register a new zone. +.UNINDENT +.INDENT 0.0 +.TP +.B remove +Remove a zone. +.UNINDENT +.INDENT 0.0 +.TP +.B list +List registered zones. +.UNINDENT +.INDENT 0.0 +.TP +.B reload +Reload a zone. +.UNINDENT +.INDENT 0.0 +.TP +.B status +Get the status of a single zone. +.UNINDENT +.INDENT 0.0 +.TP +.B history +Get the history of a single zone. 
+.UNINDENT +.SH OPTIONS FOR ZONE ADD +.INDENT 0.0 +.TP +.B \-\-source +The zone source can be an IP address (with or without port, defaults to port +53) or a file path. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-policy +Policy to use for this zone. +.sp +Note: At present to use a HSM with a zone the HSM must exist and be +configured in the policy used by the zone when the zone is added. It is not +possible to change it later in this alpha version of Cascade. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-import\-public\-key +Import a public key to be included in the DNSKEY RRset. +.sp +This needs to be a file path accessible by the Cascade daemon. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-import\-ksk\-file +Import a key pair as a KSK. +.sp +The file path needs to be the public key file of the KSK. The private key +file name is derived from the public key file. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-import\-zsk\-file +Import a key pair as a ZSK. +.sp +The file path needs to be the public key file of the ZSK. The private key +file name is derived from the public key file. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-import\-csk\-file +Import a key pair as a CSK. +.sp +The file path needs to be the public key file of the CSK. The private key +file name is derived from the public key file. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-import\-ksk\-kmip +Import a KSK from an HSM. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-import\-zsk\-kmip +Import a ZSK from an HSM. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-import\-csk\-kmip +Import a CSK from an HSM. +.UNINDENT +.INDENT 0.0 +.TP +.B \-h, \-\-help +Print the help text (short summary with \fB\-h\fP, long help with \fB\-\-help\fP). +.UNINDENT +.SH OPTIONS FOR ZONE STATUS +.INDENT 0.0 +.TP +.B \-\-detailed +Print detailed information about the zone, including a zone\(aqs DNSSEC key +identifiers in use, as well as the new DNSKEY records during key rolls. 
+.UNINDENT +.SH SEE ALSO +.INDENT 0.0 +.TP +.B \fI\%https://cascade.docs.nlnetlabs.nl\fP +Cascade online documentation +.TP +\fBcascade\fP(1) +\fI\%Cascade CLI\fP +.TP +\fBcascaded\fP(1) +\fI\%Cascade Daemon\fP +.TP +\fBcascaded\-config.toml\fP(5) +\fI\%Configuration File Format\fP +.TP +\fBcascaded\-policy.toml\fP(5) +\fI\%Policy File Format\fP +.UNINDENT +.SH AUTHOR +NLnet Labs +.SH COPYRIGHT +2025–2025, NLnet Labs +.\" Generated by docutils manpage writer. +. diff --git a/doc/manual/build/man/cascade.1 b/doc/manual/build/man/cascade.1 new file mode 100644 index 00000000..72da750e --- /dev/null +++ b/doc/manual/build/man/cascade.1 
@@ -0,0 +1,102 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "CASCADE" "1" "Oct 06, 2025" "0.1.0-rc1" "Cascade" +.SH NAME +cascade \- Cascade CLI +.SH SYNOPSIS +.sp +\fBcascade\fP \fB[OPTIONS]\fP \fB\fP +.SH DESCRIPTION +.sp +\fBcascade\fP is the CLI to the \fI\%Cascade Daemon\fP\&. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \-s, \-\-server +The cascade server instance to connect to [default: 127.0.0.1:4539]. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-log\-level +The minimum severity of messages to log [default: warning] [possible values: +trace, debug, info, warning, error, critical]. +.UNINDENT +.INDENT 0.0 +.TP +.B \-h, \-\-help +Print the help text (short summary with \fB\-h\fP, long help with \fB\-\-help\fP). +.UNINDENT +.INDENT 0.0 +.TP +.B \-V, \-\-version +Print version. +.UNINDENT +.SH COMMANDS +.INDENT 0.0 +.TP +\fBcascade\-config\fP(1) +Manage Cascade\(aqs configuration. +.TP +\fBcascade\-zone\fP(1) +Manage zones. +.TP +\fBcascade\-policy\fP(1) +Manage policies. +.TP +\fBcascade\-keyset\fP(1) +Execute manual key roll or key removal commands. +.TP +\fBcascade\-hsm\fP(1) +Manage HSMs. +.TP +\fBcascade\-template\fP(1) +Print example config or policy files. 
+.UNINDENT +.SH SEE ALSO +.INDENT 0.0 +.TP +.B \fI\%https://cascade.docs.nlnetlabs.nl\fP +Cascade online documentation +.TP +\fBcascaded\fP(1) +\fI\%Cascade Daemon\fP +.TP +\fBcascaded\-config.toml\fP(5) +\fI\%Configuration File Format\fP +.TP +\fBcascaded\-policy.toml\fP(5) +\fI\%Policy File Format\fP +.UNINDENT +.SH AUTHOR +NLnet Labs +.SH COPYRIGHT +2025–2025, NLnet Labs +.\" Generated by docutils manpage writer. +. diff --git a/doc/manual/build/man/cascaded-config.toml.5 b/doc/manual/build/man/cascaded-config.toml.5 new file mode 100644 index 00000000..20eee872 --- /dev/null +++ b/doc/manual/build/man/cascaded-config.toml.5 
@@ -0,0 +1,387 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "CASCADED-CONFIG.TOML" "5" "Oct 06, 2025" "0.1.0-rc1" "Cascade" +.SH NAME +cascaded-config.toml \- Cascade configuration file +.sp +Cascade uses the TOML format for its configuration file. A template can be +generated using \fBcascade template config\fP\&. The provided values to the options +below are the default values and are serving as a hint to the option\(aqs format. 
+.SH EXAMPLE +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +version = \(dqv1\(dq +policy\-dir = \(dq/etc/cascade/policies\(dq +zone\-state\-dir = \(dq/var/lib/cascade/zone\-state\(dq +tsig\-store\-path = \(dq/var/lib/cascade/tsig\-keys.db\(dq +kmip\-credentials\-store\-path = \(dq/var/lib/cascade/kmip/credentials.db\(dq +keys\-dir = \(dq/var/lib/cascade/keys\(dq +kmip\-server\-state\-dir = \(dq/var/lib/cascade/kmip\(dq +dnst\-binary\-path = \(dq/usr/libexec/cascade/cascade\-dnst\(dq + +[daemon] +log\-level = \(dqinfo\(dq +log\-target = { type = \(dqfile\(dq, path = \(dq/dev/stdout\(dq } +daemonize = false + +[remote\-control] +servers = [\(dq127.0.0.1:4539\(dq, \(dq[::1]:4539\(dq] + +[loader] +notify\-listeners = [\(dq127.0.0.1:4540\(dq, \(dq[::1]:4540\(dq] + +[loader.review] +servers = [\(dq127.0.0.1:4541\(dq, \(dq[::1]:4541\(dq] + +[signer] +[signer.review] +servers = [\(dq127.0.0.1:4542\(dq, \(dq[::1]:4542\(dq] + +[key\-manager] + +[server] +servers = [\(dq127.0.0.1:4543\(dq, \(dq[::1]:4543\(dq] +.ft P +.fi +.UNINDENT +.UNINDENT +.SH OPTIONS +.SS Global Options +.INDENT 0.0 +.TP +.B version = \(dqv1\(dq +The configuration file version. (REQUIRED) +.sp +This is the only required option. All other settings, and their defaults, +are associated with this version number. More versions may be added in the +future and Cascade may drop support for older versions over time. +.INDENT 7.0 +.IP \(bu 2 +\fBv1\fP: This format. +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B policy\-dir = \(dq/etc/cascade/policies\(dq +The directory storing zone policies. +.sp +Zone policies are user\-managed files configuring groups of zones. You can +modify them as you like, then ask Cascade to reload them with \fBcascade +policy reload\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B zone\-state\-dir = \(dq/var/lib/cascade/zone\-state\(dq +The directory storing per\-zone state files. +.sp +Cascade maintains an internal state file for every known zone here. 
These +files should not be modified manually, but they can be backed up and +restored in the event of filesystem corruption. +.UNINDENT +.INDENT 0.0 +.TP +.B tsig\-store\-path = \(dq/var/lib/cascade/tsig\-keys.db\(dq +The file storing TSIG key secrets. +.sp +This is an internal state file containing sensitive cryptographic material. +It should not be modified manually, but it can be backed up and restored in +the event of filesystem corruption. Carefully consider its security. +.sp +Note: This setting is not used at present as the alpha version of Cascade +does not yet support TSIG keys. +.UNINDENT +.INDENT 0.0 +.TP +.B kmip\-credentials\-store\-path = \(dq/var/lib/cascade/kmip/credentials.db\(dq +The file storing KMIP credentials. +.sp +This is an internal state file containing sensitive KMIP server login +credentials. It should not be modified manually, but it can be backed up +and restored in the event of filesystem corruption. Carefully consider +its security. +.UNINDENT +.INDENT 0.0 +.TP +.B keys\-dir = \(dq/var/lib/cascade/keys\(dq +The directory storing rollover states and on\-disk DNSSEC keys. +.sp +For every zone, the state of its DNSSEC keys (which keys are used, on\-going +rollovers, etc.) are stored here. If on\-disk keys are used to sign zones, +they are stored also here. +.sp +The organization of this directory (file names and file formats) constitutes +internal implementation details. It should not be modified manually, but it +can be backed up and restored in the event of filesystem corruption. +Carefully consider its security. +.UNINDENT +.INDENT 0.0 +.TP +.B kmip\-server\-state\-dir = \(dq/var/lib/cascade/kmip\(dq +The directory containing KMIP server state. +.sp +Information about known KMIP servers is stored in this directory. +.sp +The organization of this directory (file names and file formats) constitutes +internal implementation details. 
It should not be modified manually, but it +can be backed up and restored in the event of filesystem corruption. +.UNINDENT +.INDENT 0.0 +.TP +.B dnst\-binary\-path = \(dq/usr/libexec/cascade/cascade\-dnst\(dq +The path to the dnst binary Cascade should use. +.sp +Cascade relies on a Cascade specific verison of the (not yet officially +released) \fBdnst\fP program (<\fI\%https://github.com/NLnetLabs/dnst\fP>) in order +to perform DNSSEC key management. You can specify an absolute path here, or +just \fBdnst\fP if it is in $PATH. +.UNINDENT +.SS Settings relevant to any daemon program. +.sp +The \fB[daemon]\fP section. +.INDENT 0.0 +.TP +.B log\-level = \(dqinfo\(dq +The minimum severity of the messages logged by the daemon. +.sp +Messages at or above the specified severity level will be logged. The +following levels are defined: +.INDENT 7.0 +.IP \(bu 2 +\fBtrace\fP: A function or variable was interacted with, for debugging. +.IP \(bu 2 +\fBdebug\fP: Something occurred that may be relevant to debugging. +.IP \(bu 2 +\fBinfo\fP: Things are proceeding as expected. +.IP \(bu 2 +\fBwarning\fP: Something does not appear to be correct. +.IP \(bu 2 +\fBerror\fP: Something went wrong (but Cascade can recover). +.IP \(bu 2 +\fBcritical\fP: Something went wrong and Cascade can\(aqt function at all. +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B log\-target = { type = \(dqfile\(dq, path = \(dq/dev/stdout\(dq } +.UNINDENT +.INDENT 0.0 +.TP +.B log\-target = { type = \(dqsyslog\(dq } +The location the daemon writes logs to. +.INDENT 7.0 +.IP \(bu 2 +type \fBfile\fP: Logs are appended line\-by\-line to the specified file path. +.sp +It can be set to \fB/dev/stdout\fP or \fB/dev/stderr\fP for standard output and +error, respectively. If it is a terminal, ANSI escape codes may be used +to style the output. +.IP \(bu 2 +type \fBsyslog\fP: Logs are written to the UNIX syslog. +.sp +This option is only supported on UNIX systems. 
+.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B daemonize = false +Whether to apply internal daemonization. +.sp +\(aqDaemonization\(aq involves several steps: +.INDENT 7.0 +.IP \(bu 2 +Forking the process to disconnect it from the terminal +.IP \(bu 2 +Tracking the new process\(aq PID (by storing it in a file) +.IP \(bu 2 +Binding privileged ports (below 1024) as configured +.IP \(bu 2 +Dropping administrator privileges +.UNINDENT +.sp +These features may be provided by an external system service manager, such +as systemd. If no such service manager is being used, Cascade can provide +such features itself, by setting this option to \fBtrue\fP\&. This will also +enable the \fBpid\-file\fP and \fBidentity\fP settings (although they remain +optional). +.UNINDENT +.INDENT 0.0 +.TP +.B pid\-file = \(dq/var/run/cascade.pid\(dq +The path to a PID file to maintain, if any. +.sp +If specified, Cascade will maintain a PID file at this location; it will be +a simple plain\-text file containing the PID number of the daemon process. +This option is only supported if \fBdaemonize\fP is true. +.UNINDENT +.INDENT 0.0 +.TP +.B identity = \(dqcascade:cascade\(dq +An identity (user and group) to assume after startup. +.sp +Cascade will assume the specified identity after initialization. Note that +this will fail if Cascade is started without administrator privileges. This +option is only supported if \fBdaemonize\fP is \fBtrue\fP\&. +.sp +The identity can be specified as \fB:\fP or just \fB\fP; in the +latter case, the identically named group will be used. Numeric IDs are not +supported; only names can be used. +.sp +\fBNOTE:\fP +.INDENT 7.0 +.INDENT 3.5 +When using systemd, you should rely on its \(aqUser=\(aq and \(aqGroup=\(aq +options instead. See <\fI\%https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#User=\fP>. +.UNINDENT +.UNINDENT +.UNINDENT +.SS How Cascade is controlled. +.sp +The \fB[remote\-control]\fP section. 
+.INDENT 0.0 +.TP +.B servers = [\(dq127.0.0.1:4539\(dq, \(dq[::1]:4539\(dq] +Where to serve Cascade\(aqs HTTP API. +.sp +The HTTP API can be used to monitor and control Cascade. The addresses +refer to TCP sockets that will be listened on for HTTP requests. At the +moment, security mechanisms like TLS are not supported. +.sp +These sockets may be bound by systemd and passed into Cascade. If systemd +does not provide them, Cascade will bind them itself (and will do so before +dropping privileges, if that is enabled). +.UNINDENT +.SS How zones are loaded. +.sp +The \fB[loader]\fP section. +.INDENT 0.0 +.TP +.B notify\-listeners = [\(dq127.0.0.1:4540\(dq, \(dq[::1]:4540\(dq] +Where to listen for zone change notifications. +.sp +A DNS server will be bound to these addresses. If a DNS NOTIFY message for +a known zone is received there, the zone will be reloaded appropriately. +.sp +Unless explicitly specified (e.g. \fBudp://localhost:4540\fP), each address will +be served over UDP and TCP. An empty array will disable listening entirely. +.sp +These sockets may be bound by systemd and passed into Cascade. If systemd +does not provide them, Cascade will bind them itself (and will do so before +dropping privileges, if that is enabled). +.UNINDENT +.SS How loaded zones are reviewed. +.sp +The \fB[loader.review]\fP section. +.INDENT 0.0 +.TP +.B servers = [\(dq127.0.0.1:4541\(dq, \(dq[::1]:4541\(dq] +Where to serve loaded zones for review. +.sp +A DNS server will be bound to these addresses, and will serve the contents +of all loaded zones. This can be used to verify the consistency of these +zones. +.sp +Unless explicitly specified (e.g. \fBudp://localhost:4541\fP), each address will +be served over UDP and TCP. An empty array will disable serving entirely. +.sp +These sockets may be bound by systemd and passed into Cascade. If systemd +does not provide them, Cascade will bind them itself (and will do so before +dropping privileges, if that is enabled). 
+.UNINDENT +.SS How zones are signed. +.sp +The \fB[signer]\fP section. (This only includes the \fB[signer.review]\fP section +below, for now). +.SS How signed zones are reviewed. +.sp +The \fB[signer.review]\fP section. +.INDENT 0.0 +.TP +.B servers = [\(dq127.0.0.1:4542\(dq, \(dq[::1]:4542\(dq] +Where to serve signed zones for review. +.sp +A DNS server will be bound to these addresses, and will serve the contents +of all signed (but not necessarily published) zones. This can be used to +check the correctness of the signer. +.sp +Unless explicitly specified (e.g. \fBudp://localhost:4542\fP), each address will +be served over UDP and TCP. An empty array will disable serving entirely. +.sp +These sockets may be bound by systemd and passed into Cascade. If systemd +does not provide them, Cascade will bind them itself (and will do so before +dropping privileges, if that is enabled). +.UNINDENT +.SS DNSSEC key management. +.sp +The \fB[key\-manager]\fP section. (Currently without options) +.SS How zones are published. +.sp +The \fB[server]\fP section. +.INDENT 0.0 +.TP +.B servers = [\(dq127.0.0.1:4543\(dq, \(dq[::1]:4543\(dq] +Where to serve published zones. +.sp +A DNS server will be bound to these addresses, and will serve the contents +of all published zones. This is the final output from Cascade. +.sp +Unless explicitly specified (e.g. \fBudp://localhost:4543\fP), each address will +be served over UDP and TCP. At least one address must be specified. +.sp +These sockets may be bound by systemd and passed into Cascade. If systemd +does not provide them, Cascade will bind them itself (and will do so before +dropping privileges, if that is enabled). 
+.UNINDENT +.SH FILES +.INDENT 0.0 +.TP +.B /etc/cascade/config.toml +Default Cascade config file +.UNINDENT +.SH SEE ALSO +.INDENT 0.0 +.TP +.B \fI\%https://cascade.docs.nlnetlabs.nl\fP +Cascade online documentation +.TP +\fBcascade\fP(1) +\fI\%Cascade CLI\fP +.TP +\fBcascaded\fP(1) +\fI\%Cascade Daemon\fP +.UNINDENT +.SH AUTHOR +NLnet Labs +.SH COPYRIGHT +2025–2025, NLnet Labs +.\" Generated by docutils manpage writer. +. diff --git a/doc/manual/build/man/cascaded-policy.toml.5 b/doc/manual/build/man/cascaded-policy.toml.5 new file mode 100644 index 00000000..ce11ebe5 --- /dev/null +++ b/doc/manual/build/man/cascaded-policy.toml.5 
@@ -0,0 +1,626 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "CASCADED-POLICY.TOML" "5" "Oct 06, 2025" "0.1.0-rc1" "Cascade" +.SH NAME +cascaded-policy.toml \- Cascade policy file format +.sp +A policy is a collection of settings that apply to a group of zones known to +Cascade. Policy controls how Cascade operates on those zones, e.g. how they +are signed. This page describes all possible settings and their defaults. You +can generate a template with these default values using \fBcascade template +policy\fP\&. +.sp +Policy files are managed by the user, and are stored at a configurable path +(by default, \fB/etc/cascade/policies\fP). You can add, modify, and remove +policy files, then update Cascade with \fBcascade policy reload\fP\&. Note that: +.INDENT 0.0 +.IP \(bu 2 +Cascade maintains an internal copy of all policies, and will use this until +\fBcascade policy reload\fP is used. If reloading fails, Cascade will continue +to use its existing internal copy. It won\(aqt reload policies if it restarts. +.IP \(bu 2 +Policies cannot be removed if they are attached to zones; those zones need +to be deleted or shifted to a different policy first. If you remove a used +policy and reload policies in Cascade, it will fail and continue to use its +internal copy of the policy. 
+.IP \(bu 2 +Only policy files stored in the configured policy directory and having a +\fB\&.toml\fP extension will be loaded by Cascade.\(ga +.UNINDENT +.SH EXAMPLE +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +version = \(dqv1\(dq + +[loader] +[loader.review] +required = false + +[key\-manager] +ksk.validity = \(dq31536000\(dq +zsk.validity = \(dq2592000\(dq +csk.validity = \(dq31536000\(dq +ksk.auto\-start = true +zsk.auto\-start = true +csk.auto\-start = true +algorithm.auto\-start = true +ksk.auto\-report = true +zsk.auto\-report = true +csk.auto\-report = true +algorithm.auto\-report = true +ksk.auto\-expire = true +zsk.auto\-expire = true +csk.auto\-expire = true +algorithm.auto\-expire = true +ksk.auto\-done = true +zsk.auto\-done = true +csk.auto\-done = true +algorithm.auto\-done = true +ds\-algorithm = \(dqSHA256\(dq +auto\-remove = true + +[key\-manager.records] +ttl = 3600 +dnskey.signature\-inception\-offset = 86400 +cds.signature\-inception\-offset = 86400 +dnskey.signature\-lifetime = 1209600 +cds.signature\-lifetime = 1209600 +dnskey.signature\-remain\-time = 604800 +cds.signature\-remain\-time = 604800 + +[key\-manager.generation] +use\-csk = false +algorithm = \(dqECDSAP256SHA256\(dq + +[signer] +serial\-policy = \(dqdate\-counter\(dq +signature\-inception\-offset = 86400 +signature\-lifetime = 1209600 +signature\-remain\-time = 604800 + +[signer.denial] +type = \(dqnsec\(dq + +[signer.review] +required = false + +[server.outbound] +send\-notify\-to = [] +.ft P +.fi +.UNINDENT +.UNINDENT +.SH OPTIONS +.SS Global Options +.INDENT 0.0 +.TP +.B version = \(dqv1\(dq +The policy file version. (REQUIRED) +.sp +This is the only required option. All other settings, and their defaults, +are associated with this version number. More versions may be added in the +future and Cascade may drop support for older versions over time. +.INDENT 7.0 +.IP \(bu 2 +\fBv1\fP: This format. +.UNINDENT +.UNINDENT +.SS How zones are loaded. +.sp +The \fB[loader]\fP section. 
+.SS How loaded zones are reviewed. +.sp +The \fB[loader.review]\fP section. +.sp +Review offers an opportunity to perform external checks on the zone contents +loaded by Cascade. +.INDENT 0.0 +.TP +.B required = false +Whether review is required. +.sp +If this is \fBtrue\fP, a loaded version of a zone will not be signed or +published until it is approved. If it is \fBfalse\fP, loaded zones will be +signed immediately. At the moment, the review hook will only be run if this +is set to true. +.UNINDENT +.INDENT 0.0 +.TP +.B cmd\-hook = \(dq\(dq +A hook for reviewing a loaded zone. This is a path to an executable. +.sp +This command string will be executed in the user\(aqs shell when a new version +of a zone is loaded. At the moment, it will only be run if \fBrequired\fP is +true. +.sp +It will receive the following information via environment variables: +.INDENT 7.0 +.IP \(bu 2 +\fBCASCADE_ZONE\fP: The name of the zone, formatted without a trailing dot. +.IP \(bu 2 +\fBCASCADE_SERIAL\fP: The serial number of the zone (decimal integer). +.IP \(bu 2 +\fBCASCADE_SERVER\fP: The TCP/UDP port where Cascade is serving the zone for +review, formatted \fB:\fP\&. +.IP \(bu 2 +\fBCASCADE_CONTROL\fP: The address of Cascade\(aqs HTTP API server, for sending +approvals and rejections. +.UNINDENT +.sp +The command will be called from an unspecified directory, and it must be +accessible to Cascade (i.e. after it has dropped privileges). Its exit code +will determine whether the zone is approved or not. +.UNINDENT +.SS DNSSEC key management. +.sp +The \fB[key\-manager]\fP section. +.INDENT 0.0 +.TP +.B ksk.validity = \(dq31536000\(dq +.UNINDENT +.INDENT 0.0 +.TP +.B zsk.validity = \(dq2592000\(dq +.UNINDENT +.INDENT 0.0 +.TP +.B csk.validity = \(dq31536000\(dq +How long keys are considered valid for. +.sp +If a key has been used for longer than this time, it is considered expired, +and (if enabled) it will automatically be rolled over to a new key. 
Even if +automatic rollovers are not enabled, the key will be reported as expired. +This is a soft condition \-\- DNSSEC does not have a concept of key expiry, +and it will not break DNSSEC validation, but it is usually important to the +security of the zone. +.sp +Independent validity times are set for KSKs, ZSKs, and CSKs. An integer +value will be interpreted as seconds; \fBforever\fP means keys never expire. +.UNINDENT +.INDENT 0.0 +.TP +.B ksk.auto\-start = true +.UNINDENT +.INDENT 0.0 +.TP +.B zsk.auto\-start = true +.UNINDENT +.INDENT 0.0 +.TP +.B csk.auto\-start = true +.UNINDENT +.INDENT 0.0 +.TP +.B algorithm.auto\-start = true +Whether to automatically start key rollovers. +.sp +If this is enabled, Cascade will automatically start rolling over keys when +they expire (as per \fBvalidity\fP). When using this setting, \fBvalidity\fP must +not be set to \fBforever\fP\&. +.sp +The first step in a rollover will be to generate new keys to replace old +ones. By disabling this setting, the user can manually control how new keys +are generated, and when rollovers happen. +.UNINDENT +.INDENT 0.0 +.TP +.B ksk.auto\-report = true +.UNINDENT +.INDENT 0.0 +.TP +.B zsk.auto\-report = true +.UNINDENT +.INDENT 0.0 +.TP +.B csk.auto\-report = true +.UNINDENT +.INDENT 0.0 +.TP +.B algorithm.auto\-report = true +Whether to automatically check for record propagation. +.sp +If this is enabled, Cascade will automatically contact public DNS servers to +detect when new records (e.g. DNSKEY) are visible globally. It is necessary +to wait until some records are visible globally to progress key rollovers. If +this is disabled, the user will have to inform Cascade when these conditions +are reached manually. +.sp +For this setting to work, Cascade must have network access to the zone\(aqs +public nameservers and the parent zone\(aqs public nameservers. 
+.UNINDENT +.INDENT 0.0 +.TP +.B ksk.auto\-expire = true +.UNINDENT +.INDENT 0.0 +.TP +.B zsk.auto\-expire = true +.UNINDENT +.INDENT 0.0 +.TP +.B csk.auto\-expire = true +.UNINDENT +.INDENT 0.0 +.TP +.B algorithm.auto\-expire = true +Whether to automatically wait for cache expiry. +.sp +If this is enabled, Cascade will automatically progress through key rollover +steps that need to wait for downstream users\(aq DNS caches to expire. It will +estimate the right amount of time to wait based on record TTLs. +.UNINDENT +.INDENT 0.0 +.TP +.B ksk.auto\-done = true +.UNINDENT +.INDENT 0.0 +.TP +.B zsk.auto\-done = true +.UNINDENT +.INDENT 0.0 +.TP +.B csk.auto\-done = true +.UNINDENT +.INDENT 0.0 +.TP +.B algorithm.auto\-done = true +Whether to automatically check for rollover completion. +.sp +Like \fBauto\-report\fP, if this setting is enabled, Cascade will automatically +contact public DNS servers to detect when new records are visible globally. +\fBauto\-done\fP specifically affects automatic checks for the last step of key +rollovers, and is independent from \fBauto\-report\fP\&. +.sp +For this setting to work, Cascade must have network access to the zone\(aqs +public nameservers and the parent zone\(aqs public nameservers. +.UNINDENT +.INDENT 0.0 +.TP +.B ds\-algorithm = \(dqSHA\-256\(dq +The hash algorithm used by the parent zones\(aq DS records. +.sp +Supported options: +.INDENT 7.0 +.IP \(bu 2 +\fBSHA\-256\fP: SHA\-256. +.IP \(bu 2 +\fBSHA\-384\fP: SHA\-384. +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B auto\-remove = true +Whether to automatically remove expired keys. +.sp +If this is set, expired keys will be removed automatically (by deleting the +files for on\-disk keys or removing it from the HSM). +.UNINDENT +.SS The management of DNS records by the key manager. +.sp +The \fB[key\-manager.records]\fP section. +.sp +The key manager generates and signs several records (DNSKEY and CDS). This +section controls its behaviour towards them. 
+.INDENT 0.0 +.TP +.B ttl = 3600 +The TTL for the generated records. +.UNINDENT +.INDENT 0.0 +.TP +.B dnskey.signature\-inception\-offset = 86400 +.UNINDENT +.INDENT 0.0 +.TP +.B cds.signature\-inception\-offset = 86400 +The offset for generated signature inceptions. +.sp +Record signatures have a fixed inception time, from when they are considered +valid. An imprecise computer clock could cause signatures to be considered +invalid, because their inception point appears to be some time in the future. +To prevent such cases, this setting allows the inception time to be offset +into the past. +.sp +Independent offsets can be set for each type of record. An integer value is +intepreted as seconds; inception times will be calculated as \fBnow \- offset\fP +at the time of signing. +.UNINDENT +.INDENT 0.0 +.TP +.B dnskey.signature\-lifetime = 1209600 +.UNINDENT +.INDENT 0.0 +.TP +.B cds.signature\-lifetime = 1209600 +The lifetime of generated signatures. +.sp +Record signatures have a fixed lifetime, after which they are considered +invalid. To keep the zone valid, the signatures should be regenerated before +they expire; see \fBsignature\-remain\-time\fP to control regeneration time. +.sp +Independent lifetimes can be set for each type of record. An integer value is +interpreted as seconds. +.UNINDENT +.INDENT 0.0 +.TP +.B dnskey.signature\-remain\-time = 604800 +.UNINDENT +.INDENT 0.0 +.TP +.B cds.signature\-remain\-time = 604800 +The amount of time remaining before expiry when signatures will be +regenerated. +.sp +In order to prevent a zone\(aqs signatures from appearing invalid, they +have to be regenerated before they expire. That hard limit is set by +\fBsignature\-lifetime\fP above. This setting controls how long before expiry +signatures will be regenerated; it must be less than the \fBsignature\-lifetime\fP +setting. +.sp +Independent waiting times can be set for each type of record. An integer +value is interpreted as seconds. 
+.UNINDENT +.SS How keys are generated. +.sp +The \fB[key\-manager.generation]\fP section. +.INDENT 0.0 +.TP +.B hsm\-server\-id = \(dq\(dq +The HSM server to use. +.sp +If this is set, the named HSM server (which must be configured via \fBcascade +hsm add\fP) will be used for generating new DNSSEC keys. +.sp +See \fI\%https://cascade.docs.nlnetlabs.nl/en/latest/hsms.html\fP for more +information. +.UNINDENT +.INDENT 0.0 +.TP +.B use\-csk = false +Whether to generate CSKs, instead of separate ZSKs and KSKs. +.sp +A CSK (Combined Signing Key) takes the role of both ZSK and KSK for a zone, +unlike the standard practice of using separate keys for ZSK and KSK. This +setting does not affect how DNSSEC validation is performed, only procedures +for key rollovers. +.sp +If this is enabled, Cascade will generate CSKs for the associated zones. +.UNINDENT +.INDENT 0.0 +.TP +.B algorithm = \(dqECDSAP256SHA256\(dq +The cryptographic algorithm (and parameters) for generated keys. +.sp +DNSSEC supports various cryptographic algorithms for signatures; one must be +selected, and for some algorithms, additional parameters are also necessary. +The same algorithm and parameters will be applied to the ZSK and KSK. +.INDENT 7.0 +.IP \(bu 2 +\fBRSASHA256[:]\fP, algorithm 8, with a public key size of +\fB\fP (default 2048) bits. +.IP \(bu 2 +\fBRSASHA512[:]\fP, algorithm 10, with a public key size of +\fB\fP (default 2048) bits. +.IP \(bu 2 +\fBECDSAP256SHA256\fP, algorithm 13. +.IP \(bu 2 +\fBECDSAP384SHA384\fP, algorithm 14. +.IP \(bu 2 +\fBED25519\fP, algorithm 15. +.IP \(bu 2 +\fBED448\fP, algorithm 16. +.UNINDENT +.sp +There are additional algorithms, but many are now considered insecure, and +it is recommended or mandated to avoid them. In addition, RSA keys smaller +than 2048 bits are not recommended. +.sp +\fBNOTE:\fP +.INDENT 7.0 +.INDENT 3.5 +At the moment, only RSASHA256 and ECDSAP256SHA256 work with HSMs. 
+Other algorithms cannot be used with HSMs, and will cause generation +failures. +.UNINDENT +.UNINDENT +.UNINDENT +.SS How zones are signed. +.sp +The \fB[signer]\fP section. +.sp +Note that certain records (e.g. DNSKEY and CDS records at the apex of the +zone) are signed by the key manager, rather than the zone signer; see the +\fB[key\-manager.records]\fP section for configuring the signing of those records. +.INDENT 0.0 +.TP +.B serial\-policy = \(dqdate\-counter\(dq +How SOA serial numbers are generated for signed zones. +.sp +Supported options: +.INDENT 7.0 +.IP \(bu 2 +\fBkeep\fP: use the same serial number as the unsigned zone. +.IP \(bu 2 +\fBcounter\fP: increment the serial number every time. +.IP \(bu 2 +\fBunixtime\fP: use the current Unix time, in seconds. +.IP \(bu 2 +\fBdate\-counter\fP: format the number as \fB
\fP in decimal. +\fB\fP is a simple counter to allow up to 100 versions per day. +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B signature\-inception\-offset = 86400 +The offset for generated signature inceptions. +.sp +Record signatures have a fixed inception time, from when they are considered +valid. An imprecise computer clock could cause signatures to be considered +invalid, because their inception point appears to be some time in the +future. To prevent such cases, this setting allows the inception time to be +offset into the past. +.sp +An integer value is interpreted as seconds; inception times will be +calculated as \fBnow \- offset\fP at the time of signing. +.UNINDENT +.INDENT 0.0 +.TP +.B signature\-lifetime = 1209600 +The lifetime of generated signatures. +.sp +Record signatures have a fixed lifetime, after which they are considered +invalid. To keep the zone valid, the signatures should be regenerated before +they expire; see \fBsignature\-remain\-time\fP to control regeneration time. +.sp +An integer value is interpreted as seconds. +.UNINDENT +.INDENT 0.0 +.TP +.B signature\-remain\-time = 604800 +The amount of time remaining before expiry when signatures will be +regenerated. +.sp +In order to prevent a zone\(aqs signatures from appearing invalid, they +have to be regenerated before they expire. That hard limit is set by +\fBsignature\-lifetime\fP above. This setting controls how long before expiry +signatures will be regenerated; it must be less than the \fBsignature\-lifetime\fP +setting. +.sp +An integer value is interpreted as seconds. +.UNINDENT +.SS How denial\-of\-existence records are generated. +.sp +The \fB[signer.denial]\fP section. +.INDENT 0.0 +.TP +.B type = \(dqnsec\(dq +The type of denial\-of\-existence records to generate. +.sp +Supported options: +\- \fBnsec\fP: Use NSEC records (RFC 4034). +\- \fBnsec3\fP: Use NSEC3 records (RFC 5155). 
+.UNINDENT +.INDENT 0.0 +.TP +.B opt\-out = false +(Only set when using NSEC3) +.sp +Whether to skip NSEC3 records for unsigned delegations. +.sp +This enables the NSEC3 Opt\-Out flag, and skips delegations to unsigned zones +when generating NSEC3 records. This affects the security of the zone, so be +careful if you wish to enable it. +.UNINDENT +.SS How signed zones are reviewed. +.sp +The \fB[signer.review]\fP section. +.INDENT 0.0 +.TP +.B [signer.review] +How signed zones are reviewed. +.UNINDENT +.INDENT 0.0 +.TP +.B required = false +Whether review is required. +.sp +If this is \fBtrue\fP, a signed version of a zone will not be published until it +is approved. If it is \fBfalse\fP, signed zones will be published immediately. +At the moment, the review hook will only be run if this is set to true. +.UNINDENT +.INDENT 0.0 +.TP +.B cmd\-hook = \(dq\(dq +A hook for reviewing a signed zone. This is a path to an executable. +.sp +This command string will be executed in the user\(aqs shell when a new version of +a zone is signed. At the moment, it will only be run if \fBrequired\fP is true. +.sp +It will receive the following information via environment variables: +.INDENT 7.0 +.IP \(bu 2 +\fBCASCADE_ZONE\fP: The name of the zone, formatted without a trailing dot. +.IP \(bu 2 +\fBCASCADE_SERIAL\fP: The serial number of the signed zone (decimal integer). +.IP \(bu 2 +\fBCASCADE_SERVER\fP: The TCP/UDP port where Cascade is serving the zone for +review, formatted \fB:\fP\&. +.UNINDENT +.sp +The command will be called from an unspecified directory, and it must be +accessible to Cascade (i.e. after it has dropped privileges). Its exit code +will determine whether the zone is approved or not. +.UNINDENT +.SS How published zones are served. +.sp +The \fB[server.outbound]\fP section. +.INDENT 0.0 +.TP +.B send\-notify\-to = [] +The set of nameservers to which NOTIFY messages should be sent. +.sp +If empty, no NOTIFY messages will be sent. 
+.sp +A collection of \fBIP:[port]\fP, defaulting to port 53 when not specified, e.g.: +\fBsend\-notify\-to = [\(dq[::1]:53\(dq]\fP +.UNINDENT +.SH FILES +.INDENT 0.0 +.TP +.B /etc/cascade/config.toml +Default Cascade config file +.TP +.B /etc/cascade/policies +Default policies directory +.UNINDENT +.SH SEE ALSO +.INDENT 0.0 +.TP +.B \fI\%https://cascade.docs.nlnetlabs.nl\fP +Cascade online documentation +.TP +\fBcascade\fP(1) +\fI\%Cascade CLI\fP +.TP +\fBcascaded\fP(1) +\fI\%Cascade Daemon\fP +.TP +\fBcascaded\-config.toml\fP(5) +\fI\%Configuration File Format\fP +.UNINDENT +.SH AUTHOR +NLnet Labs +.SH COPYRIGHT +2025–2025, NLnet Labs +.\" Generated by docutils manpage writer. +. diff --git a/doc/manual/build/man/cascaded.1 b/doc/manual/build/man/cascaded.1 new file mode 100644 index 00000000..911356b1 --- /dev/null +++ b/doc/manual/build/man/cascaded.1 
@@ -0,0 +1,137 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "CASCADED" "1" "Oct 06, 2025" "0.1.0-rc1" "Cascade" +.SH NAME +cascaded \- DNSSEC signer +.SH SYNOPSIS +.sp +\fBcascaded\fP \fB[OPTIONS]\fP +.SH DESCRIPTION +.sp +\fBcascaded\fP is the daemon process of Cascade, a friendly DNSSEC signing +solution. +.sp +For more information about Cascade, please refer to the Cascade documentation +at \fI\%https://cascade.docs.nlnetlabs.nl\fP\&. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \-\-check\-config +Check the configuration and exit. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-state +The global state file to use. +.UNINDENT +.INDENT 0.0 +.TP +.B \-c, \-\-config +The configuration file to load. Defaults to +\fB/etc/cascade/config.toml\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-log\-level +The minimum severity of messages to log [possible values: trace, +debug, info, warning, error, critical]. +.sp +Defaults to \fBinfo\fP, unless set in the config file. +.UNINDENT +.INDENT 0.0 +.TP +.B \-l, \-\-log +Where logs should be written to [possible values: stdout, stderr, +file:, syslog]. +.UNINDENT +.INDENT 0.0 +.TP +.B \-d, \-\-daemonize +Whether Cascade should fork on startup. +.UNINDENT +.INDENT 0.0 +.TP +.B \-h, \-\-help +Print the help text (short summary with \fB\-h\fP, long help with +\fB\-\-help\fP). 
+.UNINDENT +.INDENT 0.0 +.TP +.B \-V, \-\-version +Print version. +.UNINDENT +.SH FILES +.INDENT 0.0 +.TP +.B /etc/cascade/config.toml +Default Cascade config file +.TP +.B /etc/cascade/policies +Default policies directory +.TP +.B /var/lib/cascade/zone\-state +Default zone state directory +.TP +.B /var/lib/cascade/tsig\-keys.db +Default file for stored TSIG keys +.TP +.B /var/lib/cascade/keys +Default directory for on\-disk zone keys +.TP +.B /usr/libexec/cascade/cascade\-dnst +Default (Cascade\-specific) dnst binary for use by Cascade +.TP +.B /var/lib/cascade/kmip/credentials.db +Default file for KMIP credentials +.TP +.B /var/lib/cascade/kmip +Default directory for KMIP state files +.UNINDENT +.SH SEE ALSO +.INDENT 0.0 +.TP +.B \fI\%https://cascade.docs.nlnetlabs.nl\fP +Cascade online documentation +.TP +\fBcascade\fP(1) +\fI\%Cascade CLI\fP +.TP +\fBcascaded\-config.toml\fP(5) +\fI\%Configuration File Format\fP +.TP +\fBcascaded\-policy.toml\fP(5) +\fI\%Policy File Format\fP +.UNINDENT +.SH AUTHOR +NLnet Labs +.SH COPYRIGHT +2025–2025, NLnet Labs +.\" Generated by docutils manpage writer. +.
