Merge pull request #69 from dnsviz/obsoletealg

Obsoletealg
author: Casey Deccio <casey@deccio.net> 2021-01-09 03:29:50 +0300
committer: GitHub <noreply@github.com> 2021-01-09 03:29:50 +0300
commit: bdaa08fb28b4821f11a3f82c775b26f11ac56b80 (patch)
tree: e03caa4a161530cc2dd9150460a62aef0d8ebd42 /doc/man/dnsviz-graph.1
parent: 2e3cb9b0893e16fc764cb45c0676dcd009d8cfc0 (diff)
parent: f0e697b1d837f63299aa79d6152742bfd2dc9926 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/doc/man/dnsviz-graph.1 b/doc/man/dnsviz-graph.1
index 2e49755..6971750 100644
--- a/doc/man/dnsviz-graph.1
+++ b/doc/man/dnsviz-graph.1
@@ -93,6 +93,14 @@ unknown.  Additionally, when a zone has only DS records with unsupported digest
 algorithms, the zone is treated as "insecure", assuming the DS records are
 properly authenticated.
 .TP
+.B -b, --validate-prohibited-algs
+Validate algorithms for which validation is otherwise prohibited.  Current
+DNSSEC specification prohibits validators from validating older, weaker
+algorithms associated with DNSKEY and DS records (see RFC 8624).  If this
+option is used, then a warning will be still be issued for DNSSEC records that
+use these older algorithms, but the code will still assess their cryptographic
+status, rather than ignoring them.
+.TP
 .B -C, --enforce-cookies
 Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response
 when a query contains a COOKIE option with no server cookie or with an invalid
author	Casey Deccio <casey@deccio.net>	2021-01-09 03:29:50 +0300
committer	GitHub <noreply@github.com>	2021-01-09 03:29:50 +0300
commit	bdaa08fb28b4821f11a3f82c775b26f11ac56b80 (patch)
tree	e03caa4a161530cc2dd9150460a62aef0d8ebd42 /doc/man/dnsviz-graph.1
parent	2e3cb9b0893e16fc764cb45c0676dcd009d8cfc0 (diff)
parent	f0e697b1d837f63299aa79d6152742bfd2dc9926 (diff)