author | Casey Deccio <casey@deccio.net> | 2021-01-09 03:29:50 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-09 03:29:50 +0300 |
commit | bdaa08fb28b4821f11a3f82c775b26f11ac56b80 (patch) | |
tree | e03caa4a161530cc2dd9150460a62aef0d8ebd42 /doc/man/dnsviz-graph.1 | |
parent | 2e3cb9b0893e16fc764cb45c0676dcd009d8cfc0 (diff) | |
parent | f0e697b1d837f63299aa79d6152742bfd2dc9926 (diff) |
Merge pull request #69 from dnsviz/obsoletealg
Obsoletealg
Diffstat (limited to 'doc/man/dnsviz-graph.1')
-rw-r--r-- | doc/man/dnsviz-graph.1 | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/doc/man/dnsviz-graph.1 b/doc/man/dnsviz-graph.1 index 2e49755..6971750 100644 --- a/doc/man/dnsviz-graph.1 +++ b/doc/man/dnsviz-graph.1 @@ -93,6 +93,14 @@ unknown. Additionally, when a zone has only DS records with unsupported digest algorithms, the zone is treated as "insecure", assuming the DS records are properly authenticated. .TP +.B -b, --validate-prohibited-algs +Validate algorithms for which validation is otherwise prohibited. Current +DNSSEC specification prohibits validators from validating older, weaker +algorithms associated with DNSKEY and DS records (see RFC 8624). If this +option is used, then a warning will be still be issued for DNSSEC records that +use these older algorithms, but the code will still assess their cryptographic +status, rather than ignoring them. +.TP .B -C, --enforce-cookies Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response when a query contains a COOKIE option with no server cookie or with an invalid |
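Review bot: In the added paragraph for -b, --validate-prohibited-algs, the phrase "then a warning will be still be issued" has a duplicated "be" and should read "then a warning will still be issued". The sentence before it also needs an article: "The current DNSSEC specification prohibits validators from ...". Because this option makes the tool assess the cryptographic status of records whose algorithms the text says validators are prohibited from validating (RFC 8624), consider adding one sentence on how a reader should interpret that assessed status alongside the warning, so a passing result for an older algorithm is not read as an endorsement of it.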