From 3d066288ad6c6fe2ec2a54475f541a305a085068 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 3 Sep 2014 19:00:03 -0700
Subject: [PATCH] [master] [rt37069] update NTA limit to a week

3940. [func] "rndc nta" now allows negative trust anchors to be set for up to one week. [RT #37069]
---
 CHANGES | 3 +++
 bin/named/server.c | 4 ++--
 bin/rndc/rndc.docbook | 2 +-
 bin/tests/system/rndc/tests.sh | 6 ++++++
 doc/arm/Bv9ARM-book.xml | 2 +-
 5 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index 43ed8c5199..a8f9db11e7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3940. [func] "rndc nta" now allows negative trust anchors to be
+ set for up to one week. [RT #37069]
+
 3939. [func] Improve UPDATE forwarding performance by allowing TCP connections to be shared. [RT #37039]
diff --git a/bin/named/server.c b/bin/named/server.c
index 22cdd68f65..c1b06e3771 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -9921,8 +9921,8 @@ ns_server_nta(ns_server_t *server, char *args, isc_buffer_t *text) {
 CHECK(result);
 }
- if (ntattl > 86400) {
- msg = "NTA lifetime cannot exceed one day";
+ if (ntattl > 604800) {
+ msg = "NTA lifetime cannot exceed one week";
 CHECK(ISC_R_RANGE);
 }
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
index b26f765ff4..daf299ed77 100644
--- a/bin/rndc/rndc.docbook
+++ b/bin/rndc/rndc.docbook
@@ -608,7 +608,7 @@ . The default lifetime is configured in named.conf via the , and defaults to
- one hour. The lifetime cannot exceed one day.
+ one hour. The lifetime cannot exceed one week.
 A negative trust anchor selectively disables
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
index 8a22990eb3..8cc8992c14 100644
--- a/bin/tests/system/rndc/tests.sh
+++ b/bin/tests/system/rndc/tests.sh
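Review bot: In the bin/named/server.c hunk the new ceiling is the bare literal `604800`, and nothing next to it says that this number bounds how long DNSSEC validation can stay switched off for a name. A named constant would keep the comparison and its message from drifting apart, e.g. `#define NTA_MAX_LIFETIME 604800 /* one week, in seconds */` with `if (ntattl > NTA_MAX_LIFETIME) {`. The diffstat lists no other code change, so if the nta-lifetime option in named.conf is range-checked somewhere outside this hunk, that check may still apply the old one-day cap while the ARM text now says one week; this is worth confirming. The body of ns_server_nta starts and ends outside the hunk.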
@@ -378,5 +378,11 @@ grep "query: foo9876.bind CH TXT" ns4/named.run > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+echo "I:testing rndc nta time limits"
+ret=0
+$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf nta -l 2h nta1.example 2>&1 | grep "Negative trust anchor added" > /dev/null || ret=1
+$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf nta -l 1d nta2.example 2>&1 | grep "Negative trust anchor added" > /dev/null || ret=1
+$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf nta -l 1w nta3.example 2>&1 | grep "Negative trust anchor added" > /dev/null || ret=1
+$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf nta -l 8d nta4.example 2>&1 | grep "NTA lifetime cannot exceed one week" > /dev/null || ret=1
 echo "I:exit status: $status"
 exit $status
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 906c890eca..a76c19673c 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -5737,7 +5737,7 @@ options { For convenience, TTL-style time unit suffixes can be used to specify the NTA lifetime in seconds, minutes or hours. defaults to
- one hour. It cannot exceed one day.
+ one hour. It cannot exceed one week.
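Review bot: The new "rndc nta time limits" block in bin/tests/system/rndc/tests.sh sets `ret` but never reports it, because the added lines run straight into `echo "I:exit status: $status"`. A failure of any of the four checks therefore leaves `status` unchanged and the run still passes, so a regression in the lifetime cap would go unnoticed. After the last `$RNDC` line, add the same two lines that close the previous test: `if [ $ret != 0 ]; then echo "I:failed"; fi` and the `status` update via `expr $status + $ret`. The rejection case uses `8d`, a full day over the limit; a value just past one week would pin the boundary this check enforces more tightly.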