mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 05:57:52 +00:00

Change some dnssec-policy defaults

Suggested by Tony Finch, these seem to be more reasonable defaults.
Matthijs Mekking 2019-12-05 12:17:19 +01:00
parent 0f9d45a5b8
commit 4b66c0ebf4
4 changed files with 11 additions and 9 deletions


@ -1,3 +1,6 @@
5334. [doc] Update documentation with dnssec-policy clarifications.
Also change some defaults.
5333. [bug] Fix duration printing on Solaris when value is not
an ISO 8601 duration. [GL #1460]


@ -11146,8 +11146,8 @@ example.com CNAME rpz-tcp-only.
<para>
A margin that is added to the publish interval in key
timing equations to give some extra time to cover
unforeseen events. Default is <constant>PT5M</constant>
(5 minutes).
unforeseen events. Default is <constant>PT1H</constant>
(1 hour).
</para>
</listitem>
</varlistentry>
@ -11158,8 +11158,8 @@ example.com CNAME rpz-tcp-only.
<para>
A margin that is added to the retire interval in key
timing equations to give some extra time to cover
unforeseen events. Default is <constant>PT5M</constant>
(5 minutes).
unforeseen events. Default is <constant>PT1H</constant>
(1 hour).
</para>
</listitem>
</varlistentry>
@ -11251,7 +11251,7 @@ example.com CNAME rpz-tcp-only.
<listitem>
<para>
The TTL of the DS RRset that the parent uses. Default is
<constant>PT1H</constant> (1 hour).
<constant>P1D</constant> (1 day).
</para>
</listitem>
</varlistentry>


@ -13,7 +13,6 @@
<programlisting>
<command>dnssec-policy</command> <replaceable>string</replaceable> {
<<<<<<< HEAD
<command>dnskey-ttl</command> <replaceable>duration</replaceable>;
<command>keys</command> { ( csk | ksk | zsk ) key-directory lifetime <replaceable>duration</replaceable> algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
<command>parent-ds-ttl</command> <replaceable>duration</replaceable>;


@ -99,9 +99,9 @@ struct dns_kasp {
#define DNS_KASP_SIG_VALIDITY (86400*14)
#define DNS_KASP_SIG_VALIDITY_DNSKEY (86400*14)
#define DNS_KASP_KEY_TTL (3600)
#define DNS_KASP_DS_TTL (3600)
#define DNS_KASP_PUBLISH_SAFETY (300)
#define DNS_KASP_RETIRE_SAFETY (300)
#define DNS_KASP_DS_TTL (86400)
#define DNS_KASP_PUBLISH_SAFETY (3600)
#define DNS_KASP_RETIRE_SAFETY (3600)
#define DNS_KASP_ZONE_MAXTTL (86400)
#define DNS_KASP_ZONE_PROPDELAY (300)
#define DNS_KASP_PARENT_PROPDELAY (3600)
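Review bot: The three changed defaults (`DNS_KASP_DS_TTL`, `DNS_KASP_PUBLISH_SAFETY`, `DNS_KASP_RETIRE_SAFETY`) are bare second counts with no unit or rationale, while the manual text in the same commit gives them as `P1D` and `PT1H`; a trailing comment such as `#define DNS_KASP_DS_TTL (86400) /* P1D: assumed TTL of the parent's DS RRset */` would let the header be checked against the documentation. The manual describes these values as inputs to the key timing equations, and a DS TTL assumed shorter than what the parent actually serves can let an old key be withdrawn while validators still cache its DS, so the reason for preferring the longer value is worth recording next to the constant. Zones that rely on the built-in defaults will presumably see different rollover timing after an upgrade, yet the CHANGES entry only says "change some defaults"; naming the three options there would help operators audit the effect. The list of defaults may continue outside this hunk.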