Change some dnssec-policy defaults

Suggested by Tony Finch, these seem to be more reasonable defaults.
2025-08-30 05:57:52 +00:00 · 2019-12-05 12:17:19 +01:00 · 2019-12-05 12:17:19 +01:00 · 4b66c0ebf4
commit 4b66c0ebf4
parent 0f9d45a5b8
4 changed files with 11 additions and 9 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+5334.	[doc]		Update documentation with dnssec-policy clarifications.
+			Also change some defaults.
+
 5333.	[bug]		Fix duration printing on Solaris when value is not
 			an ISO 8601 duration. [GL #1460]

--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@ -11146,8 +11146,8 @@ example.com                 CNAME   rpz-tcp-only.
 		<para>
 		  A margin that is added to the publish interval in key
 		  timing equations to give some extra time to cover
-		  unforeseen events.  Default is <constant>PT5M</constant>
-		  (5 minutes).
+		  unforeseen events.  Default is <constant>PT1H</constant>
+		  (1 hour).
 		</para>
 	      </listitem>
 	    </varlistentry>
@ -11158,8 +11158,8 @@ example.com                 CNAME   rpz-tcp-only.
 		<para>
 		  A margin that is added to the retire interval in key
 		  timing equations to give some extra time to cover
-		  unforeseen events.  Default is <constant>PT5M</constant>
-		  (5 minutes).
+		  unforeseen events.  Default is <constant>PT1H</constant>
+		  (1 hour).
 		</para>
 	      </listitem>
 	    </varlistentry>
@ -11251,7 +11251,7 @@ example.com                 CNAME   rpz-tcp-only.
 	      <listitem>
 		<para>
 		  The TTL of the DS RRset that the parent uses.  Default is
-		  <constant>PT1H</constant> (1 hour).
+		  <constant>P1D</constant> (1 day).
 		</para>
 	      </listitem>
 	    </varlistentry>
--- a/doc/arm/dnssec-policy.grammar.xml
+++ b/doc/arm/dnssec-policy.grammar.xml
@ -13,7 +13,6 @@

 <programlisting>
 <command>dnssec-policy</command> <replaceable>string</replaceable> {
-<<<<<<< HEAD
    <command>dnskey-ttl</command> <replaceable>duration</replaceable>;
    <command>keys</command> { ( csk | ksk | zsk ) key-directory lifetime <replaceable>duration</replaceable> algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
    <command>parent-ds-ttl</command> <replaceable>duration</replaceable>;
--- a/lib/dns/include/dns/kasp.h
+++ b/lib/dns/include/dns/kasp.h
@ -99,9 +99,9 @@ struct dns_kasp {
 #define DNS_KASP_SIG_VALIDITY		(86400*14)
 #define DNS_KASP_SIG_VALIDITY_DNSKEY	(86400*14)
 #define DNS_KASP_KEY_TTL		(3600)
-#define DNS_KASP_DS_TTL			(3600)
-#define DNS_KASP_PUBLISH_SAFETY		(300)
-#define DNS_KASP_RETIRE_SAFETY		(300)
+#define DNS_KASP_DS_TTL			(86400)
+#define DNS_KASP_PUBLISH_SAFETY		(3600)
+#define DNS_KASP_RETIRE_SAFETY		(3600)
 #define DNS_KASP_ZONE_MAXTTL		(86400)
 #define DNS_KASP_ZONE_PROPDELAY		(300)
 #define DNS_KASP_PARENT_PROPDELAY	(3600)