diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index f9696fa3fa..61016b6094 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -1015,7 +1015,7 @@ zone string [ class ] {
dnssec-policy string {
dnskey-ttl ttlval;
- keys { ( csk | ksk | zsk ) key-directory duration integer [ integer ] ; ... };
+ keys { ( csk | ksk | zsk ) key-directory lifetime duration algorithm integer [ integer ] ; ... };
parent-ds-ttl duration;
parent-propagation-delay duration;
parent-registration-delay duration;
diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf
index 804637a345..041e6bfae8 100644
--- a/bin/tests/system/checkconf/good-kasp.conf
+++ b/bin/tests/system/checkconf/good-kasp.conf
@@ -17,9 +17,9 @@
dnssec-policy "test" {
dnskey-ttl 3600;
keys {
- ksk key-directory P1Y 13 256;
- zsk key-directory P30D 13;
- csk key-directory P30D 8 2048;
+ ksk key-directory lifetime P1Y algorithm 13 256;
+ zsk key-directory lifetime P30D algorithm 13;
+ csk key-directory lifetime P30D algorithm 8 2048;
};
publish-safety PT3600S;
retire-safety PT3600S;
diff --git a/bin/tests/system/kasp/kasp.conf b/bin/tests/system/kasp/kasp.conf
index 2ef71b3f4d..5b09682fcf 100644
--- a/bin/tests/system/kasp/kasp.conf
+++ b/bin/tests/system/kasp/kasp.conf
@@ -17,9 +17,9 @@ dnssec-policy "kasp" {
dnskey-ttl 200;
keys {
- csk key-directory P1Y 13;
- ksk key-directory P1Y 8;
- zsk key-directory P30D 8 1024;
- zsk key-directory P6M 8 2000;
+ csk key-directory lifetime P1Y algorithm 13;
+ ksk key-directory lifetime P1Y algorithm 8;
+ zsk key-directory lifetime P30D algorithm 8 1024;
+ zsk key-directory lifetime P6M algorithm 8 2000;
};
};
diff --git a/bin/tests/system/kasp/ns3/policies/autosign.conf b/bin/tests/system/kasp/ns3/policies/autosign.conf
index 3a0d028d00..f04d219e6d 100644
--- a/bin/tests/system/kasp/ns3/policies/autosign.conf
+++ b/bin/tests/system/kasp/ns3/policies/autosign.conf
@@ -18,8 +18,8 @@ dnssec-policy "autosign" {
dnskey-ttl 300;
keys {
- ksk key-directory P2Y 13;
- zsk key-directory P1Y 13;
+ ksk key-directory lifetime P2Y algorithm 13;
+ zsk key-directory lifetime P1Y algorithm 13;
};
};
@@ -34,8 +34,8 @@ dnssec-policy "zsk-prepub" {
retire-safety P2D;
keys {
- ksk key-directory P2Y 13;
- zsk key-directory P30D 13;
+ ksk key-directory lifetime P2Y algorithm 13;
+ zsk key-directory lifetime P30D algorithm 13;
};
zone-propagation-delay PT1H;
@@ -53,8 +53,8 @@ dnssec-policy "ksk-doubleksk" {
retire-safety P2D;
keys {
- ksk key-directory P60D 13;
- zsk key-directory P1Y 13;
+ ksk key-directory lifetime P60D algorithm 13;
+ zsk key-directory lifetime P1Y algorithm 13;
};
zone-propagation-delay PT1H;
diff --git a/bin/tests/system/kasp/ns3/policies/kasp.conf b/bin/tests/system/kasp/ns3/policies/kasp.conf
index 547c5c0429..fa60476e65 100644
--- a/bin/tests/system/kasp/ns3/policies/kasp.conf
+++ b/bin/tests/system/kasp/ns3/policies/kasp.conf
@@ -13,9 +13,9 @@ dnssec-policy "rsasha1" {
dnskey-ttl 1234;
keys {
- ksk key-directory P10Y 5;
- zsk key-directory P5Y 5;
- zsk key-directory P1Y 5 2000;
+ ksk key-directory lifetime P10Y algorithm 5;
+ zsk key-directory lifetime P5Y algorithm 5;
+ zsk key-directory lifetime P1Y algorithm 5 2000;
};
};
@@ -23,9 +23,9 @@ dnssec-policy "rsasha1-nsec3" {
dnskey-ttl 1234;
keys {
- ksk key-directory P10Y 7;
- zsk key-directory P5Y 7;
- zsk key-directory P1Y 7 2000;
+ ksk key-directory lifetime P10Y algorithm 7;
+ zsk key-directory lifetime P5Y algorithm 7;
+ zsk key-directory lifetime P1Y algorithm 7 2000;
};
};
@@ -33,9 +33,9 @@ dnssec-policy "rsasha256" {
dnskey-ttl 1234;
keys {
- ksk key-directory P10Y 8;
- zsk key-directory P5Y 8;
- zsk key-directory P1Y 8 2000;
+ ksk key-directory lifetime P10Y algorithm 8;
+ zsk key-directory lifetime P5Y algorithm 8;
+ zsk key-directory lifetime P1Y algorithm 8 2000;
};
};
@@ -43,9 +43,9 @@ dnssec-policy "rsasha512" {
dnskey-ttl 1234;
keys {
- ksk key-directory P10Y 10;
- zsk key-directory P5Y 10;
- zsk key-directory P1Y 10 2000;
+ ksk key-directory lifetime P10Y algorithm 10;
+ zsk key-directory lifetime P5Y algorithm 10;
+ zsk key-directory lifetime P1Y algorithm 10 2000;
};
};
@@ -53,9 +53,9 @@ dnssec-policy "ecdsa256" {
dnskey-ttl 1234;
keys {
- ksk key-directory P10Y 13;
- zsk key-directory P5Y 13;
- zsk key-directory P1Y 13 256;
+ ksk key-directory lifetime P10Y algorithm 13;
+ zsk key-directory lifetime P5Y algorithm 13;
+ zsk key-directory lifetime P1Y algorithm 13 256;
};
};
@@ -63,8 +63,8 @@ dnssec-policy "ecdsa384" {
dnskey-ttl 1234;
keys {
- ksk key-directory P10Y 14;
- zsk key-directory P5Y 14;
- zsk key-directory P1Y 14 384;
+ ksk key-directory lifetime P10Y algorithm 14;
+ zsk key-directory lifetime P5Y algorithm 14;
+ zsk key-directory lifetime P1Y algorithm 14 384;
};
};
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index d0c21560d9..2562c1f348 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -11059,9 +11059,9 @@ example.com CNAME rpz-tcp-only.
keys {
- ksk key-directory P5Y 8 2048;
- zsk key-directory P30D 8;
- csk key-directory P6MT12H3M15S 13;
+ ksk key-directory lifetime P5Y algorithm 8 2048;
+ zsk key-directory lifetime P30D algorithm 8;
+ csk key-directory lifetime P6MT12H3M15S algorithm 13;
};
diff --git a/doc/arm/dnssec.xml b/doc/arm/dnssec.xml
index be702849c3..3c0cf4dfec 100644
--- a/doc/arm/dnssec.xml
+++ b/doc/arm/dnssec.xml
@@ -54,7 +54,7 @@
dnssec-policy csk {
keys {
- csk key-directory P5Y 13;
+ csk key-directory lifetime P5Y algorithm 13;
};
};
diff --git a/doc/design/dnssec-policy b/doc/design/dnssec-policy
index 3e695a2c39..73f032b77d 100644
--- a/doc/design/dnssec-policy
+++ b/doc/design/dnssec-policy
@@ -199,9 +199,9 @@ is referred to as a CSK. Below is an example configuration for the three types
of keys:
```
keys {
- ksk key-directory P5Y ECDSAP256SHA256;
- zsk key-directory P30D ECDSAP256SHA256;
- csk key-directory PT0S 8 2048;
+ ksk key-directory lifetime P5Y algorithm ECDSAP256SHA256;
+ zsk key-directory lifetime P30D algorithm ECDSAP256SHA256;
+ csk key-directory lifetime PT0S algorithm 8 2048;
};
```
diff --git a/doc/misc/options b/doc/misc/options
index cb00923715..61dad9bbba 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -27,7 +27,7 @@ dnssec-keys { ( static-key |
dnssec-policy {
dnskey-ttl ;
- keys { ( csk | ksk | zsk ) key-directory
+ keys { ( csk | ksk | zsk ) key-directory lifetime algorithm
[ ]; ... };
parent-ds-ttl ;
parent-propagation-delay ;
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 7d0dd467db..746ee47a23 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -502,11 +502,23 @@ static cfg_type_t cfg_type_dnsseckeystore = {
/*%
* A dnssec key, as used in the "keys" statement in a "dnssec-policy".
*/
+static keyword_type_t algorithm_kw = { "algorithm", &cfg_type_uint32 };
+static cfg_type_t cfg_type_algorithm = {
+ "algorithm", parse_keyvalue, print_keyvalue,
+ doc_keyvalue, &cfg_rep_uint32, &algorithm_kw
+};
+
+static keyword_type_t lifetime_kw = { "lifetime", &cfg_type_duration };
+static cfg_type_t cfg_type_lifetime = {
+ "lifetime", parse_keyvalue, print_keyvalue,
+ doc_keyvalue, &cfg_rep_duration, &lifetime_kw
+};
+
static cfg_tuplefielddef_t kaspkey_fields[] = {
{ "role", &cfg_type_dnsseckeyrole, 0 },
{ "keystore-type", &cfg_type_dnsseckeystore, 0 },
- { "lifetime", &cfg_type_duration, 0 },
- { "algorithm", &cfg_type_uint32, 0 },
+ { "lifetime", &cfg_type_lifetime, 0 },
+ { "algorithm", &cfg_type_algorithm, 0 },
{ "length", &cfg_type_optional_uint32, 0 },
{ NULL, NULL, 0 }
};
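Review bot: `cfg_type_algorithm` at the top of the hunk wraps plain `cfg_type_uint32`, so the grammar accepts any 32-bit value for `algorithm` even though DNSSEC algorithm numbers are 8-bit, and the design document updated in this same commit (doc/design/dnssec-policy) writes `algorithm ECDSAP256SHA256`, a mnemonic this parser will reject; either that example should use the numeric form or the keyword type needs to accept mnemonics. The `length` field stays an unchecked optional uint32, so a line such as `zsk key-directory lifetime P1Y algorithm 13 2048` parses although ECDSA P-256 has a fixed size, and nothing in this hunk ties the length to the algorithm. If those range and algorithm/length checks are deliberately left to the later kasp validation, a comment on the `kaspkey_fields` table should say so, e.g. `/* algorithm is numeric only (no mnemonics); range and algorithm/length validation is done in the kasp checks, not by the parser */`. The `cfg_type_kaspkey` definition continues past the end of the hunk.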
@@ -515,6 +527,9 @@ static cfg_type_t cfg_type_kaspkey = {
&cfg_rep_tuple, kaspkey_fields
};
+/*%
+ * Wild class, type, name.
+ */
static keyword_type_t wild_class_kw = { "class", &cfg_type_ustring };
static cfg_type_t cfg_type_optional_wild_class = {