diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook index 5c609d5ee7..87c9254008 100644 --- a/bin/named/named.conf.docbook +++ b/bin/named/named.conf.docbook @@ -13,7 +13,7 @@ - 2019-08-12 + 2019-12-12 ISC @@ -111,6 +111,26 @@ dlz string { + DNSSEC-POLICY + +dnssec-policy string { + dnskey-ttl duration; + keys { ( csk | ksk | zsk ) ( key-directory ) lifetime duration + algorithm integer [ integer ]; ... }; + max-zone-ttl duration; + parent-ds-ttl duration; + parent-propagation-delay duration; + parent-registration-delay duration; + publish-safety duration; + retire-safety duration; + signatures-refresh duration; + signatures-validity duration; + signatures-validity-dnskey duration; + zone-propagation-delay duration; +}; + + + DYNDB dyndb string quoted_string { @@ -148,7 +168,7 @@ logging { MANAGED-KEYS - Deprecated - see TRUST-ANCHORS. + Deprecated - see DNSSEC-KEYS. managed-keys { string ( static-key | initial-key | static-ds | @@ -246,6 +266,7 @@ options { dnssec-dnskey-kskonly boolean; dnssec-loadkeys-interval integer; dnssec-must-be-secure string boolean; + dnssec-policy string; dnssec-secure-to-insecure boolean; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); @@ -395,8 +416,8 @@ options { integer; response-policy { zone string [ add-soa boolean ] [ log boolean ] [ max-policy-ttl duration ] [ min-update-interval - duration ] [ policy ( cname | disabled | drop | given | no-op | - nodata | nxdomain | passthru | tcp-only quoted_string ) ] [ + duration ] [ policy ( cname | disabled | drop | given | no-op + | nodata | nxdomain | passthru | tcp-only quoted_string ) ] [ recursive-only boolean ] [ nsip-enable boolean ] [ nsdname-enable boolean ]; ... } [ add-soa boolean ] [ break-dnssec boolean ] [ max-policy-ttl duration ] [ @@ -529,7 +550,7 @@ trust-anchors { string ( static-key | TRUSTED-KEYS - Deprecated - see TRUST-ANCHORS. + Deprecated - see DNSSEC-KEYS. trusted-keys { string integer integer integer 
@@ -610,6 +631,7 @@ view string [ class ] { dnssec-dnskey-kskonly boolean; dnssec-loadkeys-interval integer; dnssec-must-be-secure string boolean; + dnssec-policy string; dnssec-secure-to-insecure boolean; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); @@ -733,8 +755,8 @@ view string [ class ] { integer; response-policy { zone string [ add-soa boolean ] [ log boolean ] [ max-policy-ttl duration ] [ min-update-interval - duration ] [ policy ( cname | disabled | drop | given | no-op | - nodata | nxdomain | passthru | tcp-only quoted_string ) ] [ + duration ] [ policy ( cname | disabled | drop | given | no-op + | nodata | nxdomain | passthru | tcp-only quoted_string ) ] [ recursive-only boolean ] [ nsip-enable boolean ] [ nsdname-enable boolean ]; ... } [ add-soa boolean ] [ break-dnssec boolean ] [ max-policy-ttl duration ] [ @@ -1014,26 +1036,6 @@ zone string [ class ] { - DNSSEC-POLICY - - -dnssec-policy string { - dnskey-ttl duration; - keys { ( csk | ksk | zsk ) key-directory lifetime duration algorithm integer [ integer ] ; ... }; - parent-ds-ttl duration; - parent-propagation-delay duration; - parent-registration-delay duration; - publish-safety duration; - retire-safety duration; - signatures-refresh duration; - signatures-validity duration; - signatures-validity-dnskey duration; - zone-max-ttl duration; - zone-propagation-delay duration; -}; - - - FILES /etc/named.conf diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf index 35abe1e6ca..b4d3c1e562 100644 --- a/bin/tests/system/checkconf/good-kasp.conf +++ b/bin/tests/system/checkconf/good-kasp.conf 
@@ -21,16 +21,16 @@ dnssec-policy "test" {
 zsk key-directory lifetime P30D algorithm 13;
 csk key-directory lifetime P30D algorithm 8 2048;
 };
+ max-zone-ttl 86400;
+ parent-ds-ttl 7200;
+ parent-propagation-delay PT1H;
+ parent-registration-delay P1D;
 publish-safety PT3600S;
 retire-safety PT3600S;
 signatures-refresh P3D;
 signatures-validity P2W;
 signatures-validity-dnskey P14D;
- zone-max-ttl 86400;
 zone-propagation-delay PT5M;
- parent-ds-ttl 7200;
- parent-propagation-delay PT1H;
- parent-registration-delay P1D;
 };
 options {
 dnssec-policy "default";
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index 37d3de6504..2eb2850f10 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -21,16 +21,16 @@ dnssec-policy "test" {
 zsk key-directory lifetime P30D algorithm 13;
 csk key-directory lifetime P30D algorithm 8 2048;
 };
+ max-zone-ttl 86400;
+ parent-ds-ttl 7200;
+ parent-propagation-delay PT1H;
+ parent-registration-delay P1D;
 publish-safety PT3600S;
 retire-safety PT3600S;
 signatures-refresh P3D;
 signatures-validity P2W;
 signatures-validity-dnskey P14D;
- zone-max-ttl 86400;
 zone-propagation-delay PT5M;
- parent-ds-ttl 7200;
- parent-propagation-delay PT1H;
- parent-registration-delay P1D;
 };
 options {
 avoid-v4-udp-ports {
diff --git a/bin/tests/system/kasp/ns3/policies/autosign.conf b/bin/tests/system/kasp/ns3/policies/autosign.conf
index 664693a445..751783ee0e 100644
--- a/bin/tests/system/kasp/ns3/policies/autosign.conf
+++ b/bin/tests/system/kasp/ns3/policies/autosign.conf
@@ -39,7 +39,7 @@ dnssec-policy "zsk-prepub" {
 };
 zone-propagation-delay PT1H;
- zone-max-ttl 1d;
+ max-zone-ttl 1d;
 };
 dnssec-policy "ksk-doubleksk" {
@@ -58,7 +58,7 @@ dnssec-policy "ksk-doubleksk" {
 };
 zone-propagation-delay PT1H;
- zone-max-ttl 1d;
+ max-zone-ttl 1d;
 parent-ds-ttl 3600;
 parent-registration-delay P1D;
@@ -80,7 +80,7 @@ dnssec-policy "csk-roll" {
 };
 zone-propagation-delay 1h;
- zone-max-ttl P1D;
+ max-zone-ttl P1D;
 parent-ds-ttl 1h;
 parent-registration-delay 1d;
@@ -102,7 +102,7 @@ dnssec-policy "csk-roll2" {
 };
 zone-propagation-delay PT1H;
- zone-max-ttl 1d;
+ max-zone-ttl 1d;
 parent-ds-ttl PT1H;
 parent-registration-delay P1W;
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 75731470c2..1fd3e16e63 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -11209,22 +11209,23 @@ example.com CNAME rpz-tcp-only. - zone-max-ttl + max-zone-ttl - Like max-zone-ttl, specifies the maximum permissible TTL value in seconds. When loading a zone file using a or + Like the max-zone-ttl zone option, + this specifies the maximum permissible TTL value in + seconds for the zone. When loading a zone file using + a of text or raw, any record encountered with a TTL higher than - will be capped to the + will be capped to the maximum permissible TTL value. This is needed in DNSSEC-maintained zones because when rolling to a new DNSKEY, the old key needs to remain available until RRSIG records have expired from caches. - The option guarantees that + The option guarantees that the largest TTL in the zone will be no higher than the set value.
@@ -11235,8 +11236,8 @@ example.com CNAME rpz-tcp-only. The default value is PT24H (24 hours).
- A of zero is treated as if
- the default value is in use.
+ A of zero is treated as if
+ the default value were in use.
diff --git a/doc/arm/dnssec-policy.grammar.xml b/doc/arm/dnssec-policy.grammar.xml
index ae3839cbf4..d3e21a4918 100644
--- a/doc/arm/dnssec-policy.grammar.xml
+++ b/doc/arm/dnssec-policy.grammar.xml
@@ -15,6 +15,7 @@ dnssec-policy string {
 dnskey-ttl duration;
 keys { ( csk | ksk | zsk ) key-directory lifetime duration algorithm integer [ integer ] ; ... };
+ max-zone-ttl duration;
 parent-ds-ttl duration;
 parent-propagation-delay duration;
 parent-registration-delay duration;
@@ -23,7 +24,6 @@ signatures-refresh duration;
 signatures-validity duration;
 signatures-validity-dnskey duration;
- zone-max-ttl duration;
 zone-propagation-delay duration;
 };
diff --git a/doc/arm/options.grammar.xml b/doc/arm/options.grammar.xml
index 64a95defb4..f1e393fae8 100644
--- a/doc/arm/options.grammar.xml
+++ b/doc/arm/options.grammar.xml
@@ -90,6 +90,7 @@
 dnssec-dnskey-kskonly boolean;
 dnssec-loadkeys-interval integer;
 dnssec-must-be-secure string boolean;
+ dnssec-policy string;
 dnssec-secure-to-insecure boolean;
 dnssec-update-mode ( maintain | no-resign );
 dnssec-validation ( yes | no | auto );
@@ -239,8 +240,8 @@
 integer;
 response-policy { zone string [ add-soa boolean ] [ log boolean ] [ max-policy-ttl duration ] [ min-update-interval
- duration ] [ policy ( cname | disabled | drop | given | no-op |
- nodata | nxdomain | passthru | tcp-only quoted_string ) ] [
+ duration ] [ policy ( cname | disabled | drop | given | no-op
+ | nodata | nxdomain | passthru | tcp-only quoted_string ) ] [
 recursive-only boolean ] [ nsip-enable boolean ] [ nsdname-enable boolean ]; ... } [ add-soa boolean ] [ break-dnssec boolean ] [ max-policy-ttl duration ] [
diff --git a/doc/design/dnssec-policy b/doc/design/dnssec-policy
index 73f032b77d..ae16195518 100644
--- a/doc/design/dnssec-policy
+++ b/doc/design/dnssec-policy
@@ -156,7 +156,7 @@ dnssec-policy "nsec3" {
 zone-soa-ttl 3600;
 zone-soa-minimum 3600;
 zone-soa-serial-update-method unixtime;
- zone-max-ttl 24h;
+ max-zone-ttl 24h;
 // Parent properties
 parent-propagation-delay PT24H;
diff --git a/doc/misc/dnssec-policy.default.conf b/doc/misc/dnssec-policy.default.conf
index d94b2550f0..58283f2a0e 100644
--- a/doc/misc/dnssec-policy.default.conf
+++ b/doc/misc/dnssec-policy.default.conf
@@ -16,7 +16,7 @@ dnssec-policy "default" {
 signatures-validity-dnskey 14d;
 // Zone parameters
- zone-max-ttl 86400;
+ max-zone-ttl 86400;
 zone-propagation-delay 300;
 // Parent parameters
diff --git a/doc/misc/options b/doc/misc/options
index c660e49c6d..57b2a4393a 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -25,6 +25,7 @@ dnssec-policy {
 dnskey-ttl ;
 keys { ( csk | ksk | zsk ) ( key-directory ) lifetime algorithm [ ]; ... };
+ max-zone-ttl ;
 parent-ds-ttl ;
 parent-propagation-delay ;
 parent-registration-delay ;
@@ -33,7 +34,6 @@ dnssec-policy {
 signatures-refresh ;
 signatures-validity ;
 signatures-validity-dnskey ;
- zone-max-ttl ;
 zone-propagation-delay ;
 }; // may occur multiple times
@@ -206,7 +206,7 @@ options {
 fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
 fstrm-set-output-queue-size ; // not configured
 fstrm-set-reopen-interval ; // not configured
- geoip-directory ( | none ); // not configured
+ geoip-directory ( | none );
 geoip-use-ecs ; // obsolete
 glue-cache ;
 has-old-clients ; // ancient
@@ -227,7 +227,7 @@ options {
 listen-on-v6 [ port ] [ dscp ] { ; ... }; // may occur multiple times
- lmdb-mapsize ; // non-operational
+ lmdb-mapsize ;
 lock-file ( | none );
 maintain-ixfr-base ; // ancient
 managed-keys-directory ;
@@ -581,7 +581,7 @@ view [ ] {
 }; // may occur multiple times
 key-directory ;
 lame-ttl ;
- lmdb-mapsize ; // non-operational
+ lmdb-mapsize ;
 maintain-ixfr-base ; // ancient
 managed-keys { ( static-key | initial-key
diff --git a/doc/misc/options.active b/doc/misc/options.active
index 58a9c90aff..0adfbfa9ec 100644
--- a/doc/misc/options.active
+++ b/doc/misc/options.active
@@ -25,6 +25,7 @@ dnssec-policy {
 dnskey-ttl ;
 keys { ( csk | ksk | zsk ) ( key-directory ) lifetime algorithm [ ]; ... };
+ max-zone-ttl ;
 parent-ds-ttl ;
 parent-propagation-delay ;
 parent-registration-delay ;
@@ -33,7 +34,6 @@ dnssec-policy {
 signatures-refresh ;
 signatures-validity ;
 signatures-validity-dnskey ;
- zone-max-ttl ;
 zone-propagation-delay ;
 }; // may occur multiple times
@@ -188,7 +188,7 @@ options {
 fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
 fstrm-set-output-queue-size ; // not configured
 fstrm-set-reopen-interval ; // not configured
- geoip-directory ( | none ); // not configured
+ geoip-directory ( | none );
 glue-cache ;
 heartbeat-interval ;
 hostname ( | none );
@@ -205,7 +205,7 @@ options {
 listen-on-v6 [ port ] [ dscp ] { ; ... }; // may occur multiple times
- lmdb-mapsize ; // non-operational
+ lmdb-mapsize ;
 lock-file ( | none );
 managed-keys-directory ;
 masterfile-format ( map | raw | text );
@@ -522,7 +522,7 @@ view [ ] {
 }; // may occur multiple times
 key-directory ;
 lame-ttl ;
- lmdb-mapsize ; // non-operational
+ lmdb-mapsize ;
 managed-keys { ( static-key | initial-key
 | static-ds | initial-ds
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 43d95f0875..3f0b3d372b 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -1042,7 +1042,7 @@ keymgr_transition_time(dns_dnsseckey_t* key, int type,
 * TTLsig is the maximum TTL of all zone RRSIG
 * records. This translates to:
 *
- * Dsgn + zone-propragation-delay + zone-max-ttl.
+ * Dsgn + zone-propragation-delay + max-zone-ttl.
 *
 * We will also add the retire-safety interval.
 */
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index 75350ffa68..036761bdb0 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -191,7 +191,7 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t* mctx,
 ISC_INSIST(!(dns_kasp_keylist_empty(kasp)));
 /* Configuration: Zone settings */
- dns_kasp_setzonemaxttl(kasp, get_duration(maps, "zone-max-ttl",
+ dns_kasp_setzonemaxttl(kasp, get_duration(maps, "max-zone-ttl",
 DNS_KASP_ZONE_MAXTTL));
 dns_kasp_setzonepropagationdelay(kasp,
 get_duration(maps, "zone-propagation-delay",
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index e8838a24a1..e8812e9e30 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
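Review bot: The rewritten comment line in keymgr_transition_time still misspells the option it names, `* Dsgn + zone-propragation-delay + max-zone-ttl.`; since the line is being touched anyway, make it `* Dsgn + zone-propagation-delay + max-zone-ttl.` so that a reader grepping the code for the configured option name actually finds this derivation. The comment describes how the signature TTL bound feeds the key transition time, so the option names in it should match the grammar in namedconf.c exactly. The body of keymgr_transition_time begins and ends outside the hunk.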
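Review bot: The renamed lookup `get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL)` now reads a dnssec-policy clause whose name is identical to the existing zone/options-level `max-zone-ttl` option, yet neither this code nor the ARM text in the commit says which value governs a zone that has both a `dnssec-policy` and its own `max-zone-ttl`, and as far as this hunk shows `maps` holds only the policy's clauses, so the zone-level value is never consulted here. That precedence should be stated where the value is read, e.g. `/* Same spelling as the zone-level max-zone-ttl option; only the dnssec-policy value is read here (zone-level value, if any, is applied separately) -- confirm which wins when both are set. */`, and the ARM paragraph that begins "Like the max-zone-ttl zone option" should say the same thing. If the zone-level clause accepts a wider value set than cfg_type_duration (the grammar on this page does not show its type), that difference is worth a sentence too. The enclosing function cfg_kasp_fromconfig starts and ends outside the hunk.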
@@ -2078,16 +2078,16 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
 { "dnskey-ttl", &cfg_type_duration, 0 },
 { "keys", &cfg_type_kaspkeys, 0 },
+ { "max-zone-ttl", &cfg_type_duration, 0 },
+ { "parent-ds-ttl", &cfg_type_duration, 0 },
+ { "parent-propagation-delay", &cfg_type_duration, 0 },
+ { "parent-registration-delay", &cfg_type_duration, 0 },
 { "publish-safety", &cfg_type_duration, 0 },
 { "retire-safety", &cfg_type_duration, 0 },
 { "signatures-refresh", &cfg_type_duration, 0 },
 { "signatures-validity", &cfg_type_duration, 0 },
 { "signatures-validity-dnskey", &cfg_type_duration, 0 },
- { "zone-max-ttl", &cfg_type_duration, 0 },
 { "zone-propagation-delay", &cfg_type_duration, 0 },
- { "parent-ds-ttl", &cfg_type_duration, 0 },
- { "parent-propagation-delay", &cfg_type_duration, 0 },
- { "parent-registration-delay", &cfg_type_duration, 0 },
 { NULL, NULL, 0 }
 };
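Review bot: Removing `{ "zone-max-ttl", &cfg_type_duration, 0 },` from dnssecpolicy_clauses with no replacement entry means any existing dnssec-policy block that still uses the old spelling now fails to parse at startup with an unknown-clause error; if dnssec-policy has appeared in any released version, keep the old name for one cycle as a deprecated alias (the clause table already carries per-clause flags, which the generated `// obsolete` / `// ancient` annotations in doc/misc/options reflect) and have kaspconf.c honour it, otherwise at least record the rename in the release notes so operators know why their configuration stopped loading. Separately, the regenerated grammar files in this commit disagree with what this table change implies: bin/named/named.conf.docbook flips `Deprecated - see TRUST-ANCHORS` back to `Deprecated - see DNSSEC-KEYS` for managed-keys and trusted-keys, and doc/misc/options drops the `// not configured` and `// non-operational` annotations on geoip-directory and lmdb-mapsize, none of which this namedconf.c hunk touches. Those look like artifacts of regenerating from a stale branch and a differently configured build rather than intended changes, and should be reverted or confirmed before merging.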