rename 'zone-max-ttl' to 'max-zone-ttl' for consistency

bin/named/named.conf.docbook

@@ -13,7 +13,7 @@
 
 <refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
   <info>
-    <date>2019-08-12</date>
+    <date>2019-12-12</date>
   </info>
   <refentryinfo>
     <corpname>ISC</corpname>
@@ -111,6 +111,26 @@ dlz <replaceable>string</replaceable> {
 </literallayout>
   </refsection>
 
+  <refsection><info><title>DNSSEC-POLICY</title></info>
+    <literallayout class="normal">
+dnssec-policy <replaceable>string</replaceable> {
+	dnskey-ttl <replaceable>duration</replaceable>;
+	keys { ( csk | ksk | zsk ) ( key-directory ) lifetime <replaceable>duration</replaceable>
+	    algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ]; ... };
+	max-zone-ttl <replaceable>duration</replaceable>;
+	parent-ds-ttl <replaceable>duration</replaceable>;
+	parent-propagation-delay <replaceable>duration</replaceable>;
+	parent-registration-delay <replaceable>duration</replaceable>;
+	publish-safety <replaceable>duration</replaceable>;
+	retire-safety <replaceable>duration</replaceable>;
+	signatures-refresh <replaceable>duration</replaceable>;
+	signatures-validity <replaceable>duration</replaceable>;
+	signatures-validity-dnskey <replaceable>duration</replaceable>;
+	zone-propagation-delay <replaceable>duration</replaceable>;
+};
+</literallayout>
+  </refsection>
+
   <refsection><info><title>DYNDB</title></info>
     <literallayout class="normal">
 dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> {
@@ -148,7 +168,7 @@ logging {
   </refsection>
 
   <refsection><info><title>MANAGED-KEYS</title></info>
-  <para>Deprecated - see TRUST-ANCHORS.</para>
+  <para>Deprecated - see DNSSEC-KEYS.</para>
     <literallayout class="normal">
 managed-keys { <replaceable>string</replaceable> ( static-key
     | initial-key | static-ds |
@@ -246,6 +266,7 @@ options {
 	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
 	dnssec-loadkeys-interval <replaceable>integer</replaceable>;
 	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
+	dnssec-policy <replaceable>string</replaceable>;
 	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
 	dnssec-update-mode ( maintain | no-resign );
 	dnssec-validation ( yes | no | auto );
@@ -395,8 +416,8 @@ options {
 	    <replaceable>integer</replaceable>;
 	response-policy { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
 	    <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>duration</replaceable> ] [ min-update-interval
-	    <replaceable>duration</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
+	    <replaceable>duration</replaceable> ] [ policy ( cname | disabled | drop | given | no-op
-	    nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
+	    | nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
 	    recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
 	    nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
 	    break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>duration</replaceable> ] [
@@ -529,7 +550,7 @@ trust-anchors { <replaceable>string</replaceable> ( static-key |
   </refsection>
 
   <refsection><info><title>TRUSTED-KEYS</title></info>
-  <para>Deprecated - see TRUST-ANCHORS.</para>
+  <para>Deprecated - see DNSSEC-KEYS.</para>
     <literallayout class="normal">
 trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
     <replaceable>integer</replaceable> <replaceable>integer</replaceable>
@@ -610,6 +631,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
 	dnssec-loadkeys-interval <replaceable>integer</replaceable>;
 	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
+	dnssec-policy <replaceable>string</replaceable>;
 	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
 	dnssec-update-mode ( maintain | no-resign );
 	dnssec-validation ( yes | no | auto );
@@ -733,8 +755,8 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	    <replaceable>integer</replaceable>;
 	response-policy { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
 	    <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>duration</replaceable> ] [ min-update-interval
-	    <replaceable>duration</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
+	    <replaceable>duration</replaceable> ] [ policy ( cname | disabled | drop | given | no-op
-	    nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
+	    | nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
 	    recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
 	    nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
 	    break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>duration</replaceable> ] [
@@ -1014,26 +1036,6 @@ zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 </literallayout>
   </refsection>
 
-  <refsection><info><title>DNSSEC-POLICY</title></info>
-
-    <literallayout class="normal">
-dnssec-policy <replaceable>string</replaceable> {
-	dnskey-ttl <replaceable>duration</replaceable>;
-	keys { ( csk | ksk | zsk ) key-directory lifetime <replaceable>duration</replaceable> algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
-	parent-ds-ttl <replaceable>duration</replaceable>;
-	parent-propagation-delay <replaceable>duration</replaceable>;
-	parent-registration-delay <replaceable>duration</replaceable>;
-	publish-safety <replaceable>duration</replaceable>;
-	retire-safety <replaceable>duration</replaceable>;
-	signatures-refresh <replaceable>duration</replaceable>;
-	signatures-validity <replaceable>duration</replaceable>;
-	signatures-validity-dnskey <replaceable>duration</replaceable>;
-	zone-max-ttl <replaceable>duration</replaceable>;
-	zone-propagation-delay <replaceable>duration</replaceable>;
-};
-</literallayout>
-  </refsection>
-
   <refsection><info><title>FILES</title></info>
 
     <para><filename>/etc/named.conf</filename>

bin/tests/system/checkconf/good-kasp.conf

@@ -21,16 +21,16 @@ dnssec-policy "test" {
 		zsk key-directory lifetime P30D algorithm 13;
 		csk key-directory lifetime P30D algorithm 8 2048;
 	};
+	max-zone-ttl 86400;
+	parent-ds-ttl 7200;
+	parent-propagation-delay PT1H;
+	parent-registration-delay P1D;
 	publish-safety PT3600S;
 	retire-safety PT3600S;
 	signatures-refresh P3D;
 	signatures-validity P2W;
 	signatures-validity-dnskey P14D;
-	zone-max-ttl 86400;
 	zone-propagation-delay PT5M;
-	parent-ds-ttl 7200;
-	parent-propagation-delay PT1H;
-	parent-registration-delay P1D;
 };
 options {
 	dnssec-policy "default";

bin/tests/system/checkconf/good.conf

@@ -21,16 +21,16 @@ dnssec-policy "test" {
 		zsk key-directory lifetime P30D algorithm 13;
 		csk key-directory lifetime P30D algorithm 8 2048;
 	};
+	max-zone-ttl 86400;
+	parent-ds-ttl 7200;
+	parent-propagation-delay PT1H;
+	parent-registration-delay P1D;
 	publish-safety PT3600S;
 	retire-safety PT3600S;
 	signatures-refresh P3D;
 	signatures-validity P2W;
 	signatures-validity-dnskey P14D;
-	zone-max-ttl 86400;
 	zone-propagation-delay PT5M;
-	parent-ds-ttl 7200;
-	parent-propagation-delay PT1H;
-	parent-registration-delay P1D;
 };
 options {
 	avoid-v4-udp-ports {

bin/tests/system/kasp/ns3/policies/autosign.conf

@@ -39,7 +39,7 @@ dnssec-policy "zsk-prepub" {
 	};
 
 	zone-propagation-delay PT1H;
-	zone-max-ttl 1d;
+	max-zone-ttl 1d;
 };
 
 dnssec-policy "ksk-doubleksk" {
@@ -58,7 +58,7 @@ dnssec-policy "ksk-doubleksk" {
 	};
 
 	zone-propagation-delay PT1H;
-	zone-max-ttl 1d;
+	max-zone-ttl 1d;
 
 	parent-ds-ttl 3600;
 	parent-registration-delay P1D;
@@ -80,7 +80,7 @@ dnssec-policy "csk-roll" {
 	};
 
 	zone-propagation-delay 1h;
-	zone-max-ttl P1D;
+	max-zone-ttl P1D;
 
 	parent-ds-ttl 1h;
 	parent-registration-delay 1d;
@@ -102,7 +102,7 @@ dnssec-policy "csk-roll2" {
 	};
 
 	zone-propagation-delay PT1H;
-	zone-max-ttl 1d;
+	max-zone-ttl 1d;
 
 	parent-ds-ttl PT1H;
 	parent-registration-delay P1W;

doc/arm/Bv9ARM-book.xml

@@ -11209,22 +11209,23 @@ example.com                 CNAME   rpz-tcp-only.
 	    </varlistentry>
 
 	    <varlistentry>
-	      <term><command>zone-max-ttl</command></term>
+	      <term><command>max-zone-ttl</command></term>
 	      <listitem>
 		<para>
-		  Like <command>max-zone-ttl</command>, specifies the
+		  Like the <command>max-zone-ttl</command> zone option,
-		  maximum permissible TTL value in seconds. When loading a
+		  this specifies the maximum permissible TTL value in
-		  zone file using a <option>masterfile-format</option> or
+		  seconds for the zone. When loading a zone file using
+		  a <option>masterfile-format</option> of
 		  <constant>text</constant> or <constant>raw</constant>,
 		  any record encountered with a TTL higher than
-		  <option>zone-max-ttl</option> will be capped to the
+		  <option>max-zone-ttl</option> will be capped to the
 		  maximum permissible TTL value.
 		</para>
 		<para>
 		  This is needed in DNSSEC-maintained zones because when
 		  rolling to a new DNSKEY, the old key needs to remain
 		  available until RRSIG records have expired from caches.
-		  The <option>zone-max-ttl</option> option guarantees that
+		  The <option>max-zone-ttl</option> option guarantees that
 		  the largest TTL in the zone will be no higher than the
 		  set value.
 		</para>
@@ -11235,8 +11236,8 @@ example.com                 CNAME   rpz-tcp-only.
 		</para>
 		<para>
 		  The default value is <constant>PT24H</constant> (24 hours).
-		  A <option>zone-max-ttl</option> of zero is treated as if
+		  A <option>max-zone-ttl</option> of zero is treated as if
-		  the default value is in use.
+		  the default value were in use.
 		</para>
 	      </listitem>
 	    </varlistentry>

doc/arm/dnssec-policy.grammar.xml

@@ -15,6 +15,7 @@
 <command>dnssec-policy</command> <replaceable>string</replaceable> {
     <command>dnskey-ttl</command> <replaceable>duration</replaceable>;
     <command>keys</command> { ( csk | ksk | zsk ) key-directory lifetime <replaceable>duration</replaceable> algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
+    <command>max-zone-ttl</command> <replaceable>duration</replaceable>;
     <command>parent-ds-ttl</command> <replaceable>duration</replaceable>;
     <command>parent-propagation-delay</command> <replaceable>duration</replaceable>;
     <command>parent-registration-delay</command> <replaceable>duration</replaceable>;
@@ -23,7 +24,6 @@
     <command>signatures-refresh</command> <replaceable>duration</replaceable>;
     <command>signatures-validity</command> <replaceable>duration</replaceable>;
     <command>signatures-validity-dnskey</command> <replaceable>duration</replaceable>;
-    <command>zone-max-ttl</command> <replaceable>duration</replaceable>;
     <command>zone-propagation-delay</command> <replaceable>duration</replaceable>;
 };
 </programlisting>

doc/arm/options.grammar.xml

@@ -90,6 +90,7 @@
 	<command>dnssec-dnskey-kskonly</command> <replaceable>boolean</replaceable>;
 	<command>dnssec-loadkeys-interval</command> <replaceable>integer</replaceable>;
 	<command>dnssec-must-be-secure</command> <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
+	<command>dnssec-policy</command> <replaceable>string</replaceable>;
 	<command>dnssec-secure-to-insecure</command> <replaceable>boolean</replaceable>;
 	<command>dnssec-update-mode</command> ( maintain | no-resign );
 	<command>dnssec-validation</command> ( yes | no | auto );
@@ -239,8 +240,8 @@
 	    <replaceable>integer</replaceable>;
 	<command>response-policy</command> { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
 	    <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>duration</replaceable> ] [ min-update-interval
-	    <replaceable>duration</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
+	    <replaceable>duration</replaceable> ] [ policy ( cname | disabled | drop | given | no-op
-	    <command>nodata</command> | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
+	    | nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
 	    <command>recursive-only</command> <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
 	    <command>nsdname-enable</command> <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
 	    <command>break-dnssec</command> <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>duration</replaceable> ] [

doc/design/dnssec-policy

@@ -156,7 +156,7 @@ dnssec-policy "nsec3" {
     zone-soa-ttl 3600;
     zone-soa-minimum 3600;
     zone-soa-serial-update-method unixtime;
-    zone-max-ttl 24h;
+    max-zone-ttl 24h;
 
     // Parent properties
     parent-propagation-delay PT24H;

doc/misc/dnssec-policy.default.conf

@@ -16,7 +16,7 @@ dnssec-policy "default" {
 	signatures-validity-dnskey 14d;
 	
 	// Zone parameters
-	zone-max-ttl 86400;
+	max-zone-ttl 86400;
 	zone-propagation-delay 300;
 
 	// Parent parameters

doc/misc/options

@@ -25,6 +25,7 @@ dnssec-policy <string> {
         dnskey-ttl <duration>;
         keys { ( csk | ksk | zsk ) ( key-directory ) lifetime <duration>
             algorithm <integer> [ <integer> ]; ... };
+        max-zone-ttl <duration>;
         parent-ds-ttl <duration>;
         parent-propagation-delay <duration>;
         parent-registration-delay <duration>;
@@ -33,7 +34,6 @@ dnssec-policy <string> {
         signatures-refresh <duration>;
         signatures-validity <duration>;
         signatures-validity-dnskey <duration>;
-        zone-max-ttl <duration>;
         zone-propagation-delay <duration>;
 }; // may occur multiple times
 
@@ -206,7 +206,7 @@ options {
         fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
         fstrm-set-output-queue-size <integer>; // not configured
         fstrm-set-reopen-interval <duration>; // not configured
-        geoip-directory ( <quoted_string> | none ); // not configured
+        geoip-directory ( <quoted_string> | none );
         geoip-use-ecs <boolean>; // obsolete
         glue-cache <boolean>;
         has-old-clients <boolean>; // ancient
@@ -227,7 +227,7 @@ options {
         listen-on-v6 [ port <integer> ] [ dscp
             <integer> ] {
             <address_match_element>; ... }; // may occur multiple times
-        lmdb-mapsize <sizeval>; // non-operational
+        lmdb-mapsize <sizeval>;
         lock-file ( <quoted_string> | none );
         maintain-ixfr-base <boolean>; // ancient
         managed-keys-directory <quoted_string>;
@@ -581,7 +581,7 @@ view <string> [ <class> ] {
         }; // may occur multiple times
         key-directory <quoted_string>;
         lame-ttl <duration>;
-        lmdb-mapsize <sizeval>; // non-operational
+        lmdb-mapsize <sizeval>;
         maintain-ixfr-base <boolean>; // ancient
         managed-keys { <string> (
             static-key | initial-key

doc/misc/options.active

@@ -25,6 +25,7 @@ dnssec-policy <string> {
         dnskey-ttl <duration>;
         keys { ( csk | ksk | zsk ) ( key-directory ) lifetime <duration>
             algorithm <integer> [ <integer> ]; ... };
+        max-zone-ttl <duration>;
         parent-ds-ttl <duration>;
         parent-propagation-delay <duration>;
         parent-registration-delay <duration>;
@@ -33,7 +34,6 @@ dnssec-policy <string> {
         signatures-refresh <duration>;
         signatures-validity <duration>;
         signatures-validity-dnskey <duration>;
-        zone-max-ttl <duration>;
         zone-propagation-delay <duration>;
 }; // may occur multiple times
 
@@ -188,7 +188,7 @@ options {
         fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
         fstrm-set-output-queue-size <integer>; // not configured
         fstrm-set-reopen-interval <duration>; // not configured
-        geoip-directory ( <quoted_string> | none ); // not configured
+        geoip-directory ( <quoted_string> | none );
         glue-cache <boolean>;
         heartbeat-interval <integer>;
         hostname ( <quoted_string> | none );
@@ -205,7 +205,7 @@ options {
         listen-on-v6 [ port <integer> ] [ dscp
             <integer> ] {
             <address_match_element>; ... }; // may occur multiple times
-        lmdb-mapsize <sizeval>; // non-operational
+        lmdb-mapsize <sizeval>;
         lock-file ( <quoted_string> | none );
         managed-keys-directory <quoted_string>;
         masterfile-format ( map | raw | text );
@@ -522,7 +522,7 @@ view <string> [ <class> ] {
         }; // may occur multiple times
         key-directory <quoted_string>;
         lame-ttl <duration>;
-        lmdb-mapsize <sizeval>; // non-operational
+        lmdb-mapsize <sizeval>;
         managed-keys { <string> (
             static-key | initial-key
             | static-ds | initial-ds

lib/dns/keymgr.c

@@ -1042,7 +1042,7 @@ keymgr_transition_time(dns_dnsseckey_t* key, int type,
 			 * TTLsig is the maximum TTL of all zone RRSIG
 			 * records.  This translates to:
 			 *
-			 *     Dsgn + zone-propragation-delay + zone-max-ttl.
+			 *     Dsgn + zone-propragation-delay + max-zone-ttl.
 			 *
 			 * We will also add the retire-safety interval.
 			 */

lib/isccfg/kaspconf.c

@@ -191,7 +191,7 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t* mctx,
 	ISC_INSIST(!(dns_kasp_keylist_empty(kasp)));
 
 	/* Configuration: Zone settings */
-	dns_kasp_setzonemaxttl(kasp, get_duration(maps, "zone-max-ttl",
+	dns_kasp_setzonemaxttl(kasp, get_duration(maps, "max-zone-ttl",
 						  DNS_KASP_ZONE_MAXTTL));
 	dns_kasp_setzonepropagationdelay(kasp, get_duration(maps,
 						       "zone-propagation-delay",

lib/isccfg/namedconf.c

@@ -2078,16 +2078,16 @@ static cfg_clausedef_t
 dnssecpolicy_clauses[] = {
 	{ "dnskey-ttl", &cfg_type_duration, 0 },
 	{ "keys", &cfg_type_kaspkeys, 0 },
+	{ "max-zone-ttl", &cfg_type_duration, 0 },
+	{ "parent-ds-ttl", &cfg_type_duration, 0 },
+	{ "parent-propagation-delay", &cfg_type_duration, 0 },
+	{ "parent-registration-delay", &cfg_type_duration, 0 },
 	{ "publish-safety", &cfg_type_duration, 0 },
 	{ "retire-safety", &cfg_type_duration, 0 },
 	{ "signatures-refresh", &cfg_type_duration, 0 },
 	{ "signatures-validity", &cfg_type_duration, 0 },
 	{ "signatures-validity-dnskey", &cfg_type_duration, 0 },
-	{ "zone-max-ttl", &cfg_type_duration, 0 },
 	{ "zone-propagation-delay", &cfg_type_duration, 0 },
-	{ "parent-ds-ttl", &cfg_type_duration, 0 },
-	{ "parent-propagation-delay", &cfg_type_duration, 0 },
-	{ "parent-registration-delay", &cfg_type_duration, 0 },
 	{ NULL, NULL, 0 }
 };