mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-03 08:05:21 +00:00

Update docs with durations, built-in dnssec-policy

Clarify in the ARM that TTL-style options can also now take ISO
8601 durations.

Mention the built-in dnssec policies "default" and "none".  Mention
that "none" is the default.

Add a file documenting the default dnssec-policy configuration options.

Fix dnssec-policy syntax in ARM (dnssec-policy.grammar.xml).
Matthijs Mekking
2019-12-05 10:47:20 +01:00
parent 6f096f5245
commit a339a6df48
3 changed files with 92 additions and 32 deletions

View File

@@ -0,0 +1,26 @@
dnssec-policy "default" {
// Keys
keys {
csk key-directory lifetime 0 algorithm 13;
};
// Key timings
dnskey-ttl 3600;
publish-safety 1h;
retire-safety 1h;
// Signature timings
signatures-refresh 5d;
signatures-validity 14d;
signatures-validity-dnskey 14d;
// Zone parameters
zone-max-ttl 86400;
zone-propagation-delay 300;
// Parent parameters
parent-ds-ttl 86400;
parent-registration-delay 24h;
parent-propagation-delay 1h;
};
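Review bot: the one entry here a reader cannot interpret on its own is `csk key-directory lifetime 0 algorithm 13;`: add a comment saying what `lifetime 0` means for the CSK (the grammar makes lifetime a duration, so a zero value needs spelling out, for example that the key is never rolled) and that algorithm 13 is ECDSAP256SHA256. The notation is also mixed without reason, seconds in `dnskey-ttl 3600;`, `zone-max-ttl 86400;`, `parent-ds-ttl 86400;` and `zone-propagation-delay 300;` beside suffixed values in `publish-safety 1h;`, `signatures-refresh 5d;` and `parent-registration-delay 24h;`. Since this file exists only to document the built-in defaults, use one notation throughout and open the file with a comment stating that it shows the built-in "default" policy for reference, so nobody pastes it into named.conf expecting it to override anything.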

View File

@@ -4467,9 +4467,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
The number of seconds to wait between attempts to The number of seconds to wait between attempts to
reopen a closed output stream. The minimum is 1 second, reopen a closed output stream. The minimum is 1 second,
the maximum is 600 seconds (10 minutes), and the default the maximum is 600 seconds (10 minutes), and the default
is 5 seconds. is 5 seconds. For convenience, TTL-style time unit
For convenience, TTL-style time unit suffixes may be suffixes may be used to specify the value. It also
used to specify the value. accepts ISO 8601 duration formats.
</simpara> </simpara>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
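Review bot: "It also accepts ISO 8601 duration formats." has no clear antecedent, because the sentence before it is about the suffixes rather than the option; "The value may also be given as an ISO 8601 duration." reads unambiguously. The same sentence is pasted verbatim into every hunk of this file, so the ARM would be better served by one definition of the accepted duration syntax (which TTL-style suffixes, which ISO 8601 forms, and whether week and month designators such as P1W or P1M are honoured and how they are converted) that each option then refers to; as written, a reader still does not know what an ISO 8601 duration looks like to this parser.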
@@ -5271,8 +5271,11 @@ options {
<para> <para>
For convenience, TTL-style time unit suffixes can be For convenience, TTL-style time unit suffixes can be
used to specify the NTA lifetime in seconds, minutes used to specify the NTA lifetime in seconds, minutes
or hours. <option>nta-lifetime</option> defaults to or hours. It also accepts ISO 8601 duration formats.
one hour. It cannot exceed one week. </para>
<para>
<option>nta-lifetime</option> defaults to one hour. It
cannot exceed one week.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -5305,9 +5308,13 @@ options {
<para> <para>
For convenience, TTL-style time unit suffixes can be For convenience, TTL-style time unit suffixes can be
used to specify the NTA recheck interval in seconds, used to specify the NTA recheck interval in seconds,
minutes or hours. The default is five minutes. It minutes or hours. It also accepts ISO 8601 duration
cannot be longer than <option>nta-lifetime</option> formats.
(which cannot be longer than a week). </para>
<para>
The default is five minutes. It cannot be longer than
<option>nta-lifetime</option> (which cannot be longer
than a week).
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -5318,7 +5325,10 @@ options {
<para> <para>
Specifies a maximum permissible TTL value in seconds. Specifies a maximum permissible TTL value in seconds.
For convenience, TTL-style time unit suffixes may be For convenience, TTL-style time unit suffixes may be
used to specify the maximum value. used to specify the maximum value. It also
accepts ISO 8601 duration formats.
</para>
<para>
When loading a zone file using a When loading a zone file using a
<option>masterfile-format</option> of <option>masterfile-format</option> of
<constant>text</constant> or <constant>raw</constant>, <constant>text</constant> or <constant>raw</constant>,
@@ -8463,7 +8473,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<command>listen-on</command> configuration), and <command>listen-on</command> configuration), and
will stop listening on interfaces that have gone away. will stop listening on interfaces that have gone away.
For convenience, TTL-style time unit suffixes may be For convenience, TTL-style time unit suffixes may be
used to specify the value. used to specify the value. It also accepts ISO 8601
duration formats.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -8744,9 +8755,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
stores negative answers. <command>min-ncache-ttl</command> is stores negative answers. <command>min-ncache-ttl</command> is
used to set a minimum retention time for these answers in the used to set a minimum retention time for these answers in the
server in seconds. For convenience, TTL-style time unit server in seconds. For convenience, TTL-style time unit
suffixes may be used to specify the value. The default suffixes may be used to specify the value. It also
<command>min-ncache-ttl</command> is <literal>0</literal> accepts ISO 8601 duration formats.
seconds. <command>min-ncache-ttl</command> cannot exceed 90 </para>
<para>
The default <command>min-ncache-ttl</command> is
<literal>0</literal> seconds.
<command>min-ncache-ttl</command> cannot exceed 90
seconds and will be truncated to 90 seconds if set to a seconds and will be truncated to 90 seconds if set to a
greater value. greater value.
</para> </para>
@@ -8758,10 +8773,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<listitem> <listitem>
<para> <para>
Sets the minimum time for which the server will cache ordinary Sets the minimum time for which the server will cache ordinary
(positive) answers in seconds. For convenience, TTL-style time (positive) answers in seconds. For convenience, TTL-style
unit suffixes may be used to specify the value. The default time unit suffixes may be used to specify the value. It also
<command>min-cache-ttl</command> is <literal>0</literal> accepts ISO 8601 duration formats.
seconds. <command>min-cache-ttl</command> cannot exceed 90 </para>
<para>
The default <command>min-cache-ttl</command> is
<literal>0</literal> seconds.
<command>min-cache-ttl</command> cannot exceed 90
seconds and will be truncated to 90 seconds if set to a seconds and will be truncated to 90 seconds if set to a
greater value. greater value.
</para> </para>
@@ -8773,15 +8792,19 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<listitem> <listitem>
<para> <para>
To reduce network traffic and increase performance, To reduce network traffic and increase performance,
the server stores negative answers. <command>max-ncache-ttl</command> is the server stores negative answers.
<command>max-ncache-ttl</command> is
used to set a maximum retention time for these answers in used to set a maximum retention time for these answers in
the server in seconds. the server in seconds. For convenience, TTL-style time unit
For convenience, TTL-style time unit suffixes may be suffixes may be used to specify the value. It also accepts
used to specify the value. The default ISO 8601 duration formats.
<command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours). </para>
<command>max-ncache-ttl</command> cannot exceed <para>
7 days and will The default <command>max-ncache-ttl</command> is
be silently truncated to 7 days if set to a greater value. <literal>10800</literal> seconds (3 hours).
<command>max-ncache-ttl</command> cannot exceed 7 days and
will be silently truncated to 7 days if set to a greater
value.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -8793,7 +8816,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
Sets the maximum time for which the server will Sets the maximum time for which the server will
cache ordinary (positive) answers in seconds. cache ordinary (positive) answers in seconds.
For convenience, TTL-style time unit suffixes may be For convenience, TTL-style time unit suffixes may be
used to specify the value. used to specify the value. It also accepts ISO 8601
duration formats.
</para>
<para>
The default is 604800 (one week). The default is 604800 (one week).
A value of zero may cause all queries to return A value of zero may cause all queries to return
SERVFAIL, because of lost caches of intermediate SERVFAIL, because of lost caches of intermediate
@@ -10099,7 +10125,9 @@ deny-answer-aliases { "example.net"; };
The <command>max-policy-ttl</command> clause changes the The <command>max-policy-ttl</command> clause changes the
maximum seconds from its default of 5. maximum seconds from its default of 5.
For convenience, TTL-style time unit suffixes may be For convenience, TTL-style time unit suffixes may be
used to specify the value. used to specify the value. It also accepts ISO 8601 duration
formats.
</para> </para>
<para> <para>
@@ -10195,7 +10223,8 @@ example.com CNAME rpz-tcp-only.
recent update, then the changes will not be carried out until this recent update, then the changes will not be carried out until this
interval has elapsed. The default is <literal>60</literal> seconds. interval has elapsed. The default is <literal>60</literal> seconds.
For convenience, TTL-style time unit suffixes may be For convenience, TTL-style time unit suffixes may be
used to specify the value. used to specify the value. It also accepts ISO 8601 duration
formats.
</para> </para>
</section> </section>
@@ -12131,9 +12160,13 @@ view "external" {
<term><command>dnssec-policy</command></term> <term><command>dnssec-policy</command></term>
<listitem> <listitem>
<para> <para>
The key and signing policy for this zone. Set to The key and signing policy for this zone. This is a string
<userinput>"default"</userinput> if you want to make use referring to a <command>dnssec-policy</command> statement.
of the default policy. There are two built-in policies:
<userinput>"default"</userinput> allows you to use the
default policy, and <userinput>"none"</userinput> means
not to use any DNSSEC policy, keeping the zone unsigned.
The default is <userinput>"none"</userinput>.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
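Review bot: "keeping the zone unsigned" overstates what "none" does: it only means no dnssec-policy is applied to the zone, and a zone can still be signed by whatever other signing mechanism is configured for it, so say "no DNSSEC policy is applied to the zone; unless it is signed by other means, it stays unsigned." Because "none" is the default, this paragraph is also where an operator learns that zones are unsigned out of the box, which deserves a plainer sentence than "means not to use any DNSSEC policy". "allows you to use the default policy" would read better in the ARM's voice as "selects the built-in default policy", and since this commit adds a file documenting that policy's settings, this entry should cross-reference it rather than leave "default" undefined.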

View File

@@ -13,8 +13,9 @@
<programlisting> <programlisting>
<command>dnssec-policy</command> <replaceable>string</replaceable> { <command>dnssec-policy</command> <replaceable>string</replaceable> {
<<<<<<< HEAD
<command>dnskey-ttl</command> <replaceable>duration</replaceable>; <command>dnskey-ttl</command> <replaceable>duration</replaceable>;
<command>keys</command> { ( csk | ksk | zsk ) key-directory <replaceable>duration</replaceable> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... }; <command>keys</command> { ( csk | ksk | zsk ) key-directory lifetime <replaceable>duration</replaceable> algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
<command>parent-ds-ttl</command> <replaceable>duration</replaceable>; <command>parent-ds-ttl</command> <replaceable>duration</replaceable>;
<command>parent-propagation-delay</command> <replaceable>duration</replaceable>; <command>parent-propagation-delay</command> <replaceable>duration</replaceable>;
<command>parent-registration-delay</command> <replaceable>duration</replaceable>; <command>parent-registration-delay</command> <replaceable>duration</replaceable>;
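Review bot: removing the stray `<<<<<<< HEAD` merge marker is the important fix in this hunk, but a marker only ever appears with its `=======` and `>>>>>>>` partners, and neither is visible here, so confirm the rest of dnssec-policy.grammar.xml carries no leftover markers. In the new `keys` grammar, `algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ]`, the trailing optional integer is unlabeled; if it is the key length, give it a name such as `<replaceable>bits</replaceable>` so readers of the grammar can tell the two integers apart. The hunk header announces nine new-side lines, but fewer than that appear in this view, so the tail of the hunk could not be reviewed here.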