diff --git a/CHANGES b/CHANGES
index a590558886..da00868330 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5334. [doc] Update documentation with dnssec-policy clarifications.
+ Also change some defaults.
+
5333. [bug] Fix duration printing on Solaris when value is not
an ISO 8601 duration. [GL #1460]
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index e4e207758c..604fd90f53 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -724,7 +724,7 @@ status=$((status+ret))
#
zone_properties "ns3" "rsasha1.kasp" "rsasha1" "1234" "3" "10.53.0.3"
key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "1024" "yes" "no"
+key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "2048" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no"
# The first keys are immediately published and activated.
# Because lifetime > 0, retired timing is also set.
@@ -997,7 +997,7 @@ check_subdomain
#
zone_properties "ns3" "inherit.kasp" "rsasha1" "1234" "3" "10.53.0.3"
key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "1024" "yes" "no"
+key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "2048" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no"
# The first keys are immediately published and activated.
# Because lifetime > 0, retired timing is also set.
@@ -1107,7 +1107,7 @@ status=$((status+ret))
#
zone_properties "ns3" "rsasha1-nsec3.kasp" "rsasha1-nsec3" "1234" "3" "10.53.0.3"
key_properties "KEY1" "ksk" "315360000" "7" "NSEC3RSASHA1" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "7" "NSEC3RSASHA1" "1024" "yes" "no"
+key_properties "KEY2" "zsk" "157680000" "7" "NSEC3RSASHA1" "2048" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "7" "NSEC3RSASHA1" "2000" "yes" "no"
# key_timings and key_states same as above.
check_keys
@@ -1120,7 +1120,7 @@ dnssec_verify
#
zone_properties "ns3" "rsasha256.kasp" "rsasha256" "1234" "3" "10.53.0.3"
key_properties "KEY1" "ksk" "315360000" "8" "RSASHA256" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "8" "RSASHA256" "1024" "yes" "no"
+key_properties "KEY2" "zsk" "157680000" "8" "RSASHA256" "2048" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "8" "RSASHA256" "2000" "yes" "no"
# key_timings and key_states same as above.
check_keys
@@ -1133,7 +1133,7 @@ dnssec_verify
#
zone_properties "ns3" "rsasha512.kasp" "rsasha512" "1234" "3" "10.53.0.3"
key_properties "KEY1" "ksk" "315360000" "10" "RSASHA512" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "10" "RSASHA512" "1024" "yes" "no"
+key_properties "KEY2" "zsk" "157680000" "10" "RSASHA512" "2048" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "10" "RSASHA512" "2000" "yes" "no"
# key_timings and key_states same as above.
check_keys
diff --git a/dnssec-policy.default.conf b/dnssec-policy.default.conf
new file mode 100644
index 0000000000..d94b2550f0
--- /dev/null
+++ b/dnssec-policy.default.conf
@@ -0,0 +1,26 @@
+dnssec-policy "default" {
+
+ // Keys
+ keys {
+ csk key-directory lifetime 0 algorithm 13;
+ };
+
+ // Key timings
+ dnskey-ttl 3600;
+ publish-safety 1h;
+ retire-safety 1h;
+
+ // Signature timings
+ signatures-refresh 5d;
+ signatures-validity 14d;
+ signatures-validity-dnskey 14d;
+
+ // Zone parameters
+ zone-max-ttl 86400;
+ zone-propagation-delay 300;
+
+ // Parent parameters
+ parent-ds-ttl 86400;
+ parent-registration-delay 24h;
+ parent-propagation-delay 1h;
+};
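Review bot: The `csk key-directory lifetime 0 algorithm 13;` line in the new file carries no explanation of `lifetime 0`; the test comments in bin/tests/system/kasp/tests.sh in this same commit say retire timing is only set when lifetime > 0, so `0` presumably means the key is never scheduled for retirement, which an operator copying this file as a template should be told rather than left to discover when no rollover ever happens. Suggest `// lifetime 0: the key is never retired (no automatic rollover); algorithm 13 is ECDSAP256SHA256.` above the keys block. A one-line file header stating that these values mirror the compiled-in defaults in lib/dns/include/dns/kasp.h would also make clear that the two must be changed together.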
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index f57a1dcd0a..c730866b9b 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -4467,9 +4467,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
The number of seconds to wait between attempts to
reopen a closed output stream. The minimum is 1 second,
the maximum is 600 seconds (10 minutes), and the default
- is 5 seconds.
- For convenience, TTL-style time unit suffixes may be
- used to specify the value.
+ is 5 seconds. For convenience, TTL-style time unit
+ suffixes may be used to specify the value. It also
+ accepts ISO 8601 duration formats.
@@ -5271,8 +5271,11 @@ options {
For convenience, TTL-style time unit suffixes can be
used to specify the NTA lifetime in seconds, minutes
- or hours. defaults to
- one hour. It cannot exceed one week.
+ or hours. It also accepts ISO 8601 duration formats.
+
+
+ defaults to one hour. It
+ cannot exceed one week.
@@ -5305,9 +5308,13 @@ options {
For convenience, TTL-style time unit suffixes can be
used to specify the NTA recheck interval in seconds,
- minutes or hours. The default is five minutes. It
- cannot be longer than
- (which cannot be longer than a week).
+ minutes or hours. It also accepts ISO 8601 duration
+ formats.
+
+
+ The default is five minutes. It cannot be longer than
+ (which cannot be longer
+ than a week).
@@ -5318,7 +5325,10 @@ options {
Specifies a maximum permissible TTL value in seconds.
For convenience, TTL-style time unit suffixes may be
- used to specify the maximum value.
+ used to specify the maximum value. It also
+ accepts ISO 8601 duration formats.
+
+
When loading a zone file using a
of
text or raw,
@@ -8463,7 +8473,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
listen-on configuration), and
will stop listening on interfaces that have gone away.
For convenience, TTL-style time unit suffixes may be
- used to specify the value.
+ used to specify the value. It also accepts ISO 8601
+ duration formats.
@@ -8744,9 +8755,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
stores negative answers. min-ncache-ttl is
used to set a minimum retention time for these answers in the
server in seconds. For convenience, TTL-style time unit
- suffixes may be used to specify the value. The default
- min-ncache-ttl is 0
- seconds. min-ncache-ttl cannot exceed 90
+ suffixes may be used to specify the value. It also
+ accepts ISO 8601 duration formats.
+
+
+ The default min-ncache-ttl is
+ 0 seconds.
+ min-ncache-ttl cannot exceed 90
seconds and will be truncated to 90 seconds if set to a
greater value.
@@ -8758,10 +8773,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
Sets the minimum time for which the server will cache ordinary
- (positive) answers in seconds. For convenience, TTL-style time
- unit suffixes may be used to specify the value. The default
- min-cache-ttl is 0
- seconds. min-cache-ttl cannot exceed 90
+ (positive) answers in seconds. For convenience, TTL-style
+ time unit suffixes may be used to specify the value. It also
+ accepts ISO 8601 duration formats.
+
+
+ The default min-cache-ttl is
+ 0 seconds.
+ min-cache-ttl cannot exceed 90
seconds and will be truncated to 90 seconds if set to a
greater value.
@@ -8773,15 +8792,19 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
To reduce network traffic and increase performance,
- the server stores negative answers. max-ncache-ttl is
+ the server stores negative answers.
+ max-ncache-ttl is
used to set a maximum retention time for these answers in
- the server in seconds.
- For convenience, TTL-style time unit suffixes may be
- used to specify the value. The default
- max-ncache-ttl is 10800 seconds (3 hours).
- max-ncache-ttl cannot exceed
- 7 days and will
- be silently truncated to 7 days if set to a greater value.
+ the server in seconds. For convenience, TTL-style time unit
+ suffixes may be used to specify the value. It also accepts
+ ISO 8601 duration formats.
+
+
+ The default max-ncache-ttl is
+ 10800 seconds (3 hours).
+ max-ncache-ttl cannot exceed 7 days and
+ will be silently truncated to 7 days if set to a greater
+ value.
@@ -8793,7 +8816,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
Sets the maximum time for which the server will
cache ordinary (positive) answers in seconds.
For convenience, TTL-style time unit suffixes may be
- used to specify the value.
+ used to specify the value. It also accepts ISO 8601
+ duration formats.
+
+
The default is 604800 (one week).
A value of zero may cause all queries to return
SERVFAIL, because of lost caches of intermediate
@@ -10099,7 +10125,9 @@ deny-answer-aliases { "example.net"; };
The max-policy-ttl clause changes the
maximum seconds from its default of 5.
For convenience, TTL-style time unit suffixes may be
- used to specify the value.
+ used to specify the value. It also accepts ISO 8601 duration
+ formats.
+
@@ -10195,7 +10223,8 @@ example.com CNAME rpz-tcp-only.
recent update, then the changes will not be carried out until this
interval has elapsed. The default is 60 seconds.
For convenience, TTL-style time unit suffixes may be
- used to specify the value.
+ used to specify the value. It also accepts ISO 8601 duration
+ formats.
@@ -11117,8 +11146,8 @@ example.com CNAME rpz-tcp-only.
A margin that is added to the publish interval in key
timing equations to give some extra time to cover
- unforeseen events. Default is PT5M
- (5 minutes).
+ unforeseen events. Default is PT1H
+ (1 hour).
@@ -11129,8 +11158,8 @@ example.com CNAME rpz-tcp-only.
A margin that is added to the retire interval in key
timing equations to give some extra time to cover
- unforeseen events. Default is PT5M
- (5 minutes).
+ unforeseen events. Default is PT1H
+ (1 hour).
@@ -11222,7 +11251,7 @@ example.com CNAME rpz-tcp-only.
The TTL of the DS RRset that the parent uses. Default is
- PT1H (1 hour).
+ P1D (1 day).
@@ -12131,9 +12160,13 @@ view "external" {
dnssec-policy
- The key and signing policy for this zone. Set to
- "default" if you want to make use
- of the default policy.
+ The key and signing policy for this zone. This is a string
+ referring to a dnssec-policy statement.
+ There are two built-in policies:
+ "default" allows you to use the
+ default policy, and "none" means
+ not to use any DNSSEC policy, keeping the zone unsigned.
+ The default is "none".
diff --git a/doc/arm/dnssec-policy.grammar.xml b/doc/arm/dnssec-policy.grammar.xml
index 20bc930097..ae3839cbf4 100644
--- a/doc/arm/dnssec-policy.grammar.xml
+++ b/doc/arm/dnssec-policy.grammar.xml
@@ -14,7 +14,7 @@
dnssec-policystring {
dnskey-ttlduration;
- keys { ( csk | ksk | zsk ) key-directory durationinteger [ integer ] ; ... };
+ keys { ( csk | ksk | zsk ) key-directory lifetime duration algorithm integer [ integer ] ; ... };
parent-ds-ttlduration;
parent-propagation-delayduration;
parent-registration-delayduration;
diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h
index 396ef5cade..e98a486e06 100644
--- a/lib/dns/include/dns/kasp.h
+++ b/lib/dns/include/dns/kasp.h
@@ -99,9 +99,9 @@ struct dns_kasp {
#define DNS_KASP_SIG_VALIDITY (86400*14)
#define DNS_KASP_SIG_VALIDITY_DNSKEY (86400*14)
#define DNS_KASP_KEY_TTL (3600)
-#define DNS_KASP_DS_TTL (3600)
-#define DNS_KASP_PUBLISH_SAFETY (300)
-#define DNS_KASP_RETIRE_SAFETY (300)
+#define DNS_KASP_DS_TTL (86400)
+#define DNS_KASP_PUBLISH_SAFETY (3600)
+#define DNS_KASP_RETIRE_SAFETY (3600)
#define DNS_KASP_ZONE_MAXTTL (86400)
#define DNS_KASP_ZONE_PROPDELAY (300)
#define DNS_KASP_PARENT_PROPDELAY (3600)
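Review bot: The three redefined macros DNS_KASP_DS_TTL, DNS_KASP_PUBLISH_SAFETY and DNS_KASP_RETIRE_SAFETY are bare integer literals with no unit, and nothing in the header ties them to the same values that dnssec-policy.default.conf and the ARM text in this commit now state (86400 and 1h), so a later edit to one copy can silently desynchronise the others. Suggest a comment above the group, `/* Default dnssec-policy values, in seconds; keep in sync with dnssec-policy.default.conf and doc/arm/Bv9ARM-book.xml. */`. Raising the two safety margins from 300 to 3600 is a conservative choice, but it lengthens every rollover step by that amount, which the CHANGES entry ("Also change some defaults") does not spell out.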
diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c
index 1784b46be0..373dec9cc0 100644
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@@ -395,10 +395,8 @@ dns_kasp_key_size(dns_kasp_key_t *key) {
if (size > 4096) {
size = 4096;
}
- } else if (key->role & DNS_KASP_KEY_ROLE_KSK) {
- size = 2048;
} else {
- size = 1024;
+ size = 2048;
}
break;
case DNS_KEYALG_ECDSA256:
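Review bot: With the KSK branch folded into the final `else`, the role no longer affects the default RSA size, but the only sanity check visible on a configured size is the `if (size > 4096)` upper clamp; if the lines before the hunk do not enforce a lower bound, a policy can still request an RSA key smaller than the new 2048-bit default, which is worth confirming given that the test suite in this commit still passes an explicit `2000`. The new default also deserves a why-comment so the next reader does not reintroduce a per-role split: `/* Default RSA size for every role (KSK, ZSK, CSK); 1024-bit RSA is no longer considered adequate. */`. dns_kasp_key_size starts before and continues past this hunk.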