Commit 9dc63001 authored by Evan Hunt's avatar Evan Hunt

rename 'zone-max-ttl' to 'max-zone-ttl' for consistency

parent f862b974
......@@ -13,7 +13,7 @@
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
<info>
<date>2019-08-12</date>
<date>2019-12-12</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
......@@ -111,6 +111,26 @@ dlz <replaceable>string</replaceable> {
</literallayout>
</refsection>
<refsection><info><title>DNSSEC-POLICY</title></info>
<literallayout class="normal">
dnssec-policy <replaceable>string</replaceable> {
dnskey-ttl <replaceable>duration</replaceable>;
keys { ( csk | ksk | zsk ) ( key-directory ) lifetime <replaceable>duration</replaceable>
algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ]; ... };
max-zone-ttl <replaceable>duration</replaceable>;
parent-ds-ttl <replaceable>duration</replaceable>;
parent-propagation-delay <replaceable>duration</replaceable>;
parent-registration-delay <replaceable>duration</replaceable>;
publish-safety <replaceable>duration</replaceable>;
retire-safety <replaceable>duration</replaceable>;
signatures-refresh <replaceable>duration</replaceable>;
signatures-validity <replaceable>duration</replaceable>;
signatures-validity-dnskey <replaceable>duration</replaceable>;
zone-propagation-delay <replaceable>duration</replaceable>;
};
</literallayout>
</refsection>
<refsection><info><title>DYNDB</title></info>
<literallayout class="normal">
dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> {
......@@ -148,7 +168,7 @@ logging {
</refsection>
<refsection><info><title>MANAGED-KEYS</title></info>
<para>Deprecated - see TRUST-ANCHORS.</para>
<para>Deprecated - see DNSSEC-KEYS.</para>
<literallayout class="normal">
managed-keys { <replaceable>string</replaceable> ( static-key
| initial-key | static-ds |
......@@ -246,6 +266,7 @@ options {
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-policy <replaceable>string</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
......@@ -395,8 +416,8 @@ options {
<replaceable>integer</replaceable>;
response-policy { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
<replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>duration</replaceable> ] [ min-update-interval
<replaceable>duration</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
<replaceable>duration</replaceable> ] [ policy ( cname | disabled | drop | given | no-op
| nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>duration</replaceable> ] [
......@@ -529,7 +550,7 @@ trust-anchors { <replaceable>string</replaceable> ( static-key |
</refsection>
<refsection><info><title>TRUSTED-KEYS</title></info>
<para>Deprecated - see TRUST-ANCHORS.</para>
<para>Deprecated - see DNSSEC-KEYS.</para>
<literallayout class="normal">
trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable>
......@@ -610,6 +631,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-policy <replaceable>string</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
......@@ -733,8 +755,8 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
<replaceable>integer</replaceable>;
response-policy { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
<replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>duration</replaceable> ] [ min-update-interval
<replaceable>duration</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
<replaceable>duration</replaceable> ] [ policy ( cname | disabled | drop | given | no-op
| nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>duration</replaceable> ] [
......@@ -1014,26 +1036,6 @@ zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
</literallayout>
</refsection>
<refsection><info><title>DNSSEC-POLICY</title></info>
<literallayout class="normal">
dnssec-policy <replaceable>string</replaceable> {
dnskey-ttl <replaceable>duration</replaceable>;
keys { ( csk | ksk | zsk ) key-directory lifetime <replaceable>duration</replaceable> algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
parent-ds-ttl <replaceable>duration</replaceable>;
parent-propagation-delay <replaceable>duration</replaceable>;
parent-registration-delay <replaceable>duration</replaceable>;
publish-safety <replaceable>duration</replaceable>;
retire-safety <replaceable>duration</replaceable>;
signatures-refresh <replaceable>duration</replaceable>;
signatures-validity <replaceable>duration</replaceable>;
signatures-validity-dnskey <replaceable>duration</replaceable>;
zone-max-ttl <replaceable>duration</replaceable>;
zone-propagation-delay <replaceable>duration</replaceable>;
};
</literallayout>
</refsection>
<refsection><info><title>FILES</title></info>
<para><filename>/etc/named.conf</filename>
......
......@@ -21,16 +21,16 @@ dnssec-policy "test" {
zsk key-directory lifetime P30D algorithm 13;
csk key-directory lifetime P30D algorithm 8 2048;
};
max-zone-ttl 86400;
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
parent-registration-delay P1D;
publish-safety PT3600S;
retire-safety PT3600S;
signatures-refresh P3D;
signatures-validity P2W;
signatures-validity-dnskey P14D;
zone-max-ttl 86400;
zone-propagation-delay PT5M;
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
parent-registration-delay P1D;
};
options {
dnssec-policy "default";
......
......@@ -21,16 +21,16 @@ dnssec-policy "test" {
zsk key-directory lifetime P30D algorithm 13;
csk key-directory lifetime P30D algorithm 8 2048;
};
max-zone-ttl 86400;
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
parent-registration-delay P1D;
publish-safety PT3600S;
retire-safety PT3600S;
signatures-refresh P3D;
signatures-validity P2W;
signatures-validity-dnskey P14D;
zone-max-ttl 86400;
zone-propagation-delay PT5M;
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
parent-registration-delay P1D;
};
options {
avoid-v4-udp-ports {
......
......@@ -39,7 +39,7 @@ dnssec-policy "zsk-prepub" {
};
zone-propagation-delay PT1H;
zone-max-ttl 1d;
max-zone-ttl 1d;
};
dnssec-policy "ksk-doubleksk" {
......@@ -58,7 +58,7 @@ dnssec-policy "ksk-doubleksk" {
};
zone-propagation-delay PT1H;
zone-max-ttl 1d;
max-zone-ttl 1d;
parent-ds-ttl 3600;
parent-registration-delay P1D;
......@@ -80,7 +80,7 @@ dnssec-policy "csk-roll" {
};
zone-propagation-delay 1h;
zone-max-ttl P1D;
max-zone-ttl P1D;
parent-ds-ttl 1h;
parent-registration-delay 1d;
......@@ -102,7 +102,7 @@ dnssec-policy "csk-roll2" {
};
zone-propagation-delay PT1H;
zone-max-ttl 1d;
max-zone-ttl 1d;
parent-ds-ttl PT1H;
parent-registration-delay P1W;
......
......@@ -11209,22 +11209,23 @@ example.com CNAME rpz-tcp-only.
</varlistentry>
 
<varlistentry>
<term><command>zone-max-ttl</command></term>
<term><command>max-zone-ttl</command></term>
<listitem>
<para>
Like <command>max-zone-ttl</command>, specifies the
maximum permissible TTL value in seconds. When loading a
zone file using a <option>masterfile-format</option> or
Like the <command>max-zone-ttl</command> zone option,
this specifies the maximum permissible TTL value in
seconds for the zone. When loading a zone file using
a <option>masterfile-format</option> of
<constant>text</constant> or <constant>raw</constant>,
any record encountered with a TTL higher than
<option>zone-max-ttl</option> will be capped to the
<option>max-zone-ttl</option> will be capped to the
maximum permissible TTL value.
</para>
<para>
This is needed in DNSSEC-maintained zones because when
rolling to a new DNSKEY, the old key needs to remain
available until RRSIG records have expired from caches.
The <option>zone-max-ttl</option> option guarantees that
The <option>max-zone-ttl</option> option guarantees that
the largest TTL in the zone will be no higher than the
set value.
</para>
......@@ -11235,8 +11236,8 @@ example.com CNAME rpz-tcp-only.
</para>
<para>
The default value is <constant>PT24H</constant> (24 hours).
A <option>zone-max-ttl</option> of zero is treated as if
the default value is in use.
A <option>max-zone-ttl</option> of zero is treated as if
the default value were in use.
</para>
</listitem>
</varlistentry>
......
......@@ -15,6 +15,7 @@
<command>dnssec-policy</command> <replaceable>string</replaceable> {
<command>dnskey-ttl</command> <replaceable>duration</replaceable>;
<command>keys</command> { ( csk | ksk | zsk ) key-directory lifetime <replaceable>duration</replaceable> algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
<command>max-zone-ttl</command> <replaceable>duration</replaceable>;
<command>parent-ds-ttl</command> <replaceable>duration</replaceable>;
<command>parent-propagation-delay</command> <replaceable>duration</replaceable>;
<command>parent-registration-delay</command> <replaceable>duration</replaceable>;
......@@ -23,7 +24,6 @@
<command>signatures-refresh</command> <replaceable>duration</replaceable>;
<command>signatures-validity</command> <replaceable>duration</replaceable>;
<command>signatures-validity-dnskey</command> <replaceable>duration</replaceable>;
<command>zone-max-ttl</command> <replaceable>duration</replaceable>;
<command>zone-propagation-delay</command> <replaceable>duration</replaceable>;
};
</programlisting>
......
......@@ -90,6 +90,7 @@
<command>dnssec-dnskey-kskonly</command> <replaceable>boolean</replaceable>;
<command>dnssec-loadkeys-interval</command> <replaceable>integer</replaceable>;
<command>dnssec-must-be-secure</command> <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
<command>dnssec-policy</command> <replaceable>string</replaceable>;
<command>dnssec-secure-to-insecure</command> <replaceable>boolean</replaceable>;
<command>dnssec-update-mode</command> ( maintain | no-resign );
<command>dnssec-validation</command> ( yes | no | auto );
......@@ -239,8 +240,8 @@
<replaceable>integer</replaceable>;
<command>response-policy</command> { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
<replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>duration</replaceable> ] [ min-update-interval
<replaceable>duration</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
<command>nodata</command> | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
<replaceable>duration</replaceable> ] [ policy ( cname | disabled | drop | given | no-op
| nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
<command>recursive-only</command> <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
<command>nsdname-enable</command> <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
<command>break-dnssec</command> <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>duration</replaceable> ] [
......
......@@ -156,7 +156,7 @@ dnssec-policy "nsec3" {
zone-soa-ttl 3600;
zone-soa-minimum 3600;
zone-soa-serial-update-method unixtime;
zone-max-ttl 24h;
max-zone-ttl 24h;
// Parent properties
parent-propagation-delay PT24H;
......
......@@ -16,7 +16,7 @@ dnssec-policy "default" {
signatures-validity-dnskey 14d;
// Zone parameters
zone-max-ttl 86400;
max-zone-ttl 86400;
zone-propagation-delay 300;
// Parent parameters
......
......@@ -25,6 +25,7 @@ dnssec-policy <string> {
dnskey-ttl <duration>;
keys { ( csk | ksk | zsk ) ( key-directory ) lifetime <duration>
algorithm <integer> [ <integer> ]; ... };
max-zone-ttl <duration>;
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
parent-registration-delay <duration>;
......@@ -33,7 +34,6 @@ dnssec-policy <string> {
signatures-refresh <duration>;
signatures-validity <duration>;
signatures-validity-dnskey <duration>;
zone-max-ttl <duration>;
zone-propagation-delay <duration>;
}; // may occur multiple times
......@@ -206,7 +206,7 @@ options {
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <duration>; // not configured
geoip-directory ( <quoted_string> | none ); // not configured
geoip-directory ( <quoted_string> | none );
geoip-use-ecs <boolean>; // obsolete
glue-cache <boolean>;
has-old-clients <boolean>; // ancient
......@@ -227,7 +227,7 @@ options {
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
lmdb-mapsize <sizeval>; // non-operational
lmdb-mapsize <sizeval>;
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // ancient
managed-keys-directory <quoted_string>;
......@@ -581,7 +581,7 @@ view <string> [ <class> ] {
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <duration>;
lmdb-mapsize <sizeval>; // non-operational
lmdb-mapsize <sizeval>;
maintain-ixfr-base <boolean>; // ancient
managed-keys { <string> (
static-key | initial-key
......
......@@ -25,6 +25,7 @@ dnssec-policy <string> {
dnskey-ttl <duration>;
keys { ( csk | ksk | zsk ) ( key-directory ) lifetime <duration>
algorithm <integer> [ <integer> ]; ... };
max-zone-ttl <duration>;
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
parent-registration-delay <duration>;
......@@ -33,7 +34,6 @@ dnssec-policy <string> {
signatures-refresh <duration>;
signatures-validity <duration>;
signatures-validity-dnskey <duration>;
zone-max-ttl <duration>;
zone-propagation-delay <duration>;
}; // may occur multiple times
......@@ -188,7 +188,7 @@ options {
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <duration>; // not configured
geoip-directory ( <quoted_string> | none ); // not configured
geoip-directory ( <quoted_string> | none );
glue-cache <boolean>;
heartbeat-interval <integer>;
hostname ( <quoted_string> | none );
......@@ -205,7 +205,7 @@ options {
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
lmdb-mapsize <sizeval>; // non-operational
lmdb-mapsize <sizeval>;
lock-file ( <quoted_string> | none );
managed-keys-directory <quoted_string>;
masterfile-format ( map | raw | text );
......@@ -522,7 +522,7 @@ view <string> [ <class> ] {
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <duration>;
lmdb-mapsize <sizeval>; // non-operational
lmdb-mapsize <sizeval>;
managed-keys { <string> (
static-key | initial-key
| static-ds | initial-ds
......
......@@ -1042,7 +1042,7 @@ keymgr_transition_time(dns_dnsseckey_t* key, int type,
* TTLsig is the maximum TTL of all zone RRSIG
* records. This translates to:
*
* Dsgn + zone-propragation-delay + zone-max-ttl.
* Dsgn + zone-propragation-delay + max-zone-ttl.
*
* We will also add the retire-safety interval.
*/
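Review bot: The rewritten comment line still spells the other option as `zone-propragation-delay`. Since the line is being touched anyway, correct it to `* Dsgn + zone-propagation-delay + max-zone-ttl.` so that a search for the option name finds the retirement-timing formula that depends on it. The comment block and `keymgr_transition_time()` both begin and end outside this hunk.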
......
......@@ -191,7 +191,7 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t* mctx,
ISC_INSIST(!(dns_kasp_keylist_empty(kasp)));
/* Configuration: Zone settings */
dns_kasp_setzonemaxttl(kasp, get_duration(maps, "zone-max-ttl",
dns_kasp_setzonemaxttl(kasp, get_duration(maps, "max-zone-ttl",
DNS_KASP_ZONE_MAXTTL));
dns_kasp_setzonepropagationdelay(kasp, get_duration(maps,
"zone-propagation-delay",
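Review bot: After the rename, the policy clause read by `get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL)` has the same name as the existing `max-zone-ttl` zone option, and nothing visible here says how the two relate. The only consumer shown on this page is `dns_kasp_setzonemaxttl()`, which feeds key-timing calculation, while the ARM text in this commit says records with a higher TTL "will be capped". If capping is in fact driven only by the zone-level option (not visible here, so please confirm), a zone with TTLs longer than the policy value would have its old key retired before cached RRSIGs expire, and validation would fail. I would add a comment above this call such as `/* key-timing input only; TTL capping is enforced from <where> */` with the real location filled in, or check that the two settings agree. `cfg_kasp_fromconfig()` starts and ends outside the hunk.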
......
......@@ -2078,16 +2078,16 @@ static cfg_clausedef_t
dnssecpolicy_clauses[] = {
{ "dnskey-ttl", &cfg_type_duration, 0 },
{ "keys", &cfg_type_kaspkeys, 0 },
{ "max-zone-ttl", &cfg_type_duration, 0 },
{ "parent-ds-ttl", &cfg_type_duration, 0 },
{ "parent-propagation-delay", &cfg_type_duration, 0 },
{ "parent-registration-delay", &cfg_type_duration, 0 },
{ "publish-safety", &cfg_type_duration, 0 },
{ "retire-safety", &cfg_type_duration, 0 },
{ "signatures-refresh", &cfg_type_duration, 0 },
{ "signatures-validity", &cfg_type_duration, 0 },
{ "signatures-validity-dnskey", &cfg_type_duration, 0 },
{ "zone-max-ttl", &cfg_type_duration, 0 },
{ "zone-propagation-delay", &cfg_type_duration, 0 },
{ "parent-ds-ttl", &cfg_type_duration, 0 },
{ "parent-propagation-delay", &cfg_type_duration, 0 },
{ "parent-registration-delay", &cfg_type_duration, 0 },
{ NULL, NULL, 0 }
};
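Review bot: `dnssecpolicy_clauses[]` drops the old spelling `"zone-max-ttl"` with no alias, so any existing `dnssec-policy` block that uses it will presumably be rejected as an unknown option when the configuration is loaded. Rejecting is the safer outcome, because silently ignoring the old name would make key-rollover timing fall back to `DNS_KASP_ZONE_MAXTTL` while the operator believes a different bound applies. The break should still be deliberate and documented, and no release-note change is visible on this page. I would add a comment above the table such as `/* "zone-max-ttl" was renamed to "max-zone-ttl"; the old name is intentionally not accepted */`, plus a release-note entry if the old name ever shipped.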
......