Commit a339a6df authored by Matthijs Mekking

Update docs with durations, built-in dnssec-policy

Clarify in the ARM that TTL-style options can also now take ISO
8601 durations.

Mention the built-in dnssec policies "default" and "none".  Mention
that "none" is the default.

Add a file documenting the default dnssec-policy configuration options.

Fix dnssec-policy syntax in ARM (dnssec-policy.grammar.xml).
parent 6f096f52
dnssec-policy "default" {
// Keys
keys {
csk key-directory lifetime 0 algorithm 13;
};
// Key timings
dnskey-ttl 3600;
publish-safety 1h;
retire-safety 1h;
// Signature timings
signatures-refresh 5d;
signatures-validity 14d;
signatures-validity-dnskey 14d;
// Zone parameters
zone-max-ttl 86400;
zone-propagation-delay 300;
// Parent parameters
parent-ds-ttl 86400;
parent-registration-delay 24h;
parent-propagation-delay 1h;
};
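Review bot: `lifetime 0` on the csk line is the one value in this file a reader cannot interpret from the listing alone; add a comment stating what 0 means for the key lifetime (whether the key is never rolled), and note on the same line that algorithm 13 is ECDSAP256SHA256. Since the commit message presents this file as documenting the default policy, a header comment naming the ARM section that includes it would also help.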
......@@ -4467,9 +4467,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
The number of seconds to wait between attempts to
reopen a closed output stream. The minimum is 1 second,
the maximum is 600 seconds (10 minutes), and the default
is 5 seconds.
For convenience, TTL-style time unit suffixes may be
used to specify the value.
is 5 seconds. For convenience, TTL-style time unit
suffixes may be used to specify the value. It also
accepts ISO 8601 duration formats.
</simpara>
</listitem>
</itemizedlist>
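Review bot: the sentence "It also accepts ISO 8601 duration formats." is pasted verbatim into every option description in this commit; define the accepted duration syntax (TTL-style suffixes and ISO 8601) once in the ARM and point each option at it with an <xref>, so a later parser change needs a single edit. The pronoun "It" also follows a sentence whose subject is the suffixes; "The option also accepts ..." is unambiguous.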
......@@ -5271,8 +5271,11 @@ options {
<para>
For convenience, TTL-style time unit suffixes can be
used to specify the NTA lifetime in seconds, minutes
or hours. <option>nta-lifetime</option> defaults to
one hour. It cannot exceed one week.
or hours. It also accepts ISO 8601 duration formats.
</para>
<para>
<option>nta-lifetime</option> defaults to one hour. It
cannot exceed one week.
</para>
</listitem>
</varlistentry>
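Review bot: the retained phrase "in seconds, minutes or hours" reads as an exhaustive list, which the new ISO 8601 sentence contradicts (a duration expressed in days is neither); consider "using TTL-style time unit suffixes or ISO 8601 durations" and let the one-week cap in the following paragraph state the range.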
......@@ -5305,9 +5308,13 @@ options {
<para>
For convenience, TTL-style time unit suffixes can be
used to specify the NTA recheck interval in seconds,
minutes or hours. The default is five minutes. It
cannot be longer than <option>nta-lifetime</option>
(which cannot be longer than a week).
minutes or hours. It also accepts ISO 8601 duration
formats.
</para>
<para>
The default is five minutes. It cannot be longer than
<option>nta-lifetime</option> (which cannot be longer
than a week).
</para>
</listitem>
</varlistentry>
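Review bot: the second paragraph says the value "cannot be longer than nta-lifetime" but, unlike the min-cache-ttl and min-ncache-ttl entries in this same commit, does not say what happens when it is: rejected at configuration load or silently clamped. State which, since an operator setting PT1H here with the default nta-lifetime needs to know whether named will start.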
......@@ -5318,7 +5325,10 @@ options {
<para>
Specifies a maximum permissible TTL value in seconds.
For convenience, TTL-style time unit suffixes may be
used to specify the maximum value.
used to specify the maximum value. It also
accepts ISO 8601 duration formats.
</para>
<para>
When loading a zone file using a
<option>masterfile-format</option> of
<constant>text</constant> or <constant>raw</constant>,
......@@ -8463,7 +8473,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<command>listen-on</command> configuration), and
will stop listening on interfaces that have gone away.
For convenience, TTL-style time unit suffixes may be
used to specify the value.
used to specify the value. It also accepts ISO 8601
duration formats.
</para>
</listitem>
</varlistentry>
......@@ -8744,9 +8755,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
stores negative answers. <command>min-ncache-ttl</command> is
used to set a minimum retention time for these answers in the
server in seconds. For convenience, TTL-style time unit
suffixes may be used to specify the value. The default
<command>min-ncache-ttl</command> is <literal>0</literal>
seconds. <command>min-ncache-ttl</command> cannot exceed 90
suffixes may be used to specify the value. It also
accepts ISO 8601 duration formats.
</para>
<para>
The default <command>min-ncache-ttl</command> is
<literal>0</literal> seconds.
<command>min-ncache-ttl</command> cannot exceed 90
seconds and will be truncated to 90 seconds if set to a
greater value.
</para>
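Review bot: "will be truncated to 90 seconds" here versus "will be silently truncated to 7 days" in the max-ncache-ttl entry of this commit describe the same behaviour with different wording; use one phrasing and say whether the truncation is logged, which matters more now that an ISO 8601 value such as PT2M is also accepted and would be clamped.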
......@@ -8758,10 +8773,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<listitem>
<para>
Sets the minimum time for which the server will cache ordinary
(positive) answers in seconds. For convenience, TTL-style time
unit suffixes may be used to specify the value. The default
<command>min-cache-ttl</command> is <literal>0</literal>
seconds. <command>min-cache-ttl</command> cannot exceed 90
(positive) answers in seconds. For convenience, TTL-style
time unit suffixes may be used to specify the value. It also
accepts ISO 8601 duration formats.
</para>
<para>
The default <command>min-cache-ttl</command> is
<literal>0</literal> seconds.
<command>min-cache-ttl</command> cannot exceed 90
seconds and will be truncated to 90 seconds if set to a
greater value.
</para>
......@@ -8773,15 +8792,19 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<listitem>
<para>
To reduce network traffic and increase performance,
the server stores negative answers. <command>max-ncache-ttl</command> is
the server stores negative answers.
<command>max-ncache-ttl</command> is
used to set a maximum retention time for these answers in
the server in seconds.
For convenience, TTL-style time unit suffixes may be
used to specify the value. The default
<command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
<command>max-ncache-ttl</command> cannot exceed
7 days and will
be silently truncated to 7 days if set to a greater value.
the server in seconds. For convenience, TTL-style time unit
suffixes may be used to specify the value. It also accepts
ISO 8601 duration formats.
</para>
<para>
The default <command>max-ncache-ttl</command> is
<literal>10800</literal> seconds (3 hours).
<command>max-ncache-ttl</command> cannot exceed 7 days and
will be silently truncated to 7 days if set to a greater
value.
</para>
</listitem>
</varlistentry>
......@@ -8793,7 +8816,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
Sets the maximum time for which the server will
cache ordinary (positive) answers in seconds.
For convenience, TTL-style time unit suffixes may be
used to specify the value.
used to specify the value. It also accepts ISO 8601
duration formats.
</para>
<para>
The default is 604800 (one week).
A value of zero may cause all queries to return
SERVFAIL, because of lost caches of intermediate
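Review bot: "The default is 604800 (one week)." is the only default in this set of hunks given without a unit or <literal> markup; for consistency with the sibling entries write "The default is <literal>604800</literal> seconds (one week)." A reader skimming for the unit otherwise has to infer it from the paragraph above.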
......@@ -10099,7 +10125,9 @@ deny-answer-aliases { "example.net"; };
The <command>max-policy-ttl</command> clause changes the
maximum seconds from its default of 5.
For convenience, TTL-style time unit suffixes may be
used to specify the value.
used to specify the value. It also accepts ISO 8601 duration
formats.
</para>
 
<para>
......@@ -10195,7 +10223,8 @@ example.com CNAME rpz-tcp-only.
recent update, then the changes will not be carried out until this
interval has elapsed. The default is <literal>60</literal> seconds.
For convenience, TTL-style time unit suffixes may be
used to specify the value.
used to specify the value. It also accepts ISO 8601 duration
formats.
</para>
</section>
 
......@@ -12131,9 +12160,13 @@ view "external" {
<term><command>dnssec-policy</command></term>
<listitem>
<para>
The key and signing policy for this zone. Set to
<userinput>"default"</userinput> if you want to make use
of the default policy.
The key and signing policy for this zone. This is a string
referring to a <command>dnssec-policy</command> statement.
There are two built-in policies:
<userinput>"default"</userinput> allows you to use the
default policy, and <userinput>"none"</userinput> means
not to use any DNSSEC policy, keeping the zone unsigned.
The default is <userinput>"none"</userinput>.
</para>
</listitem>
</varlistentry>
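Review bot: <userinput> is the wrong element for the policy names "default" and "none"; elsewhere in this document configuration values use <literal> or <constant> (see <constant>text</constant> and <literal>0</literal> in the other hunks), and <userinput> denotes interactively typed text. Also, "allows you to use the default policy" would be more useful as "uses the built-in default policy" with an <xref> to the new file that lists its settings, since that file is the only place the default values are spelled out.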
......@@ -13,8 +13,9 @@
<programlisting>
<command>dnssec-policy</command> <replaceable>string</replaceable> {
<<<<<<< HEAD
<command>dnskey-ttl</command> <replaceable>duration</replaceable>;
<command>keys</command> { ( csk | ksk | zsk ) key-directory <replaceable>duration</replaceable> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
<command>keys</command> { ( csk | ksk | zsk ) key-directory lifetime <replaceable>duration</replaceable> algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
<command>parent-ds-ttl</command> <replaceable>duration</replaceable>;
<command>parent-propagation-delay</command> <replaceable>duration</replaceable>;
<command>parent-registration-delay</command> <replaceable>duration</replaceable>;
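Review bot: the line "<<<<<<< HEAD" directly after the opening brace of the dnssec-policy statement is a leftover merge conflict marker committed into the grammar file; it will make dnssec-policy.grammar.xml invalid XML and break the ARM build. Remove it together with any matching "=======" and ">>>>>>>" lines further down the file, and keep only the corrected keys line with "lifetime <replaceable>duration</replaceable> algorithm <replaceable>integer</replaceable>".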