doc: add warning about timers infuencing zsk key lifetime

doc/man/knot.conf.5in

@@ -505,13 +505,13 @@ policy:
     zsk\-size: SIZE
     dnskey\-ttl: TIME
     zsk\-lifetime: TIME
+    propagation\-delay: TIME
     rrsig\-lifetime: TIME
     rrsig\-refresh: TIME
     nsec3: BOOL
     nsec3\-iterations: INT
     nsec3\-salt\-length: INT
     nsec3\-salt\-lifetime: TIME
-    propagation\-delay: TIME
 .ft P
 .fi
 .UNINDENT
@@ -550,11 +550,38 @@ A length of newly generated ZSK keys.
 A TTL value for DNSKEY records added into zone apex.
 .sp
 \fIDefault:\fP zone SOA TTL
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+has infuence over ZSK key lifetime
+.UNINDENT
+.UNINDENT
 .SS zsk\-lifetime
 .sp
 A period between ZSK publication and the next rollover initiation.
 .sp
 \fIDefault:\fP 30 days
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+ZSK key lifetime is also infuenced by propagation\-delay and dnskey\-ttl
+.UNINDENT
+.UNINDENT
+.SS propagation\-delay
+.sp
+An extra delay added for each key rollover step. This value should be high
+enough to cover propagation of data from the master server to all slaves.
+.sp
+\fIDefault:\fP 1 day
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+has infuence over ZSK key lifetime
+.UNINDENT
+.UNINDENT
 .SS rrsig\-lifetime
 .sp
 A validity period of newly issued signatures.
@@ -586,12 +613,6 @@ name before hashing.
 A validity period of newly issued salt field.
 .sp
 \fIDefault:\fP 30 days
-.SS propagation\-delay
-.sp
-An extra delay added for each key rollover step. This value should be high
-enough to cover propagation of data from the master server to all slaves.
-.sp
-\fIDefault:\fP 1 day
 .SH REMOTE SECTION
 .sp
 Definitions of remote servers for outgoing connections (source of a zone

doc/reference.rst

@@ -571,13 +571,13 @@ DNSSEC policy configuration.
      zsk-size: SIZE
      dnskey-ttl: TIME
      zsk-lifetime: TIME
+     propagation-delay: TIME
      rrsig-lifetime: TIME
      rrsig-refresh: TIME
      nsec3: BOOL
      nsec3-iterations: INT
      nsec3-salt-length: INT
      nsec3-salt-lifetime: TIME
-     propagation-delay: TIME
 
 .. _policy_id:
 
@@ -641,6 +641,9 @@ A TTL value for DNSKEY records added into zone apex.
 
 *Default:* zone SOA TTL
 
+.. NOTE::
+   has infuence over ZSK key lifetime
+
 .. _policy_zsk-lifetime:
 
 zsk-lifetime
@@ -650,6 +653,22 @@ A period between ZSK publication and the next rollover initiation.
 
 *Default:* 30 days
 
+.. NOTE::
+   ZSK key lifetime is also infuenced by propagation-delay and dnskey-ttl
+
+.. _policy_propagation-delay:
+
+propagation-delay
+-----------------
+
+An extra delay added for each key rollover step. This value should be high
+enough to cover propagation of data from the master server to all slaves.
+
+*Default:* 1 day
+
+.. NOTE::
+   has infuence over ZSK key lifetime
+
 .. _policy_rrsig-lifetime:
 
 rrsig-lifetime
@@ -705,16 +724,6 @@ A validity period of newly issued salt field.
 
 *Default:* 30 days
 
-.. _policy_propagation-delay:
-
-propagation-delay
------------------
-
-An extra delay added for each key rollover step. This value should be high
-enough to cover propagation of data from the master server to all slaves.
-
-*Default:* 1 day
-
 .. _Remote section:
 
 Remote section

src/knot/conf/scheme.c

@@ -172,6 +172,8 @@ static const yp_item_t desc_policy[] = {
 	                                   CONF_IO_FRLD_ZONES },
 	{ C_ZSK_LIFETIME,        YP_TINT,  YP_VINT = { 1, UINT32_MAX, DAYS(30), YP_STIME },
 	                                   CONF_IO_FRLD_ZONES },
+	{ C_PROPAG_DELAY,        YP_TINT,  YP_VINT = { 0, UINT32_MAX, HOURS(1), YP_STIME },
+					   CONF_IO_FRLD_ZONES },
 	{ C_RRSIG_LIFETIME,      YP_TINT,  YP_VINT = { 1, UINT32_MAX, DAYS(14), YP_STIME },
 	                                   CONF_IO_FRLD_ZONES },
 	{ C_RRSIG_REFRESH,       YP_TINT,  YP_VINT = { 1, UINT32_MAX, DAYS(7), YP_STIME },
@@ -181,8 +183,6 @@ static const yp_item_t desc_policy[] = {
 	{ C_NSEC3_SALT_LEN,      YP_TINT,  YP_VINT = { 0, UINT8_MAX, 8 }, CONF_IO_FRLD_ZONES },
 	{ C_NSEC3_SALT_LIFETIME, YP_TINT,  YP_VINT = { 1, UINT32_MAX, DAYS(30), YP_STIME },
 	                                   CONF_IO_FRLD_ZONES },
-	{ C_PROPAG_DELAY,        YP_TINT,  YP_VINT = { 0, UINT32_MAX, HOURS(1), YP_STIME },
-	                                   CONF_IO_FRLD_ZONES },
 	{ C_COMMENT,             YP_TSTR,  YP_VNONE },
 	{ NULL }
 };

src/knot/dnssec/context.c

@@ -78,6 +78,9 @@ static int policy_load(void *ctx, dnssec_kasp_policy_t *policy)
 	val = conf_rawid_get(conf(), C_POLICY, C_ZSK_LIFETIME, id, id_len);
 	policy->zsk_lifetime = conf_int(&val);
 
+	val = conf_rawid_get(conf(), C_POLICY, C_PROPAG_DELAY, id, id_len);
+	policy->propagation_delay = conf_int(&val);
+
 	val = conf_rawid_get(conf(), C_POLICY, C_RRSIG_LIFETIME, id, id_len);
 	policy->rrsig_lifetime = conf_int(&val);
 
@@ -96,9 +99,6 @@ static int policy_load(void *ctx, dnssec_kasp_policy_t *policy)
 	val = conf_rawid_get(conf(), C_POLICY, C_NSEC3_SALT_LIFETIME, id, id_len);
 	policy->nsec3_salt_lifetime = conf_int(&val);
 
-	val = conf_rawid_get(conf(), C_POLICY, C_PROPAG_DELAY, id, id_len);
-	policy->propagation_delay = conf_int(&val);
-
 	return DNSSEC_EOK;
 }