From e64cd096150aa3b34af1480282e56fa659b12cb0 Mon Sep 17 00:00:00 2001
From: Filip Siroky <filip.siroky@nic.cz>
Date: Wed, 2 Nov 2016 11:09:01 +0100
Subject: [PATCH] doc: add warning about timers infuencing zsk key lifetime

---
 doc/man/knot.conf.5in     | 35 ++++++++++++++++++++++++++++-------
 doc/reference.rst         | 31 ++++++++++++++++++++-----------
 src/knot/conf/scheme.c    |  4 ++--
 src/knot/dnssec/context.c |  6 +++---
 4 files changed, 53 insertions(+), 23 deletions(-)

diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5in
index dd777a90bf..72634ca847 100644
--- a/doc/man/knot.conf.5in
+++ b/doc/man/knot.conf.5in
@@ -505,13 +505,13 @@ policy:
     zsk\-size: SIZE
     dnskey\-ttl: TIME
     zsk\-lifetime: TIME
+    propagation\-delay: TIME
     rrsig\-lifetime: TIME
     rrsig\-refresh: TIME
     nsec3: BOOL
     nsec3\-iterations: INT
     nsec3\-salt\-length: INT
     nsec3\-salt\-lifetime: TIME
-    propagation\-delay: TIME
 .ft P
 .fi
 .UNINDENT
@@ -550,11 +550,38 @@ A length of newly generated ZSK keys.
 A TTL value for DNSKEY records added into zone apex.
 .sp
 \fIDefault:\fP zone SOA TTL
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+has infuence over ZSK key lifetime
+.UNINDENT
+.UNINDENT
 .SS zsk\-lifetime
 .sp
 A period between ZSK publication and the next rollover initiation.
 .sp
 \fIDefault:\fP 30 days
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+ZSK key lifetime is also infuenced by propagation\-delay and dnskey\-ttl
+.UNINDENT
+.UNINDENT
+.SS propagation\-delay
+.sp
+An extra delay added for each key rollover step. This value should be high
+enough to cover propagation of data from the master server to all slaves.
+.sp
+\fIDefault:\fP 1 day
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+has infuence over ZSK key lifetime
+.UNINDENT
+.UNINDENT
 .SS rrsig\-lifetime
 .sp
 A validity period of newly issued signatures.
@@ -586,12 +613,6 @@ name before hashing.
 A validity period of newly issued salt field.
 .sp
 \fIDefault:\fP 30 days
-.SS propagation\-delay
-.sp
-An extra delay added for each key rollover step. This value should be high
-enough to cover propagation of data from the master server to all slaves.
-.sp
-\fIDefault:\fP 1 day
 .SH REMOTE SECTION
 .sp
 Definitions of remote servers for outgoing connections (source of a zone
diff --git a/doc/reference.rst b/doc/reference.rst
index bc77c6fd3f..0b3fc56f32 100644
--- a/doc/reference.rst
+++ b/doc/reference.rst
@@ -571,13 +571,13 @@ DNSSEC policy configuration.
      zsk-size: SIZE
      dnskey-ttl: TIME
      zsk-lifetime: TIME
+     propagation-delay: TIME
      rrsig-lifetime: TIME
      rrsig-refresh: TIME
      nsec3: BOOL
      nsec3-iterations: INT
      nsec3-salt-length: INT
      nsec3-salt-lifetime: TIME
-     propagation-delay: TIME
 
 .. _policy_id:
 
@@ -641,6 +641,9 @@ A TTL value for DNSKEY records added into zone apex.
 
 *Default:* zone SOA TTL
 
+.. NOTE::
+   has infuence over ZSK key lifetime
+
 .. _policy_zsk-lifetime:
 
 zsk-lifetime
@@ -650,6 +653,22 @@ A period between ZSK publication and the next rollover initiation.
 
 *Default:* 30 days
 
+.. NOTE::
+   ZSK key lifetime is also infuenced by propagation-delay and dnskey-ttl
+
+.. _policy_propagation-delay:
+
+propagation-delay
+-----------------
+
+An extra delay added for each key rollover step. This value should be high
+enough to cover propagation of data from the master server to all slaves.
+
+*Default:* 1 day
+
+.. NOTE::
+   has infuence over ZSK key lifetime
+
 .. _policy_rrsig-lifetime:
 
 rrsig-lifetime
@@ -705,16 +724,6 @@ A validity period of newly issued salt field.
 
 *Default:* 30 days
 
-.. _policy_propagation-delay:
-
-propagation-delay
------------------
-
-An extra delay added for each key rollover step. This value should be high
-enough to cover propagation of data from the master server to all slaves.
-
-*Default:* 1 day
-
 .. _Remote section:
 
 Remote section
diff --git a/src/knot/conf/scheme.c b/src/knot/conf/scheme.c
index a7ccaa8dc9..155b494af4 100644
--- a/src/knot/conf/scheme.c
+++ b/src/knot/conf/scheme.c
@@ -172,6 +172,8 @@ static const yp_item_t desc_policy[] = {
 	                                   CONF_IO_FRLD_ZONES },
 	{ C_ZSK_LIFETIME,        YP_TINT,  YP_VINT = { 1, UINT32_MAX, DAYS(30), YP_STIME },
 	                                   CONF_IO_FRLD_ZONES },
+	{ C_PROPAG_DELAY,        YP_TINT,  YP_VINT = { 0, UINT32_MAX, HOURS(1), YP_STIME },
+					   CONF_IO_FRLD_ZONES },
 	{ C_RRSIG_LIFETIME,      YP_TINT,  YP_VINT = { 1, UINT32_MAX, DAYS(14), YP_STIME },
 	                                   CONF_IO_FRLD_ZONES },
 	{ C_RRSIG_REFRESH,       YP_TINT,  YP_VINT = { 1, UINT32_MAX, DAYS(7), YP_STIME },
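Review bot: The moved C_PROPAG_DELAY entry keeps a default of `HOURS(1)`, while the knot.conf.5in and reference.rst hunks in this same patch document propagation-delay as `Default: 1 day`; one of the two is wrong, and the commit does not reconcile them. The documentation says this delay must cover propagation from the master to all slaves, so an operator who trusts the documented value would in practice get a one-hour wait per rollover step, which is presumably less margin than intended. Which value is authoritative is not visible here; either change the default to `DAYS(1)` or correct both documents to `1 hour`, but not neither. Separately, the continuation line of the moved entry is indented with tabs only, whereas every other continuation line in desc_policy uses a single tab followed by spaces to align `CONF_IO_FRLD_ZONES` under the value column; indent it like the `C_ZSK_LIFETIME` line directly above. The desc_policy array begins before this hunk.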
@@ -181,8 +183,6 @@ static const yp_item_t desc_policy[] = {
 	{ C_NSEC3_SALT_LEN,      YP_TINT,  YP_VINT = { 0, UINT8_MAX, 8 }, CONF_IO_FRLD_ZONES },
 	{ C_NSEC3_SALT_LIFETIME, YP_TINT,  YP_VINT = { 1, UINT32_MAX, DAYS(30), YP_STIME },
 	                                   CONF_IO_FRLD_ZONES },
-	{ C_PROPAG_DELAY,        YP_TINT,  YP_VINT = { 0, UINT32_MAX, HOURS(1), YP_STIME },
-	                                   CONF_IO_FRLD_ZONES },
 	{ C_COMMENT,             YP_TSTR,  YP_VNONE },
 	{ NULL }
 };
diff --git a/src/knot/dnssec/context.c b/src/knot/dnssec/context.c
index 020f87aa06..3e0db4bcf8 100644
--- a/src/knot/dnssec/context.c
+++ b/src/knot/dnssec/context.c
@@ -78,6 +78,9 @@ static int policy_load(void *ctx, dnssec_kasp_policy_t *policy)
 	val = conf_rawid_get(conf(), C_POLICY, C_ZSK_LIFETIME, id, id_len);
 	policy->zsk_lifetime = conf_int(&val);
 
+	val = conf_rawid_get(conf(), C_POLICY, C_PROPAG_DELAY, id, id_len);
+	policy->propagation_delay = conf_int(&val);
+
 	val = conf_rawid_get(conf(), C_POLICY, C_RRSIG_LIFETIME, id, id_len);
 	policy->rrsig_lifetime = conf_int(&val);
 
@@ -96,9 +99,6 @@ static int policy_load(void *ctx, dnssec_kasp_policy_t *policy)
 	val = conf_rawid_get(conf(), C_POLICY, C_NSEC3_SALT_LIFETIME, id, id_len);
 	policy->nsec3_salt_lifetime = conf_int(&val);
 
-	val = conf_rawid_get(conf(), C_POLICY, C_PROPAG_DELAY, id, id_len);
-	policy->propagation_delay = conf_int(&val);
-
 	return DNSSEC_EOK;
 }
 
-- 
GitLab