Set default max-zone-ttl to "unlimited"

Now that the keymgr tracks the maximum TTL used in a zone, we no longer
need an artifical value when calculating key rollover timings. The
max-zone-ttl value can be set to 0 (unlimited) by default.

This means that the built-in "default" and "insecure" can now be used
on zones that have TTL values higher than 1 day (and no longer fail
to load the zone).

You can still set the max-zone-ttl value to ensure that the loaded
zone does not have a too high TTL (causing the zone fail to load, and
to limit the TTL on incoming updates).
This commit is contained in:
Matthijs Mekking
2023-05-09 15:02:54 +02:00
committed by Mark Andrews
parent fd95bf67c6
commit 8863ab9503
3 changed files with 3 additions and 3 deletions

View File

@@ -15,7 +15,7 @@ dnssec-policy <string> {
cds-digest-types { <string>; ... };
dnskey-ttl <duration>;
keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
max-zone-ttl <duration>;
max-zone-ttl ( unlimited | <duration> );
nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;

View File

@@ -121,7 +121,7 @@ struct dns_kasp {
#define DNS_KASP_PUBLISH_SAFETY "3600"
#define DNS_KASP_PURGE_KEYS "P90D"
#define DNS_KASP_RETIRE_SAFETY "3600"
#define DNS_KASP_ZONE_MAXTTL "86400"
#define DNS_KASP_ZONE_MAXTTL "0"
#define DNS_KASP_ZONE_PROPDELAY "300"
#define DNS_KASP_PARENT_PROPDELAY "3600"

View File

@@ -2209,7 +2209,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
{ "cds-digest-types", &cfg_type_algorithmlist, 0 },
{ "dnskey-ttl", &cfg_type_duration, 0 },
{ "keys", &cfg_type_kaspkeys, 0 },
{ "max-zone-ttl", &cfg_type_duration, 0 },
{ "max-zone-ttl", &cfg_type_maxduration, 0 },
{ "nsec3param", &cfg_type_nsec3, 0 },
{ "parent-ds-ttl", &cfg_type_duration, 0 },
{ "parent-propagation-delay", &cfg_type_duration, 0 },