From a64197c80f41524eb8fc7640e61edae45c3ba2bd Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Thu, 4 Jan 2024 10:27:26 +0100 Subject: [PATCH 1/2] Fix ZSK lifetime minimum constraints documentation The ARM failed to mention that the ZSK lifetime minimum also depends on the signing delay. (cherry picked from commit 53f0541db6755f9106f0481e4dcb29b9e8c16d1e) --- doc/arm/reference.rst | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index e958c50dc2..48a367c825 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -6444,10 +6444,11 @@ The following options can be specified in a :any:`dnssec-policy` statement: must be more than the publication interval (which is the sum of :any:`dnskey-ttl`, :any:`publish-safety`, and :any:`zone-propagation-delay`). It must also be more than the retire interval (which is the sum of - :any:`max-zone-ttl`, :any:`retire-safety` and :any:`zone-propagation-delay` - for ZSKs, and the sum of :any:`parent-ds-ttl`, :any:`retire-safety`, and - :any:`parent-propagation-delay` for KSKs and CSKs). BIND 9 treats a key - lifetime that is too short as an error. + :any:`max-zone-ttl`, :any:`retire-safety`, :any:`zone-propagation-delay`, + and signing delay (:any:`signatures-validity` minus + :any:`signatures-refresh`) for ZSKs, and the sum of :any:`parent-ds-ttl`, + :any:`retire-safety`, and :any:`parent-propagation-delay` for KSKs and + CSKs). BIND 9 treats a key lifetime that is too short as an error. The ``algorithm`` parameter specifies the key's algorithm, expressed either as a string ("rsasha256", "ecdsa384", etc.) or as a decimal From 066b31667aa960c9271801914f5235eb8e680e20 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Thu, 4 Jan 2024 10:31:18 +0100 Subject: [PATCH 2/2] Add CHANGES for #4510 (cherry picked from commit 7e903c52be25e55ec6ae1a8f9e4e8f700548c7d0) --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/CHANGES b/CHANGES index 1eec056345..457b397e2b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +6328. [doc] Update ZSK minimum lifetime documentation in ARM, also + depends on signing delay. [GL #4510] + 6326. [func] Add workaround to enforce dynamic linker to pull jemalloc earlier than libc to ensure all memory allocations are done via jemalloc. [GL #4404]
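Review bot: in the doc/arm/reference.rst hunk (PATCH 1/2), the added ZSK clause nests one parenthetical inside another: "signing delay (:any:`signatures-validity` minus :any:`signatures-refresh`)" sits inside the parenthetical that defines the retire interval. "Signing delay" is also the only term in the sum that is not an :any: option, so a reader has nothing to look up. Consider defining it in a sentence of its own, for example "The signing delay is :any:`signatures-validity` minus :any:`signatures-refresh`.", and then listing the four ZSK terms without the inner parentheses. The sentence still groups CSKs with KSKs for the parent-side sum. Please confirm whether the signing delay term applies to CSKs as well, and state it either way.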
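Review bot: in the CHANGES hunk (PATCH 2/2), the new entry 6328 is a comma splice ("Update ZSK minimum lifetime documentation in ARM, also depends on signing delay") and does not say what depends on the signing delay. Something like "Document in the ARM that the ZSK minimum lifetime also depends on the signing delay. [GL #4510]" reads as one statement. The entry is also placed directly above 6326 with no 6327 in the visible context. If that gap is expected on this backport branch it is fine, otherwise check the numbering before merging.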