Change some dnssec-policy defaults
authorMatthijs Mekking <matthijs@isc.org>
Thu, 5 Dec 2019 11:17:19 +0000 (12:17 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Mon, 9 Dec 2019 07:25:20 +0000 (07:25 +0000)
Suggested by Tony Finch, these seem to be more reasonable defaults.

CHANGES
doc/arm/Bv9ARM-book.xml
doc/arm/dnssec-policy.grammar.xml
lib/dns/include/dns/kasp.h

diff --git a/CHANGES b/CHANGES
index a59055888691fcc22edfd753669879c391c33f21..da00868330760a19a258b224234748d354c4427c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5334.  [doc]           Update documentation with dnssec-policy clarifications.
+                       Also change some defaults.
+
 5333.  [bug]           Fix duration printing on Solaris when value is not
                        an ISO 8601 duration. [GL #1460]
 
index c352dbf30a91511e7e0ea6f2bd2737f1d1ee5ea3..c730866b9b7bd9f9eac87f05c927bc6ee3d0190b 100644 (file)
@@ -11146,8 +11146,8 @@ example.com                 CNAME   rpz-tcp-only.
                <para>
                  A margin that is added to the publish interval in key
                  timing equations to give some extra time to cover
-                 unforeseen events.  Default is <constant>PT5M</constant>
-                 (5 minutes).
+                 unforeseen events.  Default is <constant>PT1H</constant>
+                 (1 hour).
                </para>
              </listitem>
            </varlistentry>
@@ -11158,8 +11158,8 @@ example.com                 CNAME   rpz-tcp-only.
                <para>
                  A margin that is added to the retire interval in key
                  timing equations to give some extra time to cover
-                 unforeseen events.  Default is <constant>PT5M</constant>
-                 (5 minutes).
+                 unforeseen events.  Default is <constant>PT1H</constant>
+                 (1 hour).
                </para>
              </listitem>
            </varlistentry>
@@ -11251,7 +11251,7 @@ example.com                 CNAME   rpz-tcp-only.
              <listitem>
                <para>
                  The TTL of the DS RRset that the parent uses.  Default is
-                 <constant>PT1H</constant> (1 hour).
+                 <constant>P1D</constant> (1 day).
                </para>
              </listitem>
            </varlistentry>
index 2055f30dfab2c9535c3ddede511d4d463fc207a5..ae3839cbf4389f0d347011cf24ff5fafbdff2aba 100644 (file)
@@ -13,7 +13,6 @@
 
 <programlisting>
 <command>dnssec-policy</command> <replaceable>string</replaceable> {
-<<<<<<< HEAD
     <command>dnskey-ttl</command> <replaceable>duration</replaceable>;
     <command>keys</command> { ( csk | ksk | zsk ) key-directory lifetime <replaceable>duration</replaceable> algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
     <command>parent-ds-ttl</command> <replaceable>duration</replaceable>;
index 396ef5cade00d9d432805a2e4935ed0f12699a7a..e98a486e068e7ece320c3ce4678928937a644150 100644 (file)
@@ -99,9 +99,9 @@ struct dns_kasp {
 #define DNS_KASP_SIG_VALIDITY          (86400*14)
 #define DNS_KASP_SIG_VALIDITY_DNSKEY   (86400*14)
 #define DNS_KASP_KEY_TTL               (3600)
-#define DNS_KASP_DS_TTL                        (3600)
-#define DNS_KASP_PUBLISH_SAFETY                (300)
-#define DNS_KASP_RETIRE_SAFETY         (300)
+#define DNS_KASP_DS_TTL                        (86400)
+#define DNS_KASP_PUBLISH_SAFETY                (3600)
+#define DNS_KASP_RETIRE_SAFETY         (3600)
 #define DNS_KASP_ZONE_MAXTTL           (86400)
 #define DNS_KASP_ZONE_PROPDELAY                (300)
 #define DNS_KASP_PARENT_PROPDELAY      (3600)
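Review bot: The new values of `DNS_KASP_DS_TTL`, `DNS_KASP_PUBLISH_SAFETY` and `DNS_KASP_RETIRE_SAFETY` are bare second counts, and nothing ties them to the `P1D` and `PT1H` defaults that the ARM hunks in this same commit document, so header and manual can drift apart unnoticed. A comment above the block would cover it, for example `/* Defaults in seconds; keep in sync with the dnssec-policy defaults in doc/arm/Bv9ARM-book.xml. */`. The ARM describes parent-ds-ttl as the TTL the parent uses, so `DNS_KASP_DS_TTL` is an assumption about the parent zone; presumably a parent that publishes DS with a longer TTL still needs an explicit `parent-ds-ttl`, which would be worth saying in that comment. CHANGES entry 5334 is tagged `[doc]` although these macros change runtime key-timing defaults, so operators relying on the defaults could miss the behaviour change. The `#define` list begins and continues outside this hunk.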