Make 'parent-registration-delay' obsolete
authorMatthijs Mekking <matthijs@isc.org>
Fri, 31 Jul 2020 07:58:59 +0000 (09:58 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Fri, 7 Aug 2020 09:26:09 +0000 (11:26 +0200)
With the introduction of 'checkds', the 'parent-registration-delay'
option becomes obsolete.

21 files changed:
bin/named/named.conf.rst
bin/tests/system/checkconf/good-kasp.conf
bin/tests/system/checkconf/good.conf
bin/tests/system/kasp/ns3/policies/autosign.conf
bin/tests/system/kasp/ns6/policies/csk1.conf
bin/tests/system/kasp/ns6/policies/csk2.conf
bin/tests/system/kasp/ns6/policies/kasp.conf
bin/tests/system/kasp/ns6/setup.sh
bin/tests/system/kasp/tests.sh
doc/arm/reference.rst
doc/man/named.conf.5in
doc/misc/dnssec-policy.default.conf
doc/misc/dnssec-policy.grammar.rst
doc/misc/named.conf.rst
doc/misc/options
doc/misc/options.active
lib/dns/include/dns/kasp.h
lib/dns/kasp.c
lib/dns/win32/libdns.def.in
lib/isccfg/kaspconf.c
lib/isccfg/namedconf.c

index f66c485ad6740d81f1050b9d46bc729607ac3b8c..fe109031fc90c21ee2dd09a85f2776900218a721 100644 (file)
@@ -68,7 +68,6 @@ DNSSEC-POLICY
        max-zone-ttl duration;
        parent-ds-ttl duration;
        parent-propagation-delay duration;
-       parent-registration-delay duration;
        publish-safety duration;
        retire-safety duration;
        signatures-refresh duration;
index ae4c319e088161012bb5ec9b63d4d084e7972c6e..094ad56b06640c679920bf8b607b5237e551ecd7 100644 (file)
@@ -24,7 +24,6 @@ dnssec-policy "test" {
        max-zone-ttl 86400;
        parent-ds-ttl 7200;
        parent-propagation-delay PT1H;
-       parent-registration-delay P1D;
        publish-safety PT3600S;
        retire-safety PT3600S;
        signatures-refresh P3D;
index f083dae2d0ef951d1256ffdf2b10d6cae13683a0..01226b457f703e622a979d403440e857234a1159 100644 (file)
@@ -24,7 +24,6 @@ dnssec-policy "test" {
        max-zone-ttl 86400;
        parent-ds-ttl 7200;
        parent-propagation-delay PT1H;
-       parent-registration-delay P1D;
        publish-safety PT3600S;
        retire-safety PT3600S;
        signatures-refresh P3D;
index aa11f8b43d5113d8d086727c0e5c40f24643fa69..48e78a51a06d6bff99fa9d5063990890ecf31c3e 100644 (file)
@@ -36,7 +36,6 @@ dnssec-policy "enable-dnssec" {
        publish-safety PT5M;
 
        parent-propagation-delay 1h;
-       parent-registration-delay P1D;
        parent-ds-ttl 2h;
 
        keys {
@@ -82,7 +81,6 @@ dnssec-policy "ksk-doubleksk" {
        max-zone-ttl 1d;
 
        parent-ds-ttl 3600;
-       parent-registration-delay P1D;
        parent-propagation-delay PT1H;
 };
 
@@ -104,7 +102,6 @@ dnssec-policy "csk-roll" {
        max-zone-ttl P1D;
 
        parent-ds-ttl 1h;
-       parent-registration-delay 1d;
        parent-propagation-delay 1h;
 };
 
@@ -126,6 +123,5 @@ dnssec-policy "csk-roll2" {
        max-zone-ttl 1d;
 
        parent-ds-ttl PT1H;
-       parent-registration-delay PT0S;
        parent-propagation-delay P1W;
 };
index 8f93444807cd44e50dca04d05a86c9626c573841..e31b0f902e8562da71459306c304a6060edb932a 100644 (file)
@@ -23,7 +23,6 @@ dnssec-policy "csk-algoroll" {
        retire-safety 2h;
        zone-propagation-delay 3600;
        max-zone-ttl 6h;
-       parent-registration-delay 1d;
        parent-propagation-delay pt1h;
        parent-ds-ttl 7200;
 };
index f379c0574f106731f11ff7f940bcc3ce9be9ef45..e0d8807ac98ffdafec7c28d994447fbc9516ebe5 100644 (file)
@@ -23,7 +23,6 @@ dnssec-policy "csk-algoroll" {
        retire-safety 2h;
        zone-propagation-delay 3600;
        max-zone-ttl 6h;
-       parent-registration-delay 1d;
        parent-propagation-delay pt1h;
        parent-ds-ttl 7200;
 };
index a02d6816a7e6ac738d5bc5c94ccac57053f8f29e..91569cd59c819195561ed2622892f9ad35ccc2d4 100644 (file)
@@ -24,7 +24,6 @@ dnssec-policy "rsasha1" {
        retire-safety 2h;
        zone-propagation-delay 3600;
        max-zone-ttl 6h;
-       parent-registration-delay 1d;
        parent-propagation-delay pt1h;
        parent-ds-ttl 7200;
 };
@@ -44,7 +43,6 @@ dnssec-policy "ecdsa256" {
        retire-safety 2h;
        zone-propagation-delay 3600;
        max-zone-ttl 6h;
-       parent-registration-delay 1d;
        parent-propagation-delay pt1h;
        parent-ds-ttl 7200;
 };
@@ -74,8 +72,7 @@ dnssec-policy "migrate-nomatch-algnum" {
        zone-propagation-delay 3600;
        max-zone-ttl 11h;
 
-       // Together 24h
-       parent-registration-delay 21h;
+       // Together 3h
        parent-propagation-delay pt1h;
        parent-ds-ttl 7200;
 };
@@ -96,8 +93,7 @@ dnssec-policy "migrate-nomatch-alglen" {
        zone-propagation-delay 3600;
        max-zone-ttl 11h;
 
-       // Together 24h
-       parent-registration-delay 21h;
+       // Together 3h
        parent-propagation-delay pt1h;
        parent-ds-ttl 7200;
 };
index 08540f2387586a311e59ace5739be046cdc9a4dc..44646e5f89de58025aad5642956479b0f0b8c1a0 100644 (file)
@@ -56,7 +56,7 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # ECDSAP256SHA256 keys.
 setup migrate-nomatch-algnum.kasp
 echo "$zone" >> zones
-Tds="now-24h"    # Time according to dnssec-policy that DS will be OMNIPRESENT
+Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
 Tkey="now-3900s" # DNSKEY TTL + propagation delay
 Tsig="now-12h"   # Zone's maximum TTL + propagation delay
 ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
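Review bot: The new `Tds="now-3h"` line keeps the comment "Time according to dnssec-policy that DS will be OMNIPRESENT" but does not say how 3h is derived, unlike the `Tkey` and `Tsig` lines directly below it, which name their terms. With parent-registration-delay gone, the value appears to be parent-ds-ttl (7200) plus parent-propagation-delay (pt1h) from the migrate-nomatch-* policies in kasp.conf. A trailing comment such as `# DS TTL + parent propagation delay` would let a reader check the number against the policy. The same applies to the next hunk, for migrate-nomatch-alglen.kasp.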
@@ -74,7 +74,7 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # dictates 2048 bits RSASHA1 keys.
 setup migrate-nomatch-alglen.kasp
 echo "$zone" >> zones
-Tds="now-24h"    # Time according to dnssec-policy that DS will be OMNIPRESENT
+Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
 Tkey="now-3900s" # DNSKEY TTL + propagation delay
 Tsig="now-12h"   # Zone's maximum TTL + propagation delay
 ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
index ce53559052b3e9081e1f4abd99651fcdfb77f03c..34915ff221c23a6712954783a514bd98c2726fb4 100644 (file)
@@ -3958,12 +3958,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # The KSK is immediately published and activated.
 # -P     : now-3900s
-# -P sync: now-24h
+# -P sync: now-3h
 # -A     : now-3900s
 created=$(key_get KEY1 CREATED)
 set_addkeytime "KEY1" "PUBLISHED"   "${created}" -3900
 set_addkeytime "KEY1" "ACTIVE"      "${created}" -3900
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
 # The ZSK is immediately published and activated.
 # -P: now-12h
 # -A: now-12h
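Review bot: The literal `-10800` passed to `set_addkeytime "KEY1" "SYNCPUBLISH"` is repeated in this hunk and in three later hunks of this file, and it must stay equal to the `now-3h` that setup.sh uses for `Tds`. If the DS timing in the policy changes again, every copy has to be found and edited by hand, as this commit had to do for `-86400`. Setting it once, for example `TdsOffset=-10800` used as `set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" "${TdsOffset}"`, would match how the file already names `IretKSK=14400`.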
@@ -4021,12 +4021,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # The KSK is immediately published and activated.
 # -P     : now-3900s
-# -P sync: now-24h
+# -P sync: now-3h
 # -A     : now-3900s
 created=$(key_get KEY1 CREATED)
 set_addkeytime "KEY1" "PUBLISHED"   "${created}" -3900
 set_addkeytime "KEY1" "ACTIVE"      "${created}" -3900
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
 # The ZSK is immediately published and activated.
 # -P: now-12h
 # -A: now-12h
@@ -4177,7 +4177,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # KSK must be retired since it no longer matches the policy.
 # -P     : now-3900s
-# -P sync: now-24h
+# -P sync: now-3h
 # -A     : now-3900s
 # The key is removed after the retire interval:
 # IretKSK = TTLds + DprpP + retire_safety.
@@ -4189,7 +4189,7 @@ IretKSK=14400
 created=$(key_get KEY1 CREATED)
 set_addkeytime "KEY1" "PUBLISHED"   "${created}" -3900
 set_addkeytime "KEY1" "ACTIVE"      "${created}" -3900
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
 keyfile=$(key_get KEY1 BASEFILE)
 grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
 retired=$(awk '{print $3}' < retired.test${n}.ksk)
@@ -4294,7 +4294,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 
 # KSK must be retired since it no longer matches the policy.
 # -P     : now-3900s
-# -P sync: now-24h
+# -P sync: now-3h
 # -A     : now-3900s
 # The key is removed after the retire interval:
 # IretKSK = TTLds + DprpP + retire_safety.
@@ -4306,7 +4306,7 @@ IretKSK=14400
 created=$(key_get KEY1 CREATED)
 set_addkeytime "KEY1" "PUBLISHED"   "${created}" -3900
 set_addkeytime "KEY1" "ACTIVE"      "${created}" -3900
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
 keyfile=$(key_get KEY1 BASEFILE)
 grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
 retired=$(awk '{print $3}' < retired.test${n}.ksk)
index 6a782a831f094965b9629f03e68a6cadf1fcbe58..37abaa182ef5a979b208883cc91488fd3d402a5a 100644 (file)
@@ -4901,12 +4901,6 @@ The following options can be specified in a ``dnssec-policy`` statement:
        is served by all of the parent zone's name servers.
        The default is ``PT1H`` (1 hour).
 
-     ``parent-registration-delay``
-       This is the expected registration delay from the time when a DS
-       RRset change is requested to the time when the DS RRset
-       is updated in the parent zone.  The default is
-       ``P1D`` (1 day).
-
 .. _managed-keys:
 
 ``managed-keys`` Statement Grammar
index 85f5b6d22a90a93b09fdc5297e83516dc835a0be..a5b954fdf6807d8819064ddab2a88f4a0adc58bc 100644 (file)
@@ -107,7 +107,6 @@ dnssec\-policy string {
       max\-zone\-ttl duration;
       parent\-ds\-ttl duration;
       parent\-propagation\-delay duration;
-      parent\-registration\-delay duration;
       publish\-safety duration;
       retire\-safety duration;
       signatures\-refresh duration;
index 5baa8b1d0a43dc6af865e865e8f5cebf1bb5e3de..195516b40bcc9be93767bf4a960df3f46bc8cb16 100644 (file)
@@ -20,6 +20,5 @@ dnssec-policy "default" {
 
        // Parent parameters
        parent-ds-ttl 86400;
-       parent-registration-delay 24h;
        parent-propagation-delay 1h;
 };
index 76b653294e354a79e186fcc5222b1d63e4821fff..951983cf1d15cc45d7e3a61417cd45b6d7d39fdd 100644 (file)
@@ -7,7 +7,6 @@
        max-zone-ttl <duration>;
        parent-ds-ttl <duration>;
        parent-propagation-delay <duration>;
-       parent-registration-delay <duration>;
        publish-safety <duration>;
        retire-safety <duration>;
        signatures-refresh <duration>;
index 1de1a2a2c10bd09cdab4393a54c6769fb0c94d89..867389bfeec1a0f118718df2907a229714d3a6f5 100644 (file)
@@ -78,7 +78,6 @@ DNSSEC-POLICY
        max-zone-ttl duration;
        parent-ds-ttl duration;
        parent-propagation-delay duration;
-       parent-registration-delay duration;
        publish-safety duration;
        retire-safety duration;
        signatures-refresh duration;
index 7640b8d4c84b1c775e7d5a5d9be6e4384b6b74c7..39b9e91374ac59dc438a17b84967a5463e2133e2 100644 (file)
@@ -28,7 +28,7 @@ dnssec-policy <string> {
         max-zone-ttl <duration>;
         parent-ds-ttl <duration>;
         parent-propagation-delay <duration>;
-        parent-registration-delay <duration>;
+        parent-registration-delay <duration>; // obsolete
         publish-safety <duration>;
         retire-safety <duration>;
         signatures-refresh <duration>;
index 3deea19bb50a3e3aa76634b548d73c1820924744..0b50d4cb99cfe98ccceeebd002d92d7d60ca003c 100644 (file)
@@ -28,7 +28,6 @@ dnssec-policy <string> {
         max-zone-ttl <duration>;
         parent-ds-ttl <duration>;
         parent-propagation-delay <duration>;
-        parent-registration-delay <duration>;
         publish-safety <duration>;
         retire-safety <duration>;
         signatures-refresh <duration>;
index 36e36911e6752c5a48b09fd349c6b7a6404d88e4..a78a95ed0ede41583c8463dce5a315efae74031b 100644 (file)
@@ -86,7 +86,6 @@ struct dns_kasp {
        /* Parent settings */
        dns_ttl_t parent_ds_ttl;
        uint32_t  parent_propagation_delay;
-       uint32_t  parent_registration_delay;
 
        /* TODO: The rest of the KASP configuration */
 };
@@ -105,7 +104,6 @@ struct dns_kasp {
 #define DNS_KASP_ZONE_MAXTTL        (86400)
 #define DNS_KASP_ZONE_PROPDELAY             (300)
 #define DNS_KASP_PARENT_PROPDELAY    (3600)
-#define DNS_KASP_PARENT_REGDELAY     (86400)
 
 /* Key roles */
 #define DNS_KASP_KEY_ROLE_KSK 0x01
@@ -443,30 +441,6 @@ dns_kasp_setparentpropagationdelay(dns_kasp_t *kasp, uint32_t value);
  *\li   'kasp' is a valid, thawed kasp.
  */
 
-uint32_t
-dns_kasp_parentregistrationdelay(dns_kasp_t *kasp);
-/*%<
- * Get parent registration delay for submitting new DS.
- *
- * Requires:
- *
- *\li   'kasp' is a valid, frozen kasp.
- *
- * Returns:
- *
- *\li   Parent registration delay.
- */
-
-void
-dns_kasp_setparentregistrationdelay(dns_kasp_t *kasp, uint32_t value);
-/*%<
- * Set parent registration delay.
- *
- * Requires:
- *
- *\li   'kasp' is a valid, thawed kasp.
- */
-
 isc_result_t
 dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp);
 /*%<
index 69c069e5f7018ce44f7eabb069430e707cbc2600..f31916c5ec9d4bf56b1c1fd557276d33d1c22e04 100644 (file)
@@ -57,7 +57,6 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
 
        kasp->parent_ds_ttl = DNS_KASP_DS_TTL;
        kasp->parent_propagation_delay = DNS_KASP_PARENT_PROPDELAY;
-       kasp->parent_registration_delay = DNS_KASP_PARENT_REGDELAY;
 
        /* TODO: The rest of the KASP configuration */
 
@@ -298,22 +297,6 @@ dns_kasp_setparentpropagationdelay(dns_kasp_t *kasp, uint32_t value) {
        kasp->parent_propagation_delay = value;
 }
 
-uint32_t
-dns_kasp_parentregistrationdelay(dns_kasp_t *kasp) {
-       REQUIRE(DNS_KASP_VALID(kasp));
-       REQUIRE(kasp->frozen);
-
-       return (kasp->parent_registration_delay);
-}
-
-void
-dns_kasp_setparentregistrationdelay(dns_kasp_t *kasp, uint32_t value) {
-       REQUIRE(DNS_KASP_VALID(kasp));
-       REQUIRE(!kasp->frozen);
-
-       kasp->parent_registration_delay = value;
-}
-
 isc_result_t
 dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp) {
        dns_kasp_t *kasp = NULL;
index e08904ff8cf5a82507772d98bf84cbf35b651843..d1f450fb50fee276c9f056d6f1f7eba5787d3afc 100644 (file)
@@ -445,13 +445,11 @@ dns_kasp_key_zsk
 dns_kasp_keylist_empty
 dns_kasp_keys
 dns_kasp_parentpropagationdelay
-dns_kasp_parentregistrationdelay
 dns_kasp_publishsafety
 dns_kasp_retiresafety
 dns_kasp_setdnskeyttl
 dns_kasp_setdsttl
 dns_kasp_setparentpropagationdelay
-dns_kasp_setparentregistrationdelay
 dns_kasp_setpublishsafety
 dns_kasp_setretiresafety
 dns_kasp_setsigrefresh
index 4fc56fc401be60f178a388ee3f87a726b677096a..3099ed78ddceb27bb63e34de443f45f0c7669e50 100644 (file)
@@ -258,9 +258,6 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *logctx,
        dns_kasp_setparentpropagationdelay(
                kasp, get_duration(maps, "parent-propagation-delay",
                                   DNS_KASP_PARENT_PROPDELAY));
-       dns_kasp_setparentregistrationdelay(
-               kasp, get_duration(maps, "parent-registration-delay",
-                                  DNS_KASP_PARENT_REGDELAY));
 
        /* TODO: Rest of the configuration */
 
index 9084e63db515124e1e823dcdd4a231de2126767f..97dc0fdf54699ce272f3786ad690bd074f44c5e0 100644 (file)
@@ -2093,7 +2093,8 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
        { "max-zone-ttl", &cfg_type_duration, 0 },
        { "parent-ds-ttl", &cfg_type_duration, 0 },
        { "parent-propagation-delay", &cfg_type_duration, 0 },
-       { "parent-registration-delay", &cfg_type_duration, 0 },
+       { "parent-registration-delay", &cfg_type_duration,
+         CFG_CLAUSEFLAG_OBSOLETE },
        { "publish-safety", &cfg_type_duration, 0 },
        { "retire-safety", &cfg_type_duration, 0 },
        { "signatures-refresh", &cfg_type_duration, 0 },
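Review bot: Marking the clause `CFG_CLAUSEFLAG_OBSOLETE` means a policy that still sets `parent-registration-delay` keeps loading while its value no longer feeds the DS timing, and nothing in this commit exercises that path: the option is removed from good.conf and good-kasp.conf rather than kept in one checkconf input. The kasp test policies show the effect on timing (the "Together 24h" comment becomes "Together 3h"), so an operator who relied on the longer delay presumably now depends on checkds to hold a KSK rollover back until the parent has published the DS. I would keep one test config containing `parent-registration-delay P1D;` to confirm that the option is still accepted and reported as obsolete, and call out the timing change in the release notes. The `dnssecpolicy_clauses[]` array continues outside the hunk.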