Fix ZSK lifetime minimum constraints documentation

The ARM failed to mention that the ZSK lifetime minimum also depends
on the signing delay.

(cherry picked from commit 53f0541db6)
Matthijs Mekking 2024-01-04 10:27:26 +01:00
parent f132740869
commit a64197c80f

@ -6444,10 +6444,11 @@ The following options can be specified in a :any:`dnssec-policy` statement:
must be more than the publication interval (which is the sum of
:any:`dnskey-ttl`, :any:`publish-safety`, and :any:`zone-propagation-delay`).
It must also be more than the retire interval (which is the sum of
:any:`max-zone-ttl`, :any:`retire-safety` and :any:`zone-propagation-delay`
for ZSKs, and the sum of :any:`parent-ds-ttl`, :any:`retire-safety`, and
:any:`parent-propagation-delay` for KSKs and CSKs). BIND 9 treats a key
lifetime that is too short as an error.
:any:`max-zone-ttl`, :any:`retire-safety`, :any:`zone-propagation-delay`,
and signing delay (:any:`signatures-validity` minus
:any:`signatures-refresh`) for ZSKs, and the sum of :any:`parent-ds-ttl`,
:any:`retire-safety`, and :any:`parent-propagation-delay` for KSKs and
CSKs). BIND 9 treats a key lifetime that is too short as an error.
The ``algorithm`` parameter specifies the key's algorithm, expressed
either as a string ("rsasha256", "ecdsa384", etc.) or as a decimal
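
Review bot: "signing delay" in the added ZSK clause is defined only by a parenthetical nested inside the retire-interval parenthetical, and it is not an option name, so a reader following the :any: links can easily miss that :any:`signatures-validity` and :any:`signatures-refresh` now feed the minimum lifetime. Consider splitting the retire interval into one sentence for ZSKs and one for KSKs and CSKs, and defining the signing delay in its own sentence before it is used. It is also worth confirming while this sentence is being touched whether a CSK, which signs zone data as well, is bound only by the parent-side sum as written here or by the ZSK sum too, and stating that explicitly.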