diff options
Diffstat (limited to '')
-rw-r--r-- | bin/tests/system/kasp/ns3/named-fips.conf.in | 519 |
1 files changed, 519 insertions, 0 deletions
diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in new file mode 100644 index 0000000..b14b142 --- /dev/null +++ b/bin/tests/system/kasp/ns3/named-fips.conf.in @@ -0,0 +1,519 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +include "policies/kasp.conf"; +include "policies/autosign.conf"; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + dnssec-policy "rsasha256"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* Zones that are getting initially signed */ + +/* The default case: No keys created, using default policy. */ +zone "default.kasp" { + type primary; + file "default.kasp.db"; + inline-signing yes; + dnssec-policy "default"; +}; + +/* checkds: Zone with one KSK. */ +zone "checkds-ksk.kasp" { + type primary; + file "checkds-ksk.kasp.db"; + inline-signing yes; + dnssec-policy "checkds-ksk"; +}; + +/* checkds: Zone with two KSKs. */ +zone "checkds-doubleksk.kasp" { + type primary; + file "checkds-doubleksk.kasp.db"; + inline-signing yes; + dnssec-policy "checkds-doubleksk"; +}; + +/* checkds: Zone with one CSK. */ +zone "checkds-csk.kasp" { + type primary; + file "checkds-csk.kasp.db"; + inline-signing yes; + dnssec-policy "checkds-csk"; +}; + +/* Key lifetime unlimited. */ +zone "unlimited.kasp" { + type primary; + file "unlimited.kasp.db"; + inline-signing yes; + dnssec-policy "unlimited"; +}; + +/* Manual rollover. */ +zone "manual-rollover.kasp" { + type primary; + file "manual-rollover.kasp.db"; + inline-signing yes; + dnssec-policy "manual-rollover"; +}; + +/* A zone that inherits dnssec-policy. */ +zone "inherit.kasp" { + type primary; + inline-signing yes; + file "inherit.kasp.db"; +}; + +/* A zone that overrides dnssec-policy. */ +zone "unsigned.kasp" { + type primary; + file "unsigned.kasp.db"; + inline-signing yes; + dnssec-policy "none"; +}; + +/* A zone that is initially set to insecure. */ +zone "insecure.kasp" { + type primary; + file "insecure.kasp.db"; + inline-signing yes; + dnssec-policy "insecure"; +}; + +/* A primary zone with dnssec-policy but keys already created. */ +zone "dnssec-keygen.kasp" { + type primary; + file "dnssec-keygen.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; + +/* A secondary zone with dnssec-policy. */ +zone "secondary.kasp" { + type secondary; + primaries { 10.53.0.2; }; + file "secondary.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; + +/* A dynamic zone with dnssec-policy. */ +zone "dynamic.kasp" { + type primary; + file "dynamic.kasp.db"; + dnssec-policy "default"; + allow-update { any; }; +}; + +/* A dynamic inline-signed zone with dnssec-policy. */ +zone "dynamic-inline-signing.kasp" { + type primary; + file "dynamic-inline-signing.kasp.db"; + dnssec-policy "default"; + allow-update { any; }; + inline-signing yes; +}; + +/* An inline-signed zone with dnssec-policy. */ +zone "inline-signing.kasp" { + type primary; + file "inline-signing.kasp.db"; + dnssec-policy "default"; + inline-signing yes; +}; + +/* + * A configured dnssec-policy but some keys already created. + */ +zone "some-keys.kasp" { + type primary; + file "some-keys.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; + +/* + * A configured dnssec-policy but some keys already in use. + */ +zone "legacy-keys.kasp" { + type primary; + file "legacy-keys.kasp.db"; + inline-signing yes; + dnssec-policy "migrate-to-dnssec-policy"; +}; + +/* + * A configured dnssec-policy with (too) many keys pregenerated. + */ +zone "pregenerated.kasp" { + type primary; + file "pregenerated.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; + +/* + * A configured dnssec-policy with one rumoured key. + * Bugfix case for GL #1593. + */ +zone "rumoured.kasp" { + type primary; + file "rumoured.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; + +/* RFC 8901 Multi-signer Model 2. */ +zone "multisigner-model2.kasp" { + type primary; + file "multisigner-model2.kasp.db"; + dnssec-policy "multisigner-model2"; + allow-update { any; }; +}; + +/* + * Different algorithms. + */ +zone "rsasha256.kasp" { + type primary; + file "rsasha256.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; +zone "rsasha512.kasp" { + type primary; + file "rsasha512.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha512"; +}; +zone "ecdsa256.kasp" { + type primary; + file "ecdsa256.kasp.db"; + inline-signing yes; + dnssec-policy "ecdsa256"; +}; +zone "ecdsa384.kasp" { + type primary; + file "ecdsa384.kasp.db"; + inline-signing yes; + dnssec-policy "ecdsa384"; +}; + +/* + * Zone with too high TTL. + */ +zone "max-zone-ttl.kasp" { + type primary; + file "max-zone-ttl.kasp.db"; + inline-signing yes; + dnssec-policy "ttl"; +}; + +/* + * Zone for testing GL #2375: Three is a crowd. + */ +zone "three-is-a-crowd.kasp" { + type primary; + file "three-is-a-crowd.kasp.db"; + inline-signing yes; + /* Use same policy as KSK rollover test zones. */ + dnssec-policy "ksk-doubleksk"; +}; + +/* + * Zones in different signing states. + */ + +/* + * Zone that has expired signatures. + */ +zone "expired-sigs.autosign" { + type primary; + file "expired-sigs.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zone that has valid, fresh signatures. + */ +zone "fresh-sigs.autosign" { + type primary; + file "fresh-sigs.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zone that has unfresh signatures. + */ +zone "unfresh-sigs.autosign" { + type primary; + file "unfresh-sigs.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zone that has missing private KSK. + */ +zone "ksk-missing.autosign" { + type primary; + file "ksk-missing.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zone that has missing private ZSK. + */ +zone "zsk-missing.autosign" { + type primary; + file "zsk-missing.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zone that has inactive ZSK. + */ +zone "zsk-retired.autosign" { + type primary; + file "zsk-retired.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zones for testing enabling DNSSEC. + */ +zone "step1.enable-dnssec.autosign" { + type primary; + file "step1.enable-dnssec.autosign.db"; + inline-signing yes; + dnssec-policy "enable-dnssec"; +}; +zone "step2.enable-dnssec.autosign" { + type primary; + file "step2.enable-dnssec.autosign.db"; + inline-signing yes; + dnssec-policy "enable-dnssec"; +}; +zone "step3.enable-dnssec.autosign" { + type primary; + file "step3.enable-dnssec.autosign.db"; + inline-signing yes; + dnssec-policy "enable-dnssec"; +}; +zone "step4.enable-dnssec.autosign" { + type primary; + file "step4.enable-dnssec.autosign.db"; + inline-signing yes; + dnssec-policy "enable-dnssec"; +}; + +/* + * Zones for testing ZSK Pre-Publication steps. + */ +zone "step1.zsk-prepub.autosign" { + type primary; + file "step1.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; +zone "step2.zsk-prepub.autosign" { + type primary; + file "step2.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; +zone "step3.zsk-prepub.autosign" { + type primary; + file "step3.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; +zone "step4.zsk-prepub.autosign" { + type primary; + file "step4.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; +zone "step5.zsk-prepub.autosign" { + type primary; + file "step5.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; +zone "step6.zsk-prepub.autosign" { + type primary; + file "step6.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; + +/* + * Zones for testing KSK Double-KSK steps. + */ +zone "step1.ksk-doubleksk.autosign" { + type primary; + file "step1.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; +zone "step2.ksk-doubleksk.autosign" { + type primary; + file "step2.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; +zone "step3.ksk-doubleksk.autosign" { + type primary; + file "step3.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; +zone "step4.ksk-doubleksk.autosign" { + type primary; + file "step4.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; +zone "step5.ksk-doubleksk.autosign" { + type primary; + file "step5.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; +zone "step6.ksk-doubleksk.autosign" { + type primary; + file "step6.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; + +/* + * Zones for testing CSK rollover steps. + */ +zone "step1.csk-roll.autosign" { + type primary; + file "step1.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step2.csk-roll.autosign" { + type primary; + file "step2.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step3.csk-roll.autosign" { + type primary; + file "step3.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step4.csk-roll.autosign" { + type primary; + file "step4.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step5.csk-roll.autosign" { + type primary; + file "step5.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step6.csk-roll.autosign" { + type primary; + file "step6.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step7.csk-roll.autosign" { + type primary; + file "step7.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step8.csk-roll.autosign" { + type primary; + file "step8.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; + +zone "step1.csk-roll2.autosign" { + type primary; + file "step1.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; +zone "step2.csk-roll2.autosign" { + type primary; + file "step2.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; +zone "step3.csk-roll2.autosign" { + type primary; + file "step3.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; +zone "step4.csk-roll2.autosign" { + type primary; + file "step4.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; +zone "step5.csk-roll2.autosign" { + type primary; + file "step5.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; +zone "step6.csk-roll2.autosign" { + type primary; + file "step6.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; +zone "step7.csk-roll2.autosign" { + type primary; + file "step7.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; |