summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/nsec3/ns3/named.conf.in
diff options
context:
space:
mode:
Diffstat (limited to 'bin/tests/system/nsec3/ns3/named.conf.in')
-rw-r--r--bin/tests/system/nsec3/ns3/named.conf.in162
1 files changed, 162 insertions, 0 deletions
diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in
new file mode 100644
index 0000000..4324f2d
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/named.conf.in
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+dnssec-policy "nsec" {
+ // no need to change configuration: if no 'nsec3param' is set,
+ // NSEC will be used;
+};
+
+dnssec-policy "nsec3" {
+ nsec3param;
+};
+
+dnssec-policy "optout" {
+ nsec3param optout yes;
+};
+
+dnssec-policy "nsec3-other" {
+ nsec3param iterations 11 optout yes salt-length 0;
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
+zone "nsec-to-nsec3.kasp" {
+ type primary;
+ file "nsec-to-nsec3.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec";
+};
+
+/* These zones use the default NSEC3 settings. */
+zone "nsec3.kasp" {
+ type primary;
+ file "nsec3.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+zone "nsec3-dynamic.kasp" {
+ type primary;
+ file "nsec3-dynamic.kasp.db";
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+/* This zone uses non-default NSEC3 settings. */
+zone "nsec3-other.kasp" {
+ type primary;
+ file "nsec3-other.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3-other";
+};
+
+/* These zones will be reconfigured to use other NSEC3 settings. */
+zone "nsec3-change.kasp" {
+ type primary;
+ file "nsec3-change.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+zone "nsec3-dynamic-change.kasp" {
+ type primary;
+ file "nsec3-dynamic-change.kasp.db";
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+/* The zone will be reconfigured to use opt-out. */
+zone "nsec3-to-optout.kasp" {
+ type primary;
+ file "nsec3-to-optout.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+/* The zone will be reconfigured to disable opt-out. */
+zone "nsec3-from-optout.kasp" {
+ type primary;
+ file "nsec3-from-optout.kasp.db";
+ inline-signing yes;
+ dnssec-policy "optout";
+};
+
+/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
+zone "nsec3-to-nsec.kasp" {
+ type primary;
+ file "nsec3-to-nsec.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+/* The zone fails to load, this should not prevent shutdown. */
+zone "nsec3-fails-to-load.kasp" {
+ type primary;
+ file "nsec3-fails-to-load.kasp.db";
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+/* These zones switch from dynamic to inline-signing or vice versa. */
+zone "nsec3-dynamic-to-inline.kasp" {
+ type primary;
+ file "nsec3-dynamic-to-inline.kasp.db";
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+zone "nsec3-inline-to-dynamic.kasp" {
+ type primary;
+ file "nsec3-inline-to-dynamic.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */
+zone "nsec3-dynamic-update-inline.kasp" {
+ type primary;
+ file "nsec3-dynamic-update-inline.kasp.db";
+ inline-signing yes;
+ allow-update { any; };
+ dnssec-policy "nsec";
+};
+
+zone "nsec3-xfr-inline.kasp" {
+ type secondary;
+ file "nsec3-xfr-inline.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec";
+ primaries { 10.53.0.2; };
+};