From 3b9b6d0b8e7f798023c9d109c490449d528fde80 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 17:59:48 +0200
Subject: Adding upstream version 1:9.18.19.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 bin/tests/system/kasp/ns3/named-fips.conf.in | 520 +++++++++++++++++++++++++++
 1 file changed, 520 insertions(+)
 create mode 100644 bin/tests/system/kasp/ns3/named-fips.conf.in

(limited to 'bin/tests/system/kasp/ns3/named-fips.conf.in')

diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in
new file mode 100644
index 0000000..a6e8b3a
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/named-fips.conf.in
@@ -0,0 +1,520 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+include "policies/kasp.conf";
+include "policies/autosign.conf";
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+	dnssec-policy "rsasha256";
+	dnssec-validation no;
+};
+
+key rndc_key {
+        secret "1234abcd8765";
+        algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+        inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* Zones that are getting initially signed */
+
+/* The default case: No keys created, using default policy. */
+zone "default.kasp" {
+	type primary;
+	file "default.kasp.db";
+	inline-signing yes;
+	dnssec-policy "default";
+};
+
+/* checkds: Zone with one KSK. */
+zone "checkds-ksk.kasp" {
+	type primary;
+	file "checkds-ksk.kasp.db";
+	inline-signing yes;
+	dnssec-policy "checkds-ksk";
+};
+
+/* checkds: Zone with two KSKs. */
+zone "checkds-doubleksk.kasp" {
+	type primary;
+	file "checkds-doubleksk.kasp.db";
+	inline-signing yes;
+	dnssec-policy "checkds-doubleksk";
+};
+
+/* checkds: Zone with one CSK. */
+zone "checkds-csk.kasp" {
+	type primary;
+	file "checkds-csk.kasp.db";
+	inline-signing yes;
+	dnssec-policy "checkds-csk";
+};
+
+/* Key lifetime unlimited. */
+zone "unlimited.kasp" {
+	type primary;
+	file "unlimited.kasp.db";
+	inline-signing yes;
+	dnssec-policy "unlimited";
+};
+
+/* Manual rollover. */
+zone "manual-rollover.kasp" {
+	type primary;
+	file "manual-rollover.kasp.db";
+	inline-signing yes;
+	dnssec-policy "manual-rollover";
+};
+
+/* A zone that inherits dnssec-policy. */
+zone "inherit.kasp" {
+	type primary;
+	inline-signing yes;
+	file "inherit.kasp.db";
+};
+
+/* A zone that overrides dnssec-policy. */
+zone "unsigned.kasp" {
+	type primary;
+	file "unsigned.kasp.db";
+	inline-signing yes;
+	dnssec-policy "none";
+};
+
+/* A zone that is initially set to insecure. */
+zone "insecure.kasp" {
+	type primary;
+	file "insecure.kasp.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+};
+
+/* A primary zone with dnssec-policy but keys already created. */
+zone "dnssec-keygen.kasp" {
+	type primary;
+	file "dnssec-keygen.kasp.db";
+	inline-signing yes;
+	dnssec-policy "rsasha256";
+};
+
+/* A secondary zone with dnssec-policy. */
+zone "secondary.kasp" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	file "secondary.kasp.db";
+	inline-signing yes;
+	dnssec-policy "rsasha256";
+};
+
+/* A dynamic zone with dnssec-policy. */
+zone "dynamic.kasp" {
+	type primary;
+	file "dynamic.kasp.db";
+	dnssec-policy "default";
+	allow-update { any; };
+};
+
+/* A dynamic inline-signed zone with dnssec-policy. */
+zone "dynamic-inline-signing.kasp" {
+	type primary;
+	file "dynamic-inline-signing.kasp.db";
+	dnssec-policy "default";
+	allow-update { any; };
+	inline-signing yes;
+};
+
+/* An inline-signed zone with dnssec-policy. */
+zone "inline-signing.kasp" {
+	type primary;
+	file "inline-signing.kasp.db";
+	dnssec-policy "default";
+	inline-signing yes;
+};
+
+/*
+ * A configured dnssec-policy but some keys already created.
+ */
+zone "some-keys.kasp" {
+	type primary;
+	file "some-keys.kasp.db";
+	inline-signing yes;
+	dnssec-policy "rsasha256";
+};
+
+/*
+ * A configured dnssec-policy but some keys already in use.
+ */
+zone "legacy-keys.kasp" {
+	type primary;
+	file "legacy-keys.kasp.db";
+	inline-signing yes;
+	dnssec-policy "migrate-to-dnssec-policy";
+};
+
+/*
+ * A configured dnssec-policy with (too) many keys pregenerated.
+ */
+zone "pregenerated.kasp" {
+	type primary;
+	file "pregenerated.kasp.db";
+	inline-signing yes;
+	dnssec-policy "rsasha256";
+};
+
+/*
+ * A configured dnssec-policy with one rumoured key.
+ * Bugfix case for GL #1593.
+ */
+zone "rumoured.kasp" {
+	type primary;
+	file "rumoured.kasp.db";
+	inline-signing yes;
+	dnssec-policy "rsasha256";
+};
+
+/* RFC 8901 Multi-signer Model 2. */
+zone "multisigner-model2.kasp" {
+	type primary;
+	file "multisigner-model2.kasp.db";
+	dnssec-policy "multisigner-model2";
+	allow-update { any; };
+};
+
+/*
+ * Different algorithms.
+ */
+zone "rsasha256.kasp" {
+	type primary;
+	file "rsasha256.kasp.db";
+	inline-signing yes;
+	dnssec-policy "rsasha256";
+};
+zone "rsasha512.kasp" {
+	type primary;
+	file "rsasha512.kasp.db";
+	inline-signing yes;
+	dnssec-policy "rsasha512";
+};
+zone "ecdsa256.kasp" {
+	type primary;
+	file "ecdsa256.kasp.db";
+	inline-signing yes;
+	dnssec-policy "ecdsa256";
+};
+zone "ecdsa384.kasp" {
+	type primary;
+	file "ecdsa384.kasp.db";
+	inline-signing yes;
+	dnssec-policy "ecdsa384";
+};
+
+/*
+ * Zone with too high TTL.
+ */
+zone "max-zone-ttl.kasp" {
+	type primary;
+	file "max-zone-ttl.kasp.db";
+	inline-signing yes;
+	dnssec-policy "ttl";
+};
+
+/*
+ * Zone for testing GL #2375: Three is a crowd.
+ */
+zone "three-is-a-crowd.kasp" {
+	type primary;
+	file "three-is-a-crowd.kasp.db";
+	inline-signing yes;
+	/* Use same policy as KSK rollover test zones. */
+	dnssec-policy "ksk-doubleksk";
+};
+
+/*
+ * Zones in different signing states.
+ */
+
+/*
+ * Zone that has expired signatures.
+ */
+zone "expired-sigs.autosign" {
+	type primary;
+	file "expired-sigs.autosign.db";
+	inline-signing yes;
+	dnssec-policy "autosign";
+};
+
+/*
+ * Zone that has valid, fresh signatures.
+ */
+zone "fresh-sigs.autosign" {
+	type primary;
+	file "fresh-sigs.autosign.db";
+	inline-signing yes;
+	dnssec-policy "autosign";
+};
+
+/*
+ * Zone that has unfresh signatures.
+ */
+zone "unfresh-sigs.autosign" {
+	type primary;
+	file "unfresh-sigs.autosign.db";
+	inline-signing yes;
+	dnssec-policy "autosign";
+};
+
+/*
+ * Zone that has missing private KSK.
+ */
+zone "ksk-missing.autosign" {
+	type primary;
+	file "ksk-missing.autosign.db";
+	inline-signing yes;
+	dnssec-policy "autosign";
+};
+
+/*
+ * Zone that has missing private ZSK.
+ */
+zone "zsk-missing.autosign" {
+	type primary;
+	file "zsk-missing.autosign.db";
+	inline-signing yes;
+	dnssec-policy "autosign";
+};
+
+/*
+ * Zone that has inactive ZSK.
+ */
+zone "zsk-retired.autosign" {
+	type primary;
+	file "zsk-retired.autosign.db";
+	inline-signing yes;
+	dnssec-policy "autosign";
+};
+
+/*
+ * Zones for testing enabling DNSSEC.
+ */
+zone "step1.enable-dnssec.autosign" {
+	type primary;
+	file "step1.enable-dnssec.autosign.db";
+	inline-signing yes;
+	dnssec-policy "enable-dnssec";
+};
+zone "step2.enable-dnssec.autosign" {
+	type primary;
+	file "step2.enable-dnssec.autosign.db";
+	inline-signing yes;
+	dnssec-policy "enable-dnssec";
+};
+zone "step3.enable-dnssec.autosign" {
+	type primary;
+	file "step3.enable-dnssec.autosign.db";
+	inline-signing yes;
+	dnssec-policy "enable-dnssec";
+};
+zone "step4.enable-dnssec.autosign" {
+	type primary;
+	file "step4.enable-dnssec.autosign.db";
+	inline-signing yes;
+	dnssec-policy "enable-dnssec";
+};
+
+/*
+ * Zones for testing ZSK Pre-Publication steps.
+ */
+zone "step1.zsk-prepub.autosign" {
+	type primary;
+	file "step1.zsk-prepub.autosign.db";
+	inline-signing yes;
+	dnssec-policy "zsk-prepub";
+};
+zone "step2.zsk-prepub.autosign" {
+	type primary;
+	file "step2.zsk-prepub.autosign.db";
+	inline-signing yes;
+	dnssec-policy "zsk-prepub";
+};
+zone "step3.zsk-prepub.autosign" {
+	type primary;
+	file "step3.zsk-prepub.autosign.db";
+	inline-signing yes;
+	dnssec-policy "zsk-prepub";
+};
+zone "step4.zsk-prepub.autosign" {
+	type primary;
+	file "step4.zsk-prepub.autosign.db";
+	inline-signing yes;
+	dnssec-policy "zsk-prepub";
+};
+zone "step5.zsk-prepub.autosign" {
+	type primary;
+	file "step5.zsk-prepub.autosign.db";
+	inline-signing yes;
+	dnssec-policy "zsk-prepub";
+};
+zone "step6.zsk-prepub.autosign" {
+	type primary;
+	file "step6.zsk-prepub.autosign.db";
+	inline-signing yes;
+	dnssec-policy "zsk-prepub";
+};
+
+/*
+ * Zones for testing KSK Double-KSK steps.
+ */
+zone "step1.ksk-doubleksk.autosign" {
+	type primary;
+	file "step1.ksk-doubleksk.autosign.db";
+	inline-signing yes;
+	dnssec-policy "ksk-doubleksk";
+};
+zone "step2.ksk-doubleksk.autosign" {
+	type primary;
+	file "step2.ksk-doubleksk.autosign.db";
+	inline-signing yes;
+	dnssec-policy "ksk-doubleksk";
+};
+zone "step3.ksk-doubleksk.autosign" {
+	type primary;
+	file "step3.ksk-doubleksk.autosign.db";
+	inline-signing yes;
+	dnssec-policy "ksk-doubleksk";
+};
+zone "step4.ksk-doubleksk.autosign" {
+	type primary;
+	file "step4.ksk-doubleksk.autosign.db";
+	inline-signing yes;
+	dnssec-policy "ksk-doubleksk";
+};
+zone "step5.ksk-doubleksk.autosign" {
+	type primary;
+	file "step5.ksk-doubleksk.autosign.db";
+	inline-signing yes;
+	dnssec-policy "ksk-doubleksk";
+};
+zone "step6.ksk-doubleksk.autosign" {
+	type primary;
+	file "step6.ksk-doubleksk.autosign.db";
+	inline-signing yes;
+	dnssec-policy "ksk-doubleksk";
+};
+
+/*
+ * Zones for testing CSK rollover steps.
+ */
+zone "step1.csk-roll.autosign" {
+	type primary;
+	file "step1.csk-roll.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll";
+};
+zone "step2.csk-roll.autosign" {
+	type primary;
+	file "step2.csk-roll.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll";
+};
+zone "step3.csk-roll.autosign" {
+	type primary;
+	file "step3.csk-roll.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll";
+};
+zone "step4.csk-roll.autosign" {
+	type primary;
+	file "step4.csk-roll.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll";
+};
+zone "step5.csk-roll.autosign" {
+	type primary;
+	file "step5.csk-roll.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll";
+};
+zone "step6.csk-roll.autosign" {
+	type primary;
+	file "step6.csk-roll.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll";
+};
+zone "step7.csk-roll.autosign" {
+	type primary;
+	file "step7.csk-roll.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll";
+};
+zone "step8.csk-roll.autosign" {
+	type primary;
+	file "step8.csk-roll.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll";
+};
+
+zone "step1.csk-roll2.autosign" {
+	type primary;
+	file "step1.csk-roll2.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll2";
+};
+zone "step2.csk-roll2.autosign" {
+	type primary;
+	file "step2.csk-roll2.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll2";
+};
+zone "step3.csk-roll2.autosign" {
+	type primary;
+	file "step3.csk-roll2.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll2";
+};
+zone "step4.csk-roll2.autosign" {
+	type primary;
+	file "step4.csk-roll2.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll2";
+};
+zone "step5.csk-roll2.autosign" {
+	type primary;
+	file "step5.csk-roll2.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll2";
+};
+zone "step6.csk-roll2.autosign" {
+	type primary;
+	file "step6.csk-roll2.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll2";
+};
+zone "step7.csk-roll2.autosign" {
+	type primary;
+	file "step7.csk-roll2.autosign.db";
+	inline-signing yes;
+	dnssec-policy "csk-roll2";
+};
-- 
cgit v1.2.3