/* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * * SPDX-License-Identifier: MPL-2.0 * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ // NS3 dnssec-policy "nsec" { // no need to change configuration: if no 'nsec3param' is set, // NSEC will be used; }; dnssec-policy "rsasha1" { keys { csk lifetime unlimited algorithm rsasha1; }; }; dnssec-policy "nsec3" { nsec3param; }; dnssec-policy "optout" { nsec3param optout yes; }; dnssec-policy "nsec3-other" { nsec3param iterations 11 optout yes salt-length 8; }; options { query-source address 10.53.0.3; notify-source 10.53.0.3; transfer-source 10.53.0.3; port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.3; }; listen-on-v6 { none; }; allow-transfer { any; }; recursion no; }; key rndc_key { secret "1234abcd8765"; algorithm @DEFAULT_HMAC@; }; controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; /* This zone starts with NSEC, but will be reconfigured to use NSEC3. */ zone "nsec-to-nsec3.kasp" { type primary; file "nsec-to-nsec3.kasp.db"; inline-signing yes; dnssec-policy "nsec"; }; /* * This zone starts with NSEC, but will be reconfigured to use NSEC3. * This should work despite the incompatible RSAHSHA1 algorithm, * because the DS is still in hidden state. */ zone "rsasha1-to-nsec3.kasp" { type primary; file "rsasha1-to-nsec3.kasp.db"; inline-signing yes; dnssec-policy "rsasha1"; }; /* * This zone starts with NSEC, but will be reconfigured to use NSEC3. * This should block because RSASHA1 is not compatible with NSEC3, * and the DS is published. */ zone "rsasha1-to-nsec3-wait.kasp" { type primary; file "rsasha1-to-nsec3-wait.kasp.db"; inline-signing yes; dnssec-policy "rsasha1"; }; /* * This zone starts with NSEC3, but will be reconfigured to use NSEC with an * NSEC only algorithm. This should work despite the incompatible RSAHSHA1 * algorithm, because the DS is still in hidden state. */ zone "nsec3-to-rsasha1.kasp" { type primary; file "nsec3-to-rsasha1.kasp.db"; inline-signing yes; dnssec-policy "nsec3"; }; /* * This zone starts with NSEC3, but will be reconfigured to use NSEC with an * NSEC only algorithm. This should also be fine because we are allowed * to change to NSEC with any algorithm, then we can also publish the new * DNSKEY and signatures of the RSASHA1 algorithm. */ zone "nsec3-to-rsasha1-ds.kasp" { type primary; file "nsec3-to-rsasha1-ds.kasp.db"; inline-signing yes; dnssec-policy "nsec3"; }; /* These zones use the default NSEC3 settings. */ zone "nsec3.kasp" { type primary; file "nsec3.kasp.db"; inline-signing yes; dnssec-policy "nsec3"; }; zone "nsec3-dynamic.kasp" { type primary; file "nsec3-dynamic.kasp.db"; dnssec-policy "nsec3"; allow-update { any; }; }; /* This zone uses non-default NSEC3 settings. */ zone "nsec3-other.kasp" { type primary; file "nsec3-other.kasp.db"; inline-signing yes; dnssec-policy "nsec3-other"; }; /* These zones will be reconfigured to use other NSEC3 settings. */ zone "nsec3-change.kasp" { type primary; file "nsec3-change.kasp.db"; inline-signing yes; dnssec-policy "nsec3"; }; zone "nsec3-dynamic-change.kasp" { type primary; file "nsec3-dynamic-change.kasp.db"; dnssec-policy "nsec3"; allow-update { any; }; }; /* The zone will be reconfigured to use opt-out. */ zone "nsec3-to-optout.kasp" { type primary; file "nsec3-to-optout.kasp.db"; inline-signing yes; dnssec-policy "nsec3"; }; /* The zone will be reconfigured to disable opt-out. */ zone "nsec3-from-optout.kasp" { type primary; file "nsec3-from-optout.kasp.db"; inline-signing yes; dnssec-policy "optout"; }; /* The zone starts with NSEC3, but will be reconfigured to use NSEC. */ zone "nsec3-to-nsec.kasp" { type primary; file "nsec3-to-nsec.kasp.db"; inline-signing yes; dnssec-policy "nsec3"; }; /* The zone fails to load, this should not prevent shutdown. */ zone "nsec3-fails-to-load.kasp" { type primary; file "nsec3-fails-to-load.kasp.db"; dnssec-policy "nsec3"; allow-update { any; }; }; /* These zones switch from dynamic to inline-signing or vice versa. */ zone "nsec3-dynamic-to-inline.kasp" { type primary; file "nsec3-dynamic-to-inline.kasp.db"; dnssec-policy "nsec3"; allow-update { any; }; }; zone "nsec3-inline-to-dynamic.kasp" { type primary; file "nsec3-inline-to-dynamic.kasp.db"; inline-signing yes; dnssec-policy "nsec3"; }; /* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */ zone "nsec3-dynamic-update-inline.kasp" { type primary; file "nsec3-dynamic-update-inline.kasp.db"; inline-signing yes; allow-update { any; }; dnssec-policy "nsec"; }; zone "nsec3-xfr-inline.kasp" { type secondary; file "nsec3-xfr-inline.kasp.db"; inline-signing yes; dnssec-policy "nsec"; primaries { 10.53.0.2; }; };