/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

// NS9
//
// named.conf template for the ns9 test server. The @PORT@, @CONTROLPORT@
// and @DEFAULT_HMAC@ tokens are substituted by the test setup before the
// server is started. Every zone below is a signed primary with one or more
// parental agents, so that DS checking (checkds) can be exercised against
// parents that have the DS published, withdrawn, still published, missing,
// or that are misconfigured.

options {
	query-source address 10.53.0.9;
	notify-source 10.53.0.9;
	transfer-source 10.53.0.9;
	port @PORT@;
	pid-file "named.pid";
	listen-on { 10.53.0.9; };
	listen-on-v6 { none; };
	// Unrestricted zone transfers: acceptable here only because the server
	// is reachable solely on the isolated 10.53.0.0/24 test network.
	allow-transfer { any; };
	// Authoritative-only server; no recursion is offered to clients.
	// NOTE(review): dnssec-validation stays enabled, presumably so that the
	// lookups named performs on its own behalf are validated -- confirm.
	recursion no;
	dnssec-validation yes;
};

// rndc control key. The secret is a fixed test-fixture value shared with
// the test driver.
key rndc_key {
	secret "1234abcd8765";
	algorithm @DEFAULT_HMAC@;
};

// rndc control channel. allow { any; } is tolerable because the channel is
// bound to the test address only and every request must still be signed
// with rndc_key.
controls {
	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};

// Named parental-agent list for ns2 (10.53.0.2). Zones may refer to it by
// name instead of repeating the address and port.
parental-agents "ns2" port @PORT@ {
	10.53.0.2;
};

zone "." {
	type hint;
	file "../../_common/root.hint";
};

/*
 * Zone with parental agent configured, due for DS checking.
 * The parental agent (10.53.0.2) has the DS published.
 */
zone "dspublished.checkds" {
	type primary;
	file "dspublished.checkds.db";
	inline-signing yes;
	dnssec-policy "default";
	parental-agents { 10.53.0.2 port @PORT@; };
};

/*
 * Zone with parental agent configured, due for DS checking.
 * Same as above, but the agent is given as a reference to the
 * named parental-agents list "ns2" instead of an address.
 */
zone "reference.checkds" {
	type primary;
	file "reference.checkds.db";
	inline-signing yes;
	dnssec-policy "default";
	parental-agents { "ns2"; };
};

/*
 * Zone with parental agent configured, due for DS checking.
 * The parental agent does not have the DS yet, so the rollover
 * must not advance.
 */
zone "missing-dspublished.checkds" {
	type primary;
	file "missing-dspublished.checkds.db";
	inline-signing yes;
	dnssec-policy "default";
	parental-agents {
		10.53.0.5 port @PORT@; // missing
	};
};


/*
 * Zone with parental agent configured, due for DS checking.
 * In this case the parental agent server is badly configured.
 */
zone "bad-dspublished.checkds" {
	type primary;
	file "bad-dspublished.checkds.db";
	inline-signing yes;
	dnssec-policy "default";
	parental-agents {
		10.53.0.6 port @PORT@; // bad
	};
};

/*
 * Zone with multiple parental agents configured, due for DS checking.
 * All need to have the DS before the rollover may continue.
 */
zone "multiple-dspublished.checkds" {
	type primary;
	file "multiple-dspublished.checkds.db";
	inline-signing yes;
	dnssec-policy "default";
	parental-agents {
		10.53.0.2 port @PORT@;
		10.53.0.4 port @PORT@;
	};
};

/*
 * Zone with multiple parental agents configured, due for DS checking.
 * All need to have the DS before the rollover may continue.
 * In this case one server is still missing the DS.
 */
zone "incomplete-dspublished.checkds" {
	type primary;
	file "incomplete-dspublished.checkds.db";
	inline-signing yes;
	dnssec-policy "default";
	parental-agents {
		10.53.0.2 port @PORT@;
		10.53.0.4 port @PORT@;
		10.53.0.5 port @PORT@; // missing
	};
};


/*
 * Zone with multiple parental agents configured, due for DS checking.
 * All need to have the DS before the rollover may continue.
 * In this case one server is badly configured.
 */
zone "bad2-dspublished.checkds" {
	type primary;
	file "bad2-dspublished.checkds.db";
	inline-signing yes;
	dnssec-policy "default";
	parental-agents {
		10.53.0.2 port @PORT@;
		10.53.0.4 port @PORT@;
		10.53.0.6 port @PORT@; // bad
	};
};

/*
 * Zone with a resolver (10.53.0.3) configured as parental agent,
 * due for DS checking.
 */
zone "resolver-dspublished.checkds" {
	type primary;
	file "resolver-dspublished.checkds.db";
	inline-signing yes;
	dnssec-policy "default";
	parental-agents {
		10.53.0.3 port @PORT@;
	};
};

// TODO: Other test cases:
// - Test with bogus response
// - check with TSIG
// - check with TLS


/*
 * Zones that are going insecure (test DS withdrawn polling).
 * The parental agent (10.53.0.5) has already withdrawn the DS.
 */
zone "dswithdrawn.checkds" {
	type primary;
	file "dswithdrawn.checkds.db";
	inline-signing yes;
	dnssec-policy "insecure";
	parental-agents { 10.53.0.5 port @PORT@; };
};

/*
 * Going insecure, but the parental agent still publishes the DS,
 * so the transition must not advance.
 */
zone "missing-dswithdrawn.checkds" {
	type primary;
	file "missing-dswithdrawn.checkds.db";
	inline-signing yes;
	dnssec-policy "insecure";
	parental-agents {
		10.53.0.2 port @PORT@; // still published
	};
};

/*
 * Going insecure; the parental agent server is badly configured.
 */
zone "bad-dswithdrawn.checkds" {
	type primary;
	file "bad-dswithdrawn.checkds.db";
	inline-signing yes;
	dnssec-policy "insecure";
	parental-agents {
		10.53.0.6 port @PORT@; // bad
	};
};

/*
 * Going insecure with multiple parental agents; all of them must have
 * withdrawn the DS.
 */
zone "multiple-dswithdrawn.checkds" {
	type primary;
	file "multiple-dswithdrawn.checkds.db";
	inline-signing yes;
	dnssec-policy "insecure";
	parental-agents {
		10.53.0.5 port @PORT@;
		10.53.0.7 port @PORT@;
	};
};

/*
 * Going insecure with multiple parental agents; one of them still
 * publishes the DS.
 */
zone "incomplete-dswithdrawn.checkds" {
	type primary;
	file "incomplete-dswithdrawn.checkds.db";
	inline-signing yes;
	dnssec-policy "insecure";
	parental-agents {
		10.53.0.2 port @PORT@; // still published
		10.53.0.5 port @PORT@;
		10.53.0.7 port @PORT@;
	};
};

/*
 * Going insecure with multiple parental agents; one server is badly
 * configured.
 */
zone "bad2-dswithdrawn.checkds" {
	type primary;
	file "bad2-dswithdrawn.checkds.db";
	inline-signing yes;
	dnssec-policy "insecure";
	parental-agents {
		10.53.0.5 port @PORT@;
		10.53.0.7 port @PORT@;
		10.53.0.6 port @PORT@; // bad
	};
};

/*
 * Zone with a resolver (10.53.0.8) configured as parental agent, used
 * for the DS-withdrawn polling test.
 * NOTE(review): this zone keeps dnssec-policy "default" while every
 * other dswithdrawn zone above uses "insecure" -- confirm this is
 * intended.
 */
zone "resolver-dswithdrawn.checkds" {
	type primary;
	file "resolver-dswithdrawn.checkds.db";
	inline-signing yes;
	dnssec-policy "default";
	parental-agents {
		10.53.0.8 port @PORT@;
	};
};