autosign.conf.in revision 1.1.1.1
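/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

/*
 * dnssec-policy definitions for named, kept in a ".in" template: the
 * @DEFAULT_ALGORITHM@ and @DEFAULT_ALGORITHM_NUMBER@ placeholders have to be
 * substituted before named can parse the file.
 *
 * Durations appear in three notations (ISO 8601 such as P1W or PT12H,
 * TTL-style such as 1h or 30d, and bare seconds such as 300). Every value
 * below is reproduced exactly as found.
 *
 * NOTE(review): the short key lifetimes and safety margins look chosen to
 * exercise key-rollover timing, not as production recommendations -- confirm
 * before copying a policy into a live zone.
 */

/*
 * "autosign": separate KSK (2 years) and ZSK (1 year), both kept in the
 * zone's key-directory. Signatures are valid for two weeks and are
 * regenerated once less than one week of validity remains.
 */
dnssec-policy "autosign" {

    signatures-refresh P1W;
    signatures-validity P2W;
    signatures-validity-dnskey P2W;

    dnskey-ttl 300;

    keys {
        ksk key-directory lifetime P2Y algorithm @DEFAULT_ALGORITHM@;
        zsk key-directory lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
    };
};

/*
 * "enable-dnssec": a single CSK that signs both the DNSKEY RRset and the
 * zone data. "lifetime unlimited" means no rollover is ever scheduled, so
 * replacing the key (for example after a suspected compromise) has to be
 * started by the operator. This is the only policy that selects the
 * algorithm through @DEFAULT_ALGORITHM_NUMBER@ and the only one whose key
 * line omits the key-directory keyword.
 */
dnssec-policy "enable-dnssec" {

    signatures-refresh P1W;
    signatures-validity P2W;
    signatures-validity-dnskey P2W;

    dnskey-ttl 300;
    max-zone-ttl PT12H;
    zone-propagation-delay PT5M;
    /*
     * Safety margins added on top of the computed rollover intervals. A
     * margin shorter than real cache and propagation times risks
     * validators seeing signatures from a key they have not yet fetched.
     */
    retire-safety PT20M;
    publish-safety PT5M;

    /* Parent-side timings: they govern when a DS change is assumed visible. */
    parent-propagation-delay 1h;
    parent-ds-ttl 2h;

    keys {
        csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@;
    };
};

/*
 * "zsk-prepub": long-lived KSK (2 years) with a ZSK replaced every 30 days.
 * The name suggests the pre-publication ZSK rollover method -- presumably
 * the case this policy is meant to drive; confirm against the zones that
 * reference it.
 */
dnssec-policy "zsk-prepub" {

    signatures-refresh P1W;
    signatures-validity P2W;
    signatures-validity-dnskey P2W;

    dnskey-ttl 3600;
    publish-safety P1D;
    retire-safety P2D;

    keys {
        ksk key-directory lifetime P2Y algorithm @DEFAULT_ALGORITHM@;
        zsk key-directory lifetime P30D algorithm @DEFAULT_ALGORITHM@;
    };

    zone-propagation-delay PT1H;
    max-zone-ttl 1d;
};

/*
 * "ksk-doubleksk": KSK replaced every 60 days, ZSK yearly. A KSK change
 * also needs the DS record at the parent to change, which is why this
 * policy sets the parent-side timings explicitly.
 */
dnssec-policy "ksk-doubleksk" {

    signatures-refresh P1W;
    signatures-validity P2W;
    signatures-validity-dnskey P2W;

    dnskey-ttl 2h;
    publish-safety P1D;
    retire-safety P2D;

    keys {
        ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
        zsk key-directory lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
    };

    zone-propagation-delay PT1H;
    max-zone-ttl 1d;

    parent-ds-ttl 3600;
    parent-propagation-delay PT1H;
};

/*
 * "csk-roll": single CSK replaced every six months. Signatures are valid
 * for 30 days and are regenerated once less than five days remain.
 */
dnssec-policy "csk-roll" {

    signatures-refresh P5D;
    signatures-validity 30d;
    signatures-validity-dnskey 30d;

    dnskey-ttl 1h;
    publish-safety PT1H;
    retire-safety 2h;

    keys {
        csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
    };

    zone-propagation-delay 1h;
    max-zone-ttl P1D;

    parent-ds-ttl 1h;
    parent-propagation-delay 1h;
};

/*
 * "csk-roll2": same six-month CSK as "csk-roll", but with one-day
 * signatures refreshed at the 12-hour mark and a one-week
 * parent-propagation-delay. The parent delay is far longer than every
 * other timing here, so the DS-related steps presumably dominate the
 * rollover schedule -- confirm against the test that uses this policy.
 */
dnssec-policy "csk-roll2" {

    signatures-refresh 12h;
    signatures-validity P1D;
    signatures-validity-dnskey P1D;

    dnskey-ttl 1h;
    publish-safety PT1H;
    retire-safety 1h;

    keys {
        csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
    };

    zone-propagation-delay PT1H;
    max-zone-ttl 1d;

    parent-ds-ttl PT1H;
    parent-propagation-delay P1W;
};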