autosign.conf.in revision 1.1.1.1
1/*
2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
7 *
8 * See the COPYRIGHT file distributed with this work for additional
9 * information regarding copyright ownership.
10 */
11
/*
 * Policy "autosign": separate KSK and ZSK, both kept in the zone's
 * key-directory.
 *
 * RRSIGs are issued for two weeks and regenerated once they are within one
 * week of expiry, so published signatures should normally have about a week
 * of validity left. That remaining validity is the time available to notice
 * and repair a stalled signer before validating resolvers see expired
 * signatures.
 *
 * Rollover-timing options that are not set here (max-zone-ttl, the
 * propagation delays, publish-safety/retire-safety) are not defined by this
 * policy and come from named's defaults.
 */
12dnssec-policy "autosign" {
13
14	signatures-refresh P1W;	/* re-sign when an RRSIG is within 1 week of expiring */
15	signatures-validity P2W;	/* RRSIG lifetime for ordinary RRsets */
16	signatures-validity-dnskey P2W;	/* RRSIG lifetime for the DNSKEY RRset */
17
18	dnskey-ttl 300;	/* bare number: TTL in seconds */
19
20	keys {
		/*
		 * @DEFAULT_ALGORITHM@ is a template placeholder; presumably it is
		 * substituted when this .in file is rendered. Confirm the rendered
		 * value is the algorithm you intend to sign with.
		 */
21		ksk key-directory lifetime P2Y algorithm @DEFAULT_ALGORITHM@;	/* KSK rolled every 2 years */
22		zsk key-directory lifetime P1Y algorithm @DEFAULT_ALGORITHM@;	/* ZSK rolled every year */
23	};
24};
25
/*
 * Policy "enable-dnssec": a single combined signing key (CSK) that is never
 * rolled automatically.
 *
 * The short timing values (5-minute propagation and publish margin,
 * 20-minute retire margin, 12-hour maximum zone TTL) control how quickly the
 * key and its signatures are treated as visible to resolvers. They are only
 * safe if the real zone TTLs and the secondaries' transfer latency stay
 * within them.
 */
26dnssec-policy "enable-dnssec" {
27
28	signatures-refresh P1W;	/* re-sign when an RRSIG is within 1 week of expiring */
29	signatures-validity P2W;	/* RRSIG lifetime for ordinary RRsets */
30	signatures-validity-dnskey P2W;	/* RRSIG lifetime for the DNSKEY RRset */
31
32	dnskey-ttl 300;	/* bare number: TTL in seconds */
33	max-zone-ttl PT12H;	/* assumed upper bound on record TTLs in the zone */
34	zone-propagation-delay PT5M;	/* time assumed for a change to reach all secondaries */
35	retire-safety PT20M;	/* extra margin before a retired key is withdrawn */
36	publish-safety PT5M;	/* extra margin before a newly published key is used */
37
38	parent-propagation-delay 1h;	/* time assumed for a DS change to appear in the parent */
39	parent-ds-ttl 2h;	/* TTL of the DS RRset in the parent zone */
40
41	keys {
		/*
		 * "lifetime unlimited": no scheduled rollover, so replacing this key
		 * (for example after a suspected compromise) is a manual operation.
		 * The algorithm is given through the numeric placeholder
		 * @DEFAULT_ALGORITHM_NUMBER@, presumably substituted when this .in
		 * file is rendered; confirm the rendered value.
		 */
42		csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@;
43	};
44};
45
/*
 * Policy "zsk-prepub": separate KSK and ZSK with a short, 30-day ZSK
 * lifetime. The name suggests it exercises a pre-publication ZSK rollover.
 *
 * Inputs to the rollover timing:
 *   - dnskey-ttl, zone-propagation-delay and publish-safety determine how
 *     long a successor key is published before it starts signing;
 *   - max-zone-ttl, zone-propagation-delay and retire-safety determine how
 *     long the outgoing key stays published after it stops signing.
 * If any of these understates the real TTLs or transfer latency, a key can
 * be withdrawn while caches still hold signatures made with it, and
 * validation of that cached data fails.
 */
46dnssec-policy "zsk-prepub" {
47
48	signatures-refresh P1W;	/* re-sign when an RRSIG is within 1 week of expiring */
49	signatures-validity P2W;	/* RRSIG lifetime for ordinary RRsets */
50	signatures-validity-dnskey P2W;	/* RRSIG lifetime for the DNSKEY RRset */
51
52	dnskey-ttl 3600;	/* bare number: TTL in seconds (1 hour) */
53	publish-safety P1D;	/* extra margin before a newly published key is used */
54	retire-safety P2D;	/* extra margin before a retired key is withdrawn */
55
56	keys {
		/*
		 * @DEFAULT_ALGORITHM@ is a template placeholder; presumably it is
		 * substituted when this .in file is rendered. Confirm the rendered
		 * value is the algorithm you intend to sign with.
		 */
57		ksk key-directory lifetime P2Y  algorithm @DEFAULT_ALGORITHM@;	/* KSK rolled every 2 years */
58		zsk key-directory lifetime P30D algorithm @DEFAULT_ALGORITHM@;	/* ZSK rolled every 30 days */
59	};
60
61	zone-propagation-delay PT1H;	/* time assumed for a change to reach all secondaries */
62	max-zone-ttl 1d;	/* assumed upper bound on record TTLs in the zone */
63};
64
/*
 * Policy "ksk-doubleksk": separate KSK and ZSK with a short, 60-day KSK
 * lifetime. The name suggests it exercises a Double-KSK rollover.
 *
 * A KSK rollover is only complete once the parent publishes the new DS
 * record. parent-propagation-delay and parent-ds-ttl tell named how long to
 * assume that takes and how long the old DS can remain in caches. If they
 * understate the parent's real behaviour, the old key risks being removed
 * before resolvers can build a chain of trust through the new one.
 */
65dnssec-policy "ksk-doubleksk" {
66
67	signatures-refresh P1W;	/* re-sign when an RRSIG is within 1 week of expiring */
68	signatures-validity P2W;	/* RRSIG lifetime for ordinary RRsets */
69	signatures-validity-dnskey P2W;	/* RRSIG lifetime for the DNSKEY RRset */
70
71	dnskey-ttl 2h;	/* TTL of the DNSKEY RRset */
72	publish-safety P1D;	/* extra margin before a newly published key is used */
73	retire-safety P2D;	/* extra margin before a retired key is withdrawn */
74
75	keys {
		/*
		 * @DEFAULT_ALGORITHM@ is a template placeholder; presumably it is
		 * substituted when this .in file is rendered. Confirm the rendered
		 * value is the algorithm you intend to sign with.
		 */
76		ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;	/* KSK rolled every 60 days */
77		zsk key-directory lifetime P1Y  algorithm @DEFAULT_ALGORITHM@;	/* ZSK rolled every year */
78	};
79
80	zone-propagation-delay PT1H;	/* time assumed for a change to reach all secondaries */
81	max-zone-ttl 1d;	/* assumed upper bound on record TTLs in the zone */
82
83	parent-ds-ttl 3600;	/* bare number: DS TTL in seconds (1 hour) */
84	parent-propagation-delay PT1H;	/* time assumed for a DS change to appear in the parent */
85};
86
/*
 * Policy "csk-roll": a single combined signing key (CSK) rolled every six
 * months.
 *
 * A CSK rollover involves both the zone side (DNSKEY and RRSIG propagation)
 * and the parent side (DS replacement), so both groups of delay options
 * below feed into the rollover timing. Durations here mix ISO 8601 (PT1H,
 * P1D) and TTL-style (1h, 30d) notation; both are accepted.
 *
 * Signatures last 30 days and are regenerated 5 days before expiry, so the
 * time available to notice and repair a stalled signer is about 5 days.
 */
87dnssec-policy "csk-roll" {
88
89	signatures-refresh P5D;	/* re-sign when an RRSIG is within 5 days of expiring */
90	signatures-validity 30d;	/* RRSIG lifetime for ordinary RRsets */
91	signatures-validity-dnskey 30d;	/* RRSIG lifetime for the DNSKEY RRset */
92
93	dnskey-ttl 1h;	/* TTL of the DNSKEY RRset */
94	publish-safety PT1H;	/* extra margin before a newly published key is used */
95	retire-safety 2h;	/* extra margin before a retired key is withdrawn */
96
97	keys {
		/*
		 * @DEFAULT_ALGORITHM@ is a template placeholder; presumably it is
		 * substituted when this .in file is rendered. Confirm the rendered
		 * value is the algorithm you intend to sign with.
		 */
98		csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;	/* CSK rolled every 6 months */
99	};
100
101	zone-propagation-delay 1h;	/* time assumed for a change to reach all secondaries */
102	max-zone-ttl P1D;	/* assumed upper bound on record TTLs in the zone */
103
104	parent-ds-ttl 1h;	/* TTL of the DS RRset in the parent zone */
105	parent-propagation-delay 1h;	/* time assumed for a DS change to appear in the parent */
106};
107
/*
 * Policy "csk-roll2": a single combined signing key (CSK) rolled every six
 * months, with very short signatures and a very slow parent.
 *
 * Two settings stand out:
 *   - Signatures are valid for one day and regenerated 12 hours before
 *     expiry. A signer that stalls for more than about half a day leaves
 *     expired RRSIGs in the zone, which validating resolvers treat as
 *     bogus. Monitoring of signature expiry matters with values this tight.
 *   - parent-propagation-delay is one week, far longer than every other
 *     delay in this policy. Presumably this models a parent that is slow to
 *     publish DS changes; it lengthens the DS-dependent part of each
 *     rollover.
 */
108dnssec-policy "csk-roll2" {
109
110	signatures-refresh 12h;	/* re-sign when an RRSIG is within 12 hours of expiring */
111	signatures-validity P1D;	/* RRSIG lifetime for ordinary RRsets */
112	signatures-validity-dnskey P1D;	/* RRSIG lifetime for the DNSKEY RRset */
113
114	dnskey-ttl 1h;	/* TTL of the DNSKEY RRset */
115	publish-safety PT1H;	/* extra margin before a newly published key is used */
116	retire-safety 1h;	/* extra margin before a retired key is withdrawn */
117
118	keys {
		/*
		 * @DEFAULT_ALGORITHM@ is a template placeholder; presumably it is
		 * substituted when this .in file is rendered. Confirm the rendered
		 * value is the algorithm you intend to sign with.
		 */
119		csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;	/* CSK rolled every 6 months */
120	};
121
122	zone-propagation-delay PT1H;	/* time assumed for a change to reach all secondaries */
123	max-zone-ttl 1d;	/* assumed upper bound on record TTLs in the zone */
124
125	parent-ds-ttl PT1H;	/* TTL of the DS RRset in the parent zone */
126	parent-propagation-delay P1W;	/* one week assumed for a DS change to appear in the parent */
127};
128