autosign.conf.in revision 1.1.1.2
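/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

// dnssec-policy definitions for named, in template form.
//
// @DEFAULT_ALGORITHM@ and @DEFAULT_ALGORITHM_NUMBER@ are placeholders; the
// file cannot be parsed by named until they are substituted (presumably at
// build/configure time, as the ".in" suffix suggests -- confirm).
//
// Durations are written both in ISO 8601 form (P1W, PT12H) and in TTL form
// (1h, 1d, 300). The values below are kept exactly as authored.
//
// NOTE(review): the short key lifetimes and safety intervals look chosen to
// drive specific rollover scenarios, not as production guidance -- confirm
// before copying a policy into a live zone.

// Split KSK/ZSK policy. Only signature timing and the DNSKEY TTL are set;
// every other timing option is left to named's defaults.
dnssec-policy "autosign" {

	// RRSIGs are valid for two weeks and regenerated one week before expiry.
	signatures-refresh P1W;
	signatures-validity P2W;
	signatures-validity-dnskey P2W;

	dnskey-ttl 300;

	keys {
		ksk key-directory lifetime P2Y algorithm @DEFAULT_ALGORITHM@;
		zsk key-directory lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
	};
};

// Single combined signing key (CSK) that is never rolled automatically.
dnssec-policy "enable-dnssec" {

	signatures-refresh P1W;
	signatures-validity P2W;
	signatures-validity-dnskey P2W;

	dnskey-ttl 300;
	max-zone-ttl PT12H;
	zone-propagation-delay PT5M;
	retire-safety PT20M;
	publish-safety PT5M;

	// Operator-supplied estimates of the parent zone's behaviour.
	parent-propagation-delay 1h;
	parent-ds-ttl 2h;

	keys {
		// "lifetime unlimited": no scheduled rollover for this key.
		// This entry uses the numeric algorithm placeholder and has no
		// key-directory keyword, unlike the other policies in this file.
		csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@;
	};
};

// Split keys with a short-lived ZSK (30 days) next to a two-year KSK.
dnssec-policy "zsk-prepub" {

	signatures-refresh P1W;
	signatures-validity P2W;
	signatures-validity-dnskey P2W;

	dnskey-ttl 3600;
	publish-safety P1D;
	retire-safety P2D;
	purge-keys PT1H;

	keys {
		ksk key-directory lifetime P2Y algorithm @DEFAULT_ALGORITHM@;
		zsk key-directory lifetime P30D algorithm @DEFAULT_ALGORITHM@;
	};

	zone-propagation-delay PT1H;
	max-zone-ttl 1d;
};

// Split keys with a short-lived KSK (60 days) next to a one-year ZSK.
dnssec-policy "ksk-doubleksk" {

	signatures-refresh P1W;
	signatures-validity P2W;
	signatures-validity-dnskey P2W;

	dnskey-ttl 2h;
	publish-safety P1D;
	retire-safety P2D;
	purge-keys PT1H;

	keys {
		ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
		zsk key-directory lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
	};

	zone-propagation-delay PT1H;
	max-zone-ttl 1d;

	// A KSK roll depends on the DS record held by the parent zone. These two
	// values are estimates supplied by the operator; if they are shorter than
	// the parent's real DS TTL or publication delay, the old key can be
	// withdrawn while resolvers still hold a DS that refers to it.
	parent-ds-ttl 3600;
	parent-propagation-delay PT1H;
};

// Single CSK rolled every six months; 30-day signatures refreshed five days
// before expiry.
dnssec-policy "csk-roll" {

	signatures-refresh P5D;
	signatures-validity 30d;
	signatures-validity-dnskey 30d;

	dnskey-ttl 1h;
	publish-safety PT1H;
	retire-safety 2h;
	purge-keys PT1H;

	keys {
		csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
	};

	zone-propagation-delay 1h;
	max-zone-ttl P1D;

	parent-ds-ttl 1h;
	parent-propagation-delay 1h;
};

// Variant of "csk-roll": one-day signatures refreshed after 12 hours, and a
// parent-propagation-delay of one week, far longer than every other interval
// in this policy.
dnssec-policy "csk-roll2" {

	signatures-refresh 12h;
	signatures-validity P1D;
	signatures-validity-dnskey P1D;

	dnskey-ttl 1h;
	publish-safety PT1H;
	retire-safety 1h;
	// 0 disables purging: files of removed keys stay in the key directory.
	purge-keys 0;

	keys {
		csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
	};

	zone-propagation-delay PT1H;
	max-zone-ttl 1d;

	parent-ds-ttl PT1H;
	parent-propagation-delay P1W;
};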