autosign.conf.in revision 1.1.1.2
1/*
2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
7 *
8 * See the COPYRIGHT file distributed with this work for additional
9 * information regarding copyright ownership.
10 */
11
/*
 * Policy "autosign": separate KSK and ZSK, both stored in the zone's
 * key-directory. Only signature timing, the DNSKEY TTL and the key set are
 * given here; every timing option not listed falls back to named's default.
 * NOTE(review): the @...@ tokens are placeholders, so this text is presumably
 * a template that is filled in before named parses it -- confirm.
 * NOTE(review): the short TTLs and delays across these policies look like
 * test-fixture values, not production guidance -- confirm before reuse.
 */
12dnssec-policy "autosign" {
13
14	signatures-refresh P1W; /* re-sign once an RRSIG is within 1 week of expiry */
15	signatures-validity P2W; /* RRSIGs over ordinary RRsets are valid for 2 weeks */
16	signatures-validity-dnskey P2W; /* same validity for RRSIGs over the DNSKEY RRset */
17
18	dnskey-ttl 300; /* bare number = seconds; TTL placed on the DNSKEY records */
19
20	keys {
21		ksk key-directory lifetime P2Y algorithm @DEFAULT_ALGORITHM@; /* key-signing key, rolled every 2 years */
22		zsk key-directory lifetime P1Y algorithm @DEFAULT_ALGORITHM@; /* zone-signing key, rolled every year */
23	};
24};
25
/*
 * Policy "enable-dnssec": a single combined signing key (CSK) that is never
 * rolled automatically, with short zone-side timings and explicit parent
 * timings. The policy name suggests it is applied to a zone that is being
 * switched from unsigned to signed -- presumably; verify against the zone
 * configuration that references it.
 */
26dnssec-policy "enable-dnssec" {
27
28	signatures-refresh P1W; /* re-sign once an RRSIG is within 1 week of expiry */
29	signatures-validity P2W; /* RRSIG validity for ordinary RRsets */
30	signatures-validity-dnskey P2W; /* RRSIG validity for the DNSKEY RRset */
31
32	dnskey-ttl 300; /* seconds */
33	max-zone-ttl PT12H; /* largest record TTL assumed when waiting for caches to expire old data */
34	zone-propagation-delay PT5M; /* time allowed for a zone change to reach all secondaries */
35	retire-safety PT20M; /* extra margin added before a retired key is removed */
36	publish-safety PT5M; /* extra margin added before a newly published key is used */
37
38	parent-propagation-delay 1h; /* time allowed for a DS change to reach the parent's servers */
39	parent-ds-ttl 2h; /* TTL of the DS RRset in the parent zone */
40
41	keys {
		/*
		 * "lifetime unlimited" means no scheduled rollover: this key stays
		 * in use until an operator replaces it. Unlike the other policies
		 * in this file, the line has no key-directory keyword and uses the
		 * @DEFAULT_ALGORITHM_NUMBER@ placeholder (the algorithm option
		 * takes either a mnemonic or a number).
		 */
42		csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@;
43	};
44};
45
/*
 * Policy "zsk-prepub": KSK/ZSK split in which the ZSK has a short 30-day
 * lifetime, so the ZSK is the key that rolls. The name suggests it exercises
 * ZSK pre-publication rollover -- presumably; confirm against whatever
 * consumes this policy. No parent-* options are set, so DS timing uses
 * named's defaults.
 */
46dnssec-policy "zsk-prepub" {
47
48	signatures-refresh P1W; /* re-sign once an RRSIG is within 1 week of expiry */
49	signatures-validity P2W; /* RRSIG validity for ordinary RRsets */
50	signatures-validity-dnskey P2W; /* RRSIG validity for the DNSKEY RRset */
51
52	dnskey-ttl 3600; /* seconds (1 hour) */
53	publish-safety P1D; /* a new key is published at least this long, plus propagation, before it signs */
54	retire-safety P2D; /* an old key stays published this long after its signatures should be gone */
55	purge-keys PT1H; /* key files of deleted keys are removed from disk after 1 hour;
			   * so short a window leaves little time to inspect or recover them */
56
57	keys {
58		ksk key-directory lifetime P2Y  algorithm @DEFAULT_ALGORITHM@; /* KSK: 2 years */
59		zsk key-directory lifetime P30D algorithm @DEFAULT_ALGORITHM@; /* ZSK: 30 days */
60	};
61
62	zone-propagation-delay PT1H; /* time allowed for a zone change to reach all secondaries */
63	max-zone-ttl 1d; /* largest record TTL assumed when timing the removal of old signatures */
64};
65
/*
 * Policy "ksk-doubleksk": KSK/ZSK split in which the KSK has the short
 * lifetime (60 days) and the ZSK lasts a year, so the KSK is the key that
 * rolls. The name suggests it exercises a Double-KSK rollover -- presumably;
 * confirm against whatever consumes this policy.
 * A KSK rollover also depends on the DS record at the parent; the two
 * parent-* options below only describe the parent's timing, they do not
 * submit or verify the DS.
 */
66dnssec-policy "ksk-doubleksk" {
67
68	signatures-refresh P1W; /* re-sign once an RRSIG is within 1 week of expiry */
69	signatures-validity P2W; /* RRSIG validity for ordinary RRsets */
70	signatures-validity-dnskey P2W; /* RRSIG validity for the DNSKEY RRset */
71
72	dnskey-ttl 2h; /* TTL on the DNSKEY records */
73	publish-safety P1D; /* margin before a newly published key is relied on */
74	retire-safety P2D; /* margin before a retired key is removed */
75	purge-keys PT1H; /* key files of deleted keys are removed from disk after 1 hour */
76
77	keys {
78		ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@; /* KSK: 60 days */
79		zsk key-directory lifetime P1Y  algorithm @DEFAULT_ALGORITHM@; /* ZSK: 1 year */
80	};
81
82	zone-propagation-delay PT1H; /* time allowed for a zone change to reach all secondaries */
83	max-zone-ttl 1d; /* largest record TTL assumed when timing rollover steps */
84
85	parent-ds-ttl 3600; /* bare number = seconds; TTL of the DS RRset at the parent */
86	parent-propagation-delay PT1H; /* time allowed for a DS change to reach the parent's servers */
87};
88
/*
 * Policy "csk-roll": one combined signing key (CSK) with a 6-month lifetime,
 * 30-day signatures and one-hour delays on both the zone and parent side.
 * Because a CSK acts as both KSK and ZSK, its rollover involves the DNSKEY
 * and signature timings as well as the parent DS timings set below.
 * Durations in this block mix ISO 8601 (P5D, PT1H) and TTL-style (30d, 1h)
 * notation; both forms appear throughout this file.
 */
89dnssec-policy "csk-roll" {
90
91	signatures-refresh P5D; /* re-sign once an RRSIG is within 5 days of expiry */
92	signatures-validity 30d; /* RRSIG validity for ordinary RRsets */
93	signatures-validity-dnskey 30d; /* RRSIG validity for the DNSKEY RRset */
94
95	dnskey-ttl 1h; /* TTL on the DNSKEY records */
96	publish-safety PT1H; /* margin before a newly published key is relied on */
97	retire-safety 2h; /* margin before a retired key is removed */
98	purge-keys PT1H; /* key files of deleted keys are removed from disk after 1 hour */
99
100	keys {
101		csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@; /* CSK: 6 months */
102	};
103
104	zone-propagation-delay 1h; /* time allowed for a zone change to reach all secondaries */
105	max-zone-ttl P1D; /* largest record TTL assumed when timing rollover steps */
106
107	parent-ds-ttl 1h; /* TTL of the DS RRset at the parent */
108	parent-propagation-delay 1h; /* time allowed for a DS change to reach the parent's servers */
109};
110
/*
 * Policy "csk-roll2": same key set as "csk-roll" (one CSK, 6-month lifetime)
 * but with one-day signatures, key purging switched off and a one-week
 * parent propagation delay, which lengthens the DS phase of a rollover
 * compared with the one-hour value in "csk-roll".
 */
111dnssec-policy "csk-roll2" {
112
113	signatures-refresh 12h; /* re-sign once an RRSIG is within 12 hours of expiry */
114	signatures-validity P1D; /* RRSIGs last only 1 day: if signing stops for roughly
				   * 12 hours or more, signatures start to expire and
				   * validating resolvers will reject the zone's answers */
115	signatures-validity-dnskey P1D; /* same 1-day validity for the DNSKEY RRset */
116
117	dnskey-ttl 1h; /* TTL on the DNSKEY records */
118	publish-safety PT1H; /* margin before a newly published key is relied on */
119	retire-safety 1h; /* margin before a retired key is removed */
120	purge-keys 0; /* 0 disables purging: files of deleted keys stay on disk,
			* so retired private keys remain in the key directory */
121
122	keys {
123		csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@; /* CSK: 6 months */
124	};
125
126	zone-propagation-delay PT1H; /* time allowed for a zone change to reach all secondaries */
127	max-zone-ttl 1d; /* largest record TTL assumed when timing rollover steps */
128
129	parent-ds-ttl PT1H; /* TTL of the DS RRset at the parent */
130	parent-propagation-delay P1W; /* a DS change is assumed to take up to 1 week to reach the parent's servers */
131};
132