autosign.conf.in revision 1.1.1.3
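/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0.  If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

/*
 * dnssec-policy definitions (named.conf syntax) for six policies:
 * "autosign", "enable-dnssec", "zsk-prepub", "ksk-doubleksk", "csk-roll"
 * and "csk-roll2".
 *
 * This is a template: the @DEFAULT_ALGORITHM@ and
 * @DEFAULT_ALGORITHM_NUMBER@ tokens are placeholders and must be
 * substituted before named can parse the file (presumably when the .in
 * file is processed -- confirm against the build/test setup).
 *
 * Durations are deliberately left in the mixed notations the file uses
 * (ISO 8601 such as P1W/PT1H, TTL-style such as 1h/1d, and bare seconds
 * such as 300).
 *
 * NOTE(review): several lifetimes and safety margins here are short
 * (for example a P30D ZSK and a P60D KSK), which suggests the values
 * exercise key-rollover timing rather than recommend production
 * settings -- confirm before reusing them for a live zone.
 *
 * Option reference, as used below:
 *   signatures-refresh         regenerate an RRSIG once its remaining
 *                              validity drops below this interval
 *   signatures-validity        validity period of generated RRSIGs
 *   signatures-validity-dnskey validity period of RRSIGs covering the
 *                              DNSKEY RRset
 *   dnskey-ttl                 TTL of the DNSKEY RRset
 *   max-zone-ttl               largest TTL assumed to exist in the zone;
 *                              bounds how long old signatures may remain
 *                              in resolver caches
 *   zone-propagation-delay     time for a zone change to reach all
 *                              secondaries
 *   parent-ds-ttl              TTL of the DS RRset at the parent
 *   parent-propagation-delay   time for a DS change to reach all of the
 *                              parent's servers
 *   publish-safety             extra margin before a new key is used
 *   retire-safety              extra margin before an old key is removed
 *   purge-keys                 how long files of deleted keys are kept;
 *                              0 means they are never purged
 *
 * Underestimating max-zone-ttl, the propagation delays or the safety
 * margins lets a key be retired while validators still hold data that
 * depends on it, so those values need to match the deployed zone.
 */

/* Separate KSK (2 years) and ZSK (1 year); all other timings default. */
dnssec-policy "autosign" {

	signatures-refresh P1W;
	signatures-validity P2W;
	signatures-validity-dnskey P2W;

	dnskey-ttl 300;

	keys {
		ksk key-directory lifetime P2Y algorithm @DEFAULT_ALGORITHM@;
		zsk key-directory lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
	};
};

/*
 * Single CSK that is never rolled automatically (lifetime unlimited).
 * Unlike the other policies, the key line omits the key-directory
 * keyword and takes its algorithm from @DEFAULT_ALGORITHM_NUMBER@
 * (presumably the numeric form of the algorithm -- confirm).
 */
dnssec-policy "enable-dnssec" {

	signatures-refresh P1W;
	signatures-validity P2W;
	signatures-validity-dnskey P2W;

	dnskey-ttl 300;
	max-zone-ttl PT12H;
	zone-propagation-delay PT5M;
	retire-safety PT20M;
	publish-safety PT5M;

	parent-propagation-delay 1h;
	parent-ds-ttl 2h;

	keys {
		csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@;
	};
};

/* KSK/ZSK split with a short-lived ZSK (30 days). */
dnssec-policy "zsk-prepub" {

	signatures-refresh P1W;
	signatures-validity P2W;
	signatures-validity-dnskey P2W;

	dnskey-ttl 3600;
	publish-safety P1D;
	retire-safety P2D;
	purge-keys PT1H;

	keys {
		ksk key-directory lifetime P2Y algorithm @DEFAULT_ALGORITHM@;
		zsk key-directory lifetime P30D algorithm @DEFAULT_ALGORITHM@;
	};

	zone-propagation-delay PT1H;
	max-zone-ttl 1d;
};

/*
 * KSK/ZSK split with a short-lived KSK (60 days).  A KSK roll also
 * depends on the parent's DS RRset, hence the parent-* timings.
 */
dnssec-policy "ksk-doubleksk" {

	signatures-refresh P1W;
	signatures-validity P2W;
	signatures-validity-dnskey P2W;

	dnskey-ttl 2h;
	publish-safety P1D;
	retire-safety P2D;
	purge-keys PT1H;

	keys {
		ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
		zsk key-directory lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
	};

	zone-propagation-delay PT1H;
	max-zone-ttl 1d;

	parent-ds-ttl 3600;
	parent-propagation-delay PT1H;
};

/* Single CSK rolled every six months; 30-day signature validity. */
dnssec-policy "csk-roll" {

	signatures-refresh P5D;
	signatures-validity 30d;
	signatures-validity-dnskey 30d;

	dnskey-ttl 1h;
	publish-safety PT1H;
	retire-safety 2h;
	purge-keys PT1H;

	keys {
		csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
	};

	zone-propagation-delay 1h;
	max-zone-ttl P1D;

	parent-ds-ttl 1h;
	parent-propagation-delay 1h;
};

/*
 * Variant of "csk-roll" with one-day signature validity, key purging
 * disabled (purge-keys 0) and a one-week parent-propagation-delay,
 * far longer than any other delay in this file.
 */
dnssec-policy "csk-roll2" {

	signatures-refresh 12h;
	signatures-validity P1D;
	signatures-validity-dnskey P1D;

	dnskey-ttl 1h;
	publish-safety PT1H;
	retire-safety 1h;
	purge-keys 0;

	keys {
		csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
	};

	zone-propagation-delay PT1H;
	max-zone-ttl 1d;

	parent-ds-ttl PT1H;
	parent-propagation-delay P1W;
};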