/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

// NS6: the named instance bound to 10.53.0.6 in this test setup.
// @PORT@, @CONTROLPORT@ and @DEFAULT_HMAC@ are placeholders that the test
// setup fills in before named reads this file.

// The dnssec-policy names referenced by the zones below ("default",
// "insecure", "ecdsa256", "csk-algoroll") come from these included files
// or from named's built-in policies; only "modified" is defined locally.
include "policies/kasp.conf";
include "policies/csk2.conf";

options {
	// All outbound traffic (queries, notifies, zone transfers) and the
	// listener are pinned to the single test address 10.53.0.6; IPv6 is off.
	query-source address 10.53.0.6;
	notify-source 10.53.0.6;
	transfer-source 10.53.0.6;
	port @PORT@;
	pid-file "named.pid";
	listen-on { 10.53.0.6; };
	listen-on-v6 { none; };
	// Zone transfers are wide open (no ACL, no TSIG) for the test rig; the
	// only exposure is the 10.53.0.6 listener configured above.
	allow-transfer { any; };
	// Authoritative-only server: no recursion, so validation is irrelevant.
	recursion no;
	dnssec-validation no;
};

// Fixed, short test secret for rndc; the HMAC algorithm is substituted in.
key rndc_key {
	secret "1234abcd8765";
	algorithm @DEFAULT_HMAC@;
};

controls {
	// rndc is accepted from any source address, but only when signed with
	// rndc_key.
	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};

/*
 * This zone switches from dynamic to inline-signing: it accepts
 * unauthenticated dynamic updates from anyone (test-only ACL) and is
 * signed under the "default" policy via inline-signing.
 */
zone "dynamic2inline.kasp" {
	type primary;
	file "dynamic2inline.kasp.db";
	allow-update { any; };
	inline-signing yes;
	dnssec-policy "default";
};

/*
 * Zones for testing going insecure.
 *
 * Each "stepN" zone represents one stage of the transition under the
 * "insecure" policy; the inline-signing variants and the dynamic-update
 * variants (allow-update { any; }, test-only) are exercised separately.
 */
zone "step1.going-insecure.kasp" {
	type primary;
	file "step1.going-insecure.kasp.db";
	inline-signing yes;
	dnssec-policy "insecure";
};

zone "step2.going-insecure.kasp" {
	type primary;
	file "step2.going-insecure.kasp.db";
	inline-signing yes;
	dnssec-policy "insecure";
};

zone "step1.going-insecure-dynamic.kasp" {
	type primary;
	file "step1.going-insecure-dynamic.kasp.db";
	dnssec-policy "insecure";
	allow-update { any; };
};

zone "step2.going-insecure-dynamic.kasp" {
	type primary;
	file "step2.going-insecure-dynamic.kasp.db";
	dnssec-policy "insecure";
	allow-update { any; };
};

// Goes straight to the built-in "none" policy (signing turned off) rather
// than through an "insecure" transition.
zone "step1.going-straight-to-none.kasp" {
	type primary;
	file "step1.going-straight-to-none.kasp.db";
	dnssec-policy "none";
};

/*
 * Zones for testing KSK/ZSK algorithm roll.
 *
 * Six stages of the same rollover, all under the "ecdsa256" policy with
 * inline-signing; the stage is encoded in the zone name and zone file.
 */
zone "step1.algorithm-roll.kasp" {
	type primary;
	file "step1.algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "ecdsa256";
};

zone "step2.algorithm-roll.kasp" {
	type primary;
	file "step2.algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "ecdsa256";
};

zone "step3.algorithm-roll.kasp" {
	type primary;
	file "step3.algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "ecdsa256";
};

zone "step4.algorithm-roll.kasp" {
	type primary;
	file "step4.algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "ecdsa256";
};

zone "step5.algorithm-roll.kasp" {
	type primary;
	file "step5.algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "ecdsa256";
};

zone "step6.algorithm-roll.kasp" {
	type primary;
	file "step6.algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "ecdsa256";
};

/*
 * Zones for testing CSK algorithm roll.
 *
 * Same six-stage layout as above, but with a single combined signing key
 * under the "csk-algoroll" policy.
 */
zone "step1.csk-algorithm-roll.kasp" {
	type primary;
	file "step1.csk-algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "csk-algoroll";
};

zone "step2.csk-algorithm-roll.kasp" {
	type primary;
	file "step2.csk-algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "csk-algoroll";
};

zone "step3.csk-algorithm-roll.kasp" {
	type primary;
	file "step3.csk-algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "csk-algoroll";
};

zone "step4.csk-algorithm-roll.kasp" {
	type primary;
	file "step4.csk-algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "csk-algoroll";
};

zone "step5.csk-algorithm-roll.kasp" {
	type primary;
	file "step5.csk-algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "csk-algoroll";
};

zone "step6.csk-algorithm-roll.kasp" {
	type primary;
	file "step6.csk-algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "csk-algoroll";
};

/*
 * Locally defined policy: one combined signing key (CSK), RSASHA256 with a
 * 2048-bit modulus, never scheduled for rollover ("lifetime unlimited").
 */
dnssec-policy "modified" {
	keys {
		csk lifetime unlimited algorithm rsasha256 2048;
	};
};

// Only zone using the local "modified" policy; inline-signed, no dynamic
// updates.
zone example {
	type primary;
	file "example.db";
	inline-signing yes;
	dnssec-policy modified;
};