/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

// NS9

/*
 * Authoritative-only server (recursion is off) that is primary for the
 * *.checkds zones below.  Each zone lists the parental agents that are
 * polled for its DS record.
 *
 * @PORT@ and @CONTROLPORT@ are template placeholders; presumably they are
 * substituted before named reads this file -- confirm against the harness.
 */

options {
	query-source address 10.53.0.9;
	notify-source 10.53.0.9;
	transfer-source 10.53.0.9;
	port @PORT@;
	pid-file "named.pid";
	/* Only the single IPv4 address 10.53.0.9 is served; IPv6 is disabled. */
	listen-on { 10.53.0.9; };
	listen-on-v6 { none; };
	/*
	 * Zone transfers are open to every client that can reach the
	 * listener.  A deployed primary would name its secondaries or
	 * require a TSIG key here instead of "any".
	 */
	allow-transfer { any; };
	recursion no;
};

/*
 * Shared secret for the control channel below.  It is short, fixed and
 * stored in the file itself, so it identifies this fixture rather than
 * protecting it; it must not be reused on a reachable server.
 */
key rndc_key {
	secret "1234abcd8765";
	algorithm hmac-sha256;
};

/*
 * "allow { any; }" puts no address restriction on the control channel,
 * which leaves the rndc_key HMAC as the only gate on rndc commands.
 */
controls {
	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};

/*
 * Named parental-agents list, used by reference from the zone
 * "reference.checkds".  The entry is address and port only: no key or
 * tls is attached, so the DS query to this agent carries no TSIG and
 * uses no TLS.
 */
parental-agents "ns2" port @PORT@ {
	10.53.0.2;
};

zone "." {
	type hint;
	file "../../common/root.hint";
};

/*
 * Zone with parental agent configured, due for DS checking.
 */
zone "dspublished.checkds" {
	type primary;
	file "dspublished.checkds.db";
	inline-signing yes;
	dnssec-policy "default";
	parental-agents { 10.53.0.2 port @PORT@; };
};

/*
 * Zone with parental agent configured, due for DS checking.
 * Same as above, but now with a reference to parental-agents.
 */
zone "reference.checkds" {
	type primary;
	file "reference.checkds.db";
	inline-signing yes;
	dnssec-policy "default";
	parental-agents { "ns2"; };
};

/*
 * Zone with parental agent configured, due for DS checking.
 * The parental agent does not have the DS yet.
 */
zone "missing-dspublished.checkds" {
	type primary;
	file "missing-dspublished.checkds.db";
	inline-signing yes;
	dnssec-policy "default";
	parental-agents {
		10.53.0.5 port @PORT@; // missing
	};
};


/*
 * Zone with parental agent configured, due for DS checking.
 * In this case, the server is badly configured.
 */
zone "bad-dspublished.checkds" {
	type primary;
	file "bad-dspublished.checkds.db";
	inline-signing yes;
	dnssec-policy "default";
	parental-agents {
		10.53.0.6 port @PORT@; // bad
	};
};

/*
 * Zone with multiple parental agents configured, due for DS checking.
 * All need to have the DS before the rollover may continue.
 */
zone "multiple-dspublished.checkds" {
	type primary;
	file "multiple-dspublished.checkds.db";
	inline-signing yes;
	dnssec-policy "default";
	parental-agents {
		10.53.0.2 port @PORT@;
		10.53.0.4 port @PORT@;
	};
};

/*
 * Zone with multiple parental agents configured, due for DS checking.
 * All need to have the DS before the rollover may continue.
 * In this case, one server is still missing the DS.
 */
zone "incomplete-dspublished.checkds" {
	type primary;
	file "incomplete-dspublished.checkds.db";
	inline-signing yes;
	dnssec-policy "default";
	parental-agents {
		10.53.0.2 port @PORT@;
		10.53.0.4 port @PORT@;
		10.53.0.5 port @PORT@; // missing
	};
};


/*
 * Zone with multiple parental agents configured, due for DS checking.
 * All need to have the DS before the rollover may continue.
 * In this case, one server is badly configured.
 */
zone "bad2-dspublished.checkds" {
	type primary;
	file "bad2-dspublished.checkds.db";
	inline-signing yes;
	dnssec-policy "default";
	parental-agents {
		10.53.0.2 port @PORT@;
		10.53.0.4 port @PORT@;
		10.53.0.6 port @PORT@; // bad
	};
};

// TODO: Other test cases:
// - Test with bogus response
// - check with TSIG
// - check with TLS
//
// NOTE(review): until the TSIG and TLS cases exist, every parental-agents
// entry in this file is address and port only, so nothing here exercises
// an authenticated or encrypted DS query.


/*
 * Zones that are going insecure (test DS withdrawn polling).
 * These mirror the cases above with dnssec-policy "insecure".  Judging by
 * the inline notes, 10.53.0.2 still publishes the DS and 10.53.0.6 is the
 * badly configured server; 10.53.0.5 and 10.53.0.7 presumably no longer
 * publish it -- confirm against the agents' own configuration.
 */
zone "dswithdrawn.checkds" {
	type primary;
	file "dswithdrawn.checkds.db";
	inline-signing yes;
	dnssec-policy "insecure";
	parental-agents { 10.53.0.5 port @PORT@; };
};

zone "missing-dswithdrawn.checkds" {
	type primary;
	file "missing-dswithdrawn.checkds.db";
	inline-signing yes;
	dnssec-policy "insecure";
	parental-agents {
		10.53.0.2 port @PORT@; // still published
	};
};

zone "bad-dswithdrawn.checkds" {
	type primary;
	file "bad-dswithdrawn.checkds.db";
	inline-signing yes;
	dnssec-policy "insecure";
	parental-agents {
		10.53.0.6 port @PORT@; // bad
	};
};

zone "multiple-dswithdrawn.checkds" {
	type primary;
	file "multiple-dswithdrawn.checkds.db";
	inline-signing yes;
	dnssec-policy "insecure";
	parental-agents {
		10.53.0.5 port @PORT@;
		10.53.0.7 port @PORT@;
	};
};

zone "incomplete-dswithdrawn.checkds" {
	type primary;
	file "incomplete-dswithdrawn.checkds.db";
	inline-signing yes;
	dnssec-policy "insecure";
	parental-agents {
		10.53.0.2 port @PORT@; // still published
		10.53.0.5 port @PORT@;
		10.53.0.7 port @PORT@;
	};
};

zone "bad2-dswithdrawn.checkds" {
	type primary;
	file "bad2-dswithdrawn.checkds.db";
	inline-signing yes;
	dnssec-policy "insecure";
	parental-agents {
		10.53.0.5 port @PORT@;
		10.53.0.7 port @PORT@;
		10.53.0.6 port @PORT@; // bad
	};
};