xref: /netbsd-src/external/mpl/bind/dist/bin/tests/system/checkds/ns9/named.conf.in (revision fb5eed702691094bd687fbf1ded189c87457cd35)

// NS9: name server instance bound to 10.53.0.9 (checkds system test).

options {
	// Outbound queries, NOTIFY messages and zone transfers all leave from
	// the same address this instance listens on.
	query-source address 10.53.0.9;
	notify-source 10.53.0.9;
	transfer-source 10.53.0.9;
	// @PORT@ is a template placeholder (this is a .in file); presumably
	// substituted by the test harness before named is started.
	port @PORT@;
	pid-file "named.pid";
	// IPv4 only, one address.
	listen-on { 10.53.0.9; };
	listen-on-v6 { none; };
	// No transfer ACL: any client that can reach the listener may AXFR
	// every zone served here. Outside a closed test network this is
	// normally narrowed to named secondaries or a TSIG key.
	allow-transfer { any; };
	// Authoritative-only instance; no recursive service.
	recursion no;
};

// Shared secret that authenticates rndc on the control channel declared
// in the controls statement of this file. The value is a fixed string
// committed with the test tree, so it provides no secrecy; a deployed
// server would use a generated key (e.g. from rndc-confgen) stored
// outside version control.
key rndc_key {
	secret "1234abcd8765";
	algorithm hmac-sha256;
};

// rndc control channel on the instance address. allow { any; } places no
// restriction on the client source address, so access control rests
// solely on possession of rndc_key.
controls {
	inet 10.53.0.9 port @CONTROLPORT@
		allow { any; }
		keys { rndc_key; };
};

// Named parental-agents list: zones can refer to it as "ns2" instead of
// repeating the address and port.
parental-agents "ns2" port @PORT@ { 10.53.0.2; };

// Root hints, read from the common directory of the test tree.
zone "." {
	type hint;
	file "../../common/root.hint";
};

/*
 * Parental agent configured; the zone is due for DS checking.
 * The agent entry carries no key or tls setting, so as configured here
 * the DS lookup is a plain DNS query to 10.53.0.2.
 */
zone "dspublished.checkds" {
	type primary;
	file "dspublished.checkds.db";
	dnssec-policy "default";
	parental-agents {
		10.53.0.2 port @PORT@;
	};
};

/*
 * Parental agent configured; the zone is due for DS checking.
 * Identical to dspublished.checkds, except that the agent is given by
 * reference to the named parental-agents list "ns2".
 */
zone "reference.checkds" {
	type primary;
	file "reference.checkds.db";
	dnssec-policy "default";
	parental-agents {
		"ns2";
	};
};

/*
 * Parental agent configured; the zone is due for DS checking.
 * The parental agent has not published the DS yet.
 */
zone "missing-dspublished.checkds" {
	type primary;
	file "missing-dspublished.checkds.db";
	dnssec-policy "default";
	parental-agents { 10.53.0.5 port @PORT@; }; // DS missing on this agent
};


/*
 * Parental agent configured; the zone is due for DS checking.
 * In this case the parental agent is a badly configured server.
 */
zone "bad-dspublished.checkds" {
	type primary;
	file "bad-dspublished.checkds.db";
	dnssec-policy "default";
	parental-agents { 10.53.0.6 port @PORT@; }; // badly configured agent
};

/*
 * Several parental agents configured; the zone is due for DS checking.
 * Every agent must have the DS before the rollover may continue.
 */
zone "multiple-dspublished.checkds" {
	type primary;
	file "multiple-dspublished.checkds.db";
	dnssec-policy "default";
	parental-agents { 10.53.0.2 port @PORT@; 10.53.0.4 port @PORT@; };
};

/*
 * Several parental agents configured; the zone is due for DS checking.
 * Every agent must have the DS before the rollover may continue.
 * In this case one of the agents is still missing the DS.
 */
zone "incomplete-dspublished.checkds" {
	type primary;
	file "incomplete-dspublished.checkds.db";
	dnssec-policy "default";
	parental-agents {
		10.53.0.2 port @PORT@;
		10.53.0.4 port @PORT@;
		// The agent below is the one missing the DS.
		10.53.0.5 port @PORT@;
	};
};


/*
 * Several parental agents configured; the zone is due for DS checking.
 * Every agent must have the DS before the rollover may continue.
 * In this case one of the agents is a badly configured server.
 */
zone "bad2-dspublished.checkds" {
	type primary;
	file "bad2-dspublished.checkds.db";
	dnssec-policy "default";
	parental-agents {
		10.53.0.2 port @PORT@;
		10.53.0.4 port @PORT@;
		// The agent below is the badly configured one.
		10.53.0.6 port @PORT@;
	};
};

// TODO: Other test cases:
// - Test with bogus response
// - Check with TSIG
// - Check with TLS


/*
 * Zones that are going insecure (tests polling for DS withdrawal).
 * This heading covers the *-dswithdrawn.checkds zones that follow.
 */
zone "dswithdrawn.checkds" {
	type primary;
	file "dswithdrawn.checkds.db";
	dnssec-policy "insecure";
	parental-agents {
		10.53.0.5 port @PORT@;
	};
};

// Going-insecure zone whose only parental agent still publishes the DS.
zone "missing-dswithdrawn.checkds" {
	type primary;
	file "missing-dswithdrawn.checkds.db";
	dnssec-policy "insecure";
	parental-agents { 10.53.0.2 port @PORT@; }; // DS still published here
};

// Going-insecure zone whose only parental agent is the "bad" server.
zone "bad-dswithdrawn.checkds" {
	type primary;
	file "bad-dswithdrawn.checkds.db";
	dnssec-policy "insecure";
	parental-agents { 10.53.0.6 port @PORT@; }; // bad agent
};

// Going-insecure zone with two parental agents to poll.
zone "multiple-dswithdrawn.checkds" {
	type primary;
	file "multiple-dswithdrawn.checkds.db";
	dnssec-policy "insecure";
	parental-agents { 10.53.0.5 port @PORT@; 10.53.0.7 port @PORT@; };
};

// Going-insecure zone with three parental agents, one of which still
// publishes the DS.
zone "incomplete-dswithdrawn.checkds" {
	type primary;
	file "incomplete-dswithdrawn.checkds.db";
	dnssec-policy "insecure";
	parental-agents {
		// The first agent is the one with the DS still published.
		10.53.0.2 port @PORT@;
		10.53.0.5 port @PORT@;
		10.53.0.7 port @PORT@;
	};
};

// Going-insecure zone with three parental agents, one of which is the
// "bad" server.
zone "bad2-dswithdrawn.checkds" {
	type primary;
	file "bad2-dswithdrawn.checkds.db";
	dnssec-policy "insecure";
	parental-agents {
		10.53.0.5 port @PORT@;
		10.53.0.7 port @PORT@;
		// The last agent is the bad one.
		10.53.0.6 port @PORT@;
	};
};
