xref: /netbsd-src/external/mpl/bind/dist/bin/tests/system/kasp/ns3/named.conf.in (revision eceb233b9bd0dfebb902ed73b531ae6964fa3f9b)
1/*
2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
7 *
8 * See the COPYRIGHT file distributed with this work for additional
9 * information regarding copyright ownership.
10 */
11
12// NS3
13
14include "policies/kasp.conf";
15include "policies/autosign.conf";
16
17options {
18	query-source address 10.53.0.3;
19	notify-source 10.53.0.3;
20	transfer-source 10.53.0.3;
21	port @PORT@;  // @PORT@ is a placeholder; presumably filled in when this .in template is rendered
22	pid-file "named.pid";
23	listen-on { 10.53.0.3; };  // IPv4 listener on a single private (RFC 1918) address
24	listen-on-v6 { none; };
25	allow-transfer { any; };  // zone transfers are open to every client that can reach the listener; a production server limits this to its secondaries, ideally by TSIG key
26	recursion no;  // recursive queries are not served
27	dnssec-policy "rsasha1";  // server-wide default for zones that set no dnssec-policy of their own; the policy body is not in this file (see the include lines) and its name points at RSASHA1, a SHA-1-based algorithm no longer recommended for new signing
28};
29
30key rndc_key {
31        secret "1234abcd8765";  // fixed, short secret stored in the source tree: a test credential, not a model for a real control-channel key
32        algorithm hmac-sha256;
33};
34
35controls {
36        inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };  // control channel accepts connections from any source address; possession of the rndc_key secret is the only access check
37};
38
39/* Zones that are getting initially signed */
40
41/* The default case: No keys created, using default policy. */
42zone "default.kasp" {
43	type master;
44	file "default.kasp.db";
45	dnssec-policy "default";
46};
47
48/* Key lifetime unlimited. */
49zone "unlimited.kasp" {
50	type master;
51	file "unlimited.kasp.db";
52	dnssec-policy "unlimited";
53};
54
55/* A master zone with dnssec-policy, no keys created. */
56zone "rsasha1.kasp" {
57	type master;
58	file "rsasha1.kasp.db";
59	dnssec-policy "rsasha1";
60};
61
62/* A zone that inherits dnssec-policy. */
63zone "inherit.kasp" {  // no dnssec-policy statement here: the zone falls back to the options-level dnssec-policy "rsasha1"
64	type master;
65	file "inherit.kasp.db";
66};
67
68/* A zone that overrides dnssec-policy. */
69zone "unsigned.kasp" {
70	type master;
71	file "unsigned.kasp.db";
72	dnssec-policy "none";  // overrides the options-level default; "none" leaves the zone unsigned
73};
74
75/* A master zone with dnssec-policy but keys already created. */
76zone "dnssec-keygen.kasp" {
77	type master;
78	file "dnssec-keygen.kasp.db";
79	dnssec-policy "rsasha1";
80};
81
82/* A secondary zone with dnssec-policy. */
83zone "secondary.kasp" {
84	type secondary;
85	masters { 10.53.0.2; };  // primary is identified by address only; no TSIG key is attached, so the transfer is not cryptographically authenticated
86	file "secondary.kasp.db";
87	dnssec-policy "rsasha1";
88};
89
90/* A dynamic zone with dnssec-policy. */
91zone "dynamic.kasp" {
92	type master;
93	file "dynamic.kasp.db";
94	dnssec-policy "default";
95	allow-update { any; };  // dynamic updates accepted from any source address with no key; a production zone restricts this with a TSIG key or an update-policy
96};
97
98/* A dynamic inline-signed zone with dnssec-policy. */
99zone "dynamic-inline-signing.kasp" {
100	type master;
101	file "dynamic-inline-signing.kasp.db";
102	dnssec-policy "default";
103	allow-update { any; };  // dynamic updates accepted from any source address with no key; a production zone restricts this with a TSIG key or an update-policy
104	inline-signing yes;
105};
106
107/* An inline-signed zone with dnssec-policy. */
108zone "inline-signing.kasp" {
109	type master;
110	file "inline-signing.kasp.db";
111	dnssec-policy "default";
112	inline-signing yes;
113};
114
115/*
116 * A configured dnssec-policy but some keys already created.
117 */
118zone "some-keys.kasp" {
119	type master;
120	file "some-keys.kasp.db";
121	dnssec-policy "rsasha1";
122};
123
124/*
125 * A configured dnssec-policy but some keys already in use.
126 */
127zone "legacy-keys.kasp" {
128	type master;
129	file "legacy-keys.kasp.db";
130	dnssec-policy "rsasha1";
131};
132
133/*
134 * A configured dnssec-policy with (too) many keys pregenerated.
135 */
136zone "pregenerated.kasp" {
137	type master;
138	file "pregenerated.kasp.db";
139	dnssec-policy "rsasha1";
140};
141
142/*
143 * A configured dnssec-policy with one rumoured key.
144 * Bugfix case for GL #1593.
145 */
146zone "rumoured.kasp" {
147	type master;
148	file "rumoured.kasp.db";
149	dnssec-policy "rsasha1";
150};
151
152/*
153 * Different algorithms.
154 */
155zone "rsasha1-nsec3.kasp" {
156	type master;
157	file "rsasha1-nsec3.kasp.db";
158	dnssec-policy "rsasha1-nsec3";
159};
160zone "rsasha256.kasp" {
161	type master;
162	file "rsasha256.kasp.db";
163	dnssec-policy "rsasha256";
164};
165zone "rsasha512.kasp" {
166	type master;
167	file "rsasha512.kasp.db";
168	dnssec-policy "rsasha512";
169};
170zone "ecdsa256.kasp" {
171	type master;
172	file "ecdsa256.kasp.db";
173	dnssec-policy "ecdsa256";
174};
175zone "ecdsa384.kasp" {
176	type master;
177	file "ecdsa384.kasp.db";
178	dnssec-policy "ecdsa384";
179};
180
181/*
182 * Zones in different signing states.
183 */
184
185/*
186 * Zone that has expired signatures.
187 */
188zone "expired-sigs.autosign" {
189	type master;
190	file "expired-sigs.autosign.db";
191	dnssec-policy "autosign";
192};
193
194/*
195 * Zone that has valid, fresh signatures.
196 */
197zone "fresh-sigs.autosign" {
198	type master;
199	file "fresh-sigs.autosign.db";
200	dnssec-policy "autosign";
201};
202
203/*
204 * Zone that has unfresh signatures.
205 */
206zone "unfresh-sigs.autosign" {
207	type master;
208	file "unfresh-sigs.autosign.db";
209	dnssec-policy "autosign";
210};
211
212/*
213 * Zone that has missing private ZSK.
214 */
215zone "zsk-missing.autosign" {
216	type master;
217	file "zsk-missing.autosign.db";
218	dnssec-policy "autosign";
219};
220
221/*
222 * Zone that has inactive ZSK.
223 */
224zone "zsk-retired.autosign" {
225	type master;
226	file "zsk-retired.autosign.db";
227	dnssec-policy "autosign";
228};
229
230/*
231 * Zones for testing enabling DNSSEC.
232 */
233zone "step1.enable-dnssec.autosign" {
234	type master;
235	file "step1.enable-dnssec.autosign.db";
236	dnssec-policy "enable-dnssec";
237};
238zone "step2.enable-dnssec.autosign" {
239	type master;
240	file "step2.enable-dnssec.autosign.db";
241	dnssec-policy "enable-dnssec";
242};
243zone "step3.enable-dnssec.autosign" {
244	type master;
245	file "step3.enable-dnssec.autosign.db";
246	dnssec-policy "enable-dnssec";
247};
248zone "step4.enable-dnssec.autosign" {
249	type master;
250	file "step4.enable-dnssec.autosign.db";
251	dnssec-policy "enable-dnssec";
252};
253
254/*
255 * Zones for testing ZSK Pre-Publication steps.
256 */
257zone "step1.zsk-prepub.autosign" {
258	type master;
259	file "step1.zsk-prepub.autosign.db";
260	dnssec-policy "zsk-prepub";
261};
262zone "step2.zsk-prepub.autosign" {
263	type master;
264	file "step2.zsk-prepub.autosign.db";
265	dnssec-policy "zsk-prepub";
266};
267zone "step3.zsk-prepub.autosign" {
268	type master;
269	file "step3.zsk-prepub.autosign.db";
270	dnssec-policy "zsk-prepub";
271};
272zone "step4.zsk-prepub.autosign" {
273	type master;
274	file "step4.zsk-prepub.autosign.db";
275	dnssec-policy "zsk-prepub";
276};
277zone "step5.zsk-prepub.autosign" {
278	type master;
279	file "step5.zsk-prepub.autosign.db";
280	dnssec-policy "zsk-prepub";
281};
282
283/*
284 * Zones for testing KSK Double-KSK steps.
285 */
286zone "step1.ksk-doubleksk.autosign" {
287	type master;
288	file "step1.ksk-doubleksk.autosign.db";
289	dnssec-policy "ksk-doubleksk";
290};
291zone "step2.ksk-doubleksk.autosign" {
292	type master;
293	file "step2.ksk-doubleksk.autosign.db";
294	dnssec-policy "ksk-doubleksk";
295};
296zone "step3.ksk-doubleksk.autosign" {
297	type master;
298	file "step3.ksk-doubleksk.autosign.db";
299	dnssec-policy "ksk-doubleksk";
300};
301zone "step4.ksk-doubleksk.autosign" {
302	type master;
303	file "step4.ksk-doubleksk.autosign.db";
304	dnssec-policy "ksk-doubleksk";
305};
306zone "step5.ksk-doubleksk.autosign" {
307	type master;
308	file "step5.ksk-doubleksk.autosign.db";
309	dnssec-policy "ksk-doubleksk";
310};
311
312/*
313 * Zones for testing CSK rollover steps.
314 */
315zone "step1.csk-roll.autosign" {
316	type master;
317	file "step1.csk-roll.autosign.db";
318	dnssec-policy "csk-roll";
319};
320zone "step2.csk-roll.autosign" {
321	type master;
322	file "step2.csk-roll.autosign.db";
323	dnssec-policy "csk-roll";
324};
325zone "step3.csk-roll.autosign" {
326	type master;
327	file "step3.csk-roll.autosign.db";
328	dnssec-policy "csk-roll";
329};
330zone "step4.csk-roll.autosign" {
331	type master;
332	file "step4.csk-roll.autosign.db";
333	dnssec-policy "csk-roll";
334};
335zone "step5.csk-roll.autosign" {
336	type master;
337	file "step5.csk-roll.autosign.db";
338	dnssec-policy "csk-roll";
339};
340zone "step6.csk-roll.autosign" {
341	type master;
342	file "step6.csk-roll.autosign.db";
343	dnssec-policy "csk-roll";
344};
345zone "step7.csk-roll.autosign" {
346	type master;
347	file "step7.csk-roll.autosign.db";
348	dnssec-policy "csk-roll";
349};
350
351zone "step1.csk-roll2.autosign" {
352	type master;
353	file "step1.csk-roll2.autosign.db";
354	dnssec-policy "csk-roll2";
355};
356zone "step2.csk-roll2.autosign" {
357	type master;
358	file "step2.csk-roll2.autosign.db";
359	dnssec-policy "csk-roll2";
360};
361zone "step3.csk-roll2.autosign" {
362	type master;
363	file "step3.csk-roll2.autosign.db";
364	dnssec-policy "csk-roll2";
365};
366zone "step4.csk-roll2.autosign" {
367	type master;
368	file "step4.csk-roll2.autosign.db";
369	dnssec-policy "csk-roll2";
370};
371zone "step5.csk-roll2.autosign" {
372	type master;
373	file "step5.csk-roll2.autosign.db";
374	dnssec-policy "csk-roll2";
375};
376zone "step6.csk-roll2.autosign" {
377	type master;
378	file "step6.csk-roll2.autosign.db";
379	dnssec-policy "csk-roll2";
380};
381