1/*
2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
7 *
8 * See the COPYRIGHT file distributed with this work for additional
9 * information regarding copyright ownership.
10 */
11
12// NS3
13
// The dnssec-policy names referenced by the zones below ("rsasha1",
// "autosign", "csk-roll", ...) are presumably defined in these two files;
// "default", "insecure" and "none" are built-in policies. Confirm against
// policies/*.conf when adding a zone with a new policy name.
include "policies/kasp.conf";
include "policies/autosign.conf";
16
options {
	// Source addresses and the listener are pinned to this test server's
	// address (10.53.0.3); @PORT@ is substituted by the test harness.
	query-source address 10.53.0.3;
	notify-source 10.53.0.3;
	transfer-source 10.53.0.3;
	port @PORT@;
	pid-file "named.pid";
	listen-on { 10.53.0.3; };
	listen-on-v6 { none; };
	// Test-harness setting: unrestricted zone transfer lets any client
	// pull the full contents of every zone served here. Outside the test
	// network this should be limited to the secondaries (address list
	// and/or a TSIG key).
	allow-transfer { any; };
	// Authoritative-only server; recursion is disabled.
	recursion no;
	// Server-wide default policy: zones that do not set their own
	// dnssec-policy (e.g. inherit.kasp below) are signed with it. RSASHA1
	// is used here because the rsasha1 test cases need it, not because it
	// is a recommended choice (RFC 8624 lists RSASHA1 as NOT RECOMMENDED
	// for signing).
	dnssec-policy "rsasha1";
};
29
key rndc_key {
        // Fixed, publicly visible test secret, presumably shared with the
        // harness's rndc invocations. A real deployment generates its own
        // key (rndc-confgen / tsig-keygen) and keeps it out of version
        // control.
        secret "1234abcd8765";
        algorithm hmac-sha256;
};
34
controls {
        // rndc control channel on this server's address; @CONTROLPORT@ is
        // substituted by the harness. With `allow { any; }` the only thing
        // gating control access is possession of rndc_key, which is fine
        // on the isolated test network; a production config should also
        // restrict the address list (loopback or management hosts).
        inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
38
39/* Zones that are getting initially signed */
40
/* The default case: No keys created, using the built-in "default" policy. */
zone "default.kasp" {
	type primary;
	file "default.kasp.db";
	dnssec-policy "default";
};
47
/*
 * checkds test cases: the same scenario with three different key layouts
 * (one KSK, two KSKs, one CSK). The policies are presumably defined in the
 * included policy files.
 */

/* checkds: Zone with one KSK. */
zone "checkds-ksk.kasp" {
	type primary;
	file "checkds-ksk.kasp.db";
	dnssec-policy "checkds-ksk";
};

/* checkds: Zone with two KSKs. */
zone "checkds-doubleksk.kasp" {
	type primary;
	file "checkds-doubleksk.kasp.db";
	dnssec-policy "checkds-doubleksk";
};

/* checkds: Zone with one CSK. */
zone "checkds-csk.kasp" {
	type primary;
	file "checkds-csk.kasp.db";
	dnssec-policy "checkds-csk";
};
68
/* Key lifetime unlimited: the "unlimited" policy never schedules a rollover. */
zone "unlimited.kasp" {
	type primary;
	file "unlimited.kasp.db";
	dnssec-policy "unlimited";
};
75
/* Manual rollover: rollovers are driven by the test (rndc), not by the policy timers. */
zone "manual-rollover.kasp" {
	type primary;
	file "manual-rollover.kasp.db";
	dnssec-policy "manual-rollover";
};
82
/* A primary zone with dnssec-policy, no keys created. */
zone "rsasha1.kasp" {
	type primary;
	file "rsasha1.kasp.db";
	dnssec-policy "rsasha1";
};
89
/*
 * A zone that inherits dnssec-policy: it sets no policy of its own, so the
 * options-level "rsasha1" policy applies.
 */
zone "inherit.kasp" {
	type primary;
	file "inherit.kasp.db";
};
95
/*
 * A zone that overrides dnssec-policy: "none" switches off the options-level
 * "rsasha1" policy, so this zone is served unsigned.
 */
zone "unsigned.kasp" {
	type primary;
	file "unsigned.kasp.db";
	dnssec-policy "none";
};
102
/* A zone that is initially set to insecure (built-in "insecure" policy). */
zone "insecure.kasp" {
	type primary;
	file "insecure.kasp.db";
	dnssec-policy "insecure";
};
109
/*
 * A primary zone with dnssec-policy but keys already created (presumably
 * by dnssec-keygen in the test setup, as the zone name suggests).
 */
zone "dnssec-keygen.kasp" {
	type primary;
	file "dnssec-keygen.kasp.db";
	dnssec-policy "rsasha1";
};
116
/*
 * A secondary zone with dnssec-policy: this server signs a zone it receives
 * by transfer from 10.53.0.2 (presumably ns2), so the signing keys live on
 * the secondary.
 */
zone "secondary.kasp" {
	type secondary;
	// No TSIG key in the primaries clause: transfers are accepted on the
	// source address alone, which is only acceptable on the test network.
	primaries { 10.53.0.2; };
	file "secondary.kasp.db";
	dnssec-policy "rsasha1";
};
124
/* A dynamic zone with dnssec-policy. */
zone "dynamic.kasp" {
	type primary;
	file "dynamic.kasp.db";
	dnssec-policy "default";
	// Unauthenticated dynamic updates from any source, presumably so the
	// test can modify the zone. Never appropriate outside an isolated test
	// network; use update-policy with a TSIG key instead.
	allow-update { any; };
};
132
/*
 * A dynamic inline-signed zone with dnssec-policy: updates go to the
 * unsigned copy and the signed version is maintained separately.
 */
zone "dynamic-inline-signing.kasp" {
	type primary;
	file "dynamic-inline-signing.kasp.db";
	dnssec-policy "default";
	// Test-only: unauthenticated updates from any source (see dynamic.kasp).
	allow-update { any; };
	inline-signing yes;
};
141
/*
 * An inline-signed zone with dnssec-policy: the zone file stays unsigned on
 * disk and the signed version is maintained by named.
 */
zone "inline-signing.kasp" {
	type primary;
	file "inline-signing.kasp.db";
	dnssec-policy "default";
	inline-signing yes;
};
149
/*
 * Zones where key files already exist before the policy is applied. The
 * key files themselves are not described here; they are presumably created
 * by the test setup script (confirm there).
 */

/*
 * A configured dnssec-policy but some keys already created.
 */
zone "some-keys.kasp" {
	type primary;
	file "some-keys.kasp.db";
	dnssec-policy "rsasha1";
};

/*
 * A configured dnssec-policy but some keys already in use
 * (migration from pre-kasp key management).
 */
zone "legacy-keys.kasp" {
	type primary;
	file "legacy-keys.kasp.db";
	dnssec-policy "migrate-to-dnssec-policy";
};

/*
 * A configured dnssec-policy with (too) many keys pregenerated.
 */
zone "pregenerated.kasp" {
	type primary;
	file "pregenerated.kasp.db";
	dnssec-policy "rsasha1";
};

/*
 * A configured dnssec-policy with one rumoured key.
 * Bugfix case for GL #1593.
 */
zone "rumoured.kasp" {
	type primary;
	file "rumoured.kasp.db";
	dnssec-policy "rsasha1";
};
186
/*
 * RFC 8901 Multi-signer Model 2: each signer holds its own keys and the
 * DNSKEY/CDS sets are reconciled across signers.
 */
zone "multisigner-model2.kasp" {
	type primary;
	file "multisigner-model2.kasp.db";
	dnssec-policy "multisigner-model2";
	// Test-only: unauthenticated updates from any source (see dynamic.kasp).
	allow-update { any; };
};
194
/*
 * Different algorithms: one zone per signing algorithm (plus an NSEC3
 * variant of RSASHA1), each with a matching policy.
 */
zone "rsasha1-nsec3.kasp" {
	type primary;
	file "rsasha1-nsec3.kasp.db";
	dnssec-policy "rsasha1-nsec3";
};
zone "rsasha256.kasp" {
	type primary;
	file "rsasha256.kasp.db";
	dnssec-policy "rsasha256";
};
zone "rsasha512.kasp" {
	type primary;
	file "rsasha512.kasp.db";
	dnssec-policy "rsasha512";
};
zone "ecdsa256.kasp" {
	type primary;
	file "ecdsa256.kasp.db";
	dnssec-policy "ecdsa256";
};
zone "ecdsa384.kasp" {
	type primary;
	file "ecdsa384.kasp.db";
	dnssec-policy "ecdsa384";
};
223
/*
 * Zones in different signing states. All share the "autosign" policy; the
 * state (signature age, missing key files) is not expressed here and is
 * presumably produced by the test setup script (confirm there).
 */

/*
 * Zone that has expired signatures.
 */
zone "expired-sigs.autosign" {
	type primary;
	file "expired-sigs.autosign.db";
	dnssec-policy "autosign";
};

/*
 * Zone that has valid, fresh signatures.
 */
zone "fresh-sigs.autosign" {
	type primary;
	file "fresh-sigs.autosign.db";
	dnssec-policy "autosign";
};

/*
 * Zone that has unfresh signatures (still valid, but due for re-signing).
 */
zone "unfresh-sigs.autosign" {
	type primary;
	file "unfresh-sigs.autosign.db";
	dnssec-policy "autosign";
};

/*
 * Zone that has a missing private KSK.
 */
zone "ksk-missing.autosign" {
	type primary;
	file "ksk-missing.autosign.db";
	dnssec-policy "autosign";
};

/*
 * Zone that has a missing private ZSK.
 */
zone "zsk-missing.autosign" {
	type primary;
	file "zsk-missing.autosign.db";
	dnssec-policy "autosign";
};

/*
 * Zone that has an inactive (retired) ZSK.
 */
zone "zsk-retired.autosign" {
	type primary;
	file "zsk-retired.autosign.db";
	dnssec-policy "autosign";
};
281
/*
 * Zones for testing enabling DNSSEC. One zone per step, all with the same
 * policy; the per-step starting state is presumably set up by the test's
 * setup script (confirm there).
 */
zone "step1.enable-dnssec.autosign" {
	type primary;
	file "step1.enable-dnssec.autosign.db";
	dnssec-policy "enable-dnssec";
};
zone "step2.enable-dnssec.autosign" {
	type primary;
	file "step2.enable-dnssec.autosign.db";
	dnssec-policy "enable-dnssec";
};
zone "step3.enable-dnssec.autosign" {
	type primary;
	file "step3.enable-dnssec.autosign.db";
	dnssec-policy "enable-dnssec";
};
zone "step4.enable-dnssec.autosign" {
	type primary;
	file "step4.enable-dnssec.autosign.db";
	dnssec-policy "enable-dnssec";
};
305
/*
 * Zones for testing ZSK Pre-Publication rollover steps (six steps, one zone
 * each, sharing the "zsk-prepub" policy).
 */
zone "step1.zsk-prepub.autosign" {
	type primary;
	file "step1.zsk-prepub.autosign.db";
	dnssec-policy "zsk-prepub";
};
zone "step2.zsk-prepub.autosign" {
	type primary;
	file "step2.zsk-prepub.autosign.db";
	dnssec-policy "zsk-prepub";
};
zone "step3.zsk-prepub.autosign" {
	type primary;
	file "step3.zsk-prepub.autosign.db";
	dnssec-policy "zsk-prepub";
};
zone "step4.zsk-prepub.autosign" {
	type primary;
	file "step4.zsk-prepub.autosign.db";
	dnssec-policy "zsk-prepub";
};
zone "step5.zsk-prepub.autosign" {
	type primary;
	file "step5.zsk-prepub.autosign.db";
	dnssec-policy "zsk-prepub";
};
zone "step6.zsk-prepub.autosign" {
	type primary;
	file "step6.zsk-prepub.autosign.db";
	dnssec-policy "zsk-prepub";
};
339
/*
 * Zones for testing KSK Double-KSK rollover steps (six steps, one zone
 * each, sharing the "ksk-doubleksk" policy).
 */
zone "step1.ksk-doubleksk.autosign" {
	type primary;
	file "step1.ksk-doubleksk.autosign.db";
	dnssec-policy "ksk-doubleksk";
};
zone "step2.ksk-doubleksk.autosign" {
	type primary;
	file "step2.ksk-doubleksk.autosign.db";
	dnssec-policy "ksk-doubleksk";
};
zone "step3.ksk-doubleksk.autosign" {
	type primary;
	file "step3.ksk-doubleksk.autosign.db";
	dnssec-policy "ksk-doubleksk";
};
zone "step4.ksk-doubleksk.autosign" {
	type primary;
	file "step4.ksk-doubleksk.autosign.db";
	dnssec-policy "ksk-doubleksk";
};
zone "step5.ksk-doubleksk.autosign" {
	type primary;
	file "step5.ksk-doubleksk.autosign.db";
	dnssec-policy "ksk-doubleksk";
};
zone "step6.ksk-doubleksk.autosign" {
	type primary;
	file "step6.ksk-doubleksk.autosign.db";
	dnssec-policy "ksk-doubleksk";
};
373
/*
 * Zones for testing CSK rollover steps (eight steps, one zone each, sharing
 * the "csk-roll" policy).
 */
zone "step1.csk-roll.autosign" {
	type primary;
	file "step1.csk-roll.autosign.db";
	dnssec-policy "csk-roll";
};
zone "step2.csk-roll.autosign" {
	type primary;
	file "step2.csk-roll.autosign.db";
	dnssec-policy "csk-roll";
};
zone "step3.csk-roll.autosign" {
	type primary;
	file "step3.csk-roll.autosign.db";
	dnssec-policy "csk-roll";
};
zone "step4.csk-roll.autosign" {
	type primary;
	file "step4.csk-roll.autosign.db";
	dnssec-policy "csk-roll";
};
zone "step5.csk-roll.autosign" {
	type primary;
	file "step5.csk-roll.autosign.db";
	dnssec-policy "csk-roll";
};
zone "step6.csk-roll.autosign" {
	type primary;
	file "step6.csk-roll.autosign.db";
	dnssec-policy "csk-roll";
};
zone "step7.csk-roll.autosign" {
	type primary;
	file "step7.csk-roll.autosign.db";
	dnssec-policy "csk-roll";
};
zone "step8.csk-roll.autosign" {
	type primary;
	file "step8.csk-roll.autosign.db";
	dnssec-policy "csk-roll";
};
417
/*
 * Second CSK rollover variant: seven steps, one zone each, sharing the
 * "csk-roll2" policy (how it differs from "csk-roll" is defined in the
 * included policy file, not here).
 */
zone "step1.csk-roll2.autosign" {
	type primary;
	file "step1.csk-roll2.autosign.db";
	dnssec-policy "csk-roll2";
};
zone "step2.csk-roll2.autosign" {
	type primary;
	file "step2.csk-roll2.autosign.db";
	dnssec-policy "csk-roll2";
};
zone "step3.csk-roll2.autosign" {
	type primary;
	file "step3.csk-roll2.autosign.db";
	dnssec-policy "csk-roll2";
};
zone "step4.csk-roll2.autosign" {
	type primary;
	file "step4.csk-roll2.autosign.db";
	dnssec-policy "csk-roll2";
};
zone "step5.csk-roll2.autosign" {
	type primary;
	file "step5.csk-roll2.autosign.db";
	dnssec-policy "csk-roll2";
};
zone "step6.csk-roll2.autosign" {
	type primary;
	file "step6.csk-roll2.autosign.db";
	dnssec-policy "csk-roll2";
};
zone "step7.csk-roll2.autosign" {
	type primary;
	file "step7.csk-roll2.autosign.db";
	dnssec-policy "csk-roll2";
};
453