xref: /netbsd-src/external/mpl/bind/dist/bin/tests/system/kasp/ns6/named2.conf.in (revision 8e33eff89e26cf71871ead62f0d5063e1313c33a)
/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0.  If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

// NS6

/*
 * DNSSEC policy definitions.  Policy names used by the zones in this
 * file that are not BIND built-ins are presumably defined in these two
 * files; their contents are not shown here.
 */
include "policies/kasp.conf";
include "policies/csk2.conf";

/*
 * Server-wide settings.  @PORT@ is a template placeholder (this is a
 * ".in" file) that is filled in before named reads the configuration.
 *
 * Security-relevant choices, all sized for an isolated test network:
 *  - the server listens on 10.53.0.6 only and not on IPv6;
 *  - recursion is off, so the server acts as authoritative-only;
 *  - DNSSEC validation is off;
 *  - allow-transfer { any; } lets every client that can reach the port
 *    transfer every zone.  Outside a test sandbox, limit transfers to
 *    the known secondaries, preferably authenticated with TSIG keys.
 */
options {
	listen-on { 10.53.0.6; };
	listen-on-v6 { none; };
	port @PORT@;
	pid-file "named.pid";

	query-source address 10.53.0.6;
	notify-source 10.53.0.6;
	transfer-source 10.53.0.6;

	recursion no;
	dnssec-validation no;
	allow-transfer { any; };
};

/*
 * Shared secret that authenticates rndc on the control channel.
 * The value is a fixed test fixture kept in the source tree, so it must
 * be treated as public.  A deployed server needs a unique generated key
 * (for example from rndc-confgen), kept in a file that only named and
 * its operators can read.  @DEFAULT_HMAC@ is a template placeholder for
 * the HMAC algorithm.
 */
key rndc_key {
	algorithm @DEFAULT_HMAC@;
	secret "1234abcd8765";
};

/*
 * rndc control channel on 10.53.0.6; @CONTROLPORT@ is a template
 * placeholder.  allow { any; } puts no limit on the client address, so
 * rndc_key is the only check on who may reload, re-sign or stop the
 * server.  Outside a test sandbox, bind the channel to a loopback or
 * management address and list the permitted clients in allow { }.
 */
controls {
	inet 10.53.0.6 port @CONTROLPORT@
		allow { any; }
		keys { rndc_key; };
};

/*
 * Root hints are read from a file shared between tests.  Judging by its
 * name ("blackhole") the hints presumably point nowhere useful, which
 * would keep the server from contacting real root servers -- confirm
 * against the file itself.
 */
zone "." {
	type hint;
	file "../../_common/root.hint.blackhole";
};

/*
 * This zone switches from dynamic to inline-signing.
 *
 * allow-update { any; } accepts unauthenticated dynamic updates from
 * any address, which is workable only on an isolated test network.
 * A deployed zone would restrict updates to TSIG-authenticated clients,
 * for example through update-policy.
 */
zone "dynamic2inline.kasp" {
	type primary;
	file "dynamic2inline.kasp.db";
	dnssec-policy "default";
	inline-signing yes;
	allow-update { any; };
};

/*
 * Zones for testing going insecure.
 *
 * In BIND, dnssec-policy "insecure" is the policy for taking a signed
 * zone back to unsigned in an orderly way, while "none" simply turns
 * DNSSEC maintenance off.  When a zone is unsigned in practice, the DS
 * record at the parent has to be withdrawn first; otherwise validating
 * resolvers treat the zone's answers as bogus.
 *
 * The step1/step2 names presumably mark successive stages of the
 * transition.  The "-dynamic" variants have no inline-signing and take
 * dynamic updates instead; allow-update { any; } is unauthenticated and
 * suitable only for an isolated test network.
 */
zone "step1.going-insecure.kasp" {
	type primary;
	file "step1.going-insecure.kasp.db";
	dnssec-policy "insecure";
	inline-signing yes;
};

zone "step2.going-insecure.kasp" {
	type primary;
	file "step2.going-insecure.kasp.db";
	dnssec-policy "insecure";
	inline-signing yes;
};

zone "step1.going-insecure-dynamic.kasp" {
	type primary;
	file "step1.going-insecure-dynamic.kasp.db";
	allow-update { any; };
	dnssec-policy "insecure";
};

zone "step2.going-insecure-dynamic.kasp" {
	type primary;
	file "step2.going-insecure-dynamic.kasp.db";
	allow-update { any; };
	dnssec-policy "insecure";
};

/* Skips the "insecure" policy and goes directly to "none". */
zone "step1.going-straight-to-none.kasp" {
	type primary;
	file "step1.going-straight-to-none.kasp.db";
	dnssec-policy "none";
};

/*
 * Zones for testing KSK/ZSK algorithm roll.
 *
 * All six zones are inline-signed under the "ecdsa256" policy, which is
 * not defined in this file (presumably in one of the included policy
 * files).  step1..step6 presumably stand for successive stages of the
 * rollover, each with its own zone file.
 */
zone "step1.algorithm-roll.kasp" {
	type primary;
	file "step1.algorithm-roll.kasp.db";
	dnssec-policy "ecdsa256";
	inline-signing yes;
};

zone "step2.algorithm-roll.kasp" {
	type primary;
	file "step2.algorithm-roll.kasp.db";
	dnssec-policy "ecdsa256";
	inline-signing yes;
};

zone "step3.algorithm-roll.kasp" {
	type primary;
	file "step3.algorithm-roll.kasp.db";
	dnssec-policy "ecdsa256";
	inline-signing yes;
};

zone "step4.algorithm-roll.kasp" {
	type primary;
	file "step4.algorithm-roll.kasp.db";
	dnssec-policy "ecdsa256";
	inline-signing yes;
};

zone "step5.algorithm-roll.kasp" {
	type primary;
	file "step5.algorithm-roll.kasp.db";
	dnssec-policy "ecdsa256";
	inline-signing yes;
};

zone "step6.algorithm-roll.kasp" {
	type primary;
	file "step6.algorithm-roll.kasp.db";
	dnssec-policy "ecdsa256";
	inline-signing yes;
};

/*
 * Zones for testing CSK algorithm roll.
 *
 * Same layout as the KSK/ZSK algorithm-roll zones, but under the
 * "csk-algoroll" policy, which is not defined in this file (presumably
 * in one of the included policy files).
 */
zone "step1.csk-algorithm-roll.kasp" {
	type primary;
	file "step1.csk-algorithm-roll.kasp.db";
	dnssec-policy "csk-algoroll";
	inline-signing yes;
};

zone "step2.csk-algorithm-roll.kasp" {
	type primary;
	file "step2.csk-algorithm-roll.kasp.db";
	dnssec-policy "csk-algoroll";
	inline-signing yes;
};

zone "step3.csk-algorithm-roll.kasp" {
	type primary;
	file "step3.csk-algorithm-roll.kasp.db";
	dnssec-policy "csk-algoroll";
	inline-signing yes;
};

zone "step4.csk-algorithm-roll.kasp" {
	type primary;
	file "step4.csk-algorithm-roll.kasp.db";
	dnssec-policy "csk-algoroll";
	inline-signing yes;
};

zone "step5.csk-algorithm-roll.kasp" {
	type primary;
	file "step5.csk-algorithm-roll.kasp.db";
	dnssec-policy "csk-algoroll";
	inline-signing yes;
};

zone "step6.csk-algorithm-roll.kasp" {
	type primary;
	file "step6.csk-algorithm-roll.kasp.db";
	dnssec-policy "csk-algoroll";
	inline-signing yes;
};

/*
 * Inline-signed zones whose policies are not defined in this file
 * (presumably in the included policy files).  Judging by the zone and
 * policy names, they exercise changed policies and different key
 * lifetimes -- confirm against the policy definitions.  Note that
 * "limit-lifetime" and "shorter-lifetime" both use "short-lifetime".
 */
zone "example" {
	type primary;
	file "example.db";
	dnssec-policy "modified";
	inline-signing yes;
};

zone "longer-lifetime" {
	type primary;
	file "longer-lifetime.db";
	dnssec-policy "long-lifetime";
	inline-signing yes;
};

zone "shorter-lifetime" {
	type primary;
	file "shorter-lifetime.db";
	dnssec-policy "short-lifetime";
	inline-signing yes;
};

zone "limit-lifetime" {
	type primary;
	file "limit-lifetime.db";
	dnssec-policy "short-lifetime";
	inline-signing yes;
};

zone "unlimit-lifetime" {
	type primary;
	file "unlimit-lifetime.db";
	dnssec-policy "unlimited-lifetime";
	inline-signing yes;
};
214