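/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

// NS6
//
// Test fixture for the "kasp" system test. Several settings below are
// deliberately wide open (allow-transfer any, allow-update any, controls
// allow any, a fixed TSIG secret) so the harness can drive the server
// without extra setup. None of them are appropriate for a production
// named.conf; the comments on each one say what to tighten.

include "policies/kasp.conf";
include "policies/csk2.conf";

options {
	query-source address 10.53.0.6;
	notify-source 10.53.0.6;
	transfer-source 10.53.0.6;
	port @PORT@;
	pid-file "named.pid";
	listen-on { 10.53.0.6; };
	listen-on-v6 { none; };
	/*
	 * Test-only: zone transfers are permitted from any source.
	 * Outside the harness, limit this to the secondaries' addresses
	 * and/or require a TSIG key.
	 */
	allow-transfer { any; };
	/* Authoritative-only server: never answer recursive queries. */
	recursion no;
};

/*
 * TSIG key for the rndc controls channel below. The secret is a fixed,
 * short test value checked into the repository; a real deployment
 * generates its own (rndc-confgen / tsig-keygen) and keeps it out of
 * version control.
 */
key rndc_key {
	secret "1234abcd8765";
	algorithm hmac-sha256;
};

controls {
	/*
	 * Any source may connect to the control channel, but every
	 * command must be signed with rndc_key. Outside the harness,
	 * also narrow `allow` to the management hosts.
	 */
	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};

/*
 * This zone switches from dynamic updates to inline-signing.
 * Test-only: allow-update { any; } accepts unauthenticated dynamic
 * updates from anywhere; production zones restrict this with a
 * TSIG-keyed allow-update or an update-policy.
 */
zone "dynamic2inline.kasp" {
	type primary;
	file "dynamic2inline.kasp.db";
	allow-update { any; };
	inline-signing yes;
	dnssec-policy "default";
};

/*
 * Zones for testing going insecure.
 *
 * "type primary" is used throughout this file; the older spelling
 * "type master" is an alias and was normalized for consistency.
 */
zone "step1.going-insecure.kasp" {
	type primary;
	file "step1.going-insecure.kasp.db";
	inline-signing yes;
	dnssec-policy "insecure";
};

zone "step2.going-insecure.kasp" {
	type primary;
	file "step2.going-insecure.kasp.db";
	inline-signing yes;
	dnssec-policy "insecure";
};

/* Dynamic variants: updates are open to any source (test-only). */
zone "step1.going-insecure-dynamic.kasp" {
	type primary;
	file "step1.going-insecure-dynamic.kasp.db";
	dnssec-policy "insecure";
	allow-update { any; };
};

zone "step2.going-insecure-dynamic.kasp" {
	type primary;
	file "step2.going-insecure-dynamic.kasp.db";
	dnssec-policy "insecure";
	allow-update { any; };
};

zone "step1.going-straight-to-none.kasp" {
	type primary;
	file "step1.going-straight-to-none.kasp.db";
	dnssec-policy "none";
};

/*
 * Zones for testing KSK/ZSK algorithm roll.
 */
zone "step1.algorithm-roll.kasp" {
	type primary;
	file "step1.algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "ecdsa256";
};

zone "step2.algorithm-roll.kasp" {
	type primary;
	file "step2.algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "ecdsa256";
};

zone "step3.algorithm-roll.kasp" {
	type primary;
	file "step3.algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "ecdsa256";
};

zone "step4.algorithm-roll.kasp" {
	type primary;
	file "step4.algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "ecdsa256";
};

zone "step5.algorithm-roll.kasp" {
	type primary;
	file "step5.algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "ecdsa256";
};

zone "step6.algorithm-roll.kasp" {
	type primary;
	file "step6.algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "ecdsa256";
};

/*
 * Zones for testing CSK algorithm roll.
 */
zone "step1.csk-algorithm-roll.kasp" {
	type primary;
	file "step1.csk-algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "csk-algoroll";
};

zone "step2.csk-algorithm-roll.kasp" {
	type primary;
	file "step2.csk-algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "csk-algoroll";
};

zone "step3.csk-algorithm-roll.kasp" {
	type primary;
	file "step3.csk-algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "csk-algoroll";
};

zone "step4.csk-algorithm-roll.kasp" {
	type primary;
	file "step4.csk-algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "csk-algoroll";
};

zone "step5.csk-algorithm-roll.kasp" {
	type primary;
	file "step5.csk-algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "csk-algoroll";
};

zone "step6.csk-algorithm-roll.kasp" {
	type primary;
	file "step6.csk-algorithm-roll.kasp.db";
	inline-signing yes;
	dnssec-policy "csk-algoroll";
};

/*
 * Single CSK, RSASHA256/2048, never rolled (lifetime unlimited).
 * Used by the "example" zone below.
 */
dnssec-policy "modified" {
	keys {
		csk lifetime unlimited algorithm rsasha256 2048;
	};
};

zone example {
	type primary;
	file "example.db";
	inline-signing yes;
	dnssec-policy modified;
};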