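/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

// NS3

/*
 * named.conf template for the "ns3" server, an authoritative-only instance
 * ("recursion no") serving the *.kasp zones below.  @PORT@ and @CONTROLPORT@
 * are placeholders and must be substituted before named can parse the file
 * (presumably by the test harness -- confirm against the build scripts).
 *
 * NOTE(review): several settings are deliberately permissive and are only
 * reasonable on an isolated test address:
 *   - the rndc key secret is a fixed value stored in this file,
 *   - the control channel accepts connections from any source,
 *   - zone transfers are allowed to any client,
 *   - three zones accept unauthenticated dynamic updates from any source.
 * Each of these is annotated where it occurs.
 */

dnssec-policy "nsec" {
	// no need to change configuration: if no 'nsec3param' is set,
	// NSEC will be used;
};

// Bare 'nsec3param;' selects NSEC3 with the built-in default parameters.
dnssec-policy "nsec3" {
	nsec3param;
};

// Default NSEC3 parameters plus the opt-out flag.  With opt-out, insecure
// delegations are left out of the NSEC3 chain, so their existence is not
// authenticated.
dnssec-policy "optout" {
	nsec3param optout yes;
};

// Non-default parameters, used by the "nsec3-other.kasp" zone.
// NOTE(review): RFC 9276 recommends zero additional iterations and an empty
// salt; the iteration count of 11 is kept as-is because this policy exists to
// exercise non-default values.
dnssec-policy "nsec3-other" {
	nsec3param iterations 11 optout yes salt-length 0;
};

options {
	query-source address 10.53.0.3;
	notify-source 10.53.0.3;
	transfer-source 10.53.0.3;
	port @PORT@;
	pid-file "named.pid";
	listen-on { 10.53.0.3; };
	listen-on-v6 { none; };
	// Any client may AXFR/IXFR every zone served here.  On a reachable
	// server, restrict this to the secondaries (address list or TSIG key).
	allow-transfer { any; };
	recursion no;
};

// Control-channel key.  The secret is a short fixed string committed with the
// file, so it provides no confidentiality; do not reuse it on any server that
// is reachable from outside the test environment.  For real deployments,
// generate a key (e.g. with rndc-confgen) and keep it in a separate file with
// restricted permissions.
key rndc_key {
	secret "1234abcd8765";
	algorithm hmac-sha256;
};

// 'allow { any; }' places no source-address restriction on the control
// channel; access depends entirely on possession of rndc_key above.
controls {
	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};

/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
zone "nsec-to-nsec3.kasp" {
	type primary;
	file "nsec-to-nsec3.kasp.db";
	dnssec-policy "nsec";
};

/* These zones use the default NSEC3 settings. */
zone "nsec3.kasp" {
	type primary;
	file "nsec3.kasp.db";
	dnssec-policy "nsec3";
};

zone "nsec3-dynamic.kasp" {
	type primary;
	file "nsec3-dynamic.kasp.db";
	dnssec-policy "nsec3";
	// Unauthenticated dynamic updates from any source.  Outside a test
	// setup, use a TSIG-keyed allow-update or an update-policy instead.
	allow-update { any; };
};

/* This zone uses non-default NSEC3 settings. */
zone "nsec3-other.kasp" {
	type primary;
	file "nsec3-other.kasp.db";
	dnssec-policy "nsec3-other";
};

/* These zones will be reconfigured to use other NSEC3 settings. */
zone "nsec3-change.kasp" {
	type primary;
	file "nsec3-change.kasp.db";
	dnssec-policy "nsec3";
};

zone "nsec3-dynamic-change.kasp" {
	type primary;
	file "nsec3-dynamic-change.kasp.db";
	dnssec-policy "nsec3";
	// Unauthenticated dynamic updates from any source (see
	// "nsec3-dynamic.kasp"); test-only setting.
	allow-update { any; };
};

/* The zone will be reconfigured to use opt-out. */
zone "nsec3-to-optout.kasp" {
	type primary;
	file "nsec3-to-optout.kasp.db";
	dnssec-policy "nsec3";
};

/* The zone will be reconfigured to disable opt-out. */
zone "nsec3-from-optout.kasp" {
	type primary;
	file "nsec3-from-optout.kasp.db";
	dnssec-policy "optout";
};

/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
zone "nsec3-to-nsec.kasp" {
	type primary;
	file "nsec3-to-nsec.kasp.db";
	dnssec-policy "nsec3";
};

/* The zone fails to load, this should not prevent shutdown. */
zone "nsec3-fails-to-load.kasp" {
	type primary;
	file "nsec3-fails-to-load.kasp.db";
	dnssec-policy "nsec3";
	// Unauthenticated dynamic updates from any source; test-only setting.
	allow-update { any; };
};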