/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

// NS3: named configuration for the test server listening on 10.53.0.3.
// The @PORT@, @CONTROLPORT@ and @DEFAULT_HMAC@ tokens are placeholders,
// presumably substituted when the test configuration is generated.

/*
 * dnssec-policy definitions used by the zones below. Several zones are
 * reconfigured during the test to switch between these policies; the
 * zone comments describe the expected outcome of each switch.
 */

dnssec-policy "nsec" {
	// no need to change configuration: if no 'nsec3param' is set,
	// NSEC will be used;
};

dnssec-policy "rsasha1" {
	// RSASHA1 is an NSEC-only algorithm (see the rsasha1-* zones below);
	// a single CSK with an unlimited lifetime means it is never rolled.
	keys {
		csk lifetime unlimited algorithm rsasha1;
	};
};

dnssec-policy "nsec3" {
	// 'nsec3param' with no arguments: default NSEC3 parameters.
	nsec3param;
};

dnssec-policy "optout" {
	// Default NSEC3 parameters, with opt-out enabled.
	nsec3param optout yes;
};

dnssec-policy "nsec3-other" {
	// Non-default NSEC3 parameters, used to test a settings change.
	nsec3param iterations 11 optout yes salt-length 8;
};

options {
	query-source address 10.53.0.3;
	notify-source 10.53.0.3;
	transfer-source 10.53.0.3;
	port @PORT@;
	pid-file "named.pid";
	listen-on { 10.53.0.3; };
	listen-on-v6 { none; };
	// Test fixture: zone transfers are unrestricted on this server.
	allow-transfer { any; };
	recursion no;
};

// Test fixture key referenced by the 'controls' block below; the secret is
// a fixed test value.
key rndc_key {
	secret "1234abcd8765";
	algorithm @DEFAULT_HMAC@;
};

controls {
	// 'allow { any; }' only selects the source addresses; control messages
	// must still be signed with rndc_key.
	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};

/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
zone "nsec-to-nsec3.kasp" {
	type primary;
	file "nsec-to-nsec3.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec";
};

/*
 * This zone starts with NSEC, but will be reconfigured to use NSEC3.
 * This should work despite the incompatible RSASHA1 algorithm,
 * because the DS is still in hidden state.
 */
zone "rsasha1-to-nsec3.kasp" {
	type primary;
	file "rsasha1-to-nsec3.kasp.db";
	inline-signing yes;
	dnssec-policy "rsasha1";
};

/*
 * This zone starts with NSEC, but will be reconfigured to use NSEC3.
 * This should block because RSASHA1 is not compatible with NSEC3,
 * and the DS is published.
 */
zone "rsasha1-to-nsec3-wait.kasp" {
	type primary;
	file "rsasha1-to-nsec3-wait.kasp.db";
	inline-signing yes;
	dnssec-policy "rsasha1";
};

/*
 * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
 * NSEC-only algorithm. This should work despite the incompatible RSASHA1
 * algorithm, because the DS is still in hidden state.
 */
zone "nsec3-to-rsasha1.kasp" {
	type primary;
	file "nsec3-to-rsasha1.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

/*
 * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
 * NSEC-only algorithm. This should also be fine because we are allowed
 * to change to NSEC with any algorithm, then we can also publish the new
 * DNSKEY and signatures of the RSASHA1 algorithm.
 */
zone "nsec3-to-rsasha1-ds.kasp" {
	type primary;
	file "nsec3-to-rsasha1-ds.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

/* These zones use the default NSEC3 settings. */
zone "nsec3.kasp" {
	type primary;
	file "nsec3.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

/* Dynamic variant: signed in place and updatable from any source (test fixture). */
zone "nsec3-dynamic.kasp" {
	type primary;
	file "nsec3-dynamic.kasp.db";
	dnssec-policy "nsec3";
	allow-update { any; };
};

/* This zone uses non-default NSEC3 settings. */
zone "nsec3-other.kasp" {
	type primary;
	file "nsec3-other.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3-other";
};

/* These zones will be reconfigured to use other NSEC3 settings. */
zone "nsec3-change.kasp" {
	type primary;
	file "nsec3-change.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

zone "nsec3-dynamic-change.kasp" {
	type primary;
	file "nsec3-dynamic-change.kasp.db";
	dnssec-policy "nsec3";
	allow-update { any; };
};

/* The zone will be reconfigured to use opt-out. */
zone "nsec3-to-optout.kasp" {
	type primary;
	file "nsec3-to-optout.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

/* The zone will be reconfigured to disable opt-out. */
zone "nsec3-from-optout.kasp" {
	type primary;
	file "nsec3-from-optout.kasp.db";
	inline-signing yes;
	dnssec-policy "optout";
};

/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
zone "nsec3-to-nsec.kasp" {
	type primary;
	file "nsec3-to-nsec.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

/* The zone fails to load; this should not prevent shutdown. */
zone "nsec3-fails-to-load.kasp" {
	type primary;
	file "nsec3-fails-to-load.kasp.db";
	dnssec-policy "nsec3";
	allow-update { any; };
};

/* These zones switch from dynamic to inline-signing or vice versa. */
zone "nsec3-dynamic-to-inline.kasp" {
	type primary;
	file "nsec3-dynamic-to-inline.kasp.db";
	dnssec-policy "nsec3";
	allow-update { any; };
};

zone "nsec3-inline-to-dynamic.kasp" {
	type primary;
	file "nsec3-inline-to-dynamic.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

/*
 * Test adding an NSEC3 record to an inline-signing dnssec-policy zone.
 * Note this zone combines inline-signing with allow-update, and uses the
 * NSEC policy rather than an NSEC3 one.
 */
zone "nsec3-dynamic-update-inline.kasp" {
	type primary;
	file "nsec3-dynamic-update-inline.kasp.db";
	inline-signing yes;
	allow-update { any; };
	dnssec-policy "nsec";
};

/* Secondary zone, transferred from the primary at 10.53.0.2 and signed inline here. */
zone "nsec3-xfr-inline.kasp" {
	type secondary;
	file "nsec3-xfr-inline.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec";
	primaries { 10.53.0.2; };
};