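/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

// NS3: authoritative-only test server listening on 10.53.0.3.
//
// NOTE: the "any" ACLs (allow-transfer, allow-update, controls) and the
// fixed rndc secret below exist so the system-test harness can drive
// this server; none of them are suitable for a production named.conf.

dnssec-policy "nsec" {
	// no need to change configuration: if no 'nsec3param' is set,
	// NSEC will be used;
};

/*
 * RSASHA1 is an NSEC-only algorithm: it cannot be used to sign a zone
 * that uses NSEC3, and it is no longer recommended for signing
 * (RFC 8624).  It is configured here solely to exercise the
 * NSEC <-> NSEC3 compatibility checks on the rsasha1-* zones below.
 */
dnssec-policy "rsasha1" {
	keys {
		csk lifetime unlimited algorithm rsasha1;
	};
};

dnssec-policy "nsec3" {
	nsec3param;
};

dnssec-policy "optout" {
	nsec3param optout yes;
};

/*
 * Non-default NSEC3 parameters, used only to test parameter changes.
 * For production zones RFC 9276 recommends iterations 0 and an empty
 * salt: extra iterations and a salt add little protection against zone
 * enumeration while increasing the load on signers and validators.
 */
dnssec-policy "nsec3-other" {
	nsec3param iterations 11 optout yes salt-length 8;
};

options {
	query-source address 10.53.0.3;
	notify-source 10.53.0.3;
	transfer-source 10.53.0.3;
	port @PORT@;
	pid-file "named.pid";
	listen-on { 10.53.0.3; };
	listen-on-v6 { none; };
	// Unrestricted zone transfer so the test can fetch and inspect the
	// signed zones; restrict this to known secondaries in real deployments.
	allow-transfer { any; };
	recursion no;
	// Authoritative-only server; it performs no validation of its own.
	dnssec-validation no;
};

/*
 * Fixed, well-known test secret shared with the test scripts.  The
 * @DEFAULT_HMAC@ placeholder is filled in when the test is set up.
 */
key rndc_key {
	secret "1234abcd8765";
	algorithm @DEFAULT_HMAC@;
};

/* Control channel is open to any source; access is gated by rndc_key only. */
controls {
	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};

/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
zone "nsec-to-nsec3.kasp" {
	type primary;
	file "nsec-to-nsec3.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec";
};

/*
 * This zone starts with NSEC, but will be reconfigured to use NSEC3.
 * This should work despite the incompatible RSASHA1 algorithm,
 * because the DS is still in hidden state.
 */
zone "rsasha1-to-nsec3.kasp" {
	type primary;
	file "rsasha1-to-nsec3.kasp.db";
	inline-signing yes;
	dnssec-policy "rsasha1";
};

/*
 * This zone starts with NSEC, but will be reconfigured to use NSEC3.
 * This should block because RSASHA1 is not compatible with NSEC3,
 * and the DS is published.
 */
zone "rsasha1-to-nsec3-wait.kasp" {
	type primary;
	file "rsasha1-to-nsec3-wait.kasp.db";
	inline-signing yes;
	dnssec-policy "rsasha1";
};

/*
 * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
 * NSEC-only algorithm. This should work despite the incompatible RSASHA1
 * algorithm, because the DS is still in hidden state.
 */
zone "nsec3-to-rsasha1.kasp" {
	type primary;
	file "nsec3-to-rsasha1.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

/*
 * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
 * NSEC-only algorithm. This should also be fine: switching to NSEC is
 * allowed with any algorithm, and once the zone uses NSEC the new RSASHA1
 * DNSKEY and signatures can be published as well.
 */
zone "nsec3-to-rsasha1-ds.kasp" {
	type primary;
	file "nsec3-to-rsasha1-ds.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};


/* These zones use the default NSEC3 settings. */
zone "nsec3.kasp" {
	type primary;
	file "nsec3.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

/* Dynamic zone: open to updates from any client for the test harness only. */
zone "nsec3-dynamic.kasp" {
	type primary;
	file "nsec3-dynamic.kasp.db";
	dnssec-policy "nsec3";
	allow-update { any; };
};

/* This zone uses non-default NSEC3 settings. */
zone "nsec3-other.kasp" {
	type primary;
	file "nsec3-other.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3-other";
};

/* These zones will be reconfigured to use other NSEC3 settings. */
zone "nsec3-change.kasp" {
	type primary;
	file "nsec3-change.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

zone "nsec3-dynamic-change.kasp" {
	type primary;
	file "nsec3-dynamic-change.kasp.db";
	dnssec-policy "nsec3";
	allow-update { any; };
};

/* The zone will be reconfigured to use opt-out. */
zone "nsec3-to-optout.kasp" {
	type primary;
	file "nsec3-to-optout.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

/* The zone will be reconfigured to disable opt-out. */
zone "nsec3-from-optout.kasp" {
	type primary;
	file "nsec3-from-optout.kasp.db";
	inline-signing yes;
	dnssec-policy "optout";
};

/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
zone "nsec3-to-nsec.kasp" {
	type primary;
	file "nsec3-to-nsec.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

/* The zone fails to load; this should not prevent shutdown. */
zone "nsec3-fails-to-load.kasp" {
	type primary;
	file "nsec3-fails-to-load.kasp.db";
	dnssec-policy "nsec3";
	allow-update { any; };
};

/* These zones switch from dynamic to inline-signing or vice versa. */
zone "nsec3-dynamic-to-inline.kasp" {
	type primary;
	file "nsec3-dynamic-to-inline.kasp.db";
	dnssec-policy "nsec3";
	allow-update { any; };
};

zone "nsec3-inline-to-dynamic.kasp" {
	type primary;
	file "nsec3-inline-to-dynamic.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

/*
 * Test adding a NSEC3 record to an inline-signing dnssec-policy zone.
 * The zone is both dynamically updatable and inline-signed.
 */
zone "nsec3-dynamic-update-inline.kasp" {
	type primary;
	file "nsec3-dynamic-update-inline.kasp.db";
	inline-signing yes;
	allow-update { any; };
	dnssec-policy "nsec";
};

/* Secondary zone transferred from ns2 and re-signed locally with policy "nsec". */
zone "nsec3-xfr-inline.kasp" {
	type secondary;
	file "nsec3-xfr-inline.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec";
	primaries { 10.53.0.2; };
};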