/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

// NS3
//
// named configuration for an authoritative-only server (recursion is off)
// that is primary for a set of ".kasp" zones, each bound to one of the
// NSEC/NSEC3 dnssec-policy blocks below.
// NOTE(review): the zone comments describe reconfiguration and shutdown
// scenarios, so this looks like a test fixture. The open ACLs and the
// fixed control key in this file are only appropriate in that setting.

dnssec-policy "nsec" {
	// no need to change configuration: if no 'nsec3param' is set,
	// NSEC will be used;
};

dnssec-policy "nsec3" {
	// Bare 'nsec3param' selects NSEC3 with the built-in defaults of the
	// running named; no parameter values are pinned here.
	nsec3param;
};

dnssec-policy "optout" {
	// With opt-out, insecure delegations are left outside the NSEC3
	// chain, so their presence or absence is not authenticated.
	nsec3param optout yes;
};

dnssec-policy "nsec3-other" {
	// Explicit non-default parameters. RFC 9276 recommends 0 additional
	// iterations and an empty salt; extra iterations add hashing cost for
	// validators and for this server.
	// NOTE(review): 11 is presumably chosen to be distinguishable from
	// the default in checks - confirm before copying elsewhere.
	nsec3param iterations 11 optout yes salt-length 0;
};

options {
	query-source address 10.53.0.3;
	notify-source 10.53.0.3;
	transfer-source 10.53.0.3;
	// @PORT@ is a template placeholder, presumably substituted before
	// named reads this file.
	port @PORT@;
	pid-file "named.pid";
	// IPv4 on a single address only; IPv6 listening is disabled.
	listen-on { 10.53.0.3; };
	listen-on-v6 { none; };
	// Any client may transfer (AXFR/IXFR) every zone served here, which
	// exposes full zone contents. Outside an isolated lab, restrict this
	// to known secondaries, ideally authenticated with TSIG keys.
	allow-transfer { any; };
	recursion no;
};

key rndc_key {
	// Fixed, low-entropy shared secret stored in the file itself.
	// Treat it as public: never reuse it on a reachable server; generate
	// a per-host key (e.g. with rndc-confgen) and keep it in a file with
	// restricted permissions instead.
	secret "1234abcd8765";
	algorithm hmac-sha256;
};

controls {
	// The control channel accepts connections from any source address;
	// the only barrier is possession of rndc_key above. A production
	// setup would bind to loopback and narrow the allow list.
	// @CONTROLPORT@ is a template placeholder like @PORT@.
	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};

/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
zone "nsec-to-nsec3.kasp" {
	type primary;
	file "nsec-to-nsec3.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec";
};

/* These zones use the default NSEC3 settings. */
zone "nsec3.kasp" {
	type primary;
	file "nsec3.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

zone "nsec3-dynamic.kasp" {
	type primary;
	file "nsec3-dynamic.kasp.db";
	dnssec-policy "nsec3";
	// Unauthenticated dynamic updates from any source: anyone who can
	// reach the server can rewrite this zone, and the changes get signed.
	// Outside a lab, use update-policy with TSIG (or GSS-TSIG) identities.
	// This zone sets no inline-signing statement, unlike the static ones.
	allow-update { any; };
};

/* This zone uses non-default NSEC3 settings. */
zone "nsec3-other.kasp" {
	type primary;
	file "nsec3-other.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3-other";
};

/* These zones will be reconfigured to use other NSEC3 settings. */
zone "nsec3-change.kasp" {
	type primary;
	file "nsec3-change.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

zone "nsec3-dynamic-change.kasp" {
	type primary;
	file "nsec3-dynamic-change.kasp.db";
	dnssec-policy "nsec3";
	// Open dynamic updates, as for nsec3-dynamic.kasp: lab use only.
	allow-update { any; };
};

/* The zone will be reconfigured to use opt-out. */
zone "nsec3-to-optout.kasp" {
	type primary;
	file "nsec3-to-optout.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

/* The zone will be reconfigured to disable opt-out. */
zone "nsec3-from-optout.kasp" {
	type primary;
	file "nsec3-from-optout.kasp.db";
	inline-signing yes;
	dnssec-policy "optout";
};

/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
zone "nsec3-to-nsec.kasp" {
	type primary;
	file "nsec3-to-nsec.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

/* The zone fails to load, this should not prevent shutdown. */
zone "nsec3-fails-to-load.kasp" {
	type primary;
	file "nsec3-fails-to-load.kasp.db";
	dnssec-policy "nsec3";
	// Open dynamic updates, as for nsec3-dynamic.kasp: lab use only.
	allow-update { any; };
};