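/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0.  If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

// NS3

/*
 * NOTE(review): this reads as a test-fixture template (templated @PORT@ and
 * @CONTROLPORT@, one fixed listen address), not a production configuration.
 * The open ACLs and the literal key below should not be copied to a server
 * that is reachable by untrusted clients; see the per-statement notes.
 *
 * Where a zone carries a commented-out dnssec-policy line next to an active
 * one, the commented line appears to record the policy the zone used before
 * the reconfiguration that its comment describes -- confirm against the
 * companion configuration.
 */

dnssec-policy "nsec" {
	// no need to change configuration: if no 'nsec3param' is set,
	// NSEC will be used;
};

// NSEC3 with the default parameters (bare 'nsec3param').
dnssec-policy "nsec3" {
	nsec3param;
};

// NSEC3 with opt-out enabled; other parameters left at their defaults.
// With opt-out, insecure delegations are not covered by the NSEC3 chain.
dnssec-policy "optout" {
	nsec3param optout yes;
};

// Non-default NSEC3 parameters: extra hash iterations, opt-out, no salt.
// For production zones RFC 9276 recommends zero additional iterations and
// no salt; the iteration count here looks chosen to differ from the default.
dnssec-policy "nsec3-other" {
	nsec3param iterations 11 optout yes salt-length 0;
};

options {
	query-source address 10.53.0.3;
	notify-source 10.53.0.3;
	transfer-source 10.53.0.3;
	port @PORT@;
	pid-file "named.pid";
	listen-on { 10.53.0.3; };
	listen-on-v6 { none; };
	// Zone transfers are open to every client. This exposes full zone
	// contents, which removes the enumeration resistance NSEC3 is meant to
	// add. Outside a test network, restrict this to named secondaries
	// (address ACL and/or TSIG key).
	allow-transfer { any; };
	// Authoritative-only: recursive queries are refused.
	recursion no;
};

// Control-channel key. The secret is a literal in this file; anyone who can
// read the file can drive the server over the control channel. For real
// deployments generate a random key and keep it in a file with restricted
// permissions.
key rndc_key {
	secret "1234abcd8765";
	algorithm hmac-sha256;
};

// Control channel: any source address may connect; the key is the only
// gate. Outside a test network, bind this to loopback and narrow 'allow'.
controls {
	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};

/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
zone "nsec-to-nsec3.kasp" {
	type primary;
	file "nsec-to-nsec3.kasp.db";
	//dnssec-policy "nsec";
	dnssec-policy "nsec3";
};

/* These zones use the default NSEC3 settings. */
zone "nsec3.kasp" {
	type primary;
	file "nsec3.kasp.db";
	dnssec-policy "nsec3";
};

zone "nsec3-dynamic.kasp" {
	type primary;
	file "nsec3-dynamic.kasp.db";
	dnssec-policy "nsec3";
	// Unauthenticated dynamic updates: any client that can reach the server
	// may change zone data. Outside a test network, require a TSIG key or
	// use update-policy.
	allow-update { any; };
};

/* This zone uses non-default NSEC3 settings. */
zone "nsec3-other.kasp" {
	type primary;
	file "nsec3-other.kasp.db";
	dnssec-policy "nsec3-other";
};

/* These zones will be reconfigured to use other NSEC3 settings. */
zone "nsec3-change.kasp" {
	type primary;
	file "nsec3-change.kasp.db";
	//dnssec-policy "nsec3";
	dnssec-policy "nsec3-other";
};

zone "nsec3-dynamic-change.kasp" {
	type primary;
	file "nsec3-dynamic-change.kasp.db";
	//dnssec-policy "nsec3";
	dnssec-policy "nsec3-other";
	// Unauthenticated dynamic updates; test-only setting (see
	// nsec3-dynamic.kasp).
	allow-update { any; };
};

/* The zone will be reconfigured to use opt-out. */
zone "nsec3-to-optout.kasp" {
	type primary;
	file "nsec3-to-optout.kasp.db";
	//dnssec-policy "nsec3";
	dnssec-policy "optout";
};

/* The zone will be reconfigured to disable opt-out. */
zone "nsec3-from-optout.kasp" {
	type primary;
	file "nsec3-from-optout.kasp.db";
	//dnssec-policy "optout";
	dnssec-policy "nsec3";
};

/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
zone "nsec3-to-nsec.kasp" {
	type primary;
	file "nsec3-to-nsec.kasp.db";
	//dnssec-policy "nsec3";
	dnssec-policy "nsec";
};

/* The zone fails to load, but is fixed after a reload. */
zone "nsec3-fails-to-load.kasp" {
	type primary;
	file "nsec3-fails-to-load.kasp.db";
	dnssec-policy "nsec3";
	// Unauthenticated dynamic updates; test-only setting (see
	// nsec3-dynamic.kasp).
	allow-update { any; };
};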