d35dab3db8
NSEC3 is not backwards compatible with key algorithms that existed
before the RFC 5155 specification was published.
(cherry picked from commit 00c5dabea3)
59 lines
1.2 KiB
Plaintext
59 lines
1.2 KiB
Plaintext
/*
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
*
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
* information regarding copyright ownership.
|
|
*/
|
|
|
|
dnssec-policy "rsasha1" {
|
|
keys {
|
|
csk lifetime P10Y algorithm nsec3rsasha1 1024;
|
|
};
|
|
nsec3param iterations 150;
|
|
};
|
|
|
|
dnssec-policy "rsasha1-bad" {
|
|
keys {
|
|
csk lifetime P10Y algorithm nsec3rsasha1 1024;
|
|
};
|
|
nsec3param iterations 151;
|
|
};
|
|
|
|
dnssec-policy "rsasha256" {
|
|
keys {
|
|
csk lifetime P10Y algorithm rsasha256 2048;
|
|
};
|
|
nsec3param iterations 500;
|
|
};
|
|
|
|
dnssec-policy "rsasha256-bad" {
|
|
keys {
|
|
csk lifetime P10Y algorithm rsasha256 2048;
|
|
};
|
|
nsec3param iterations 501;
|
|
};
|
|
|
|
dnssec-policy "rsasha512" {
|
|
keys {
|
|
csk lifetime P10Y algorithm rsasha512 4096;
|
|
};
|
|
nsec3param iterations 2500;
|
|
};
|
|
|
|
dnssec-policy "rsasha512-bad" {
|
|
keys {
|
|
csk lifetime P10Y algorithm rsasha512 4096;
|
|
};
|
|
nsec3param iterations 2501;
|
|
};
|
|
|
|
zone "example.net" {
|
|
type master;
|
|
file "example.db";
|
|
dnssec-policy "default";
|
|
};
|