ddfb9ea8c1
GitLab issue #2498 is a bug report on NSEC3 with dynamic zones. Tests
for it in the nsec3 system test directory were missing.
(cherry picked from commit 0c0f10b53f)
114 lines
2.4 KiB
Plaintext
114 lines
2.4 KiB
Plaintext
/*
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
*
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
* information regarding copyright ownership.
|
|
*/
|
|
|
|
// NS3
|
|
|
|
dnssec-policy "nsec" {
|
|
// no need to change configuration: if no 'nsec3param' is set,
|
|
// NSEC will be used;
|
|
};
|
|
|
|
dnssec-policy "nsec3" {
|
|
nsec3param;
|
|
};
|
|
|
|
dnssec-policy "optout" {
|
|
nsec3param optout yes;
|
|
};
|
|
|
|
dnssec-policy "nsec3-other" {
|
|
nsec3param iterations 11 optout yes salt-length 0;
|
|
};
|
|
|
|
options {
|
|
query-source address 10.53.0.3;
|
|
notify-source 10.53.0.3;
|
|
transfer-source 10.53.0.3;
|
|
port @PORT@;
|
|
pid-file "named.pid";
|
|
listen-on { 10.53.0.3; };
|
|
listen-on-v6 { none; };
|
|
allow-transfer { any; };
|
|
recursion no;
|
|
};
|
|
|
|
key rndc_key {
|
|
secret "1234abcd8765";
|
|
algorithm hmac-sha256;
|
|
};
|
|
|
|
controls {
|
|
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
|
};
|
|
|
|
/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
|
|
zone "nsec-to-nsec3.kasp" {
|
|
type primary;
|
|
file "nsec-to-nsec3.kasp.db";
|
|
dnssec-policy "nsec";
|
|
};
|
|
|
|
/* These zones use the default NSEC3 settings. */
|
|
zone "nsec3.kasp" {
|
|
type primary;
|
|
file "nsec3.kasp.db";
|
|
dnssec-policy "nsec3";
|
|
};
|
|
|
|
zone "nsec3-dynamic.kasp" {
|
|
type primary;
|
|
file "nsec3-dynamic.kasp.db";
|
|
dnssec-policy "nsec3";
|
|
allow-update { any; };
|
|
};
|
|
|
|
/* This zone uses non-default NSEC3 settings. */
|
|
zone "nsec3-other.kasp" {
|
|
type primary;
|
|
file "nsec3-other.kasp.db";
|
|
dnssec-policy "nsec3-other";
|
|
};
|
|
|
|
/* These zones will be reconfigured to use other NSEC3 settings. */
|
|
zone "nsec3-change.kasp" {
|
|
type primary;
|
|
file "nsec3-change.kasp.db";
|
|
dnssec-policy "nsec3";
|
|
};
|
|
|
|
zone "nsec3-dynamic-change.kasp" {
|
|
type primary;
|
|
file "nsec3-dynamic-change.kasp.db";
|
|
dnssec-policy "nsec3";
|
|
allow-update { any; };
|
|
};
|
|
|
|
/* The zone will be reconfigured to use opt-out. */
|
|
zone "nsec3-to-optout.kasp" {
|
|
type primary;
|
|
file "nsec3-to-optout.kasp.db";
|
|
dnssec-policy "nsec3";
|
|
};
|
|
|
|
/* The zone will be reconfigured to disable opt-out. */
|
|
zone "nsec3-from-optout.kasp" {
|
|
type primary;
|
|
file "nsec3-from-optout.kasp.db";
|
|
dnssec-policy "optout";
|
|
};
|
|
|
|
/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
|
|
zone "nsec3-to-nsec.kasp" {
|
|
type primary;
|
|
file "nsec3-to-nsec.kasp.db";
|
|
dnssec-policy "nsec3";
|
|
};
|