ad0752bc22
Make sure the 'checkds' command correctly sets the right key timing
metadata and also make sure that it rejects setting the key timing
metadata if there are multiple keys with the KSK role and no key
identifier is provided.
(cherry picked from commit a43bb41909)
402 lines
8.2 KiB
Plaintext
402 lines
8.2 KiB
Plaintext
/*
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
*
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
* information regarding copyright ownership.
|
|
*/
|
|
|
|
// NS3
|
|
|
|
include "policies/kasp.conf";
|
|
include "policies/autosign.conf";
|
|
|
|
options {
|
|
query-source address 10.53.0.3;
|
|
notify-source 10.53.0.3;
|
|
transfer-source 10.53.0.3;
|
|
port @PORT@;
|
|
pid-file "named.pid";
|
|
listen-on { 10.53.0.3; };
|
|
listen-on-v6 { none; };
|
|
allow-transfer { any; };
|
|
recursion no;
|
|
dnssec-policy "rsasha1";
|
|
};
|
|
|
|
key rndc_key {
|
|
secret "1234abcd8765";
|
|
algorithm hmac-sha256;
|
|
};
|
|
|
|
controls {
|
|
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
|
};
|
|
|
|
/* Zones that are getting initially signed */
|
|
|
|
/* The default case: No keys created, using default policy. */
|
|
zone "default.kasp" {
|
|
type master;
|
|
file "default.kasp.db";
|
|
dnssec-policy "default";
|
|
};
|
|
|
|
/* checkds: Zone with one KSK. */
|
|
zone "checkds-ksk.kasp" {
|
|
type primary;
|
|
file "checkds-ksk.kasp.db";
|
|
dnssec-policy "checkds-ksk";
|
|
};
|
|
|
|
/* checkds: Zone with two KSKs. */
|
|
zone "checkds-doubleksk.kasp" {
|
|
type primary;
|
|
file "checkds-doubleksk.kasp.db";
|
|
dnssec-policy "checkds-doubleksk";
|
|
};
|
|
|
|
/* checkds: Zone with one CSK. */
|
|
zone "checkds-csk.kasp" {
|
|
type primary;
|
|
file "checkds-csk.kasp.db";
|
|
dnssec-policy "checkds-csk";
|
|
};
|
|
|
|
/* Key lifetime unlimited. */
|
|
zone "unlimited.kasp" {
|
|
type master;
|
|
file "unlimited.kasp.db";
|
|
dnssec-policy "unlimited";
|
|
};
|
|
|
|
/* A master zone with dnssec-policy, no keys created. */
|
|
zone "rsasha1.kasp" {
|
|
type master;
|
|
file "rsasha1.kasp.db";
|
|
dnssec-policy "rsasha1";
|
|
};
|
|
|
|
/* A zone that inherits dnssec-policy. */
|
|
zone "inherit.kasp" {
|
|
type master;
|
|
file "inherit.kasp.db";
|
|
};
|
|
|
|
/* A zone that overrides dnssec-policy. */
|
|
zone "unsigned.kasp" {
|
|
type master;
|
|
file "unsigned.kasp.db";
|
|
dnssec-policy "none";
|
|
};
|
|
|
|
/* A master zone with dnssec-policy but keys already created. */
|
|
zone "dnssec-keygen.kasp" {
|
|
type master;
|
|
file "dnssec-keygen.kasp.db";
|
|
dnssec-policy "rsasha1";
|
|
};
|
|
|
|
/* A secondary zone with dnssec-policy. */
|
|
zone "secondary.kasp" {
|
|
type secondary;
|
|
masters { 10.53.0.2; };
|
|
file "secondary.kasp.db";
|
|
dnssec-policy "rsasha1";
|
|
};
|
|
|
|
/* A dynamic zone with dnssec-policy. */
|
|
zone "dynamic.kasp" {
|
|
type master;
|
|
file "dynamic.kasp.db";
|
|
dnssec-policy "default";
|
|
allow-update { any; };
|
|
};
|
|
|
|
/* A dynamic inline-signed zone with dnssec-policy. */
|
|
zone "dynamic-inline-signing.kasp" {
|
|
type master;
|
|
file "dynamic-inline-signing.kasp.db";
|
|
dnssec-policy "default";
|
|
allow-update { any; };
|
|
inline-signing yes;
|
|
};
|
|
|
|
/* An inline-signed zone with dnssec-policy. */
|
|
zone "inline-signing.kasp" {
|
|
type master;
|
|
file "inline-signing.kasp.db";
|
|
dnssec-policy "default";
|
|
inline-signing yes;
|
|
};
|
|
|
|
/*
|
|
* A configured dnssec-policy but some keys already created.
|
|
*/
|
|
zone "some-keys.kasp" {
|
|
type master;
|
|
file "some-keys.kasp.db";
|
|
dnssec-policy "rsasha1";
|
|
};
|
|
|
|
/*
|
|
* A configured dnssec-policy but some keys already in use.
|
|
*/
|
|
zone "legacy-keys.kasp" {
|
|
type master;
|
|
file "legacy-keys.kasp.db";
|
|
dnssec-policy "rsasha1";
|
|
};
|
|
|
|
/*
|
|
* A configured dnssec-policy with (too) many keys pregenerated.
|
|
*/
|
|
zone "pregenerated.kasp" {
|
|
type master;
|
|
file "pregenerated.kasp.db";
|
|
dnssec-policy "rsasha1";
|
|
};
|
|
|
|
/*
|
|
* A configured dnssec-policy with one rumoured key.
|
|
* Bugfix case for GL #1593.
|
|
*/
|
|
zone "rumoured.kasp" {
|
|
type master;
|
|
file "rumoured.kasp.db";
|
|
dnssec-policy "rsasha1";
|
|
};
|
|
|
|
/*
|
|
* Different algorithms.
|
|
*/
|
|
zone "rsasha1-nsec3.kasp" {
|
|
type master;
|
|
file "rsasha1-nsec3.kasp.db";
|
|
dnssec-policy "rsasha1-nsec3";
|
|
};
|
|
zone "rsasha256.kasp" {
|
|
type master;
|
|
file "rsasha256.kasp.db";
|
|
dnssec-policy "rsasha256";
|
|
};
|
|
zone "rsasha512.kasp" {
|
|
type master;
|
|
file "rsasha512.kasp.db";
|
|
dnssec-policy "rsasha512";
|
|
};
|
|
zone "ecdsa256.kasp" {
|
|
type master;
|
|
file "ecdsa256.kasp.db";
|
|
dnssec-policy "ecdsa256";
|
|
};
|
|
zone "ecdsa384.kasp" {
|
|
type master;
|
|
file "ecdsa384.kasp.db";
|
|
dnssec-policy "ecdsa384";
|
|
};
|
|
|
|
/*
|
|
* Zones in different signing states.
|
|
*/
|
|
|
|
/*
|
|
* Zone that has expired signatures.
|
|
*/
|
|
zone "expired-sigs.autosign" {
|
|
type master;
|
|
file "expired-sigs.autosign.db";
|
|
dnssec-policy "autosign";
|
|
};
|
|
|
|
/*
|
|
* Zone that has valid, fresh signatures.
|
|
*/
|
|
zone "fresh-sigs.autosign" {
|
|
type master;
|
|
file "fresh-sigs.autosign.db";
|
|
dnssec-policy "autosign";
|
|
};
|
|
|
|
/*
|
|
* Zone that has unfresh signatures.
|
|
*/
|
|
zone "unfresh-sigs.autosign" {
|
|
type master;
|
|
file "unfresh-sigs.autosign.db";
|
|
dnssec-policy "autosign";
|
|
};
|
|
|
|
/*
|
|
* Zone that has missing private ZSK.
|
|
*/
|
|
zone "zsk-missing.autosign" {
|
|
type master;
|
|
file "zsk-missing.autosign.db";
|
|
dnssec-policy "autosign";
|
|
};
|
|
|
|
/*
|
|
* Zone that has inactive ZSK.
|
|
*/
|
|
zone "zsk-retired.autosign" {
|
|
type master;
|
|
file "zsk-retired.autosign.db";
|
|
dnssec-policy "autosign";
|
|
};
|
|
|
|
/*
|
|
* Zones for testing enabling DNSSEC.
|
|
*/
|
|
zone "step1.enable-dnssec.autosign" {
|
|
type master;
|
|
file "step1.enable-dnssec.autosign.db";
|
|
dnssec-policy "enable-dnssec";
|
|
};
|
|
zone "step2.enable-dnssec.autosign" {
|
|
type master;
|
|
file "step2.enable-dnssec.autosign.db";
|
|
dnssec-policy "enable-dnssec";
|
|
};
|
|
zone "step3.enable-dnssec.autosign" {
|
|
type master;
|
|
file "step3.enable-dnssec.autosign.db";
|
|
dnssec-policy "enable-dnssec";
|
|
};
|
|
zone "step4.enable-dnssec.autosign" {
|
|
type master;
|
|
file "step4.enable-dnssec.autosign.db";
|
|
dnssec-policy "enable-dnssec";
|
|
};
|
|
|
|
/*
|
|
* Zones for testing ZSK Pre-Publication steps.
|
|
*/
|
|
zone "step1.zsk-prepub.autosign" {
|
|
type master;
|
|
file "step1.zsk-prepub.autosign.db";
|
|
dnssec-policy "zsk-prepub";
|
|
};
|
|
zone "step2.zsk-prepub.autosign" {
|
|
type master;
|
|
file "step2.zsk-prepub.autosign.db";
|
|
dnssec-policy "zsk-prepub";
|
|
};
|
|
zone "step3.zsk-prepub.autosign" {
|
|
type master;
|
|
file "step3.zsk-prepub.autosign.db";
|
|
dnssec-policy "zsk-prepub";
|
|
};
|
|
zone "step4.zsk-prepub.autosign" {
|
|
type master;
|
|
file "step4.zsk-prepub.autosign.db";
|
|
dnssec-policy "zsk-prepub";
|
|
};
|
|
zone "step5.zsk-prepub.autosign" {
|
|
type master;
|
|
file "step5.zsk-prepub.autosign.db";
|
|
dnssec-policy "zsk-prepub";
|
|
};
|
|
|
|
/*
|
|
* Zones for testing KSK Double-KSK steps.
|
|
*/
|
|
zone "step1.ksk-doubleksk.autosign" {
|
|
type master;
|
|
file "step1.ksk-doubleksk.autosign.db";
|
|
dnssec-policy "ksk-doubleksk";
|
|
};
|
|
zone "step2.ksk-doubleksk.autosign" {
|
|
type master;
|
|
file "step2.ksk-doubleksk.autosign.db";
|
|
dnssec-policy "ksk-doubleksk";
|
|
};
|
|
zone "step3.ksk-doubleksk.autosign" {
|
|
type master;
|
|
file "step3.ksk-doubleksk.autosign.db";
|
|
dnssec-policy "ksk-doubleksk";
|
|
};
|
|
zone "step4.ksk-doubleksk.autosign" {
|
|
type master;
|
|
file "step4.ksk-doubleksk.autosign.db";
|
|
dnssec-policy "ksk-doubleksk";
|
|
};
|
|
zone "step5.ksk-doubleksk.autosign" {
|
|
type master;
|
|
file "step5.ksk-doubleksk.autosign.db";
|
|
dnssec-policy "ksk-doubleksk";
|
|
};
|
|
|
|
/*
|
|
* Zones for testing CSK rollover steps.
|
|
*/
|
|
zone "step1.csk-roll.autosign" {
|
|
type master;
|
|
file "step1.csk-roll.autosign.db";
|
|
dnssec-policy "csk-roll";
|
|
};
|
|
zone "step2.csk-roll.autosign" {
|
|
type master;
|
|
file "step2.csk-roll.autosign.db";
|
|
dnssec-policy "csk-roll";
|
|
};
|
|
zone "step3.csk-roll.autosign" {
|
|
type master;
|
|
file "step3.csk-roll.autosign.db";
|
|
dnssec-policy "csk-roll";
|
|
};
|
|
zone "step4.csk-roll.autosign" {
|
|
type master;
|
|
file "step4.csk-roll.autosign.db";
|
|
dnssec-policy "csk-roll";
|
|
};
|
|
zone "step5.csk-roll.autosign" {
|
|
type master;
|
|
file "step5.csk-roll.autosign.db";
|
|
dnssec-policy "csk-roll";
|
|
};
|
|
zone "step6.csk-roll.autosign" {
|
|
type master;
|
|
file "step6.csk-roll.autosign.db";
|
|
dnssec-policy "csk-roll";
|
|
};
|
|
zone "step7.csk-roll.autosign" {
|
|
type master;
|
|
file "step7.csk-roll.autosign.db";
|
|
dnssec-policy "csk-roll";
|
|
};
|
|
|
|
zone "step1.csk-roll2.autosign" {
|
|
type master;
|
|
file "step1.csk-roll2.autosign.db";
|
|
dnssec-policy "csk-roll2";
|
|
};
|
|
zone "step2.csk-roll2.autosign" {
|
|
type master;
|
|
file "step2.csk-roll2.autosign.db";
|
|
dnssec-policy "csk-roll2";
|
|
};
|
|
zone "step3.csk-roll2.autosign" {
|
|
type master;
|
|
file "step3.csk-roll2.autosign.db";
|
|
dnssec-policy "csk-roll2";
|
|
};
|
|
zone "step4.csk-roll2.autosign" {
|
|
type master;
|
|
file "step4.csk-roll2.autosign.db";
|
|
dnssec-policy "csk-roll2";
|
|
};
|
|
zone "step5.csk-roll2.autosign" {
|
|
type master;
|
|
file "step5.csk-roll2.autosign.db";
|
|
dnssec-policy "csk-roll2";
|
|
};
|
|
zone "step6.csk-roll2.autosign" {
|
|
type master;
|
|
file "step6.csk-roll2.autosign.db";
|
|
dnssec-policy "csk-roll2";
|
|
};
|