ad0752bc22
Make sure the 'checkds' command correctly sets the right key timing
metadata and also make sure that it rejects setting the key timing
metadata if there are multiple keys with the KSK role and no key
identifier is provided.
(cherry picked from commit a43bb41909)
106 lines
2.2 KiB
Plaintext
106 lines
2.2 KiB
Plaintext
/*
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
*
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
* information regarding copyright ownership.
|
|
*/
|
|
|
|
dnssec-policy "unlimited" {
|
|
dnskey-ttl 1234;
|
|
|
|
keys {
|
|
csk key-directory lifetime unlimited algorithm 13;
|
|
};
|
|
};
|
|
|
|
dnssec-policy "rsasha1" {
|
|
dnskey-ttl 1234;
|
|
|
|
keys {
|
|
ksk key-directory lifetime P10Y algorithm 5;
|
|
zsk key-directory lifetime P5Y algorithm 5;
|
|
zsk key-directory lifetime P1Y algorithm 5 2000;
|
|
};
|
|
};
|
|
|
|
dnssec-policy "rsasha1-nsec3" {
|
|
dnskey-ttl 1234;
|
|
|
|
keys {
|
|
ksk key-directory lifetime P10Y algorithm 7;
|
|
zsk key-directory lifetime P5Y algorithm 7;
|
|
zsk key-directory lifetime P1Y algorithm 7 2000;
|
|
};
|
|
};
|
|
|
|
dnssec-policy "rsasha256" {
|
|
dnskey-ttl 1234;
|
|
|
|
keys {
|
|
ksk key-directory lifetime P10Y algorithm 8;
|
|
zsk key-directory lifetime P5Y algorithm 8;
|
|
zsk key-directory lifetime P1Y algorithm 8 2000;
|
|
};
|
|
};
|
|
|
|
dnssec-policy "rsasha512" {
|
|
dnskey-ttl 1234;
|
|
|
|
keys {
|
|
ksk key-directory lifetime P10Y algorithm 10;
|
|
zsk key-directory lifetime P5Y algorithm 10;
|
|
zsk key-directory lifetime P1Y algorithm 10 2000;
|
|
};
|
|
};
|
|
|
|
dnssec-policy "ecdsa256" {
|
|
dnskey-ttl 1234;
|
|
|
|
keys {
|
|
ksk key-directory lifetime P10Y algorithm 13;
|
|
zsk key-directory lifetime P5Y algorithm 13;
|
|
zsk key-directory lifetime P1Y algorithm 13 256;
|
|
};
|
|
};
|
|
|
|
dnssec-policy "ecdsa384" {
|
|
dnskey-ttl 1234;
|
|
|
|
keys {
|
|
ksk key-directory lifetime P10Y algorithm 14;
|
|
zsk key-directory lifetime P5Y algorithm 14;
|
|
zsk key-directory lifetime P1Y algorithm 14 384;
|
|
};
|
|
};
|
|
|
|
dnssec-policy "checkds-ksk" {
|
|
dnskey-ttl 303;
|
|
|
|
keys {
|
|
ksk key-directory lifetime unlimited algorithm 13;
|
|
zsk key-directory lifetime unlimited algorithm 13;
|
|
};
|
|
};
|
|
|
|
dnssec-policy "checkds-doubleksk" {
|
|
dnskey-ttl 303;
|
|
|
|
keys {
|
|
ksk key-directory lifetime unlimited algorithm 13;
|
|
ksk key-directory lifetime unlimited algorithm 13;
|
|
zsk key-directory lifetime unlimited algorithm 13;
|
|
};
|
|
};
|
|
|
|
dnssec-policy "checkds-csk" {
|
|
dnskey-ttl 303;
|
|
|
|
keys {
|
|
csk key-directory lifetime unlimited algorithm 13;
|
|
};
|
|
};
|