62ddc3dca0
Now that inline-signing is explicitly set in dnssec-policy, remove the redundant "inline-signing yes;" lines from the system tests.
148 lines
3.3 KiB
Plaintext
148 lines
3.3 KiB
Plaintext
/*
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
*
|
|
* SPDX-License-Identifier: MPL-2.0
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
*
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
* information regarding copyright ownership.
|
|
*/
|
|
|
|
// NS3
|
|
|
|
dnssec-policy "nsec" {
|
|
// no need to change configuration: if no 'nsec3param' is set,
|
|
// NSEC will be used;
|
|
};
|
|
|
|
dnssec-policy "nsec3" {
|
|
nsec3param;
|
|
};
|
|
|
|
dnssec-policy "optout" {
|
|
nsec3param optout yes;
|
|
};
|
|
|
|
dnssec-policy "nsec3-other" {
|
|
nsec3param iterations 11 optout yes salt-length 0;
|
|
};
|
|
|
|
options {
|
|
query-source address 10.53.0.3;
|
|
notify-source 10.53.0.3;
|
|
transfer-source 10.53.0.3;
|
|
port @PORT@;
|
|
pid-file "named.pid";
|
|
listen-on { 10.53.0.3; };
|
|
listen-on-v6 { none; };
|
|
allow-transfer { any; };
|
|
recursion no;
|
|
dnssec-validation no;
|
|
};
|
|
|
|
key rndc_key {
|
|
secret "1234abcd8765";
|
|
algorithm @DEFAULT_HMAC@;
|
|
};
|
|
|
|
controls {
|
|
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
|
};
|
|
|
|
/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
|
|
zone "nsec-to-nsec3.kasp" {
|
|
type primary;
|
|
file "nsec-to-nsec3.kasp.db";
|
|
//dnssec-policy "nsec";
|
|
dnssec-policy "nsec3";
|
|
};
|
|
|
|
/* These zones use the default NSEC3 settings. */
|
|
zone "nsec3.kasp" {
|
|
type primary;
|
|
file "nsec3.kasp.db";
|
|
dnssec-policy "nsec3";
|
|
};
|
|
|
|
zone "nsec3-dynamic.kasp" {
|
|
type primary;
|
|
file "nsec3-dynamic.kasp.db";
|
|
dnssec-policy "nsec3";
|
|
allow-update { any; };
|
|
};
|
|
|
|
/* This zone uses non-default NSEC3 settings. */
|
|
zone "nsec3-other.kasp" {
|
|
type primary;
|
|
file "nsec3-other.kasp.db";
|
|
dnssec-policy "nsec3-other";
|
|
};
|
|
|
|
/* These zone will be reconfigured to use other NSEC3 settings. */
|
|
zone "nsec3-change.kasp" {
|
|
type primary;
|
|
file "nsec3-change.kasp.db";
|
|
//dnssec-policy "nsec3";
|
|
dnssec-policy "nsec3-other";
|
|
};
|
|
|
|
zone "nsec3-dynamic-change.kasp" {
|
|
type primary;
|
|
file "nsec3-dynamic-change.kasp.db";
|
|
//dnssec-policy "nsec3";
|
|
inline-signing no;
|
|
dnssec-policy "nsec3-other";
|
|
allow-update { any; };
|
|
};
|
|
|
|
/* The zone will be reconfigured to use opt-out. */
|
|
zone "nsec3-to-optout.kasp" {
|
|
type primary;
|
|
file "nsec3-to-optout.kasp.db";
|
|
//dnssec-policy "nsec3";
|
|
dnssec-policy "optout";
|
|
};
|
|
|
|
/* The zone will be reconfigured to disable opt-out. */
|
|
zone "nsec3-from-optout.kasp" {
|
|
type primary;
|
|
file "nsec3-from-optout.kasp.db";
|
|
//dnssec-policy "optout";
|
|
dnssec-policy "nsec3";
|
|
};
|
|
|
|
/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
|
|
zone "nsec3-to-nsec.kasp" {
|
|
type primary;
|
|
file "nsec3-to-nsec.kasp.db";
|
|
//dnssec-policy "nsec3";
|
|
dnssec-policy "nsec";
|
|
};
|
|
|
|
/* The zone fails to load, but is fixed after a reload. */
|
|
zone "nsec3-fails-to-load.kasp" {
|
|
type primary;
|
|
file "nsec3-fails-to-load.kasp.db";
|
|
dnssec-policy "nsec3";
|
|
allow-update { any; };
|
|
};
|
|
|
|
/* These zones switch from dynamic to inline-signing or vice versa. */
|
|
zone "nsec3-dynamic-to-inline.kasp" {
|
|
type primary;
|
|
file "nsec3-dynamic-to-inline.kasp.db";
|
|
dnssec-policy "nsec3";
|
|
allow-update { any; };
|
|
};
|
|
|
|
zone "nsec3-inline-to-dynamic.kasp" {
|
|
type primary;
|
|
file "nsec3-inline-to-dynamic.kasp.db";
|
|
inline-signing no;
|
|
dnssec-policy "nsec3";
|
|
allow-update { any; };
|
|
};
|