bind9/bin/tests/system/nsec3/ns3/named2.conf.in
Matthijs Mekking 62ddc3dca0 Remove redundant inline-signing lines from tests
Now that inline-signing is explicitly set in dnssec-policy, remove
the redundant "inline-signing yes;" lines from the system tests.
2023-08-01 06:55:48 +00:00


/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS3
include "named-fips.conf";
/*
* Test policy: a single combined signing key (CSK) using RSASHA1
* (DNSSEC algorithm 5) with no scheduled rollover.
*
* RSASHA1 is chosen because it is an NSEC-only algorithm: it cannot be
* combined with NSEC3, which is what the zones below exercise. SHA-1 based
* signing algorithms are NOT RECOMMENDED for signing by RFC 8624, so this
* policy is meant for the test suite only and is not a template for a
* production zone.
*/
dnssec-policy "rsasha1" {
keys {
// No key length is given, so the default size for the algorithm applies.
csk lifetime unlimited algorithm rsasha1;
};
};
/*
* This zone starts with NSEC, but will be reconfigured to use NSEC3.
* This should work despite the incompatible RSASHA1 algorithm,
* because the DS is still in hidden state.
*/
zone "rsasha1-to-nsec3.kasp" {
type primary;
file "rsasha1-to-nsec3.kasp.db";
// Policy before the reconfiguration, kept commented out for reference
// (presumably what the initial ns3 configuration assigns -- confirm).
//dnssec-policy "rsasha1";
// Policy after the reconfiguration. "nsec3" is not defined in this file;
// presumably it comes from the included named-fips.conf -- confirm.
dnssec-policy "nsec3";
};
/*
* This zone starts with NSEC, but will be reconfigured to use NSEC3.
* This should block because RSASHA1 is not compatible with NSEC3,
* and the DS is published.
*/
zone "rsasha1-to-nsec3-wait.kasp" {
type primary;
file "rsasha1-to-nsec3-wait.kasp.db";
// Policy before the reconfiguration, kept commented out for reference
// (presumably what the initial ns3 configuration assigns -- confirm).
//dnssec-policy "rsasha1";
// Requested policy. With the DS already published, the switch to NSEC3 is
// expected to be held back while the RSASHA1 key is still in use.
// "nsec3" is not defined in this file; presumably it comes from the
// included named-fips.conf -- confirm.
dnssec-policy "nsec3";
};
/*
* This zone starts with NSEC3, but will be reconfigured to use NSEC with an
* NSEC-only algorithm. This should work despite the incompatible RSASHA1
* algorithm, because the DS is still in hidden state.
*/
zone "nsec3-to-rsasha1.kasp" {
type primary;
file "nsec3-to-rsasha1.kasp.db";
// Policy before the reconfiguration, kept commented out for reference
// (presumably what the initial ns3 configuration assigns -- confirm).
//dnssec-policy "nsec3";
// Policy after the reconfiguration: the "rsasha1" policy defined at the top
// of this file, which uses an NSEC-only algorithm.
dnssec-policy "rsasha1";
};
/*
* This zone starts with NSEC3, but will be reconfigured to use NSEC with an
* NSEC-only algorithm. This should also be fine: a zone is allowed to
* change to NSEC with any algorithm, after which the new DNSKEY and
* signatures of the RSASHA1 algorithm can be published as well.
*/
zone "nsec3-to-rsasha1-ds.kasp" {
type primary;
file "nsec3-to-rsasha1-ds.kasp.db";
// Policy before the reconfiguration, kept commented out for reference
// (presumably what the initial ns3 configuration assigns -- confirm).
//dnssec-policy "nsec3";
// Policy after the reconfiguration: the "rsasha1" policy defined at the top
// of this file. The "-ds" suffix suggests the DS is already published for
// this zone -- verify against the test setup.
dnssec-policy "rsasha1";
};