455 lines
9.4 KiB
Plaintext
455 lines
9.4 KiB
Plaintext
/*
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
*
|
|
* SPDX-License-Identifier: MPL-2.0
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
*
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
* information regarding copyright ownership.
|
|
*/
|
|
|
|
// NS3
|
|
|
|
include "policies/kasp.conf";
|
|
include "policies/autosign.conf";
|
|
|
|
options {
|
|
query-source address 10.53.0.3;
|
|
notify-source 10.53.0.3;
|
|
transfer-source 10.53.0.3;
|
|
port @PORT@;
|
|
pid-file "named.pid";
|
|
listen-on { 10.53.0.3; };
|
|
listen-on-v6 { none; };
|
|
allow-transfer { any; };
|
|
recursion no;
|
|
dnssec-policy "rsasha1";
|
|
};
|
|
|
|
key rndc_key {
|
|
secret "1234abcd8765";
|
|
algorithm @DEFAULT_HMAC@;
|
|
};
|
|
|
|
controls {
|
|
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
|
};
|
|
|
|
/* Zones that are getting initially signed */
|
|
|
|
/* The default case: No keys created, using default policy. */
|
|
zone "default.kasp" {
|
|
type primary;
|
|
file "default.kasp.db";
|
|
dnssec-policy "default";
|
|
};
|
|
|
|
/* checkds: Zone with one KSK. */
|
|
zone "checkds-ksk.kasp" {
|
|
type primary;
|
|
file "checkds-ksk.kasp.db";
|
|
dnssec-policy "checkds-ksk";
|
|
};
|
|
|
|
/* checkds: Zone with two KSKs. */
|
|
zone "checkds-doubleksk.kasp" {
|
|
type primary;
|
|
file "checkds-doubleksk.kasp.db";
|
|
dnssec-policy "checkds-doubleksk";
|
|
};
|
|
|
|
/* checkds: Zone with one CSK. */
|
|
zone "checkds-csk.kasp" {
|
|
type primary;
|
|
file "checkds-csk.kasp.db";
|
|
dnssec-policy "checkds-csk";
|
|
};
|
|
|
|
/* Key lifetime unlimited. */
|
|
zone "unlimited.kasp" {
|
|
type primary;
|
|
file "unlimited.kasp.db";
|
|
dnssec-policy "unlimited";
|
|
};
|
|
|
|
/* Manual rollover. */
|
|
zone "manual-rollover.kasp" {
|
|
type primary;
|
|
file "manual-rollover.kasp.db";
|
|
dnssec-policy "manual-rollover";
|
|
};
|
|
|
|
/* A primary zone with dnssec-policy, no keys created. */
|
|
zone "rsasha1.kasp" {
|
|
type primary;
|
|
file "rsasha1.kasp.db";
|
|
dnssec-policy "rsasha1";
|
|
};
|
|
|
|
/* A zone that inherits dnssec-policy. */
|
|
zone "inherit.kasp" {
|
|
type primary;
|
|
file "inherit.kasp.db";
|
|
};
|
|
|
|
/* A zone that overrides dnssec-policy. */
|
|
zone "unsigned.kasp" {
|
|
type primary;
|
|
file "unsigned.kasp.db";
|
|
dnssec-policy "none";
|
|
};
|
|
|
|
/* A zone that is initially set to insecure. */
|
|
zone "insecure.kasp" {
|
|
type primary;
|
|
file "insecure.kasp.db";
|
|
dnssec-policy "insecure";
|
|
};
|
|
|
|
/* A primary zone with dnssec-policy but keys already created. */
|
|
zone "dnssec-keygen.kasp" {
|
|
type primary;
|
|
file "dnssec-keygen.kasp.db";
|
|
dnssec-policy "rsasha1";
|
|
};
|
|
|
|
/* A secondary zone with dnssec-policy. */
|
|
zone "secondary.kasp" {
|
|
type secondary;
|
|
primaries { 10.53.0.2; };
|
|
file "secondary.kasp.db";
|
|
dnssec-policy "rsasha1";
|
|
};
|
|
|
|
/* A dynamic zone with dnssec-policy. */
|
|
zone "dynamic.kasp" {
|
|
type primary;
|
|
file "dynamic.kasp.db";
|
|
dnssec-policy "default";
|
|
allow-update { any; };
|
|
};
|
|
|
|
/* A dynamic inline-signed zone with dnssec-policy. */
|
|
zone "dynamic-inline-signing.kasp" {
|
|
type primary;
|
|
file "dynamic-inline-signing.kasp.db";
|
|
dnssec-policy "default";
|
|
allow-update { any; };
|
|
inline-signing yes;
|
|
};
|
|
|
|
/* An inline-signed zone with dnssec-policy. */
|
|
zone "inline-signing.kasp" {
|
|
type primary;
|
|
file "inline-signing.kasp.db";
|
|
dnssec-policy "default";
|
|
inline-signing yes;
|
|
};
|
|
|
|
/*
|
|
* A configured dnssec-policy but some keys already created.
|
|
*/
|
|
zone "some-keys.kasp" {
|
|
type primary;
|
|
file "some-keys.kasp.db";
|
|
dnssec-policy "rsasha1";
|
|
};
|
|
|
|
/*
|
|
* A configured dnssec-policy but some keys already in use.
|
|
*/
|
|
zone "legacy-keys.kasp" {
|
|
type primary;
|
|
file "legacy-keys.kasp.db";
|
|
dnssec-policy "migrate-to-dnssec-policy";
|
|
};
|
|
|
|
/*
|
|
* A configured dnssec-policy with (too) many keys pregenerated.
|
|
*/
|
|
zone "pregenerated.kasp" {
|
|
type primary;
|
|
file "pregenerated.kasp.db";
|
|
dnssec-policy "rsasha1";
|
|
};
|
|
|
|
/*
|
|
* A configured dnssec-policy with one rumoured key.
|
|
* Bugfix case for GL #1593.
|
|
*/
|
|
zone "rumoured.kasp" {
|
|
type primary;
|
|
file "rumoured.kasp.db";
|
|
dnssec-policy "rsasha1";
|
|
};
|
|
|
|
/* RFC 8901 Multi-signer Model 2. */
|
|
zone "multisigner-model2.kasp" {
|
|
type primary;
|
|
file "multisigner-model2.kasp.db";
|
|
dnssec-policy "multisigner-model2";
|
|
allow-update { any; };
|
|
};
|
|
|
|
/*
|
|
* Different algorithms.
|
|
*/
|
|
zone "rsasha1-nsec3.kasp" {
|
|
type primary;
|
|
file "rsasha1-nsec3.kasp.db";
|
|
dnssec-policy "rsasha1-nsec3";
|
|
};
|
|
zone "rsasha256.kasp" {
|
|
type primary;
|
|
file "rsasha256.kasp.db";
|
|
dnssec-policy "rsasha256";
|
|
};
|
|
zone "rsasha512.kasp" {
|
|
type primary;
|
|
file "rsasha512.kasp.db";
|
|
dnssec-policy "rsasha512";
|
|
};
|
|
zone "ecdsa256.kasp" {
|
|
type primary;
|
|
file "ecdsa256.kasp.db";
|
|
dnssec-policy "ecdsa256";
|
|
};
|
|
zone "ecdsa384.kasp" {
|
|
type primary;
|
|
file "ecdsa384.kasp.db";
|
|
dnssec-policy "ecdsa384";
|
|
};
|
|
|
|
/*
|
|
* Zones in different signing states.
|
|
*/
|
|
|
|
/*
|
|
* Zone that has expired signatures.
|
|
*/
|
|
zone "expired-sigs.autosign" {
|
|
type primary;
|
|
file "expired-sigs.autosign.db";
|
|
dnssec-policy "autosign";
|
|
};
|
|
|
|
/*
|
|
* Zone that has valid, fresh signatures.
|
|
*/
|
|
zone "fresh-sigs.autosign" {
|
|
type primary;
|
|
file "fresh-sigs.autosign.db";
|
|
dnssec-policy "autosign";
|
|
};
|
|
|
|
/*
|
|
* Zone that has unfresh signatures.
|
|
*/
|
|
zone "unfresh-sigs.autosign" {
|
|
type primary;
|
|
file "unfresh-sigs.autosign.db";
|
|
dnssec-policy "autosign";
|
|
};
|
|
|
|
/*
|
|
* Zone that has missing private KSK.
|
|
*/
|
|
zone "ksk-missing.autosign" {
|
|
type primary;
|
|
file "ksk-missing.autosign.db";
|
|
dnssec-policy "autosign";
|
|
};
|
|
|
|
/*
|
|
* Zone that has missing private ZSK.
|
|
*/
|
|
zone "zsk-missing.autosign" {
|
|
type primary;
|
|
file "zsk-missing.autosign.db";
|
|
dnssec-policy "autosign";
|
|
};
|
|
|
|
/*
|
|
* Zone that has inactive ZSK.
|
|
*/
|
|
zone "zsk-retired.autosign" {
|
|
type primary;
|
|
file "zsk-retired.autosign.db";
|
|
dnssec-policy "autosign";
|
|
};
|
|
|
|
/*
|
|
* Zones for testing enabling DNSSEC.
|
|
*/
|
|
zone "step1.enable-dnssec.autosign" {
|
|
type primary;
|
|
file "step1.enable-dnssec.autosign.db";
|
|
dnssec-policy "enable-dnssec";
|
|
};
|
|
zone "step2.enable-dnssec.autosign" {
|
|
type primary;
|
|
file "step2.enable-dnssec.autosign.db";
|
|
dnssec-policy "enable-dnssec";
|
|
};
|
|
zone "step3.enable-dnssec.autosign" {
|
|
type primary;
|
|
file "step3.enable-dnssec.autosign.db";
|
|
dnssec-policy "enable-dnssec";
|
|
};
|
|
zone "step4.enable-dnssec.autosign" {
|
|
type primary;
|
|
file "step4.enable-dnssec.autosign.db";
|
|
dnssec-policy "enable-dnssec";
|
|
};
|
|
|
|
/*
|
|
* Zones for testing ZSK Pre-Publication steps.
|
|
*/
|
|
zone "step1.zsk-prepub.autosign" {
|
|
type primary;
|
|
file "step1.zsk-prepub.autosign.db";
|
|
dnssec-policy "zsk-prepub";
|
|
};
|
|
zone "step2.zsk-prepub.autosign" {
|
|
type primary;
|
|
file "step2.zsk-prepub.autosign.db";
|
|
dnssec-policy "zsk-prepub";
|
|
};
|
|
zone "step3.zsk-prepub.autosign" {
|
|
type primary;
|
|
file "step3.zsk-prepub.autosign.db";
|
|
dnssec-policy "zsk-prepub";
|
|
};
|
|
zone "step4.zsk-prepub.autosign" {
|
|
type primary;
|
|
file "step4.zsk-prepub.autosign.db";
|
|
dnssec-policy "zsk-prepub";
|
|
};
|
|
zone "step5.zsk-prepub.autosign" {
|
|
type primary;
|
|
file "step5.zsk-prepub.autosign.db";
|
|
dnssec-policy "zsk-prepub";
|
|
};
|
|
zone "step6.zsk-prepub.autosign" {
|
|
type primary;
|
|
file "step6.zsk-prepub.autosign.db";
|
|
dnssec-policy "zsk-prepub";
|
|
};
|
|
|
|
/*
|
|
* Zones for testing KSK Double-KSK steps.
|
|
*/
|
|
zone "step1.ksk-doubleksk.autosign" {
|
|
type primary;
|
|
file "step1.ksk-doubleksk.autosign.db";
|
|
dnssec-policy "ksk-doubleksk";
|
|
};
|
|
zone "step2.ksk-doubleksk.autosign" {
|
|
type primary;
|
|
file "step2.ksk-doubleksk.autosign.db";
|
|
dnssec-policy "ksk-doubleksk";
|
|
};
|
|
zone "step3.ksk-doubleksk.autosign" {
|
|
type primary;
|
|
file "step3.ksk-doubleksk.autosign.db";
|
|
dnssec-policy "ksk-doubleksk";
|
|
};
|
|
zone "step4.ksk-doubleksk.autosign" {
|
|
type primary;
|
|
file "step4.ksk-doubleksk.autosign.db";
|
|
dnssec-policy "ksk-doubleksk";
|
|
};
|
|
zone "step5.ksk-doubleksk.autosign" {
|
|
type primary;
|
|
file "step5.ksk-doubleksk.autosign.db";
|
|
dnssec-policy "ksk-doubleksk";
|
|
};
|
|
zone "step6.ksk-doubleksk.autosign" {
|
|
type primary;
|
|
file "step6.ksk-doubleksk.autosign.db";
|
|
dnssec-policy "ksk-doubleksk";
|
|
};
|
|
|
|
/*
|
|
* Zones for testing CSK rollover steps.
|
|
*/
|
|
zone "step1.csk-roll.autosign" {
|
|
type primary;
|
|
file "step1.csk-roll.autosign.db";
|
|
dnssec-policy "csk-roll";
|
|
};
|
|
zone "step2.csk-roll.autosign" {
|
|
type primary;
|
|
file "step2.csk-roll.autosign.db";
|
|
dnssec-policy "csk-roll";
|
|
};
|
|
zone "step3.csk-roll.autosign" {
|
|
type primary;
|
|
file "step3.csk-roll.autosign.db";
|
|
dnssec-policy "csk-roll";
|
|
};
|
|
zone "step4.csk-roll.autosign" {
|
|
type primary;
|
|
file "step4.csk-roll.autosign.db";
|
|
dnssec-policy "csk-roll";
|
|
};
|
|
zone "step5.csk-roll.autosign" {
|
|
type primary;
|
|
file "step5.csk-roll.autosign.db";
|
|
dnssec-policy "csk-roll";
|
|
};
|
|
zone "step6.csk-roll.autosign" {
|
|
type primary;
|
|
file "step6.csk-roll.autosign.db";
|
|
dnssec-policy "csk-roll";
|
|
};
|
|
zone "step7.csk-roll.autosign" {
|
|
type primary;
|
|
file "step7.csk-roll.autosign.db";
|
|
dnssec-policy "csk-roll";
|
|
};
|
|
zone "step8.csk-roll.autosign" {
|
|
type primary;
|
|
file "step8.csk-roll.autosign.db";
|
|
dnssec-policy "csk-roll";
|
|
};
|
|
|
|
zone "step1.csk-roll2.autosign" {
|
|
type primary;
|
|
file "step1.csk-roll2.autosign.db";
|
|
dnssec-policy "csk-roll2";
|
|
};
|
|
zone "step2.csk-roll2.autosign" {
|
|
type primary;
|
|
file "step2.csk-roll2.autosign.db";
|
|
dnssec-policy "csk-roll2";
|
|
};
|
|
zone "step3.csk-roll2.autosign" {
|
|
type primary;
|
|
file "step3.csk-roll2.autosign.db";
|
|
dnssec-policy "csk-roll2";
|
|
};
|
|
zone "step4.csk-roll2.autosign" {
|
|
type primary;
|
|
file "step4.csk-roll2.autosign.db";
|
|
dnssec-policy "csk-roll2";
|
|
};
|
|
zone "step5.csk-roll2.autosign" {
|
|
type primary;
|
|
file "step5.csk-roll2.autosign.db";
|
|
dnssec-policy "csk-roll2";
|
|
};
|
|
zone "step6.csk-roll2.autosign" {
|
|
type primary;
|
|
file "step6.csk-roll2.autosign.db";
|
|
dnssec-policy "csk-roll2";
|
|
};
|
|
zone "step7.csk-roll2.autosign" {
|
|
type primary;
|
|
file "step7.csk-roll2.autosign.db";
|
|
dnssec-policy "csk-roll2";
|
|
};
|