0b09ee8cdc
the default value of dnssec-validation is 'auto', which causes a server to send a key refresh query to the root zone when starting up. this is undesirable behavior in system tests, so this commit sets dnssec-validation to either 'yes' or 'no' in all tests where it had not previously been set. this change had the mostly-harmless side effect of changing the cached trust level of unvalidated answer data from 'answer' to 'authanswer', which caused a few test cases in which dumped cache data was examined in the serve-stale system test to fail. those test cases have now been updated to expect 'authanswer'.
182 lines
3.3 KiB
Plaintext
182 lines
3.3 KiB
Plaintext
/*
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
*
|
|
* SPDX-License-Identifier: MPL-2.0
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
*
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
* information regarding copyright ownership.
|
|
*/
|
|
|
|
// NS3
|
|
|
|
include "../../common/rndc.key";
|
|
|
|
controls {
|
|
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
|
};
|
|
|
|
options {
|
|
query-source address 10.53.0.3;
|
|
notify-source 10.53.0.3;
|
|
transfer-source 10.53.0.3;
|
|
port @PORT@;
|
|
pid-file "named.pid";
|
|
listen-on { 10.53.0.3; };
|
|
listen-on-v6 { none; };
|
|
recursion no;
|
|
notify yes;
|
|
try-tcp-refresh no;
|
|
notify-delay 0;
|
|
allow-new-zones yes;
|
|
dnssec-validation no;
|
|
};
|
|
|
|
zone "bits" {
|
|
type secondary;
|
|
primaries { 10.53.0.2; };
|
|
inline-signing yes;
|
|
auto-dnssec maintain;
|
|
allow-update-forwarding { any; };
|
|
file "bits.bk";
|
|
sig-signing-signatures 1; // force incremental processing
|
|
};
|
|
|
|
server 10.53.0.4 { request-ixfr no; };
|
|
|
|
zone "noixfr" {
|
|
type secondary;
|
|
primaries { 10.53.0.4; };
|
|
inline-signing yes;
|
|
auto-dnssec maintain;
|
|
allow-update-forwarding { any; };
|
|
file "noixfr.bk";
|
|
};
|
|
|
|
zone "primary" {
|
|
type primary;
|
|
inline-signing yes;
|
|
auto-dnssec maintain;
|
|
file "primary.db";
|
|
notify explicit;
|
|
also-notify {
|
|
10.53.0.3;
|
|
};
|
|
};
|
|
|
|
zone "dynamic" {
|
|
type primary;
|
|
inline-signing yes;
|
|
auto-dnssec maintain;
|
|
allow-update { any; };
|
|
file "dynamic.db";
|
|
};
|
|
|
|
zone "updated" {
|
|
type primary;
|
|
inline-signing yes;
|
|
auto-dnssec maintain;
|
|
allow-update { none; };
|
|
file "updated.db";
|
|
};
|
|
|
|
zone "expired" {
|
|
type primary;
|
|
inline-signing yes;
|
|
auto-dnssec maintain;
|
|
allow-update { any; };
|
|
file "expired.db";
|
|
};
|
|
|
|
zone "retransfer" {
|
|
type secondary;
|
|
primaries { 10.53.0.2; };
|
|
inline-signing yes;
|
|
auto-dnssec maintain;
|
|
file "retransfer.bk";
|
|
};
|
|
|
|
zone "nsec3" {
|
|
type primary;
|
|
inline-signing yes;
|
|
auto-dnssec maintain;
|
|
allow-update { any; };
|
|
file "nsec3.db";
|
|
};
|
|
|
|
zone "externalkey" {
|
|
type primary;
|
|
inline-signing yes;
|
|
auto-dnssec maintain;
|
|
dnssec-dnskey-kskonly no;
|
|
allow-update { any; };
|
|
file "externalkey.db";
|
|
};
|
|
|
|
zone "retransfer3" {
|
|
type secondary;
|
|
primaries { 10.53.0.2; };
|
|
inline-signing yes;
|
|
auto-dnssec maintain;
|
|
file "retransfer3.bk";
|
|
};
|
|
|
|
zone "inactiveksk" {
|
|
type secondary;
|
|
primaries { 10.53.0.2; };
|
|
inline-signing yes;
|
|
auto-dnssec maintain;
|
|
dnssec-dnskey-kskonly yes;
|
|
file "inactiveksk.bk";
|
|
};
|
|
|
|
zone "inactivezsk" {
|
|
type secondary;
|
|
primaries { 10.53.0.2; };
|
|
inline-signing yes;
|
|
auto-dnssec maintain;
|
|
file "inactivezsk.bk";
|
|
};
|
|
|
|
zone "nokeys" {
|
|
type secondary;
|
|
primaries { 10.53.0.2; };
|
|
inline-signing yes;
|
|
auto-dnssec maintain;
|
|
file "nokeys.bk";
|
|
};
|
|
|
|
zone "delayedkeys" {
|
|
type primary;
|
|
inline-signing yes;
|
|
auto-dnssec maintain;
|
|
file "delayedkeys.db";
|
|
};
|
|
|
|
zone "removedkeys-primary" {
|
|
type primary;
|
|
inline-signing yes;
|
|
auto-dnssec maintain;
|
|
allow-update { any; };
|
|
also-notify { 10.53.0.2; };
|
|
file "removedkeys-primary.db";
|
|
};
|
|
|
|
zone "removedkeys-secondary" {
|
|
type secondary;
|
|
primaries { 10.53.0.2; };
|
|
inline-signing yes;
|
|
auto-dnssec maintain;
|
|
file "removedkeys-secondary.bk";
|
|
};
|
|
|
|
zone "unsupported" {
|
|
type primary;
|
|
file "unsupported.db";
|
|
inline-signing yes;
|
|
auto-dnssec maintain;
|
|
};
|