/* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * * SPDX-License-Identifier: MPL-2.0 * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ // NS6 include "policies/kasp.conf"; include "policies/csk2.conf"; options { query-source address 10.53.0.6; notify-source 10.53.0.6; transfer-source 10.53.0.6; port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.6; }; listen-on-v6 { none; }; allow-transfer { any; }; recursion no; dnssec-validation no; }; key rndc_key { secret "1234abcd8765"; algorithm @DEFAULT_HMAC@; }; controls { inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; zone "." { type hint; file "../../_common/root.hint.blackhole"; }; /* This zone switch from dynamic to inline-signing. */ zone "dynamic2inline.kasp" { type primary; file "dynamic2inline.kasp.db"; allow-update { any; }; inline-signing yes; dnssec-policy "default"; }; /* Zones for testing going insecure. */ zone "step1.going-insecure.kasp" { type primary; file "step1.going-insecure.kasp.db"; inline-signing yes; dnssec-policy "insecure"; }; zone "step2.going-insecure.kasp" { type primary; file "step2.going-insecure.kasp.db"; inline-signing yes; dnssec-policy "insecure"; }; zone "step1.going-insecure-dynamic.kasp" { type primary; file "step1.going-insecure-dynamic.kasp.db"; dnssec-policy "insecure"; allow-update { any; }; }; zone "step2.going-insecure-dynamic.kasp" { type primary; file "step2.going-insecure-dynamic.kasp.db"; dnssec-policy "insecure"; allow-update { any; }; }; zone "step1.going-straight-to-none.kasp" { type primary; file "step1.going-straight-to-none.kasp.db"; dnssec-policy "none"; }; /* * Zones for testing KSK/ZSK algorithm roll. */ zone "step1.algorithm-roll.kasp" { type primary; file "step1.algorithm-roll.kasp.db"; inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step2.algorithm-roll.kasp" { type primary; file "step2.algorithm-roll.kasp.db"; inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step3.algorithm-roll.kasp" { type primary; file "step3.algorithm-roll.kasp.db"; inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step4.algorithm-roll.kasp" { type primary; file "step4.algorithm-roll.kasp.db"; inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step5.algorithm-roll.kasp" { type primary; file "step5.algorithm-roll.kasp.db"; inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step6.algorithm-roll.kasp" { type primary; file "step6.algorithm-roll.kasp.db"; inline-signing yes; dnssec-policy "ecdsa256"; }; /* * Zones for testing CSK algorithm roll. */ zone "step1.csk-algorithm-roll.kasp" { type primary; file "step1.csk-algorithm-roll.kasp.db"; inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step2.csk-algorithm-roll.kasp" { type primary; file "step2.csk-algorithm-roll.kasp.db"; inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step3.csk-algorithm-roll.kasp" { type primary; file "step3.csk-algorithm-roll.kasp.db"; inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step4.csk-algorithm-roll.kasp" { type primary; file "step4.csk-algorithm-roll.kasp.db"; inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step5.csk-algorithm-roll.kasp" { type primary; file "step5.csk-algorithm-roll.kasp.db"; inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step6.csk-algorithm-roll.kasp" { type primary; file "step6.csk-algorithm-roll.kasp.db"; inline-signing yes; dnssec-policy "csk-algoroll"; }; zone example { type primary; file "example.db"; inline-signing yes; dnssec-policy modified; }; zone longer-lifetime { type primary; file "longer-lifetime.db"; inline-signing yes; dnssec-policy long-lifetime; }; zone shorter-lifetime { type primary; file "shorter-lifetime.db"; inline-signing yes; dnssec-policy short-lifetime; }; zone limit-lifetime { type primary; file "limit-lifetime.db"; inline-signing yes; dnssec-policy short-lifetime; }; zone unlimit-lifetime { type primary; file "unlimit-lifetime.db"; inline-signing yes; dnssec-policy unlimited-lifetime; };