/* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * * SPDX-License-Identifier: MPL-2.0 * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ // NS3 include "policies/kasp.conf"; include "policies/autosign.conf"; options { query-source address 10.53.0.3; notify-source 10.53.0.3; transfer-source 10.53.0.3; port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.3; }; listen-on-v6 { none; }; allow-transfer { any; }; recursion no; dnssec-policy "rsasha256"; dnssec-validation no; }; key rndc_key { secret "1234abcd8765"; algorithm @DEFAULT_HMAC@; }; controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; zone "." { type hint; file "../../_common/root.hint.blackhole"; }; /* Zones that are getting initially signed */ /* The default case: No keys created, using default policy. */ zone "default.kasp" { type primary; file "default.kasp.db"; inline-signing yes; dnssec-policy "default"; }; /* A zone with special characters. */ zone "i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp." { type primary; file "i-am.special.kasp.db"; check-names ignore; inline-signing yes; dnssec-policy "default"; }; /* checkds: Zone with one KSK. */ zone "checkds-ksk.kasp" { type primary; file "checkds-ksk.kasp.db"; inline-signing yes; dnssec-policy "checkds-ksk"; }; /* checkds: Zone with two KSKs. */ zone "checkds-doubleksk.kasp" { type primary; file "checkds-doubleksk.kasp.db"; inline-signing yes; dnssec-policy "checkds-doubleksk"; }; /* checkds: Zone with one CSK. */ zone "checkds-csk.kasp" { type primary; file "checkds-csk.kasp.db"; inline-signing yes; dnssec-policy "checkds-csk"; }; /* Key lifetime unlimited. */ zone "unlimited.kasp" { type primary; file "unlimited.kasp.db"; inline-signing yes; dnssec-policy "unlimited"; }; /* Manual rollover. */ zone "manual-rollover.kasp" { type primary; file "manual-rollover.kasp.db"; inline-signing yes; dnssec-policy "manual-rollover"; }; /* A zone that inherits dnssec-policy. */ zone "inherit.kasp" { type primary; inline-signing yes; file "inherit.kasp.db"; }; /* A zone that overrides dnssec-policy. */ zone "unsigned.kasp" { type primary; file "unsigned.kasp.db"; inline-signing yes; dnssec-policy "none"; }; /* A zone that is initially set to insecure. */ zone "insecure.kasp" { type primary; file "insecure.kasp.db"; inline-signing yes; dnssec-policy "insecure"; }; /* A primary zone with dnssec-policy but keys already created. */ zone "dnssec-keygen.kasp" { type primary; file "dnssec-keygen.kasp.db"; inline-signing yes; dnssec-policy "rsasha256"; }; /* A secondary zone with dnssec-policy. */ zone "secondary.kasp" { type secondary; primaries { 10.53.0.2; }; file "secondary.kasp.db"; inline-signing yes; dnssec-policy "rsasha256"; }; /* A dynamic zone with dnssec-policy. */ zone "dynamic.kasp" { type primary; file "dynamic.kasp.db"; dnssec-policy "default"; allow-update { any; }; }; /* A dynamic inline-signed zone with dnssec-policy. */ zone "dynamic-inline-signing.kasp" { type primary; file "dynamic-inline-signing.kasp.db"; dnssec-policy "default"; allow-update { any; }; inline-signing yes; }; /* * A dynamic inline-signed zone with dnssec-policy with DNSSEC records in the * raw version of the zone. */ zone "dynamic-signed-inline-signing.kasp" { type primary; file "dynamic-signed-inline-signing.kasp.db.signed"; key-directory "keys"; dnssec-policy "default"; allow-update { any; }; }; /* An inline-signed zone with dnssec-policy. */ zone "inline-signing.kasp" { type primary; file "inline-signing.kasp.db"; dnssec-policy "default"; inline-signing yes; }; /* * A configured dnssec-policy but some keys already created. */ zone "some-keys.kasp" { type primary; file "some-keys.kasp.db"; inline-signing yes; dnssec-policy "rsasha256"; }; /* * A configured dnssec-policy but some keys already in use. */ zone "legacy-keys.kasp" { type primary; file "legacy-keys.kasp.db"; inline-signing yes; dnssec-policy "migrate-to-dnssec-policy"; }; /* * A configured dnssec-policy with (too) many keys pregenerated. */ zone "pregenerated.kasp" { type primary; file "pregenerated.kasp.db"; inline-signing yes; dnssec-policy "rsasha256"; }; /* * A configured dnssec-policy with one rumoured key. * Bugfix case for GL #1593. */ zone "rumoured.kasp" { type primary; file "rumoured.kasp.db"; inline-signing yes; dnssec-policy "rsasha256"; }; /* RFC 8901 Multi-signer Model 2. */ zone "multisigner-model2.kasp" { type primary; file "multisigner-model2.kasp.db"; dnssec-policy "multisigner-model2"; allow-update { any; }; }; /* * Different algorithms. */ zone "rsasha256.kasp" { type primary; file "rsasha256.kasp.db"; inline-signing yes; dnssec-policy "rsasha256"; }; zone "rsasha512.kasp" { type primary; file "rsasha512.kasp.db"; inline-signing yes; dnssec-policy "rsasha512"; }; zone "ecdsa256.kasp" { type primary; file "ecdsa256.kasp.db"; inline-signing yes; dnssec-policy "ecdsa256"; }; zone "ecdsa384.kasp" { type primary; file "ecdsa384.kasp.db"; inline-signing yes; dnssec-policy "ecdsa384"; }; /* * Zone with too high TTL. */ zone "max-zone-ttl.kasp" { type primary; file "max-zone-ttl.kasp.db"; inline-signing yes; dnssec-policy "ttl"; }; /* * Zone for testing GL #2375: Three is a crowd. */ zone "three-is-a-crowd.kasp" { type primary; file "three-is-a-crowd.kasp.db"; inline-signing yes; /* Use same policy as KSK rollover test zones. */ dnssec-policy "ksk-doubleksk"; }; /* * Zones in different signing states. */ /* * Zone that has expired signatures. */ zone "expired-sigs.autosign" { type primary; file "expired-sigs.autosign.db"; inline-signing yes; dnssec-policy "autosign"; }; /* * Zone that has DNSKEY TTL mismatch with the dnssec-policy. */ zone "dnskey-ttl-mismatch.autosign" { type primary; file "dnskey-ttl-mismatch.autosign.db"; inline-signing yes; dnssec-policy "autosign"; }; /* * Zone that has valid, fresh signatures. */ zone "fresh-sigs.autosign" { type primary; file "fresh-sigs.autosign.db"; inline-signing yes; dnssec-policy "autosign"; }; /* * Zone that has unfresh signatures. */ zone "unfresh-sigs.autosign" { type primary; file "unfresh-sigs.autosign.db"; inline-signing yes; dnssec-policy "autosign"; }; /* * Zone that has missing private KSK. */ zone "ksk-missing.autosign" { type primary; file "ksk-missing.autosign.db"; inline-signing yes; dnssec-policy "autosign"; }; /* * Zone that has missing private ZSK. */ zone "zsk-missing.autosign" { type primary; file "zsk-missing.autosign.db"; inline-signing yes; dnssec-policy "autosign"; }; /* * Zone that has inactive ZSK. */ zone "zsk-retired.autosign" { type primary; file "zsk-retired.autosign.db"; inline-signing yes; dnssec-policy "autosign"; }; /* * Zones for testing enabling DNSSEC. */ zone "step1.enable-dnssec.autosign" { type primary; file "step1.enable-dnssec.autosign.db"; inline-signing yes; dnssec-policy "enable-dnssec"; }; zone "step2.enable-dnssec.autosign" { type primary; file "step2.enable-dnssec.autosign.db"; inline-signing yes; dnssec-policy "enable-dnssec"; }; zone "step3.enable-dnssec.autosign" { type primary; file "step3.enable-dnssec.autosign.db"; inline-signing yes; dnssec-policy "enable-dnssec"; }; zone "step4.enable-dnssec.autosign" { type primary; file "step4.enable-dnssec.autosign.db"; inline-signing yes; dnssec-policy "enable-dnssec"; }; /* * Zones for testing ZSK Pre-Publication steps. */ zone "step1.zsk-prepub.autosign" { type primary; file "step1.zsk-prepub.autosign.db"; inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step2.zsk-prepub.autosign" { type primary; file "step2.zsk-prepub.autosign.db"; inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step3.zsk-prepub.autosign" { type primary; file "step3.zsk-prepub.autosign.db"; inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step4.zsk-prepub.autosign" { type primary; file "step4.zsk-prepub.autosign.db"; inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step5.zsk-prepub.autosign" { type primary; file "step5.zsk-prepub.autosign.db"; inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step6.zsk-prepub.autosign" { type primary; file "step6.zsk-prepub.autosign.db"; inline-signing yes; dnssec-policy "zsk-prepub"; }; /* * Zones for testing KSK Double-KSK steps. */ zone "step1.ksk-doubleksk.autosign" { type primary; file "step1.ksk-doubleksk.autosign.db"; inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step2.ksk-doubleksk.autosign" { type primary; file "step2.ksk-doubleksk.autosign.db"; inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step3.ksk-doubleksk.autosign" { type primary; file "step3.ksk-doubleksk.autosign.db"; inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step4.ksk-doubleksk.autosign" { type primary; file "step4.ksk-doubleksk.autosign.db"; inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step5.ksk-doubleksk.autosign" { type primary; file "step5.ksk-doubleksk.autosign.db"; inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step6.ksk-doubleksk.autosign" { type primary; file "step6.ksk-doubleksk.autosign.db"; inline-signing yes; dnssec-policy "ksk-doubleksk"; }; /* * Zones for testing CSK rollover steps. */ zone "step1.csk-roll.autosign" { type primary; file "step1.csk-roll.autosign.db"; inline-signing yes; dnssec-policy "csk-roll"; }; zone "step2.csk-roll.autosign" { type primary; file "step2.csk-roll.autosign.db"; inline-signing yes; dnssec-policy "csk-roll"; }; zone "step3.csk-roll.autosign" { type primary; file "step3.csk-roll.autosign.db"; inline-signing yes; dnssec-policy "csk-roll"; }; zone "step4.csk-roll.autosign" { type primary; file "step4.csk-roll.autosign.db"; inline-signing yes; dnssec-policy "csk-roll"; }; zone "step5.csk-roll.autosign" { type primary; file "step5.csk-roll.autosign.db"; inline-signing yes; dnssec-policy "csk-roll"; }; zone "step6.csk-roll.autosign" { type primary; file "step6.csk-roll.autosign.db"; inline-signing yes; dnssec-policy "csk-roll"; }; zone "step7.csk-roll.autosign" { type primary; file "step7.csk-roll.autosign.db"; inline-signing yes; dnssec-policy "csk-roll"; }; zone "step8.csk-roll.autosign" { type primary; file "step8.csk-roll.autosign.db"; inline-signing yes; dnssec-policy "csk-roll"; }; zone "step1.csk-roll2.autosign" { type primary; file "step1.csk-roll2.autosign.db"; inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step2.csk-roll2.autosign" { type primary; file "step2.csk-roll2.autosign.db"; inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step3.csk-roll2.autosign" { type primary; file "step3.csk-roll2.autosign.db"; inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step4.csk-roll2.autosign" { type primary; file "step4.csk-roll2.autosign.db"; inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step5.csk-roll2.autosign" { type primary; file "step5.csk-roll2.autosign.db"; inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step6.csk-roll2.autosign" { type primary; file "step6.csk-roll2.autosign.db"; inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step7.csk-roll2.autosign" { type primary; file "step7.csk-roll2.autosign.db"; inline-signing yes; dnssec-policy "csk-roll2"; };