1/*
2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3 *
4 * SPDX-License-Identifier: MPL-2.0
5 *
6 * This Source Code Form is subject to the terms of the Mozilla Public
7 * License, v. 2.0.  If a copy of the MPL was not distributed with this
8 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
9 *
10 * See the COPYRIGHT file distributed with this work for additional
11 * information regarding copyright ownership.
12 */
13
// Policy "autosign": classic KSK/ZSK split with long key lifetimes.
// Only the signature lifetimes and the DNSKEY TTL are set explicitly;
// every other dnssec-policy knob (max-zone-ttl, safety margins,
// parent-* timings) falls back to named's built-in defaults.
dnssec-policy "autosign" {

	// Per the BIND ARM, signatures-refresh is the lead time before a
	// signature's expiry at which named re-signs the RRset: here one
	// week ahead of a two-week validity, i.e. half the validity window.
	signatures-refresh P1W;
	signatures-validity P2W;
	signatures-validity-dnskey P2W;

	// 5-minute DNSKEY TTL: deliberately short so test rollovers
	// complete quickly. NOTE(review): not a value to copy into a
	// production policy.
	dnskey-ttl 300;

	// @DEFAULT_ALGORITHM@ is a template placeholder; presumably the
	// test harness substitutes the algorithm name before named reads
	// this file -- TODO confirm.
	// "key-directory" appears to select the zone's key-directory as
	// the place the key files live -- verify against the named version
	// under test.
	keys {
		ksk key-directory lifetime P2Y algorithm @DEFAULT_ALGORITHM@;
		zsk key-directory lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
	};
};
27
// Policy "enable-dnssec": a single combined signing key (CSK) with no
// automatic rollover. Intended (by its name) for the initial
// unsigned-to-signed transition of a zone, where the full set of
// propagation/safety timings below governs when the DS can be published.
dnssec-policy "enable-dnssec" {

	// Re-sign one week before the two-week signature expiry.
	signatures-refresh P1W;
	signatures-validity P2W;
	signatures-validity-dnskey P2W;

	// Short test-oriented timings: 5-minute DNSKEY TTL, 12-hour cap on
	// the zone's largest TTL, 5-minute secondary propagation estimate.
	// The retire margin (20 min) is larger than the publish margin
	// (5 min), so key retirement is the more conservative side here.
	dnskey-ttl 300;
	max-zone-ttl PT12H;
	zone-propagation-delay PT5M;
	retire-safety PT20M;
	publish-safety PT5M;

	// Parent-side timings (TTL-style notation here; other policies in
	// this file use ISO 8601 durations for the same options, which
	// named accepts interchangeably).
	parent-propagation-delay 1h;
	parent-ds-ttl 2h;

	// "lifetime unlimited": named will never schedule a CSK rollover
	// on its own -- any key rotation for zones using this policy must
	// be triggered by the operator (e.g. rndc). Security-wise this
	// means the same key signs indefinitely; acceptable for a test,
	// worth flagging for anything production-like.
	// NOTE(review): this is the only policy in the file that uses
	// @DEFAULT_ALGORITHM_NUMBER@ (numeric algorithm id) instead of
	// @DEFAULT_ALGORITHM@ and omits the "key-directory" keyword --
	// presumably to exercise the numeric-algorithm parse path; confirm
	// it is intentional rather than drift.
	keys {
		csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@;
	};
};
47
// Policy "zsk-prepub": KSK/ZSK split with a short (30-day) ZSK lifetime,
// so the ZSK rolls frequently while the KSK stays put for two years.
// The name suggests it exercises the ZSK pre-publication rollover
// method; no parent-* timings are set, consistent with a ZSK roll not
// requiring a DS change at the parent (hedged: per the BIND ARM).
dnssec-policy "zsk-prepub" {

	// Re-sign one week before the two-week signature expiry.
	signatures-refresh P1W;
	signatures-validity P2W;
	signatures-validity-dnskey P2W;

	// One-hour DNSKEY TTL with generous 1-day publish / 2-day retire
	// safety margins. Retired key files are purged one hour after they
	// are no longer needed (purge-keys), limiting how long old private
	// key material lingers in the key directory.
	dnskey-ttl 3600;
	publish-safety P1D;
	retire-safety P2D;
	purge-keys PT1H;

	// @DEFAULT_ALGORITHM@ is a template placeholder substituted by the
	// test harness (TODO confirm). Note the 30-day ZSK lifetime: short
	// enough that a test run can observe a full ZSK rollover.
	keys {
		ksk key-directory lifetime P2Y  algorithm @DEFAULT_ALGORITHM@;
		zsk key-directory lifetime P30D algorithm @DEFAULT_ALGORITHM@;
	};

	// Zone-side timing assumptions used to compute the rollover
	// schedule: one hour for secondaries to pick up changes, and no
	// RRset in the zone with a TTL above one day.
	zone-propagation-delay PT1H;
	max-zone-ttl 1d;
};
67
// Policy "ksk-doubleksk": KSK/ZSK split with a short (60-day) KSK
// lifetime and a long (1-year) ZSK lifetime, i.e. the inverse of
// "zsk-prepub". The name suggests it exercises the double-KSK rollover
// method; because a KSK roll changes the DS at the parent, the
// parent-ds-ttl / parent-propagation-delay knobs are set here.
dnssec-policy "ksk-doubleksk" {

	// Re-sign one week before the two-week signature expiry.
	signatures-refresh P1W;
	signatures-validity P2W;
	signatures-validity-dnskey P2W;

	// Two-hour DNSKEY TTL; 1-day publish / 2-day retire margins;
	// retired key files purged after one hour.
	dnskey-ttl 2h;
	publish-safety P1D;
	retire-safety P2D;
	purge-keys PT1H;

	// @DEFAULT_ALGORITHM@ is a template placeholder substituted by the
	// test harness (TODO confirm). The 60-day KSK lifetime is short
	// enough for a test to drive a full KSK rollover, including the
	// DS swap at the parent.
	keys {
		ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
		zsk key-directory lifetime P1Y  algorithm @DEFAULT_ALGORITHM@;
	};

	// Zone-side propagation assumptions.
	zone-propagation-delay PT1H;
	max-zone-ttl 1d;

	// Parent-side assumptions: the parent's DS TTL (TTL-style "3600"
	// here, where other policies in this file write "1h"/"PT1H") and
	// how long a DS change takes to reach all of the parent's servers.
	// Getting these too small risks retiring the old KSK while
	// validators still cache the old DS -- a validation outage.
	parent-ds-ttl 3600;
	parent-propagation-delay PT1H;
};
90
// Policy "csk-roll": single CSK with a six-month lifetime, so named
// schedules a CSK rollover automatically (contrast "enable-dnssec",
// whose CSK lifetime is unlimited). A CSK roll changes both the
// signing key and the DS, so both zone-side and parent-side timings
// are set.
dnssec-policy "csk-roll" {

	// 30-day signature validity, re-signed five days before expiry.
	// Note the mixed notation: ISO 8601 "P5D" next to TTL-style "30d";
	// named accepts both.
	signatures-refresh P5D;
	signatures-validity 30d;
	signatures-validity-dnskey 30d;

	// One-hour DNSKEY TTL with tight one-hour publish / two-hour retire
	// margins; retired key files purged after one hour.
	dnskey-ttl 1h;
	publish-safety PT1H;
	retire-safety 2h;
	purge-keys PT1H;

	// @DEFAULT_ALGORITHM@ is a template placeholder substituted by the
	// test harness (TODO confirm).
	keys {
		csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
	};

	// Zone-side propagation assumptions.
	zone-propagation-delay 1h;
	max-zone-ttl P1D;

	// Parent-side assumptions for the DS swap during the CSK roll.
	parent-ds-ttl 1h;
	parent-propagation-delay 1h;
};
112
// Policy "csk-roll2": a variant of "csk-roll" with much shorter
// signature lifetimes, a slow parent, and key purging disabled --
// presumably to exercise a different branch of the CSK rollover
// timing logic.
dnssec-policy "csk-roll2" {

	// One-day signature validity, re-signed 12 hours before expiry.
	// NOTE(review): a 24-hour validity leaves only half a day of margin
	// if re-signing stalls (e.g. named down, key directory unreadable)
	// before signatures expire and the zone goes bogus. Fine for a test
	// fixture; not a production value.
	signatures-refresh 12h;
	signatures-validity P1D;
	signatures-validity-dnskey P1D;

	// One-hour DNSKEY TTL and one-hour publish/retire margins.
	// "purge-keys 0" appears to disable automatic purging of retired
	// key files (hedged: per the BIND ARM), so old private keys stay
	// on disk until removed by hand -- keep the key directory's
	// permissions tight if this is ever used outside tests.
	dnskey-ttl 1h;
	publish-safety PT1H;
	retire-safety 1h;
	purge-keys 0;

	// @DEFAULT_ALGORITHM@ is a template placeholder substituted by the
	// test harness (TODO confirm).
	keys {
		csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
	};

	// Zone-side propagation assumptions.
	zone-propagation-delay PT1H;
	max-zone-ttl 1d;

	// Parent-side assumptions: the parent is modelled as slow here
	// (one-week DS propagation), which stretches the window during
	// which both the old and new CSK must remain published.
	parent-ds-ttl PT1H;
	parent-propagation-delay P1W;
};
134