/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0.  If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

// NS3
//
// named configuration for a test name server that exercises NSEC/NSEC3
// transitions under dnssec-policy.  @PORT@ and @CONTROLPORT@ are template
// placeholders that must be substituted before named can read this file.
// Where a zone carries a commented-out dnssec-policy line next to the active
// one, the commented line appears to be the policy the zone had before it
// was reconfigured -- TODO confirm against the companion configuration.
//
// NOTE(review): several settings below (open zone transfers, open dynamic
// updates, a control channel reachable from any address, a static key
// secret) are only acceptable for a disposable test instance.  Do not copy
// them into a production configuration.

dnssec-policy "nsec" {
	// no need to change configuration: if no 'nsec3param' is set,
	// NSEC will be used;
};

// NSEC3 with the server's default parameters.
dnssec-policy "nsec3" {
	nsec3param;
};

// Default NSEC3 parameters plus the opt-out flag.  With opt-out, insecure
// delegations are not covered by the NSEC3 chain, so their presence or
// absence is not authenticated.
dnssec-policy "optout" {
	nsec3param optout yes;
};

// Deliberately non-default NSEC3 parameters, used to test parameter changes.
// NOTE(review): RFC 9276 recommends zero additional iterations and no salt
// for production zones; 'iterations 11' is a test value, not a
// recommendation.
dnssec-policy "nsec3-other" {
	nsec3param iterations 11 optout yes salt-length 0;
};

options {
	// 10.53.0.3 is presumably a test-only address -- confirm before reuse.
	query-source address 10.53.0.3;
	notify-source 10.53.0.3;
	transfer-source 10.53.0.3;
	port @PORT@;
	pid-file "named.pid";
	listen-on { 10.53.0.3; };
	listen-on-v6 { none; };
	// NOTE(review): any client may transfer every zone served here.
	// Outside a test network, limit this to the secondaries, preferably
	// authenticated with TSIG keys.
	allow-transfer { any; };
	// Authoritative-only: recursive queries are not answered.
	recursion no;
};

// Key that authenticates commands on the control channel below.
// NOTE(review): the secret is short, static and published with the source,
// so it provides no protection outside the test environment.  A real
// deployment should generate its own key (for example with rndc-confgen)
// and keep it out of version control.
key rndc_key {
	secret "1234abcd8765";
	algorithm hmac-sha256;
};

// Control channel.
// NOTE(review): 'allow { any; }' leaves the key as the only barrier; with
// the well-known secret above, anything that can reach this address and
// port can control the server.  In production restrict 'allow' to the
// administrative hosts.
controls {
	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};

/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
zone "nsec-to-nsec3.kasp" {
	type primary;
	file "nsec-to-nsec3.kasp.db";
	//dnssec-policy "nsec";
	dnssec-policy "nsec3";
};

/* These zones use the default NSEC3 settings. */
zone "nsec3.kasp" {
	type primary;
	file "nsec3.kasp.db";
	dnssec-policy "nsec3";
};

zone "nsec3-dynamic.kasp" {
	type primary;
	file "nsec3-dynamic.kasp.db";
	dnssec-policy "nsec3";
	// NOTE(review): unauthenticated dynamic updates from any client;
	// whatever is submitted becomes signed zone data.  Test-only -- a
	// production zone should use update-policy with TSIG keys.
	allow-update { any; };
};

/* This zone uses non-default NSEC3 settings. */
zone "nsec3-other.kasp" {
	type primary;
	file "nsec3-other.kasp.db";
	dnssec-policy "nsec3-other";
};

/* These zones will be reconfigured to use other NSEC3 settings. */
zone "nsec3-change.kasp" {
	type primary;
	file "nsec3-change.kasp.db";
	//dnssec-policy "nsec3";
	dnssec-policy "nsec3-other";
};

zone "nsec3-dynamic-change.kasp" {
	type primary;
	file "nsec3-dynamic-change.kasp.db";
	//dnssec-policy "nsec3";
	dnssec-policy "nsec3-other";
	// NOTE(review): open dynamic updates, test-only.
	allow-update { any; };
};

/* The zone will be reconfigured to use opt-out. */
zone "nsec3-to-optout.kasp" {
	type primary;
	file "nsec3-to-optout.kasp.db";
	//dnssec-policy "nsec3";
	dnssec-policy "optout";
};

/* The zone will be reconfigured to disable opt-out. */
zone "nsec3-from-optout.kasp" {
	type primary;
	file "nsec3-from-optout.kasp.db";
	//dnssec-policy "optout";
	dnssec-policy "nsec3";
};

/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
zone "nsec3-to-nsec.kasp" {
	type primary;
	file "nsec3-to-nsec.kasp.db";
	//dnssec-policy "nsec3";
	dnssec-policy "nsec";
};

/* The zone fails to load, but is fixed after a reload. */
zone "nsec3-fails-to-load.kasp" {
	type primary;
	file "nsec3-fails-to-load.kasp.db";
	dnssec-policy "nsec3";
	// NOTE(review): open dynamic updates, test-only.
	allow-update { any; };
};