--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+dnssec-policy "nsec" {
+ // no need to change configuration: if no 'nsec3param' is set,
+ // NSEC will be used;
+};
+
+dnssec-policy "nsec3" {
+ nsec3param;
+};
+
+dnssec-policy "optout" {
+ nsec3param optout yes;
+};
+
+dnssec-policy "nsec3-other" {
+ nsec3param iterations 0 optout yes salt-length 8;
+};
+
* information regarding copyright ownership.
*/
-// NS3
-
-dnssec-policy "nsec" {
- // no need to change configuration: if no 'nsec3param' is set,
- // NSEC will be used;
-};
-
-dnssec-policy "nsec3" {
- nsec3param;
-};
-
-dnssec-policy "optout" {
- nsec3param optout yes;
-};
-
-dnssec-policy "nsec3-other" {
- nsec3param iterations 0 optout yes salt-length 8;
-};
-
-options {
- query-source address 10.53.0.3;
- notify-source 10.53.0.3;
- transfer-source 10.53.0.3;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.3; };
- listen-on-v6 { none; };
- allow-transfer { any; };
- recursion no;
- dnssec-validation no;
-};
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm @DEFAULT_HMAC@;
-};
-
-controls {
- inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
+{% set reconfiged = reconfiged | default(False) %}
+{% set nsec_to_nsec3 = "nsec" if not reconfiged else "nsec3" %}
+{% set nsec3_to_nsec = "nsec3" if not reconfiged else "nsec" %}
+{% set nsec3_change = "nsec3" if not reconfiged else "nsec3-other" %}
+{% set nsec3_from_optout = "optout" if not reconfiged else "nsec3" %}
+{% set nsec3_to_optout = "nsec3" if not reconfiged else "optout" %}
/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
zone "nsec-to-nsec3.kasp" {
type primary;
file "nsec-to-nsec3.kasp.db";
- dnssec-policy "nsec";
+ dnssec-policy "@nsec_to_nsec3@";
};
/* These zones use the default NSEC3 settings. */
zone "nsec3-change.kasp" {
type primary;
file "nsec3-change.kasp.db";
- dnssec-policy "nsec3";
+ dnssec-policy "@nsec3_change@";
};
zone "nsec3-dynamic-change.kasp" {
type primary;
file "nsec3-dynamic-change.kasp.db";
inline-signing no;
- dnssec-policy "nsec3";
+ dnssec-policy "@nsec3_change@";
allow-update { any; };
};
zone "nsec3-to-optout.kasp" {
type primary;
file "nsec3-to-optout.kasp.db";
- dnssec-policy "nsec3";
+ dnssec-policy "@nsec3_to_optout@";
};
/* The zone will be reconfigured to disable opt-out. */
zone "nsec3-from-optout.kasp" {
type primary;
file "nsec3-from-optout.kasp.db";
- dnssec-policy "optout";
+ dnssec-policy "@nsec3_from_optout@";
};
/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
zone "nsec3-to-nsec.kasp" {
type primary;
file "nsec3-to-nsec.kasp.db";
- dnssec-policy "nsec3";
+ dnssec-policy "@nsec3_to_nsec@";
};
-/* The zone fails to load, this should not prevent shutdown. */
+/*
+ * The zone fails to load, this should not prevent shutdown.
+ * The zone is fixed after a reconfig.
+ */
zone "nsec3-fails-to-load.kasp" {
type primary;
file "nsec3-fails-to-load.kasp.db";
zone "nsec3-dynamic-to-inline.kasp" {
type primary;
file "nsec3-dynamic-to-inline.kasp.db";
- inline-signing no;
dnssec-policy "nsec3";
+{% if not reconfiged %}
allow-update { any; };
+ inline-signing no;
+{% endif %}
};
zone "nsec3-inline-to-dynamic.kasp" {
- type primary;
- file "nsec3-inline-to-dynamic.kasp.db";
- dnssec-policy "nsec3";
+ type primary;
+ file "nsec3-inline-to-dynamic.kasp.db";
+ dnssec-policy "nsec3";
+{% if reconfiged %}
+ allow-update { any; };
+ inline-signing no;
+{% endif %}
+
};
-/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */
+{% if not reconfiged %}
+
+/*
+ * Test adding a NSEC3 record to an inline-signing dnssec-policy zone.
+ */
zone "nsec3-dynamic-update-inline.kasp" {
- type primary;
- file "nsec3-dynamic-update-inline.kasp.db";
- allow-update { any; };
- dnssec-policy "nsec";
+ type primary;
+ file "nsec3-dynamic-update-inline.kasp.db";
+ allow-update { any; };
+ dnssec-policy "nsec";
};
+/*
+ * This zone will have an empty nonterminal node added and a node deleted.
+ */
zone "nsec3-xfr-inline.kasp" {
type secondary;
file "nsec3-xfr-inline.kasp.db";
dnssec-policy "nsec";
primaries { 10.53.0.2; };
};
+
+{% else %}
+
+/*
+ * This zone will have an empty nonterminal node added and a node deleted.
+ */
+zone "nsec3-ent.kasp" {
+ type primary;
+ file "nsec3-ent.kasp.db";
+ dnssec-policy "nsec3";
+ inline-signing yes;
+};
+
+{% endif %}
* information regarding copyright ownership.
*/
-// NS3
-
-include "named-fips.conf";
+{% set reconfiged = reconfiged | default(False) %}
+{% set rsasha1_to_nsec3 = "rsasha1" if not reconfiged else "nsec3" %}
+{% set nsec3_to_rsasha1 = "nsec3" if not reconfiged else "rsasha1" %}
dnssec-policy "rsasha1" {
keys {
zone "rsasha1-to-nsec3.kasp" {
type primary;
file "rsasha1-to-nsec3.kasp.db";
- dnssec-policy "rsasha1";
+ dnssec-policy "@rsasha1_to_nsec3@";
};
/*
zone "rsasha1-to-nsec3-wait.kasp" {
type primary;
file "rsasha1-to-nsec3-wait.kasp.db";
- dnssec-policy "rsasha1";
+ dnssec-policy "@rsasha1_to_nsec3@";
};
/*
zone "nsec3-to-rsasha1.kasp" {
type primary;
file "nsec3-to-rsasha1.kasp.db";
- dnssec-policy "nsec3";
+ dnssec-policy "@nsec3_to_rsasha1@";
};
/*
zone "nsec3-to-rsasha1-ds.kasp" {
type primary;
file "nsec3-to-rsasha1-ds.kasp.db";
- dnssec-policy "nsec3";
+ dnssec-policy "@nsec3_to_rsasha1@";
};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+include "named-common.conf";
+include "named-fips.conf";
+
+{% if RSASHA1_SUPPORTED == "1" %}
+include "named-rsasha1.conf";
+{% endif %}
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-// NS3
-
-dnssec-policy "nsec" {
- // no need to change configuration: if no 'nsec3param' is set,
- // NSEC will be used;
-};
-
-dnssec-policy "nsec3" {
- nsec3param;
-};
-
-dnssec-policy "optout" {
- nsec3param optout yes;
-};
-
-dnssec-policy "nsec3-other" {
- nsec3param iterations 0 optout yes salt-length 8;
-};
-
-options {
- query-source address 10.53.0.3;
- notify-source 10.53.0.3;
- transfer-source 10.53.0.3;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.3; };
- listen-on-v6 { none; };
- allow-transfer { any; };
- recursion no;
- dnssec-validation no;
-};
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm @DEFAULT_HMAC@;
-};
-
-controls {
- inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
-zone "nsec-to-nsec3.kasp" {
- type primary;
- file "nsec-to-nsec3.kasp.db";
- //dnssec-policy "nsec";
- dnssec-policy "nsec3";
-};
-
-/* These zones use the default NSEC3 settings. */
-zone "nsec3.kasp" {
- type primary;
- file "nsec3.kasp.db";
- dnssec-policy "nsec3";
-};
-
-zone "nsec3-dynamic.kasp" {
- type primary;
- file "nsec3-dynamic.kasp.db";
- dnssec-policy "nsec3";
- allow-update { any; };
-};
-
-/* This zone uses non-default NSEC3 settings. */
-zone "nsec3-other.kasp" {
- type primary;
- file "nsec3-other.kasp.db";
- dnssec-policy "nsec3-other";
-};
-
-/* These zone will be reconfigured to use other NSEC3 settings. */
-zone "nsec3-change.kasp" {
- type primary;
- file "nsec3-change.kasp.db";
- //dnssec-policy "nsec3";
- dnssec-policy "nsec3-other";
-};
-
-zone "nsec3-dynamic-change.kasp" {
- type primary;
- file "nsec3-dynamic-change.kasp.db";
- //dnssec-policy "nsec3";
- inline-signing no;
- dnssec-policy "nsec3-other";
- allow-update { any; };
-};
-
-/* The zone will be reconfigured to use opt-out. */
-zone "nsec3-to-optout.kasp" {
- type primary;
- file "nsec3-to-optout.kasp.db";
- //dnssec-policy "nsec3";
- dnssec-policy "optout";
-};
-
-/* The zone will be reconfigured to disable opt-out. */
-zone "nsec3-from-optout.kasp" {
- type primary;
- file "nsec3-from-optout.kasp.db";
- //dnssec-policy "optout";
- dnssec-policy "nsec3";
-};
-
-/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
-zone "nsec3-to-nsec.kasp" {
- type primary;
- file "nsec3-to-nsec.kasp.db";
- //dnssec-policy "nsec3";
- dnssec-policy "nsec";
-};
-
-/* The zone fails to load, but is fixed after a reload. */
-zone "nsec3-fails-to-load.kasp" {
- type primary;
- file "nsec3-fails-to-load.kasp.db";
- dnssec-policy "nsec3";
- allow-update { any; };
-};
-
-/* These zones switch from dynamic to inline-signing or vice versa. */
-zone "nsec3-dynamic-to-inline.kasp" {
- type primary;
- file "nsec3-dynamic-to-inline.kasp.db";
- dnssec-policy "nsec3";
- allow-update { any; };
-};
-
-zone "nsec3-inline-to-dynamic.kasp" {
- type primary;
- file "nsec3-inline-to-dynamic.kasp.db";
- inline-signing no;
- dnssec-policy "nsec3";
- allow-update { any; };
-};
-
-/*
- * This zone will have an empty nonterminal node added and a node deleted.
- */
-zone "nsec3-ent.kasp" {
- type primary;
- file "nsec3-ent.kasp.db";
- dnssec-policy "nsec3";
- inline-signing yes;
-};
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-// NS3
-
-include "named-fips.conf";
-
-dnssec-policy "rsasha1" {
- keys {
- csk lifetime unlimited algorithm rsasha1;
- };
-};
-
-/*
- * This zone starts with NSEC, but will be reconfigured to use NSEC3.
- * This should work despite the incompatible RSAHSHA1 algorithm,
- * because the DS is still in hidden state.
- */
-zone "rsasha1-to-nsec3.kasp" {
- type primary;
- file "rsasha1-to-nsec3.kasp.db";
- //dnssec-policy "rsasha1";
- dnssec-policy "nsec3";
-};
-
-/*
- * This zone starts with NSEC, but will be reconfigured to use NSEC3.
- * This should block because RSASHA1 is not compatible with NSEC3,
- * and the DS is published.
- */
-zone "rsasha1-to-nsec3-wait.kasp" {
- type primary;
- file "rsasha1-to-nsec3-wait.kasp.db";
- //dnssec-policy "rsasha1";
- dnssec-policy "nsec3";
-};
-
-/*
- * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
- * NSEC only algorithm. This should work despite the incompatible RSAHSHA1
- * algorithm, because the DS is still in hidden state.
- */
-zone "nsec3-to-rsasha1.kasp" {
- type primary;
- file "nsec3-to-rsasha1.kasp.db";
- //dnssec-policy "nsec3";
- dnssec-policy "rsasha1";
-};
-
-/*
- * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
- * NSEC only algorithm. This should also be fine because we are allowed
- * to change to NSEC with any algorithm, then we can also publish the new
- * DNSKEY and signatures of the RSASHA1 algorithm.
- */
-zone "nsec3-to-rsasha1-ds.kasp" {
- type primary;
- file "nsec3-to-rsasha1-ds.kasp.db";
- //dnssec-policy "nsec3";
- dnssec-policy "rsasha1";
-};
set -e
-copy_setports ns2/named.conf.in ns2/named.conf
(
cd ns2
$SHELL setup.sh
)
-if [ $RSASHA1_SUPPORTED = 0 ]; then
- copy_setports ns3/named-fips.conf.in ns3/named.conf
-else
- copy_setports ns3/named-fips.conf.in ns3/named-fips.conf
- # includes named-fips.conf
- cp ns3/named1.conf.in ns3/named.conf
-fi
(
cd ns3
$SHELL setup.sh
"ns*/*.jnl",
"ns*/*.signed",
"ns*/keygen.out.*",
+ "ns3/named-common.conf",
"ns3/named-fips.conf",
+ "ns3/named-rsasha0.conf",
+ "ns3/named-rsasha1.conf",
]
)
projects / thirdparty / bind9.git / commitdiff
