Change test configuration to make use of 'dnssec-policy' instead of
'auto-dnssec'.
Because we now use 'dnssec-policy', there is no need to create an
explicit key in the final test that adds multiple inline zones
followed by a reconfig.
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
+dnssec-policy "views" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
zone "." {
type hint;
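Review bot: The new "views" policy pairs a `ksk` with a `csk` rather than a `zsk`, and nothing in the block says why. Because the commit also drops `dnssec-dnskey-kskonly no;` from the zones, a reader cannot tell whether the csk is there to keep the DNSKEY RRset signed by both keys (a CSK signs DNSKEY as well as zone data) or is a slip for `zsk`. If it is deliberate, a comment above `keys {` would record it, for example `// csk instead of zsk: DNSKEY stays signed by both keys, as with 'dnssec-dnskey-kskonly no'`. The identical policy block added further down wants the same comment. `lifetime unlimited` means neither key is ever rolled, which suits a test but is worth stating so the block is not copied into a production configuration unchanged.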
type primary;
file "external/inline.db";
key-directory "external";
- auto-dnssec maintain;
+ dnssec-policy views;
inline-signing yes;
- dnssec-dnskey-kskonly no;
};
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
+dnssec-policy "views" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
view "internal" {
match-clients { 10.53.0.2;
10.53.0.3; };
type primary;
file "internal/inline.db";
key-directory "internal";
- auto-dnssec maintain;
+ dnssec-policy views;
inline-signing yes;
- dnssec-dnskey-kskonly no;
};
};
type primary;
file "external/inline.db";
key-directory "external";
- auto-dnssec maintain;
+ dnssec-policy views;
inline-signing yes;
- dnssec-dnskey-kskonly no;
};
};
zone "${zone_name}" {
type primary;
file "db.${zone_name}";
- dnssec-dnskey-kskonly yes;
- auto-dnssec maintain;
+ dnssec-policy default;
inline-signing yes;
};
EOF
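Review bot: `dnssec-policy default;` ties these generated zones to the built-in policy, so their signing algorithm does not follow @DEFAULT_ALGORITHM@ the way the "views" policy added elsewhere in this commit does. If that is intentional, a comment before the here-document would explain the choice, for example `# built-in policy: named generates the key itself, so no dnssec-keygen call is needed`. If the "views" policy is in scope for the file this here-document writes, `dnssec-policy views;` would keep the algorithm consistent with the other zones, at the cost of a separate ksk per zone. The here-document starts outside the hunk, so the file it writes to is not visible here.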
localhost IN A 127.0.0.1
EOF
- $KEYGEN -q -Kns2 -fk -aecdsa256 "${zone_name}" > /dev/null
$RNDCCMD 10.53.0.2 reconfig || ret=1
if [ $ret != 0 ]; then echo_i "failed"; break; fi
i=$((i + 1))