mirror of
https://github.com/isc-projects/bind9.git
synced 2026-04-24 23:57:30 -04:00
5f464d15a0
'dnssec-policy' can now also be set on the options and view level and a zone that does not set 'dnssec-policy' explicitly will inherit it from the view or options level. This requires a new keyword to be introduced: 'none'. If set to 'none' the zone will not be DNSSEC maintained, in other words it will stay unsigned. You can use this to break the inheritance. Of course you can also break the inheritance by referring to a different policy. The keywords 'default' and 'none' are not allowed when configuring your own dnssec-policy statement. Add appropriate tests for checking the configuration (checkconf) and add tests to the kasp system test to verify the inheritance works. Edit the kasp system test such that it can deal with unsigned zones and views (so setting a TSIG on the query).
202 lines
3.4 KiB
Text
202 lines
3.4 KiB
Text
/*
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
*
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
* information regarding copyright ownership.
|
|
*/
|
|
|
|
/*
|
|
* This is just a random selection of configuration options.
|
|
*/
|
|
|
|
/* cut here */
|
|
dnssec-policy "test" {
|
|
dnskey-ttl 3600;
|
|
keys {
|
|
ksk key-directory lifetime P1Y algorithm 13 256;
|
|
zsk key-directory lifetime P30D algorithm 13;
|
|
csk key-directory lifetime P30D algorithm 8 2048;
|
|
};
|
|
publish-safety PT3600S;
|
|
retire-safety PT3600S;
|
|
signatures-refresh P3D;
|
|
signatures-validity P2W;
|
|
signatures-validity-dnskey P14D;
|
|
zone-max-ttl 86400;
|
|
zone-propagation-delay PT5M;
|
|
parent-ds-ttl 7200;
|
|
parent-propagation-delay PT1H;
|
|
parent-registration-delay P1D;
|
|
};
|
|
options {
|
|
avoid-v4-udp-ports {
|
|
100;
|
|
};
|
|
avoid-v6-udp-ports {
|
|
100;
|
|
};
|
|
blackhole {
|
|
10.0.0.0/8;
|
|
};
|
|
coresize 1073741824;
|
|
datasize 104857600;
|
|
directory ".";
|
|
dscp 41;
|
|
dump-file "named_dumpdb";
|
|
files 1000;
|
|
heartbeat-interval 30;
|
|
hostname none;
|
|
interface-interval 30;
|
|
keep-response-order {
|
|
10.0.10.0/24;
|
|
};
|
|
listen-on port 90 {
|
|
"any";
|
|
};
|
|
listen-on port 100 dscp 33 {
|
|
127.0.0.1/32;
|
|
};
|
|
listen-on-v6 port 53 dscp 57 {
|
|
"none";
|
|
};
|
|
match-mapped-addresses yes;
|
|
memstatistics-file "named.memstats";
|
|
pid-file none;
|
|
port 5300;
|
|
querylog yes;
|
|
recursing-file "named.recursing";
|
|
recursive-clients 3000;
|
|
serial-query-rate 100;
|
|
server-id none;
|
|
max-cache-size 20000000000000;
|
|
nta-lifetime 604800;
|
|
nta-recheck 604800;
|
|
validate-except {
|
|
"corp";
|
|
};
|
|
dnssec-policy "test";
|
|
transfer-source 0.0.0.0 dscp 63;
|
|
zone-statistics none;
|
|
};
|
|
view "first" {
|
|
match-clients {
|
|
"none";
|
|
};
|
|
zone "example1" {
|
|
type master;
|
|
file "xxx";
|
|
update-policy local;
|
|
notify-source 10.10.10.10 port 53 dscp 55;
|
|
};
|
|
zone "clone" {
|
|
type master;
|
|
file "yyy";
|
|
};
|
|
dnssec-validation auto;
|
|
zone-statistics terse;
|
|
};
|
|
view "second" {
|
|
match-clients {
|
|
"any";
|
|
};
|
|
zone "example1" {
|
|
type master;
|
|
file "zzz";
|
|
update-policy local;
|
|
zone-statistics yes;
|
|
};
|
|
zone "example2" {
|
|
type static-stub;
|
|
forward only;
|
|
forwarders {
|
|
10.53.0.4;
|
|
};
|
|
zone-statistics no;
|
|
};
|
|
zone "clone" {
|
|
in-view "first";
|
|
};
|
|
zone "." {
|
|
type redirect;
|
|
masters {
|
|
1.2.3.4;
|
|
};
|
|
};
|
|
dnssec-validation auto;
|
|
zone-statistics full;
|
|
};
|
|
view "third" {
|
|
match-clients {
|
|
"none";
|
|
};
|
|
zone "clone" {
|
|
in-view "first";
|
|
forward only;
|
|
forwarders {
|
|
10.0.0.100;
|
|
};
|
|
};
|
|
zone "dnssec" {
|
|
type master;
|
|
file "file";
|
|
allow-update {
|
|
"any";
|
|
};
|
|
auto-dnssec maintain;
|
|
};
|
|
zone "p" {
|
|
type primary;
|
|
file "pfile";
|
|
};
|
|
zone "s" {
|
|
type secondary;
|
|
masters {
|
|
1.2.3.4;
|
|
};
|
|
};
|
|
};
|
|
view "fourth" {
|
|
zone "dnssec-test" {
|
|
type master;
|
|
file "dnssec-test.db";
|
|
dnssec-policy "test";
|
|
};
|
|
zone "dnssec-default" {
|
|
type master;
|
|
file "dnssec-default.db";
|
|
dnssec-policy "default";
|
|
};
|
|
zone "dnssec-inherit" {
|
|
type master;
|
|
file "dnssec-inherit.db";
|
|
};
|
|
zone "dnssec-none" {
|
|
type master;
|
|
file "dnssec-none.db";
|
|
dnssec-policy "none";
|
|
};
|
|
dnssec-policy "default";
|
|
};
|
|
view "chaos" chaos {
|
|
zone "hostname.bind" chaos {
|
|
type master;
|
|
database "_builtin hostname";
|
|
};
|
|
};
|
|
dyndb "name" "library.so" {
|
|
this;
|
|
\};
|
|
is a {
|
|
"test" { \{ of; the; };
|
|
} bracketed;
|
|
"text \"";
|
|
system;
|
|
};
|
|
key "mykey" {
|
|
algorithm "hmac-md5";
|
|
secret "qwertyuiopasdfgh";
|
|
};
|