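/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0.  If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

/*
 * Configuration-check fixture (directory "checkconf"): three dnssec-policy
 * statements whose key lifetimes sit exactly at, or one second above, the
 * minimum implied by the policy's own timing parameters, plus one primary
 * zone per policy so that every policy is referenced.
 *
 * Every statement here is deliberately left as the author wrote it; the
 * "too short" lifetimes are the point of the fixture and must not be
 * "fixed".
 *
 * NOTE(review): the thresholds below are worked out from the values in this
 * file and agree with every "too short" / "good enough" remark the author
 * left. Confirm the exact formula against the checker version under test.
 *
 *   KSK minimum: dnskey-ttl + publish-safety + zone-propagation-delay
 *                = PT1H + PT1H + PT1H = PT3H
 *                (the parent-side sum, parent-ds-ttl + retire-safety +
 *                parent-propagation-delay = PT2H5M, is smaller and so
 *                presumably does not decide the result here)
 *   ZSK minimum: (signatures-validity - signatures-refresh) + max-zone-ttl
 *                + retire-safety + zone-propagation-delay
 *                = (P10D - P3D) + P1D + PT1H + PT1H = P8DT2H
 *
 * A lifetime equal to the minimum is treated as too short; one second more
 * is accepted. The check matters operationally: a key that retires before
 * its successor has been published and cached data has expired can leave
 * validating resolvers without a usable key or signature.
 */

dnssec-policy "bad-lifetime-ksk" {
	/*
	 * The KSK lifetime is too short: PT3H equals the KSK minimum
	 * derived above instead of exceeding it.
	 * The ZSK lifetime is good enough (P8DT2H1S is one second above the
	 * ZSK minimum) but should trigger a warning -- presumably the
	 * warning for lifetimes under 30 days; verify against the checker.
	 */
	keys {
		/* Algorithm 13 is ECDSAP256SHA256. */
		ksk lifetime PT3H algorithm 13;
		zsk lifetime P8DT2H1S algorithm 13;
	};

	/* Timing parameters that feed the minimum-lifetime calculation. */
	dnskey-ttl PT1H;
	publish-safety PT1H;
	retire-safety PT1H;
	zone-propagation-delay PT1H;
	max-zone-ttl P1D;
	signatures-validity P10D;
	signatures-refresh P3D;
	parent-ds-ttl PT1H;
	parent-propagation-delay PT5M;
};

dnssec-policy "bad-lifetime-zsk" {
	/*
	 * The ZSK lifetime is too short: P8DT2H equals the ZSK minimum
	 * derived above instead of exceeding it.
	 * The KSK lifetime is good enough (PT3H1S is one second above the
	 * KSK minimum) but should trigger a warning -- presumably the
	 * warning for lifetimes under 30 days; verify against the checker.
	 */
	keys {
		/* Algorithm 13 is ECDSAP256SHA256. */
		ksk lifetime PT3H1S algorithm 13;
		zsk lifetime P8DT2H algorithm 13;
	};

	/* Same timing parameters as "bad-lifetime-ksk"; only the keys differ. */
	dnskey-ttl PT1H;
	publish-safety PT1H;
	retire-safety PT1H;
	zone-propagation-delay PT1H;
	max-zone-ttl P1D;
	signatures-validity P10D;
	signatures-refresh P3D;
	parent-ds-ttl PT1H;
	parent-propagation-delay PT5M;
};

dnssec-policy "bad-lifetime-csk" {
	/*
	 * The CSK lifetime is too short.
	 * NOTE(review): a CSK serves in both the KSK and the ZSK role, so it
	 * presumably has to clear the larger of the two minimums (P8DT2H);
	 * PT3H does not clear even the KSK minimum. Confirm which bound the
	 * checker reports.
	 */
	keys {
		/* Algorithm 13 is ECDSAP256SHA256. */
		csk lifetime PT3H algorithm 13;
	};

	/* Same timing parameters as the two policies above. */
	dnskey-ttl PT1H;
	publish-safety PT1H;
	retire-safety PT1H;
	zone-propagation-delay PT1H;
	max-zone-ttl P1D;
	signatures-validity P10D;
	signatures-refresh P3D;
	parent-ds-ttl PT1H;
	parent-propagation-delay PT5M;
};

/* One primary zone per policy, so each policy above is referenced. */
zone "bad-lifetime-ksk.example.net" {
	type primary;
	file "bad-lifetime-ksk.example.db";
	dnssec-policy "bad-lifetime-ksk";
};

zone "bad-lifetime-zsk.example.net" {
	type primary;
	file "bad-lifetime-zsk.example.db";
	dnssec-policy "bad-lifetime-zsk";
};

zone "bad-lifetime-csk.example.net" {
	type primary;
	file "bad-lifetime-csk.example.db";
	dnssec-policy "bad-lifetime-csk";
};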