/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

/*
 * Negative test configuration: each dnssec-policy below gives one key a
 * lifetime that is too short for the policy's own timing parameters, and
 * each zone at the end of the file attaches one of those policies.
 *
 * All three policies use the same timing values, which add up as follows:
 *
 *   dnskey-ttl + publish-safety + zone-propagation-delay
 *       = 1H + 1H + 1H                            = 3H
 *   parent-ds-ttl + parent-propagation-delay + retire-safety
 *       = 1H + 5M + 1H                            = 2H5M
 *   (signatures-validity - signatures-refresh) + max-zone-ttl
 *       + zone-propagation-delay + retire-safety
 *       = 7D + 1D + 1H + 1H                       = 8D2H
 *
 * NOTE(review): the lifetimes used here sit exactly on, or one second
 * above, 3H (KSK) and 8D2H (ZSK), which suggests those sums are the
 * bounds a key lifetime has to exceed; confirm against the key lifetime
 * check in the BIND version under test. The concern is presumably that a
 * key retired any sooner could be withdrawn before its successor's
 * DNSKEY, DS and signatures have reached validators, leaving the zone
 * unable to validate.
 */

dnssec-policy "bad-lifetime-ksk" {
	/*
	 * KSK: PT3H is too short.
	 * ZSK: P8DT2H1S is long enough to pass, but is still expected to
	 * trigger a warning.
	 */
	keys {
		ksk lifetime PT3H algorithm 13;
		zsk lifetime P8DT2H1S algorithm 13;
	};

	/* Timing parameters (identical in all three policies). */
	dnskey-ttl PT1H;
	publish-safety PT1H;
	zone-propagation-delay PT1H;
	retire-safety PT1H;
	max-zone-ttl P1D;
	signatures-validity P10D;
	signatures-refresh P3D;
	parent-ds-ttl PT1H;
	parent-propagation-delay PT5M;
};

dnssec-policy "bad-lifetime-zsk" {
	/*
	 * ZSK: P8DT2H is too short.
	 * KSK: PT3H1S is long enough to pass, but is still expected to
	 * trigger a warning.
	 */
	keys {
		ksk lifetime PT3H1S algorithm 13;
		zsk lifetime P8DT2H algorithm 13;
	};

	/* Timing parameters (identical in all three policies). */
	dnskey-ttl PT1H;
	publish-safety PT1H;
	zone-propagation-delay PT1H;
	retire-safety PT1H;
	max-zone-ttl P1D;
	signatures-validity P10D;
	signatures-refresh P3D;
	parent-ds-ttl PT1H;
	parent-propagation-delay PT5M;
};

dnssec-policy "bad-lifetime-csk" {
	/*
	 * CSK: PT3H is too short. A CSK is the only key in this policy,
	 * so there is no second key to produce a warning-only case.
	 */
	keys {
		csk lifetime PT3H algorithm 13;
	};

	/* Timing parameters (identical in all three policies). */
	dnskey-ttl PT1H;
	publish-safety PT1H;
	zone-propagation-delay PT1H;
	retire-safety PT1H;
	max-zone-ttl P1D;
	signatures-validity P10D;
	signatures-refresh P3D;
	parent-ds-ttl PT1H;
	parent-propagation-delay PT5M;
};

/* One primary zone per policy above. */

zone "bad-lifetime-ksk.example.net" {
	type primary;
	file "bad-lifetime-ksk.example.db";
	dnssec-policy "bad-lifetime-ksk";
};

zone "bad-lifetime-zsk.example.net" {
	type primary;
	file "bad-lifetime-zsk.example.db";
	dnssec-policy "bad-lifetime-zsk";
};

zone "bad-lifetime-csk.example.net" {
	type primary;
	file "bad-lifetime-csk.example.db";
	dnssec-policy "bad-lifetime-csk";
};