      1 /*
      2  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
      3  *
      4  * SPDX-License-Identifier: MPL-2.0
      5  *
      6  * This Source Code Form is subject to the terms of the Mozilla Public
      7  * License, v. 2.0.  If a copy of the MPL was not distributed with this
      8  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
      9  *
     10  * See the COPYRIGHT file distributed with this work for additional
     11  * information regarding copyright ownership.
     12  */
     13 
      14 dnssec-policy "migrate" { // split KSK/ZSK policy; only the ZSK has a finite lifetime
      15 	dnskey-ttl 7200; // TTL of the DNSKEY RRset: 7200 s = 2h
      16 
      17 	keys { // NOTE(review): @DEFAULT_ALGORITHM@ looks like a template placeholder filled in when this config is generated -- confirm
      18 		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; // KSK stored in the zone's key-directory; "unlimited" means no scheduled rollover
      19 		zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@; // ZSK lifetime is 60 days (ISO 8601 duration)
      20 	};
      21 };
     22 
      23 dnssec-policy "timing-metadata" { // KSK and ZSK both on a 60-day lifetime, with explicit signature and propagation timings
      24 	dnskey-ttl 300; // TTL of the DNSKEY RRset: 300 s = 5 min
      25 
      26 	signatures-refresh P1W; // re-sign once a signature is within 1 week of expiring
      27 	signatures-validity P2W; // signatures are valid for 2 weeks
      28 	signatures-validity-dnskey P2W; // same 2-week validity for signatures over the DNSKEY RRset
      29 
      30 	keys { // NOTE(review): @DEFAULT_ALGORITHM@ looks like a template placeholder filled in when this config is generated -- confirm
      31 		ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@; // KSK lifetime is 60 days
      32 		zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@; // ZSK lifetime is 60 days
      33 	};
      34 
      35 	// zone-propagation-delay (3600 s = 1h) + max-zone-ttl (11h) = 12h in total
      36 	zone-propagation-delay 3600;
      37 	max-zone-ttl 11h;
      38 
      39 	// parent-propagation-delay (pt1h = 1h) + parent-ds-ttl (7200 s = 2h) = 3h in total
      40 	parent-propagation-delay pt1h;
      41 	parent-ds-ttl 7200;
      42 };
     43 
     44 /*
      45  * This policy tests migration from existing 1024-bit RSASHA1 keys
      46  * to ECDSAP256SHA256 keys.
     47  */
      48 dnssec-policy "migrate-nomatch-algnum" { // this policy lists only ecdsa256 keys; the older keys being migrated are not declared here
      49 	dnskey-ttl 300; // TTL of the DNSKEY RRset: 300 s = 5 min
      50 
      51 	keys {
      52 		ksk key-directory lifetime unlimited algorithm ecdsa256; // KSK with no scheduled rollover
      53 		zsk key-directory lifetime P60D algorithm ecdsa256; // ZSK lifetime is 60 days
      54 	};
      55 
      56 	// zone-propagation-delay (3600 s = 1h) + max-zone-ttl (11h) = 12h in total
      57 	zone-propagation-delay 3600;
      58 	max-zone-ttl 11h;
      59 
      60 	// parent-propagation-delay (pt1h = 1h) + parent-ds-ttl (7200 s = 2h) = 3h in total
      61 	parent-propagation-delay pt1h;
      62 	parent-ds-ttl 7200;
      63 };
     64 
     65 /*
      66  * This policy tests migration from existing 2048-bit RSASHA256 keys
      67  * to 3072-bit RSASHA256 keys.
     68  */
      69 dnssec-policy "migrate-nomatch-alglen" { // same algorithm for both keys, with an explicit 3072-bit key size
      70 	dnskey-ttl 300; // TTL of the DNSKEY RRset: 300 s = 5 min
      71 
      72 	keys {
      73 		ksk key-directory lifetime unlimited algorithm rsasha256 3072; // trailing 3072 is the RSA key size in bits; no scheduled rollover
      74 		zsk key-directory lifetime P60D algorithm rsasha256 3072; // 3072-bit ZSK with a 60-day lifetime
      75 	};
      76 
      77 	// zone-propagation-delay (3600 s = 1h) + max-zone-ttl (11h) = 12h in total
      78 	zone-propagation-delay 3600;
      79 	max-zone-ttl 11h;
      80 
      81 	// parent-propagation-delay (pt1h = 1h) + parent-ds-ttl (7200 s = 2h) = 3h in total
      82 	parent-propagation-delay pt1h;
      83 	parent-ds-ttl 7200;
      84 };
     85 
     86 /*
      87  * This policy tests migration from an existing KSK and ZSK to a single CSK.
      88  * The keys clause matches the default policy.
     89  */
      90 dnssec-policy "migrate-nomatch-kzc" { // one CSK takes the place of a separate KSK and ZSK
      91 	dnskey-ttl 300; // TTL of the DNSKEY RRset: 300 s = 5 min
      92 
      93 	keys { // NOTE(review): @DEFAULT_ALGORITHM@ looks like a template placeholder filled in when this config is generated -- confirm
      94 		csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; // single combined signing key with no scheduled rollover
      95 	};
      96 
      97 	// zone-propagation-delay (3600 s = 1h) + max-zone-ttl (11h) = 12h in total
      98 	zone-propagation-delay 3600;
      99 	max-zone-ttl 11h;
     100 
     101 	// parent-propagation-delay (pt1h = 1h) + parent-ds-ttl (7200 s = 2h) = 3h in total
     102 	parent-propagation-delay pt1h;
     103 	parent-ds-ttl 7200;
     104 };
    105