/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

{#
  Two-phase named.conf for the NSEC <-> NSEC3 policy-transition tests.

  "reconfiged" is supplied by the caller and defaults to False.  On the
  first render every zone is attached to its starting policy; when the
  template is rendered again with reconfiged=True the two selectors below
  swap, so each zone is pointed at the policy it is expected to migrate to.
  Only the policy *name* changes between renders -- the zone statements
  themselves are identical, which is what lets the test reconfigure named
  without editing the zones by hand.

  The "@name@" references in the zone statements below are variable
  substitutions (presumably the test harness renders this file with
  "@" as the Jinja variable delimiter -- confirm against the template
  loader if a rendered copy still contains literal "@" characters).
#}
{% set reconfiged = reconfiged | default(False) %}
{# rsasha1-to-nsec3*: starts on "rsasha1" (NSEC), moves to "nsec3" #}
{% set rsasha1_to_nsec3 = "rsasha1" if not reconfiged else "nsec3" %}
{# nsec3-to-rsasha1*: starts on "nsec3", moves to "rsasha1" (NSEC) #}
{% set nsec3_to_rsasha1 = "nsec3" if not reconfiged else "rsasha1" %}

/*
 * Single CSK, never rolled, using the NSEC-only RSASHA1 algorithm.
 * There is no nsec3param here, so zones under this policy are NSEC-signed;
 * the file's own zone comments rely on that ("starts with NSEC").
 * The "nsec3" policy referenced by the selectors above is not defined in
 * this file and must come from elsewhere in the test configuration.
 * NOTE(review): RSASHA1 is kept only to exercise named's
 * algorithm/NSEC3 compatibility checks below; it is a legacy algorithm,
 * not a configuration to copy.
 */
dnssec-policy "rsasha1" {
	keys {
		csk lifetime unlimited algorithm rsasha1;
	};
};


{% if "rsasha1-to-nsec3.kasp" in zones %}
/*
 * This zone starts with NSEC, but will be reconfigured to use NSEC3.
 * This should work despite the incompatible RSASHA1 algorithm,
 * because the DS is still in hidden state.
 * (Expected outcome: the switch is allowed, since nothing has been
 * published to the parent yet that a resolver could be validating with.)
 */
zone "rsasha1-to-nsec3.kasp" {
	type primary;
	file "rsasha1-to-nsec3.kasp.db";
	dnssec-policy "@rsasha1_to_nsec3@";
};
{% endif %}{# rsasha1-to-nsec3.kasp #}

{% if "rsasha1-to-nsec3-wait.kasp" in zones %}
/*
 * This zone starts with NSEC, but will be reconfigured to use NSEC3.
 * This should block because RSASHA1 is not compatible with NSEC3,
 * and the DS is published.
 * (Expected outcome: named must refuse to go to NSEC3 while the
 * RSASHA1 DS is still published -- the opposite of the zone above.)
 */
zone "rsasha1-to-nsec3-wait.kasp" {
	type primary;
	file "rsasha1-to-nsec3-wait.kasp.db";
	dnssec-policy "@rsasha1_to_nsec3@";
};
{% endif %}{# rsasha1-to-nsec3-wait.kasp #}

{% if "nsec3-to-rsasha1.kasp" in zones %}
/*
 * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
 * NSEC only algorithm. This should work despite the incompatible RSASHA1
 * algorithm, because the DS is still in hidden state.
 */
zone "nsec3-to-rsasha1.kasp" {
	type primary;
	file "nsec3-to-rsasha1.kasp.db";
	dnssec-policy "@nsec3_to_rsasha1@";
};
{% endif %}{# nsec3-to-rsasha1.kasp #}

{% if "nsec3-to-rsasha1-ds.kasp" in zones %}
/*
 * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
 * NSEC only algorithm. This should also be fine because we are allowed
 * to change to NSEC with any algorithm, then we can also publish the new
 * DNSKEY and signatures of the RSASHA1 algorithm.
 * (Differs from the zone above only in its starting DS state; both use
 * the same "@nsec3_to_rsasha1@" selector.)
 */
zone "nsec3-to-rsasha1-ds.kasp" {
	type primary;
	file "nsec3-to-rsasha1-ds.kasp.db";
	dnssec-policy "@nsec3_to_rsasha1@";
};
{% endif %}{# nsec3-to-rsasha1-ds.kasp #}