Home | History | Annotate | Line # | Download | only in ns3
      1 /*
      2  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
      3  *
      4  * SPDX-License-Identifier: MPL-2.0
      5  *
      6  * This Source Code Form is subject to the terms of the Mozilla Public
      7  * License, v. 2.0.  If a copy of the MPL was not distributed with this
      8  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
      9  *
     10  * See the COPYRIGHT file distributed with this work for additional
     11  * information regarding copyright ownership.
     12  */
     13 
     14 {% set reconfiged = reconfiged | default(False) %}
     15 {% set rsasha1_to_nsec3 = "rsasha1" if not reconfiged else "nsec3" %}
     16 {% set nsec3_to_rsasha1 = "nsec3" if not reconfiged else "rsasha1" %}
     17 
     18 dnssec-policy "rsasha1" {
     19 	keys {
     20 		csk lifetime unlimited algorithm rsasha1;
     21 	};
     22 };
     23 
     24 
     25 {% if "rsasha1-to-nsec3.kasp" in zones %}
     26 /*
     27  * This zone starts with NSEC, but will be reconfigured to use NSEC3.
     28  * This should work despite the incompatible RSASHA1 algorithm,
     29  * because the DS is still in hidden state.
     30  */
     31 zone "rsasha1-to-nsec3.kasp" {
     32 	type primary;
     33 	file "rsasha1-to-nsec3.kasp.db";
     34 	dnssec-policy "@rsasha1_to_nsec3@";
     35 };
     36 {% endif %}{# rsasha1-to-nsec3.kasp #}
     37 
     38 {% if "rsasha1-to-nsec3-wait.kasp" in zones %}
     39 /*
     40  * This zone starts with NSEC, but will be reconfigured to use NSEC3.
     41  * This should block because RSASHA1 is not compatible with NSEC3,
     42  * and the DS is published.
     43  */
     44 zone "rsasha1-to-nsec3-wait.kasp" {
     45 	type primary;
     46 	file "rsasha1-to-nsec3-wait.kasp.db";
     47 	dnssec-policy "@rsasha1_to_nsec3@";
     48 };
     49 {% endif %}{# rsasha1-to-nsec3-wait.kasp #}
     50 
     51 {% if "nsec3-to-rsasha1.kasp" in zones %}
     52 /*
     53  * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
     54  * NSEC only algorithm. This should work despite the incompatible RSASHA1
     55  * algorithm, because the DS is still in hidden state.
     56  */
     57 zone "nsec3-to-rsasha1.kasp" {
     58 	type primary;
     59 	file "nsec3-to-rsasha1.kasp.db";
     60 	dnssec-policy "@nsec3_to_rsasha1@";
     61 };
     62 {% endif %}{# nsec3-to-rsasha1.kasp #}
     63 
     64 {% if "nsec3-to-rsasha1-ds.kasp" in zones %}
     65 /*
     66  * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
     67  * NSEC only algorithm. This should also be fine because we are allowed
     68  * to change to NSEC with any algorithm, then we can also publish the new
     69  * DNSKEY and signatures of the RSASHA1 algorithm.
     70  */
     71 zone "nsec3-to-rsasha1-ds.kasp" {
     72 	type primary;
     73 	file "nsec3-to-rsasha1-ds.kasp.db";
     74 	dnssec-policy "@nsec3_to_rsasha1@";
     75 };
     76 {% endif %}{# nsec3-to-rsasha1-ds.kasp #}
     77