options { dnssec-validation auto; automatic-interface-scan no; # # Explicitly listen on specific addresses, both IPv4 and IPv6 to # prevent Bind to bind to too many addresses listen-on { 127.15.10.37; 127.15.10.38; }; listen-on-v6 { fda1:b2:c3:0:127:15:10:37; fda1:b2:c3:0:127:15:10:38; }; # recursion no; notify no; empty-zones-enable no; pid-file "named.pid"; masterfile-format text; session-keyfile none; }; # In the usual case add the zone to view "main" only. If the scenario requires # two variants of the zone, add the variant of the zone to view "var1" (create # view "var2" etc if required). # Put all zone files into the "zones" sub-directory. view "main" { # Name of zone file in this view should be ".zone" match-destinations { 127.15.10.37; fda1:b2:c3:0:127:15:10:37; }; key-directory "key-dir"; zone "localhost" { type master; file "zones/localhost.zone"; }; zone "good-nsec-1.dnssec10.xa" { type master; file "zones/good-nsec-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "good-nsec-2.dnssec10.xa" { type master; file "zones/good-nsec-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "good-nsec-3.dnssec10.xa" { type master; file "zones/good-nsec-3.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "good-nsec3-1.dnssec10.xa" { type master; file "zones/good-nsec3-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "good-nsec3-2.dnssec10.xa" { type master; file "zones/good-nsec3-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "good-nsec3-3.dnssec10.xa" { type master; file "zones/good-nsec3-3.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "algo-not-supp-by-zm-1.dnssec10.xa" { type master; file "zones/algo-not-supp-by-zm-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "algo-not-supp-by-zm-2.dnssec10.xa" { type master; file "zones/algo-not-supp-by-zm-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "bad-servers-but-good-nsec-1.dnssec10.xa" { type master; file "zones/bad-servers-but-good-nsec-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "err-mult-nsec-1.dnssec10.xa" { type master; file "zones/err-mult-nsec-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "err-mult-nsec-2.dnssec10.xa" { type master; file "zones/err-mult-nsec-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "err-mult-nsec3-1.dnssec10.xa" { type master; file "zones/err-mult-nsec3-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "err-mult-nsec3param-1.dnssec10.xa" { type master; file "zones/err-mult-nsec3param-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "exp-nsec-nsec3-miss-1.dnssec10.xa" { # The scenario has neither NSEC nor NSEC3, but we have to select # something to get the DNSKEY and RRSIG. type master; file "zones/exp-nsec-nsec3-miss-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "inconsistent-nsec-1.dnssec10.xa" { type master; file "zones/inconsistent-nsec-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "inconsistent-nsec3-1.dnssec10.xa" { type master; file "zones/inconsistent-nsec3-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "inconsist-nsec-nsec3-1.dnssec10.xa" { type master; file "zones/inconsist-nsec-nsec3-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "inconsist-nsec-nsec3-2.dnssec10.xa" { type master; file "zones/inconsist-nsec-nsec3-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "mixed-nsec-nsec3-1.dnssec10.xa" { type master; file "zones/mixed-nsec-nsec3-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "mixed-nsec-nsec3-2.dnssec10.xa" { type master; file "zones/mixed-nsec-nsec3-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "nsec3param-gives-err-answer-1.dnssec10.xa" { type master; file "zones/nsec3param-gives-err-answer-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "nsec3param-gives-err-answer-2.dnssec10.xa" { type master; file "zones/nsec3param-gives-err-answer-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "nsec3param-mismatches-apex-1.dnssec10.xa" { type master; file "zones/nsec3param-mismatches-apex-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "nsec3param-q-response-err-1.dnssec10.xa" { type master; file "zones/nsec3param-q-response-err-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "nsec3param-q-response-err-2.dnssec10.xa" { type master; file "zones/nsec3param-q-response-err-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "nsec3param-q-response-err-3.dnssec10.xa" { type master; file "zones/nsec3param-q-response-err-3.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "nsec3-err-type-list-1.dnssec10.xa" { type master; file "zones/nsec3-err-type-list-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "nsec3-err-type-list-2.dnssec10.xa" { type master; file "zones/nsec3-err-type-list-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "nsec3-mismatches-apex-1.dnssec10.xa" { type master; file "zones/nsec3-mismatches-apex-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "nsec3-missing-signature-1.dnssec10.xa" { type master; file "zones/nsec3-missing-signature-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "nsec3-nodata-missing-soa-1.dnssec10.xa" { type master; file "zones/nsec3-nodata-missing-soa-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "nsec3-nodata-wrong-soa-1.dnssec10.xa" { type master; file "zones/nsec3-nodata-wrong-soa-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "nsec3-no-verified-signature-1.dnssec10.xa" { type master; file "zones/nsec3-no-verified-signature-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "nsec3-no-verified-signature-2.dnssec10.xa" { type master; file "zones/nsec3-no-verified-signature-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "nsec3-no-verified-signature-3.dnssec10.xa" { type master; file "zones/nsec3-no-verified-signature-3.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "nsec3-no-verified-signature-4.dnssec10.xa" { type master; file "zones/nsec3-no-verified-signature-4.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "nsec-err-type-list-1.dnssec10.xa" { type master; file "zones/nsec-err-type-list-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "nsec-err-type-list-2.dnssec10.xa" { type master; file "zones/nsec-err-type-list-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "nsec-gives-err-answer-1.dnssec10.xa" { type master; file "zones/nsec-gives-err-answer-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "nsec-gives-err-answer-2.dnssec10.xa" { type master; file "zones/nsec-gives-err-answer-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "nsec-mismatches-apex-1.dnssec10.xa" { type master; file "zones/nsec-mismatches-apex-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "nsec-mismatches-apex-2.dnssec10.xa" { type master; file "zones/nsec-mismatches-apex-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "nsec-missing-signature-1.dnssec10.xa" { type master; file "zones/nsec-missing-signature-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "nsec-nodata-missing-soa-1.dnssec10.xa" { type master; file "zones/nsec-nodata-missing-soa-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "nsec-nodata-wrong-soa-1.dnssec10.xa" { type master; file "zones/nsec-nodata-wrong-soa-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "nsec-no-verified-signature-1.dnssec10.xa" { type master; file "zones/nsec-no-verified-signature-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "nsec-no-verified-signature-2.dnssec10.xa" { type master; file "zones/nsec-no-verified-signature-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "nsec-no-verified-signature-3.dnssec10.xa" { type master; file "zones/nsec-no-verified-signature-3.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "nsec-no-verified-signature-4.dnssec10.xa" { type master; file "zones/nsec-no-verified-signature-4.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "nsec-query-response-err-1.dnssec10.xa" { type master; file "zones/nsec-query-response-err-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "nsec-query-response-err-2.dnssec10.xa" { type master; file "zones/nsec-query-response-err-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "nsec-query-response-err-3.dnssec10.xa" { type master; file "zones/nsec-query-response-err-3.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "server-no-dnssec-1.dnssec10.xa" { type master; file "zones/server-no-dnssec-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec; inline-signing yes; }; zone "server-no-dnssec-2.dnssec10.xa" { type master; file "zones/server-no-dnssec-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; }; # End view "main" view "var1" { # This view is for a variant of the zone already defined in view # "main". Do not put zones here unless they already exist in view # "main". # Name of zone file in this view should be ".zone", i.e. # the same name as in the main view, but stored in directory # "zones-var1". match-destinations { 127.15.10.38; fda1:b2:c3:0:127:15:10:38; }; key-directory "key-dir-var1"; zone "localhost" { type master; file "zones-var1/localhost.zone"; }; zone "inconsist-nsec-nsec3-1.dnssec10.xa" { type master; file "zones-var1/inconsist-nsec-nsec3-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "inconsist-nsec-nsec3-2.dnssec10.xa" { type master; file "zones-var1/inconsist-nsec-nsec3-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "mixed-nsec-nsec3-1.dnssec10.xa" { type master; file "zones-var1/mixed-nsec-nsec3-1.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; zone "mixed-nsec-nsec3-2.dnssec10.xa" { type master; file "zones-var1/mixed-nsec-nsec3-2.dnssec10.xa.zone"; dnssec-policy dnssec10-nsec3; inline-signing yes; }; }; # End view "var1" ## DNSSEC policy # Period duration definition: https://en.wikipedia.org/wiki/ISO_8601#Durations dnssec-policy dnssec10-nsec3 { dnskey-ttl PT24H; keys { ksk lifetime unlimited algorithm 13; # ECDSAP256SHA256 zsk lifetime unlimited algorithm 13; # ECDSAP256SHA256 }; max-zone-ttl P7W; nsec3param iterations 0 optout no salt-length 0; signatures-validity P8Y; signatures-validity-dnskey P8Y; }; dnssec-policy dnssec10-nsec { dnskey-ttl PT24H; keys { ksk lifetime unlimited algorithm 13; # ECDSAP256SHA256 zsk lifetime unlimited algorithm 13; # ECDSAP256SHA256 }; max-zone-ttl PT24H; signatures-validity P8Y; signatures-validity-dnskey P8Y; };