bind/doc/misc/dnssec-policy.default.conf

/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0.  If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

dnssec-policy "default" {
	// Keys
	offline-ksk no;
	keys {
		csk key-directory lifetime unlimited algorithm 13;
	};

	// Key timings
	cdnskey yes;
	cds-digest-types { 2; };
	dnskey-ttl 3600;
	publish-safety 1h;
	retire-safety 1h;
	purge-keys P90D;

	// Signature timings
	signatures-jitter 12h;
	signatures-refresh 5d;
	signatures-validity 14d;
	signatures-validity-dnskey 14d;

	// Zone parameters
	manual-mode no;
	inline-signing yes;
	max-zone-ttl 86400;
	zone-propagation-delay 300;

	// Parent parameters
	parent-ds-ttl 86400;
	parent-propagation-delay 1h;
};
Update the copyright information in all files in the repository This commit converts the license handling to adhere to the REUSE specification. It specifically: 1. Adds used licnses to LICENSES/ directory 2. Add "isc" template for adding the copyright boilerplate 3. Changes all source files to include copyright and SPDX license header, this includes all the C sources, documentation, zone files, configuration files. There are notes in the doc/dev/copyrights file on how to add correct headers to the new files. 4. Handle the rest that can't be modified via .reuse/dep5 file. The binary (or otherwise unmodifiable) files could have license places next to them in <foo>.license file, but this would lead to cluttered repository and most of the files handled in the .reuse/dep5 file are system test files. 2021-06-03 08:37:05 +02:00			`/*`
			`* Copyright (C) Internet Systems Consortium, Inc. ("ISC")`
			`*`
			`* SPDX-License-Identifier: MPL-2.0`
			`*`
Allow for key lifetime unlimited The keyword 'unlimited' can be used instead of PT0S which means the same but is more comprehensible for users. Also fix some redundant "none" parameters in the kasp test. 2020-02-06 15:41:47 +01:00			`* This Source Code Form is subject to the terms of the Mozilla Public`
			`* License, v. 2.0. If a copy of the MPL was not distributed with this`
Update the copyright information in all files in the repository This commit converts the license handling to adhere to the REUSE specification. It specifically: 1. Adds used licnses to LICENSES/ directory 2. Add "isc" template for adding the copyright boilerplate 3. Changes all source files to include copyright and SPDX license header, this includes all the C sources, documentation, zone files, configuration files. There are notes in the doc/dev/copyrights file on how to add correct headers to the new files. 4. Handle the rest that can't be modified via .reuse/dep5 file. The binary (or otherwise unmodifiable) files could have license places next to them in <foo>.license file, but this would lead to cluttered repository and most of the files handled in the .reuse/dep5 file are system test files. 2021-06-03 08:37:05 +02:00			`* file, you can obtain one at https://mozilla.org/MPL/2.0/.`
			`*`
Allow for key lifetime unlimited The keyword 'unlimited' can be used instead of PT0S which means the same but is more comprehensible for users. Also fix some redundant "none" parameters in the kasp test. 2020-02-06 15:41:47 +01:00			`* See the COPYRIGHT file distributed with this work for additional`
Update the copyright information in all files in the repository This commit converts the license handling to adhere to the REUSE specification. It specifically: 1. Adds used licnses to LICENSES/ directory 2. Add "isc" template for adding the copyright boilerplate 3. Changes all source files to include copyright and SPDX license header, this includes all the C sources, documentation, zone files, configuration files. There are notes in the doc/dev/copyrights file on how to add correct headers to the new files. 4. Handle the rest that can't be modified via .reuse/dep5 file. The binary (or otherwise unmodifiable) files could have license places next to them in <foo>.license file, but this would lead to cluttered repository and most of the files handled in the .reuse/dep5 file are system test files. 2021-06-03 08:37:05 +02:00			`* information regarding copyright ownership.`
			`*/`

Update docs with durations, built-in dnssec-policy Clarify in the ARM that TTL-style options can also now take ISO 8601 durations. Mention the built-in dnssec policies "default" and "none". Mention that "none" is the default. Add a file documenting the default dnssec-policy configuration options. Fix dnssec-policy syntax in ARM (dnssec-policy.grammar.xml). 2019-12-05 10:47:20 +01:00			`dnssec-policy "default" {`
			`// Keys`
Add offline-ksk option Add a new configuration option to enable Offline KSK key management. Offline KSK cannot work with CSK because it splits how keys with the KSK and ZSK role operate. Therefore, one key cannot have both roles. Add a configuration check to ensure this. 2024-03-22 11:48:53 +01:00			`offline-ksk no;`
Update docs with durations, built-in dnssec-policy Clarify in the ARM that TTL-style options can also now take ISO 8601 durations. Mention the built-in dnssec policies "default" and "none". Mention that "none" is the default. Add a file documenting the default dnssec-policy configuration options. Fix dnssec-policy syntax in ARM (dnssec-policy.grammar.xml). 2019-12-05 10:47:20 +01:00			`keys {`
Allow for key lifetime unlimited The keyword 'unlimited' can be used instead of PT0S which means the same but is more comprehensible for users. Also fix some redundant "none" parameters in the kasp test. 2020-02-06 15:41:47 +01:00			`csk key-directory lifetime unlimited algorithm 13;`
Update docs with durations, built-in dnssec-policy Clarify in the ARM that TTL-style options can also now take ISO 8601 durations. Mention the built-in dnssec policies "default" and "none". Mention that "none" is the default. Add a file documenting the default dnssec-policy configuration options. Fix dnssec-policy syntax in ARM (dnssec-policy.grammar.xml). 2019-12-05 10:47:20 +01:00			`};`

			`// Key timings`
Add configuration option 'cdnskey' Add the 'cdnskey' configuration option to 'dnssec-policy'. 2023-05-11 14:11:45 +02:00			`cdnskey yes;`
Make cds-digest-type plural Allow for configuring multiple CDS records with different digest types (currently only SHA-256 and SHA-384 are allowed). 2023-02-10 15:18:36 +01:00			`cds-digest-types { 2; };`
Update docs with durations, built-in dnssec-policy Clarify in the ARM that TTL-style options can also now take ISO 8601 durations. Mention the built-in dnssec policies "default" and "none". Mention that "none" is the default. Add a file documenting the default dnssec-policy configuration options. Fix dnssec-policy syntax in ARM (dnssec-policy.grammar.xml). 2019-12-05 10:47:20 +01:00			`dnskey-ttl 3600;`
			`publish-safety 1h;`
			`retire-safety 1h;`
Add purge-keys config option Add a new option 'purge-keys' to 'dnssec-policy' that will purge key files for deleted keys. The option determines how long key files should be retained prior to removing the corresponding files from disk. If set to 0, the option is disabled and 'named' will not remove key files from disk. 2021-02-08 12:02:19 +01:00			`purge-keys P90D;`
Update docs with durations, built-in dnssec-policy Clarify in the ARM that TTL-style options can also now take ISO 8601 durations. Mention the built-in dnssec policies "default" and "none". Mention that "none" is the default. Add a file documenting the default dnssec-policy configuration options. Fix dnssec-policy syntax in ARM (dnssec-policy.grammar.xml). 2019-12-05 10:47:20 +01:00
			`// Signature timings`
Add signatures-jitter option Add an option to speficy signatures jitter. 2024-01-31 16:52:32 +01:00			`signatures-jitter 12h;`
Update docs with durations, built-in dnssec-policy Clarify in the ARM that TTL-style options can also now take ISO 8601 durations. Mention the built-in dnssec policies "default" and "none". Mention that "none" is the default. Add a file documenting the default dnssec-policy configuration options. Fix dnssec-policy syntax in ARM (dnssec-policy.grammar.xml). 2019-12-05 10:47:20 +01:00			`signatures-refresh 5d;`
			`signatures-validity 14d;`
			`signatures-validity-dnskey 14d;`
revise dnssec-policy documentation 2020-02-07 23:41:18 -08:00
Update docs with durations, built-in dnssec-policy Clarify in the ARM that TTL-style options can also now take ISO 8601 durations. Mention the built-in dnssec policies "default" and "none". Mention that "none" is the default. Add a file documenting the default dnssec-policy configuration options. Fix dnssec-policy syntax in ARM (dnssec-policy.grammar.xml). 2019-12-05 10:47:20 +01:00			`// Zone parameters`
Add manual-mode config option Add a new option 'manual-mode' to 'dnssec-policy'. The intended use is that if it is enabled, it will not automatically move to the next state transition (RUMOURED, UNRETENTIVE), only after manual confirmation. The intended state transition should be logged. 2025-02-17 12:05:25 +01:00			`manual-mode no;`
Add inline-signing to dnssec-policy Add an option to enable/disable inline-signing inside the dnssec-policy clause. The existing inline-signing option that is set in the zone clause takes priority, but if it is omitted, then the value that is set in dnssec-policy is taken. The built-in policies use inline-signing. This means that if you want to use the default policy without inline-signing you either have to set it explicitly in the zone clause: zone "example" { ... dnssec-policy default; inline-signing no; }; Or create a new policy, only overriding the inline-signing option: dnssec-policy "default-dynamic" { inline-signing no; }; zone "example" { ... dnssec-policy default-dynamic; }; This also means that if you are going insecure with a dynamic zone, the built-in "insecure" policy needs to be accompanied with "inline-signing no;". 2023-04-03 17:00:36 +02:00			`inline-signing yes;`
rename 'zone-max-ttl' to 'max-zone-ttl' for consistency 2020-02-05 22:09:48 -08:00			`max-zone-ttl 86400;`
Update docs with durations, built-in dnssec-policy Clarify in the ARM that TTL-style options can also now take ISO 8601 durations. Mention the built-in dnssec policies "default" and "none". Mention that "none" is the default. Add a file documenting the default dnssec-policy configuration options. Fix dnssec-policy syntax in ARM (dnssec-policy.grammar.xml). 2019-12-05 10:47:20 +01:00			`zone-propagation-delay 300;`

			`// Parent parameters`
			`parent-ds-ttl 86400;`
			`parent-propagation-delay 1h;`
			`};`