diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf index 7c8f929b00..17309e5ea6 100644 --- a/bin/tests/system/checkconf/good-kasp.conf +++ b/bin/tests/system/checkconf/good-kasp.conf @@ -40,15 +40,20 @@ options { zone "example1" { type primary; file "example1.db"; + inline-signing yes; }; zone "example2" { type primary; file "example2.db"; + allow-update { + "any"; + }; dnssec-policy "test"; }; zone "example3" { type primary; file "example3.db"; + inline-signing yes; dnssec-policy "default"; }; zone "dnssec-policy-none-shared-zonefile1" { diff --git a/bin/tests/system/checkconf/good-key-directory.conf b/bin/tests/system/checkconf/good-key-directory.conf index 07deb28993..45befffa32 100644 --- a/bin/tests/system/checkconf/good-key-directory.conf +++ b/bin/tests/system/checkconf/good-key-directory.conf @@ -46,6 +46,7 @@ view "localhost" { type primary; file "localhost/example.com.zone"; dnssec-policy "localhost"; + inline-signing yes; }; }; @@ -56,6 +57,7 @@ view "external" { type primary; file "external/example.com.zone"; dnssec-policy "internet"; + inline-signing yes; }; }; @@ -66,5 +68,6 @@ view "internal" { type primary; file "internal/example.com.zone"; dnssec-policy "intranet"; + inline-signing yes; }; }; diff --git a/bin/tests/system/checkconf/good.conf.in b/bin/tests/system/checkconf/good.conf.in index 1c136c703e..9ed4ece922 100644 --- a/bin/tests/system/checkconf/good.conf.in +++ b/bin/tests/system/checkconf/good.conf.in @@ -103,6 +103,7 @@ view "first" { zone "clone" { type primary; file "yyy"; + inline-signing yes; max-ixfr-ratio unlimited; }; dnssec-validation auto; @@ -166,9 +167,12 @@ view "third" { zone "p" { type primary; file "pfile"; + inline-signing yes; }; zone "s" { type secondary; + file "sfile"; + inline-signing yes; primaries { 1.2.3.4; }; @@ -179,6 +183,7 @@ view "fourth" { zone "dnssec-test" { type primary; file "dnssec-test.db"; + inline-signing yes; parental-agents { 1.2.3.4; 1.2.3.5; @@ -189,6 +194,7 @@ view "fourth" { zone "dnssec-default" { type primary; file "dnssec-default.db"; + inline-signing yes; parental-agents { "parents"; }; @@ -197,6 +203,7 @@ view "fourth" { zone "dnssec-inherit" { type primary; file "dnssec-inherit.db"; + inline-signing yes; }; zone "dnssec-none" { type primary; @@ -206,11 +213,13 @@ view "fourth" { zone "dnssec-view1" { type primary; file "dnssec-view41.db"; + inline-signing yes; dnssec-policy "test"; }; zone "dnssec-view2" { type primary; file "dnssec-view42.db"; + inline-signing yes; }; zone "dnssec-view3" { type primary; @@ -230,17 +239,20 @@ view "fifth" { zone "dnssec-view1" { type primary; file "dnssec-view51.db"; + inline-signing yes; dnssec-policy "test"; }; zone "dnssec-view2" { type primary; file "dnssec-view52.db"; + inline-signing yes; dnssec-policy "test"; key-directory "keys"; }; zone "dnssec-view3" { type primary; file "dnssec-view53.db"; + inline-signing yes; dnssec-policy "default"; key-directory "keys"; }; @@ -255,6 +267,7 @@ view "chaos" chaos { zone "hostname.bind" chaos { type primary; database "_builtin hostname"; + inline-signing yes; }; }; dyndb "name" "library.so" { diff --git a/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf index bac45894dc..b67a0e1d9a 100644 --- a/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf +++ b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf @@ -26,4 +26,3 @@ zone "nsec3.net" { sig-validity-interval 3600; update-check-ksk yes; }; - diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf index 8dc710f29c..a5a71d39bb 100644 --- a/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf +++ b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf @@ -57,4 +57,5 @@ zone "example.net" { type primary; file "example.db"; dnssec-policy "default"; + inline-signing yes; }; diff --git a/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf b/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf index dd907dddd2..197ff17d3f 100644 --- a/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf +++ b/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf @@ -34,11 +34,13 @@ dnssec-policy "bad-sigrefresh-dnskey" { zone "sigrefresh.example.net" { type primary; file "sigrefresh.example.db"; + inline-signing yes; dnssec-policy "bad-sigrefresh"; }; zone "dnskey.example.net" { type primary; file "dnskey.example.db"; + inline-signing yes; dnssec-policy "bad-sigrefresh-dnskey"; }; diff --git a/bin/tests/system/checkconf/kasp-ignore-keylen.conf b/bin/tests/system/checkconf/kasp-ignore-keylen.conf index fae3e4120d..c9787d4180 100644 --- a/bin/tests/system/checkconf/kasp-ignore-keylen.conf +++ b/bin/tests/system/checkconf/kasp-ignore-keylen.conf @@ -22,5 +22,6 @@ zone "example.net" { type primary; file "example.db"; dnssec-policy "warn-length"; + inline-signing yes; }; diff --git a/bin/tests/system/checkconf/kasp-warning.conf b/bin/tests/system/checkconf/kasp-warning.conf index 4c05b5ad02..41b6d6f27c 100644 --- a/bin/tests/system/checkconf/kasp-warning.conf +++ b/bin/tests/system/checkconf/kasp-warning.conf @@ -42,18 +42,21 @@ dnssec-policy "warn3" { zone "warn1.example.net" { type primary; file "warn1.example.db"; + inline-signing yes; dnssec-policy "warn1"; }; zone "warn2.example.net" { type primary; file "warn2.example.db"; + inline-signing yes; dnssec-policy "warn2"; }; zone "warn3.example.net" { type primary; file "warn3.example.db"; + inline-signing yes; dnssec-policy "warn3"; }; diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index 7d8d50e5ca..c42f673a8b 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -492,7 +492,7 @@ n=`expr $n + 1` echo_i "checking named-checkconf kasp errors ($n)" ret=0 $CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1 -grep "'inline-signing;' cannot be set to 'no' if dnssec-policy is also set on a non-dynamic DNS zone" < checkconf.out$n > /dev/null || ret=1 +grep "'dnssec-policy;' requires dynamic DNS or inline-signing to be configured for the zone" < checkconf.out$n > /dev/null || ret=1 grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 diff --git a/bin/tests/system/checkds/ns9/named.conf.in b/bin/tests/system/checkds/ns9/named.conf.in index 9942b68d8e..73e5d80bb6 100644 --- a/bin/tests/system/checkds/ns9/named.conf.in +++ b/bin/tests/system/checkds/ns9/named.conf.in @@ -49,6 +49,7 @@ zone "." { zone "dspublished.checkds" { type primary; file "dspublished.checkds.db"; + inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.2 port @PORT@; }; }; @@ -60,6 +61,7 @@ zone "dspublished.checkds" { zone "reference.checkds" { type primary; file "reference.checkds.db"; + inline-signing yes; dnssec-policy "default"; parental-agents { "ns2"; }; }; @@ -71,6 +73,7 @@ zone "reference.checkds" { zone "missing-dspublished.checkds" { type primary; file "missing-dspublished.checkds.db"; + inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.5 port @PORT@; // missing @@ -85,6 +88,7 @@ zone "missing-dspublished.checkds" { zone "bad-dspublished.checkds" { type primary; file "bad-dspublished.checkds.db"; + inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.6 port @PORT@; // bad @@ -98,6 +102,7 @@ zone "bad-dspublished.checkds" { zone "multiple-dspublished.checkds" { type primary; file "multiple-dspublished.checkds.db"; + inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.2 port @PORT@; @@ -113,6 +118,7 @@ zone "multiple-dspublished.checkds" { zone "incomplete-dspublished.checkds" { type primary; file "incomplete-dspublished.checkds.db"; + inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.2 port @PORT@; @@ -130,6 +136,7 @@ zone "incomplete-dspublished.checkds" { zone "bad2-dspublished.checkds" { type primary; file "bad2-dspublished.checkds.db"; + inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.2 port @PORT@; @@ -150,6 +157,7 @@ zone "bad2-dspublished.checkds" { zone "dswithdrawn.checkds" { type primary; file "dswithdrawn.checkds.db"; + inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.5 port @PORT@; }; }; @@ -157,6 +165,7 @@ zone "dswithdrawn.checkds" { zone "missing-dswithdrawn.checkds" { type primary; file "missing-dswithdrawn.checkds.db"; + inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.2 port @PORT@; // still published @@ -166,6 +175,7 @@ zone "missing-dswithdrawn.checkds" { zone "bad-dswithdrawn.checkds" { type primary; file "bad-dswithdrawn.checkds.db"; + inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.6 port @PORT@; // bad @@ -175,6 +185,7 @@ zone "bad-dswithdrawn.checkds" { zone "multiple-dswithdrawn.checkds" { type primary; file "multiple-dswithdrawn.checkds.db"; + inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.5 port @PORT@; @@ -185,6 +196,7 @@ zone "multiple-dswithdrawn.checkds" { zone "incomplete-dswithdrawn.checkds" { type primary; file "incomplete-dswithdrawn.checkds.db"; + inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.2 port @PORT@; // still published @@ -196,6 +208,7 @@ zone "incomplete-dswithdrawn.checkds" { zone "bad2-dswithdrawn.checkds" { type primary; file "bad2-dswithdrawn.checkds.db"; + inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.5 port @PORT@; diff --git a/bin/tests/system/kasp/ns2/named.conf.in b/bin/tests/system/kasp/ns2/named.conf.in index df139cd139..f90fce8673 100644 --- a/bin/tests/system/kasp/ns2/named.conf.in +++ b/bin/tests/system/kasp/ns2/named.conf.in @@ -46,8 +46,9 @@ zone "unsigned.tld" { zone "signed.tld" { type primary; - dnssec-policy "default"; file "signed.tld.db"; + dnssec-policy "default"; + inline-signing yes; }; /* Primary service for ns3 */ diff --git a/bin/tests/system/kasp/ns3/ed25519.conf b/bin/tests/system/kasp/ns3/ed25519.conf index b64c0c8471..999fa2f657 100644 --- a/bin/tests/system/kasp/ns3/ed25519.conf +++ b/bin/tests/system/kasp/ns3/ed25519.conf @@ -24,5 +24,6 @@ dnssec-policy "ed25519" { zone "ed25519.kasp" { type primary; file "ed25519.kasp.db"; + inline-signing yes; dnssec-policy "ed25519"; }; diff --git a/bin/tests/system/kasp/ns3/ed448.conf b/bin/tests/system/kasp/ns3/ed448.conf index ee4c494892..e9c8312a43 100644 --- a/bin/tests/system/kasp/ns3/ed448.conf +++ b/bin/tests/system/kasp/ns3/ed448.conf @@ -24,5 +24,6 @@ dnssec-policy "ed448" { zone "ed448.kasp" { type primary; file "ed448.kasp.db"; + inline-signing yes; dnssec-policy "ed448"; }; diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in index 8b4e9903f1..6199b0496b 100644 --- a/bin/tests/system/kasp/ns3/named-fips.conf.in +++ b/bin/tests/system/kasp/ns3/named-fips.conf.in @@ -44,6 +44,7 @@ controls { zone "default.kasp" { type primary; file "default.kasp.db"; + inline-signing yes; dnssec-policy "default"; }; @@ -51,6 +52,7 @@ zone "default.kasp" { zone "checkds-ksk.kasp" { type primary; file "checkds-ksk.kasp.db"; + inline-signing yes; dnssec-policy "checkds-ksk"; }; @@ -58,6 +60,7 @@ zone "checkds-ksk.kasp" { zone "checkds-doubleksk.kasp" { type primary; file "checkds-doubleksk.kasp.db"; + inline-signing yes; dnssec-policy "checkds-doubleksk"; }; @@ -65,6 +68,7 @@ zone "checkds-doubleksk.kasp" { zone "checkds-csk.kasp" { type primary; file "checkds-csk.kasp.db"; + inline-signing yes; dnssec-policy "checkds-csk"; }; @@ -72,6 +76,7 @@ zone "checkds-csk.kasp" { zone "unlimited.kasp" { type primary; file "unlimited.kasp.db"; + inline-signing yes; dnssec-policy "unlimited"; }; @@ -79,12 +84,14 @@ zone "unlimited.kasp" { zone "manual-rollover.kasp" { type primary; file "manual-rollover.kasp.db"; + inline-signing yes; dnssec-policy "manual-rollover"; }; /* A zone that inherits dnssec-policy. */ zone "inherit.kasp" { type primary; + inline-signing yes; file "inherit.kasp.db"; }; @@ -92,6 +99,7 @@ zone "inherit.kasp" { zone "unsigned.kasp" { type primary; file "unsigned.kasp.db"; + inline-signing yes; dnssec-policy "none"; }; @@ -99,6 +107,7 @@ zone "unsigned.kasp" { zone "insecure.kasp" { type primary; file "insecure.kasp.db"; + inline-signing yes; dnssec-policy "insecure"; }; @@ -106,6 +115,7 @@ zone "insecure.kasp" { zone "dnssec-keygen.kasp" { type primary; file "dnssec-keygen.kasp.db"; + inline-signing yes; dnssec-policy "rsasha256"; }; @@ -114,6 +124,7 @@ zone "secondary.kasp" { type secondary; primaries { 10.53.0.2; }; file "secondary.kasp.db"; + inline-signing yes; dnssec-policy "rsasha256"; }; @@ -148,6 +159,7 @@ zone "inline-signing.kasp" { zone "some-keys.kasp" { type primary; file "some-keys.kasp.db"; + inline-signing yes; dnssec-policy "rsasha256"; }; @@ -157,6 +169,7 @@ zone "some-keys.kasp" { zone "legacy-keys.kasp" { type primary; file "legacy-keys.kasp.db"; + inline-signing yes; dnssec-policy "migrate-to-dnssec-policy"; }; @@ -166,6 +179,7 @@ zone "legacy-keys.kasp" { zone "pregenerated.kasp" { type primary; file "pregenerated.kasp.db"; + inline-signing yes; dnssec-policy "rsasha256"; }; @@ -176,6 +190,7 @@ zone "pregenerated.kasp" { zone "rumoured.kasp" { type primary; file "rumoured.kasp.db"; + inline-signing yes; dnssec-policy "rsasha256"; }; @@ -193,21 +208,25 @@ zone "multisigner-model2.kasp" { zone "rsasha256.kasp" { type primary; file "rsasha256.kasp.db"; + inline-signing yes; dnssec-policy "rsasha256"; }; zone "rsasha512.kasp" { type primary; file "rsasha512.kasp.db"; + inline-signing yes; dnssec-policy "rsasha512"; }; zone "ecdsa256.kasp" { type primary; file "ecdsa256.kasp.db"; + inline-signing yes; dnssec-policy "ecdsa256"; }; zone "ecdsa384.kasp" { type primary; file "ecdsa384.kasp.db"; + inline-signing yes; dnssec-policy "ecdsa384"; }; @@ -217,6 +236,7 @@ zone "ecdsa384.kasp" { zone "max-zone-ttl.kasp" { type primary; file "max-zone-ttl.kasp.db"; + inline-signing yes; dnssec-policy "ttl"; }; @@ -230,6 +250,7 @@ zone "max-zone-ttl.kasp" { zone "expired-sigs.autosign" { type primary; file "expired-sigs.autosign.db"; + inline-signing yes; dnssec-policy "autosign"; }; @@ -239,6 +260,7 @@ zone "expired-sigs.autosign" { zone "fresh-sigs.autosign" { type primary; file "fresh-sigs.autosign.db"; + inline-signing yes; dnssec-policy "autosign"; }; @@ -248,6 +270,7 @@ zone "fresh-sigs.autosign" { zone "unfresh-sigs.autosign" { type primary; file "unfresh-sigs.autosign.db"; + inline-signing yes; dnssec-policy "autosign"; }; @@ -257,6 +280,7 @@ zone "unfresh-sigs.autosign" { zone "ksk-missing.autosign" { type primary; file "ksk-missing.autosign.db"; + inline-signing yes; dnssec-policy "autosign"; }; @@ -266,6 +290,7 @@ zone "ksk-missing.autosign" { zone "zsk-missing.autosign" { type primary; file "zsk-missing.autosign.db"; + inline-signing yes; dnssec-policy "autosign"; }; @@ -275,6 +300,7 @@ zone "zsk-missing.autosign" { zone "zsk-retired.autosign" { type primary; file "zsk-retired.autosign.db"; + inline-signing yes; dnssec-policy "autosign"; }; @@ -284,21 +310,25 @@ zone "zsk-retired.autosign" { zone "step1.enable-dnssec.autosign" { type primary; file "step1.enable-dnssec.autosign.db"; + inline-signing yes; dnssec-policy "enable-dnssec"; }; zone "step2.enable-dnssec.autosign" { type primary; file "step2.enable-dnssec.autosign.db"; + inline-signing yes; dnssec-policy "enable-dnssec"; }; zone "step3.enable-dnssec.autosign" { type primary; file "step3.enable-dnssec.autosign.db"; + inline-signing yes; dnssec-policy "enable-dnssec"; }; zone "step4.enable-dnssec.autosign" { type primary; file "step4.enable-dnssec.autosign.db"; + inline-signing yes; dnssec-policy "enable-dnssec"; }; @@ -308,31 +338,37 @@ zone "step4.enable-dnssec.autosign" { zone "step1.zsk-prepub.autosign" { type primary; file "step1.zsk-prepub.autosign.db"; + inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step2.zsk-prepub.autosign" { type primary; file "step2.zsk-prepub.autosign.db"; + inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step3.zsk-prepub.autosign" { type primary; file "step3.zsk-prepub.autosign.db"; + inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step4.zsk-prepub.autosign" { type primary; file "step4.zsk-prepub.autosign.db"; + inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step5.zsk-prepub.autosign" { type primary; file "step5.zsk-prepub.autosign.db"; + inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step6.zsk-prepub.autosign" { type primary; file "step6.zsk-prepub.autosign.db"; + inline-signing yes; dnssec-policy "zsk-prepub"; }; @@ -342,31 +378,37 @@ zone "step6.zsk-prepub.autosign" { zone "step1.ksk-doubleksk.autosign" { type primary; file "step1.ksk-doubleksk.autosign.db"; + inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step2.ksk-doubleksk.autosign" { type primary; file "step2.ksk-doubleksk.autosign.db"; + inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step3.ksk-doubleksk.autosign" { type primary; file "step3.ksk-doubleksk.autosign.db"; + inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step4.ksk-doubleksk.autosign" { type primary; file "step4.ksk-doubleksk.autosign.db"; + inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step5.ksk-doubleksk.autosign" { type primary; file "step5.ksk-doubleksk.autosign.db"; + inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step6.ksk-doubleksk.autosign" { type primary; file "step6.ksk-doubleksk.autosign.db"; + inline-signing yes; dnssec-policy "ksk-doubleksk"; }; @@ -376,76 +418,91 @@ zone "step6.ksk-doubleksk.autosign" { zone "step1.csk-roll.autosign" { type primary; file "step1.csk-roll.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll"; }; zone "step2.csk-roll.autosign" { type primary; file "step2.csk-roll.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll"; }; zone "step3.csk-roll.autosign" { type primary; file "step3.csk-roll.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll"; }; zone "step4.csk-roll.autosign" { type primary; file "step4.csk-roll.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll"; }; zone "step5.csk-roll.autosign" { type primary; file "step5.csk-roll.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll"; }; zone "step6.csk-roll.autosign" { type primary; file "step6.csk-roll.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll"; }; zone "step7.csk-roll.autosign" { type primary; file "step7.csk-roll.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll"; }; zone "step8.csk-roll.autosign" { type primary; file "step8.csk-roll.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll"; }; zone "step1.csk-roll2.autosign" { type primary; file "step1.csk-roll2.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step2.csk-roll2.autosign" { type primary; file "step2.csk-roll2.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step3.csk-roll2.autosign" { type primary; file "step3.csk-roll2.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step4.csk-roll2.autosign" { type primary; file "step4.csk-roll2.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step5.csk-roll2.autosign" { type primary; file "step5.csk-roll2.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step6.csk-roll2.autosign" { type primary; file "step6.csk-roll2.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step7.csk-roll2.autosign" { type primary; file "step7.csk-roll2.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll2"; }; diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in index 921ecc89d1..92e007d1e7 100644 --- a/bin/tests/system/kasp/ns3/named.conf.in +++ b/bin/tests/system/kasp/ns3/named.conf.in @@ -18,11 +18,13 @@ include "named-fips.conf"; zone "rsasha1.kasp" { type primary; file "rsasha1.kasp.db"; + inline-signing yes; dnssec-policy "rsasha1"; }; zone "rsasha1-nsec3.kasp" { type primary; file "rsasha1-nsec3.kasp.db"; + inline-signing yes; dnssec-policy "rsasha1-nsec3"; }; diff --git a/bin/tests/system/kasp/ns4/named.conf.in b/bin/tests/system/kasp/ns4/named.conf.in index 568587e09b..4ded7a2218 100644 --- a/bin/tests/system/kasp/ns4/named.conf.in +++ b/bin/tests/system/kasp/ns4/named.conf.in @@ -75,20 +75,22 @@ view "inherit" { zone "inherit.inherit.signed" { type primary; file "inherit.inherit.signed.db"; + inline-signing yes; }; /* Override dnssec-policy */ zone "override.inherit.signed" { type primary; - dnssec-policy "default"; file "override.inherit.signed.db"; + inline-signing yes; + dnssec-policy "default"; }; /* Unset dnssec-policy */ zone "none.inherit.signed" { type primary; - dnssec-policy "none"; file "none.inherit.signed.db"; + dnssec-policy "none"; }; }; @@ -100,20 +102,22 @@ view "override" { zone "inherit.override.signed" { type primary; file "inherit.override.signed.db"; + inline-signing yes; }; /* Override dnssec-policy */ zone "override.override.signed" { type primary; - dnssec-policy "test"; file "override.override.signed.db"; + inline-signing yes; + dnssec-policy "test"; }; /* Unset dnssec-policy */ zone "none.override.signed" { type primary; - dnssec-policy "none"; file "none.override.signed.db"; + dnssec-policy "none"; }; }; @@ -130,15 +134,16 @@ view "none" { /* Override dnssec-policy */ zone "override.none.signed" { type primary; - dnssec-policy "test"; file "override.none.signed.db"; + inline-signing yes; + dnssec-policy "test"; }; /* Unset dnssec-policy */ zone "none.none.signed" { type primary; - dnssec-policy "none"; file "none.none.signed.db"; + dnssec-policy "none"; }; }; @@ -150,7 +155,6 @@ view "example1" { zone "example.net" { type primary; file "example1.db"; - // Dynamic zone, inline-signing disabled, policy inerhited. }; }; @@ -160,7 +164,7 @@ view "example2" { zone "example.net" { type primary; file "example2.db"; - // Static zone, inline-signing, policy inherited. + inline-signing yes; }; }; diff --git a/bin/tests/system/kasp/ns5/named.conf.in b/bin/tests/system/kasp/ns5/named.conf.in index 02b17732d6..dfa5bb1d47 100644 --- a/bin/tests/system/kasp/ns5/named.conf.in +++ b/bin/tests/system/kasp/ns5/named.conf.in @@ -65,15 +65,16 @@ view "inherit" { /* Override dnssec-policy */ zone "override.inherit.unsigned" { type primary; - dnssec-policy "default"; file "override.inherit.unsigned.db"; + inline-signing yes; + dnssec-policy "default"; }; /* Unset dnssec-policy */ zone "none.inherit.unsigned" { type primary; - dnssec-policy "none"; file "none.inherit.unsigned.db"; + dnssec-policy "none"; }; }; @@ -85,20 +86,22 @@ view "override" { zone "inherit.override.unsigned" { type primary; file "inherit.override.unsigned.db"; + inline-signing yes; }; /* Override dnssec-policy */ zone "override.override.unsigned" { type primary; - dnssec-policy "test"; file "override.override.unsigned.db"; + inline-signing yes; + dnssec-policy "test"; }; /* Unset dnssec-policy */ zone "none.override.unsigned" { type primary; - dnssec-policy "none"; file "none.override.unsigned.db"; + dnssec-policy "none"; }; }; @@ -115,14 +118,15 @@ view "none" { /* Override dnssec-policy */ zone "override.none.unsigned" { type primary; - dnssec-policy "test"; file "override.none.unsigned.db"; + inline-signing yes; + dnssec-policy "test"; }; /* Unset dnssec-policy */ zone "none.none.unsigned" { type primary; - dnssec-policy "none"; file "none.none.unsigned.db"; + dnssec-policy "none"; }; }; diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in index 9cfc6462be..7e62fa9dd5 100644 --- a/bin/tests/system/kasp/ns6/named.conf.in +++ b/bin/tests/system/kasp/ns6/named.conf.in @@ -42,6 +42,7 @@ controls { zone "step1.going-insecure.kasp" { type primary; file "step1.going-insecure.kasp.db"; + inline-signing yes; dnssec-policy "unsigning"; }; @@ -55,6 +56,7 @@ zone "step1.going-insecure-dynamic.kasp" { zone "step1.going-straight-to-none.kasp" { type primary; file "step1.going-straight-to-none.kasp.db"; + inline-signing yes; dnssec-policy "default"; }; @@ -62,12 +64,14 @@ zone "step1.going-straight-to-none.kasp" { zone "step1.algorithm-roll.kasp" { type primary; file "step1.algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "rsasha256"; }; zone "step1.csk-algorithm-roll.kasp" { type primary; file "step1.csk-algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "csk-algoroll"; }; @@ -79,6 +83,7 @@ dnssec-policy "modified" { zone example { type primary; - dnssec-policy modified; file "example.db"; + inline-signing yes; + dnssec-policy modified; }; diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in index f421b5e662..79fc7768e7 100644 --- a/bin/tests/system/kasp/ns6/named2.conf.in +++ b/bin/tests/system/kasp/ns6/named2.conf.in @@ -41,12 +41,14 @@ controls { zone "step1.going-insecure.kasp" { type primary; file "step1.going-insecure.kasp.db"; + inline-signing yes; dnssec-policy "insecure"; }; zone "step2.going-insecure.kasp" { type primary; file "step2.going-insecure.kasp.db"; + inline-signing yes; dnssec-policy "insecure"; }; @@ -76,36 +78,42 @@ zone "step1.going-straight-to-none.kasp" { zone "step1.algorithm-roll.kasp" { type primary; file "step1.algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step2.algorithm-roll.kasp" { type primary; file "step2.algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step3.algorithm-roll.kasp" { type primary; file "step3.algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step4.algorithm-roll.kasp" { type primary; file "step4.algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step5.algorithm-roll.kasp" { type primary; file "step5.algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step6.algorithm-roll.kasp" { type primary; file "step6.algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "ecdsa256"; }; @@ -115,36 +123,42 @@ zone "step6.algorithm-roll.kasp" { zone "step1.csk-algorithm-roll.kasp" { type primary; file "step1.csk-algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step2.csk-algorithm-roll.kasp" { type primary; file "step2.csk-algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step3.csk-algorithm-roll.kasp" { type primary; file "step3.csk-algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step4.csk-algorithm-roll.kasp" { type primary; file "step4.csk-algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step5.csk-algorithm-roll.kasp" { type primary; file "step5.csk-algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step6.csk-algorithm-roll.kasp" { type primary; file "step6.csk-algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "csk-algoroll"; }; @@ -156,6 +170,7 @@ dnssec-policy "modified" { zone example { type primary; - dnssec-policy modified; file "example.db"; + inline-signing yes; + dnssec-policy modified; }; diff --git a/bin/tests/system/keymgr2kasp/ns4/named2.conf.in b/bin/tests/system/keymgr2kasp/ns4/named2.conf.in index 0391eb3512..eb7a6538bb 100644 --- a/bin/tests/system/keymgr2kasp/ns4/named2.conf.in +++ b/bin/tests/system/keymgr2kasp/ns4/named2.conf.in @@ -72,6 +72,7 @@ view "ext" { zone "view-rsasha256.kasp" { type primary; file "view-rsasha256.kasp.ext.db"; + inline-signing yes; dnssec-policy "rsasha256"; }; }; @@ -82,6 +83,7 @@ view "int" { zone "view-rsasha256.kasp" { type primary; file "view-rsasha256.kasp.int.db"; + inline-signing yes; dnssec-policy "rsasha256"; }; }; diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in index 67febf6a65..36c217ad3c 100644 --- a/bin/tests/system/nsec3/ns3/named.conf.in +++ b/bin/tests/system/nsec3/ns3/named.conf.in @@ -55,6 +55,7 @@ controls { zone "nsec-to-nsec3.kasp" { type primary; file "nsec-to-nsec3.kasp.db"; + inline-signing yes; dnssec-policy "nsec"; }; @@ -62,6 +63,7 @@ zone "nsec-to-nsec3.kasp" { zone "nsec3.kasp" { type primary; file "nsec3.kasp.db"; + inline-signing yes; dnssec-policy "nsec3"; }; @@ -76,6 +78,7 @@ zone "nsec3-dynamic.kasp" { zone "nsec3-other.kasp" { type primary; file "nsec3-other.kasp.db"; + inline-signing yes; dnssec-policy "nsec3-other"; }; @@ -83,6 +86,7 @@ zone "nsec3-other.kasp" { zone "nsec3-change.kasp" { type primary; file "nsec3-change.kasp.db"; + inline-signing yes; dnssec-policy "nsec3"; }; @@ -97,6 +101,7 @@ zone "nsec3-dynamic-change.kasp" { zone "nsec3-to-optout.kasp" { type primary; file "nsec3-to-optout.kasp.db"; + inline-signing yes; dnssec-policy "nsec3"; }; @@ -104,6 +109,7 @@ zone "nsec3-to-optout.kasp" { zone "nsec3-from-optout.kasp" { type primary; file "nsec3-from-optout.kasp.db"; + inline-signing yes; dnssec-policy "optout"; }; @@ -111,6 +117,7 @@ zone "nsec3-from-optout.kasp" { zone "nsec3-to-nsec.kasp" { type primary; file "nsec3-to-nsec.kasp.db"; + inline-signing yes; dnssec-policy "nsec3"; }; diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in index 3af1f5e8d9..c81cd70049 100644 --- a/bin/tests/system/nsec3/ns3/named2.conf.in +++ b/bin/tests/system/nsec3/ns3/named2.conf.in @@ -55,6 +55,7 @@ controls { zone "nsec-to-nsec3.kasp" { type primary; file "nsec-to-nsec3.kasp.db"; + inline-signing yes; //dnssec-policy "nsec"; dnssec-policy "nsec3"; }; @@ -63,6 +64,7 @@ zone "nsec-to-nsec3.kasp" { zone "nsec3.kasp" { type primary; file "nsec3.kasp.db"; + inline-signing yes; dnssec-policy "nsec3"; }; @@ -77,6 +79,7 @@ zone "nsec3-dynamic.kasp" { zone "nsec3-other.kasp" { type primary; file "nsec3-other.kasp.db"; + inline-signing yes; dnssec-policy "nsec3-other"; }; @@ -84,6 +87,7 @@ zone "nsec3-other.kasp" { zone "nsec3-change.kasp" { type primary; file "nsec3-change.kasp.db"; + inline-signing yes; //dnssec-policy "nsec3"; dnssec-policy "nsec3-other"; }; @@ -100,6 +104,7 @@ zone "nsec3-dynamic-change.kasp" { zone "nsec3-to-optout.kasp" { type primary; file "nsec3-to-optout.kasp.db"; + inline-signing yes; //dnssec-policy "nsec3"; dnssec-policy "optout"; }; @@ -108,6 +113,7 @@ zone "nsec3-to-optout.kasp" { zone "nsec3-from-optout.kasp" { type primary; file "nsec3-from-optout.kasp.db"; + inline-signing yes; //dnssec-policy "optout"; dnssec-policy "nsec3"; }; @@ -116,6 +122,7 @@ zone "nsec3-from-optout.kasp" { zone "nsec3-to-nsec.kasp" { type primary; file "nsec3-to-nsec.kasp.db"; + inline-signing yes; //dnssec-policy "nsec3"; dnssec-policy "nsec"; };