/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0.  If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

// NS3

dnssec-policy "nsec" {
	// no need to change configuration: if no 'nsec3param' is set,
	// NSEC will be used;
};

dnssec-policy "nsec3" {
	nsec3param;
};

dnssec-policy "optout" {
	nsec3param optout yes;
};

dnssec-policy "nsec3-other" {
	nsec3param iterations 11 optout yes salt-length 0;
};

options {
	query-source address 10.53.0.3;
	notify-source 10.53.0.3;
	transfer-source 10.53.0.3;
	port @PORT@;
	pid-file "named.pid";
	listen-on { 10.53.0.3; };
	listen-on-v6 { none; };
	allow-transfer { any; };
	recursion no;
};

key rndc_key {
	secret "1234abcd8765";
	algorithm hmac-sha256;
};

controls {
	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};

/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
zone "nsec-to-nsec3.kasp" {
	type primary;
	file "nsec-to-nsec3.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec";
};

/* These zones use the default NSEC3 settings. */
zone "nsec3.kasp" {
	type primary;
	file "nsec3.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

zone "nsec3-dynamic.kasp" {
	type primary;
	file "nsec3-dynamic.kasp.db";
	dnssec-policy "nsec3";
	allow-update { any; };
};

/* This zone uses non-default NSEC3 settings. */
zone "nsec3-other.kasp" {
	type primary;
	file "nsec3-other.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3-other";
};

/* These zones will be reconfigured to use other NSEC3 settings. */
zone "nsec3-change.kasp" {
	type primary;
	file "nsec3-change.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

zone "nsec3-dynamic-change.kasp" {
	type primary;
	file "nsec3-dynamic-change.kasp.db";
	dnssec-policy "nsec3";
	allow-update { any; };
};

/* The zone will be reconfigured to use opt-out. */
zone "nsec3-to-optout.kasp" {
	type primary;
	file "nsec3-to-optout.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

/* The zone will be reconfigured to disable opt-out. */
zone "nsec3-from-optout.kasp" {
	type primary;
	file "nsec3-from-optout.kasp.db";
	inline-signing yes;
	dnssec-policy "optout";
};

/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
zone "nsec3-to-nsec.kasp" {
	type primary;
	file "nsec3-to-nsec.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

/* The zone fails to load, this should not prevent shutdown. */
zone "nsec3-fails-to-load.kasp" {
	type primary;
	file "nsec3-fails-to-load.kasp.db";
	dnssec-policy "nsec3";
	allow-update { any; };
};

/* These zones switch from dynamic to inline-signing or vice versa. */
zone "nsec3-dynamic-to-inline.kasp" {
	type primary;
	file "nsec3-dynamic-to-inline.kasp.db";
	dnssec-policy "nsec3";
	allow-update { any; };
};

zone "nsec3-inline-to-dynamic.kasp" {
	type primary;
	file "nsec3-inline-to-dynamic.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec3";
};

/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */
zone "nsec3-dynamic-update-inline.kasp" {
	type primary;
	file "nsec3-dynamic-update-inline.kasp.db";
	inline-signing yes;
	allow-update { any; };
	dnssec-policy "nsec";
};

zone "nsec3-xfr-inline.kasp" {
	type secondary;
	file "nsec3-xfr-inline.kasp.db";
	inline-signing yes;
	dnssec-policy "nsec";
	primaries { 10.53.0.2; };
};