X-Git-Url: http://git.harvie.cz/?a=blobdiff_plain;f=dnssec-tools%2Fdnsval.conf;h=8ff6dd2ffcd3b906bc4b57a0fd1ba8bf3562ca34;hb=7bf59e8a4357cbe0e79ac00a20cb5baab041ed95;hp=2b4e984d0ebc7691b283e323529cfb609a11673c;hpb=5db849a72f0b4c3166079da9f384c7667affaf0d;p=mirrors%2FArchLinux-Packages.git
diff --git a/dnssec-tools/dnsval.conf b/dnssec-tools/dnsval.conf
index 2b4e984..8ff6dd2 100644
--- a/dnssec-tools/dnsval.conf
+++ b/dnssec-tools/dnsval.conf
@@ -2,8 +2,12 @@
 #######################################################################
 ###
 ### You should NOT modify this file, use the following files instead:
-### - /etc/dnssec-tools/dnsval.conf.head
-### - /etc/dnssec-tools/dnsval.conf.tail
+### - /etc/dnssec-tools/dnsval.conf.head (for specifiing defaults)
+### - /etc/dnssec-tools/dnsval.conf.tail (for overriding)
+###
+### Root-zone trust anchor(s) are in the following file:
+### - /usr/share/dnssec-trust-anchors/root-anchors.dnsval.conf
+### (you will probably not need to modify it manualy)
 ###
 #######################################################################
 #######################################################################
@@ -13,7 +17,7 @@
 ##################################
 include /etc/dnssec-tools/dnsval.conf.head
-include /usr/share/dnssec-trust-anchors/root-anchor.dnsval.conf
+include /usr/share/dnssec-trust-anchors/root-anchors.dnsval.conf
 # TRUSTMAN-ACTION bind-include /var/opt/named/named.conf
 ##################################
@@ -24,53 +28,63 @@ global-options
 trust-oob-answers yes
 edns0-size 1492
 env-policy enable
- app-policy disable
- log 10:stderr
+ app-policy enable
+ log 5:stderr
 ;
 ##################################
 # Default policies
 ##################################
-: trust-anchor
- dnssec-tools.org DS 54556 5 2 6B026928292D452A5CC37B3EF327F27F50A29936CB31E664EB066D71A476E282
-;
+# Note that ArchLinux distribution by default uses root-zone trust anchor from file
+# /usr/share/dnssec-trust-anchors/root-anchors.dnsval.conf and it will get overrided
+# by setting trust-anchor again, so if you want to add your user-specific keys, you
+# should also include the original root zone anchor.
-: zone-security-expectation
- dnssec-tools.org validate
-;
+#: trust-anchor
+# dlv.isc.org DS 19297 5 2 A11D16F6733983E159EDF8053B2FB57B479D81A309A50EAA79A81AF4 8A47C617
+# dlv.isc.org DS 19297 5 1 7D480DBEF530374D8A4333FCB22106EB10013B46
+#;
+
+#: zone-security-expectation
+# . validate
+#;
+
+#: dlv-trust-points
+# . dlv.isc.org
+#;
 : provably-insecure-status
 . trusted
 ;
-: clock-skew
- . 0
-;
+#: clock-skew
+# . 0
+#;
 ##################################
 # MTA Policies
 ##################################
-mta provably-insecure-status
- . trusted
-;
+#mta provably-insecure-status
+# . trusted
+#;
-mta clock-skew
- . -1
-;
+#mta clock-skew
+# . -1
+#;
 ##################################
 # Web Browser Policies
 ##################################
-browser provably-insecure-status
- . trusted
-;
+#browser provably-insecure-status
+# . trusted
+#;
-browser clock-skew
- . 0
-;
+#browser clock-skew
+# . 0
+#;
 ##################################
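Review bot: The commented-out `#: trust-anchor` example in the default-policy section lists only the two `dlv.isc.org` DS records, while the comment added just above it says that setting `trust-anchor` again overrides the root anchor pulled in from `root-anchors.dnsval.conf`; a user who simply uncomments the example would, by that comment's own account, be left without the root anchor. I would put the reminder inside the example itself, e.g. `# (repeat the root-zone entry from root-anchors.dnsval.conf here as well)`. Separately, `app-policy` goes from `disable` to `enable` while `env-policy enable` stays, which as far as I can tell lets the calling application's name or the environment choose the policy scope; with the `mta` and `browser` scopes now commented out, a one-line comment on the intended effect would help anyone auditing the validator's behaviour. The hunk also leaves `provably-insecure-status . trusted` as the only active default policy, so a short comment stating that `zone-security-expectation` and `clock-skew` are now presumably left to the library defaults (or to the `.head`/`.tail` files) would make that choice explicit.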