csync-git

[mirrors/ArchLinux-Packages.git] / dnssec-tools / dnsval.conf

diff --git a/dnssec-tools/dnsval.conf b/dnssec-tools/dnsval.conf
index 2b4e984d0ebc7691b283e323529cfb609a11673c..8ff6dd2ffcd3b906bc4b57a0fd1ba8bf3562ca34 100644 (file)
--- a/dnssec-tools/dnsval.conf
+++ b/dnssec-tools/dnsval.conf
@@ -2,8 +2,12 @@
 #######################################################################
 ###
 ###  You should NOT modify this file, use the following files instead:
-###  - /etc/dnssec-tools/dnsval.conf.head
-###  - /etc/dnssec-tools/dnsval.conf.tail
+###  - /etc/dnssec-tools/dnsval.conf.head (for specifiing defaults)
+###  - /etc/dnssec-tools/dnsval.conf.tail (for overriding)
+###
+###  Root-zone trust anchor(s) are in the following file:
+###  - /usr/share/dnssec-trust-anchors/root-anchors.dnsval.conf
+###  (you will probably not need to modify it manualy)
 ###
 #######################################################################
 #######################################################################
@@ -13,7 +17,7 @@
 ##################################
 
 include /etc/dnssec-tools/dnsval.conf.head
-include /usr/share/dnssec-trust-anchors/root-anchor.dnsval.conf
+include /usr/share/dnssec-trust-anchors/root-anchors.dnsval.conf
 # TRUSTMAN-ACTION bind-include /var/opt/named/named.conf
 
 ##################################
@@ -24,53 +28,63 @@ global-options
        trust-oob-answers yes
        edns0-size 1492
        env-policy enable
-       app-policy disable
-       log 10:stderr
+       app-policy enable
+       log 5:stderr
 ;
 
 ##################################
 # Default policies
 ##################################
 
-:      trust-anchor
-       dnssec-tools.org    DS  54556  5  2  6B026928292D452A5CC37B3EF327F27F50A29936CB31E664EB066D71A476E282
-;
+# Note that ArchLinux distribution by default uses root-zone trust anchor from file
+# /usr/share/dnssec-trust-anchors/root-anchors.dnsval.conf and it will get overrided
+# by setting trust-anchor again, so if you want to add your user-specific keys, you
+# should also include the original root zone anchor.
 
-: zone-security-expectation
-       dnssec-tools.org validate
-;
+#: trust-anchor
+#      dlv.isc.org DS 19297 5 2 A11D16F6733983E159EDF8053B2FB57B479D81A309A50EAA79A81AF4 8A47C617
+#      dlv.isc.org DS 19297 5 1 7D480DBEF530374D8A4333FCB22106EB10013B46
+#;
+
+#: zone-security-expectation
+#      . validate
+#;
+
+#: dlv-trust-points 
+#      . dlv.isc.org
+#;
 
 : provably-insecure-status
        . trusted
 ;
 
-: clock-skew
-       . 0
-;
+#: clock-skew
+#      . 0
+#;
 
 ##################################
 # MTA Policies
 ##################################
 
-mta provably-insecure-status
-       . trusted
-;
+#mta provably-insecure-status
+#      . trusted
+#;
 
-mta clock-skew
-       . -1
-;
+#mta clock-skew
+#      . -1
+#;
 
 ##################################
 # Web Browser Policies
 ##################################
 
-browser provably-insecure-status
-       . trusted
-;
+#browser provably-insecure-status
+#      . trusted
+#;
 
-browser clock-skew
-       . 0
-;
+#browser clock-skew
+#      . 0
+#;
 
 
 ##################################