/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

dnssec-policy "migrate" {
	dnskey-ttl 7200;

	keys {
		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
		zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
	};
};

dnssec-policy "timing-metadata" {
	dnskey-ttl 300;

	signatures-refresh P1W;
	signatures-validity P2W;
	signatures-validity-dnskey P2W;

	keys {
		ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
		zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
	};

	// Together 12h
	zone-propagation-delay 3600;
	max-zone-ttl 11h;

	// Together 3h
	parent-propagation-delay pt1h;
	parent-ds-ttl 7200;
};

/*
 * This policy tests migration from existing keys with 1024 bits RSASHA1 keys
 * to ECDSAP256SHA256 keys.
 */
dnssec-policy "migrate-nomatch-algnum" {
	dnskey-ttl 300;

	keys {
		ksk key-directory lifetime unlimited algorithm ecdsa256;
		zsk key-directory lifetime P60D algorithm ecdsa256;
	};

	// Together 12h
	zone-propagation-delay 3600;
	max-zone-ttl 11h;

	// Together 3h
	parent-propagation-delay pt1h;
	parent-ds-ttl 7200;
};

/*
 * This policy tests migration from existing keys with 1024 bits RSASHA1 keys
 * to 2048 bits RSASHA1 keys.
 */
dnssec-policy "migrate-nomatch-alglen" {
	dnskey-ttl 300;

	keys {
		ksk key-directory lifetime unlimited algorithm rsasha1 2048;
		zsk key-directory lifetime P60D algorithm rsasha1 2048;
	};

	// Together 12h
	zone-propagation-delay 3600;
	max-zone-ttl 11h;

	// Together 3h
	parent-propagation-delay pt1h;
	parent-ds-ttl 7200;
};