/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0.  If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

{% set reconfiged = reconfiged | default(False) %}
{% set rsasha1_to_nsec3 = "rsasha1" if not reconfiged else "nsec3" %}
{% set nsec3_to_rsasha1 = "nsec3" if not reconfiged else "rsasha1" %}

dnssec-policy "rsasha1" {
	keys {
		csk lifetime unlimited algorithm rsasha1;
	};
};


{% if "rsasha1-to-nsec3.kasp" in zones %}
/*
 * This zone starts with NSEC, but will be reconfigured to use NSEC3.
 * This should work despite the incompatible RSASHA1 algorithm,
 * because the DS is still in hidden state.
 */
zone "rsasha1-to-nsec3.kasp" {
	type primary;
	file "rsasha1-to-nsec3.kasp.db";
	dnssec-policy "@rsasha1_to_nsec3@";
};
{% endif %}{# rsasha1-to-nsec3.kasp #}

{% if "rsasha1-to-nsec3-wait.kasp" in zones %}
/*
 * This zone starts with NSEC, but will be reconfigured to use NSEC3.
 * This should block because RSASHA1 is not compatible with NSEC3,
 * and the DS is published.
 */
zone "rsasha1-to-nsec3-wait.kasp" {
	type primary;
	file "rsasha1-to-nsec3-wait.kasp.db";
	dnssec-policy "@rsasha1_to_nsec3@";
};
{% endif %}{# rsasha1-to-nsec3-wait.kasp #}

{% if "nsec3-to-rsasha1.kasp" in zones %}
/*
 * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
 * NSEC only algorithm. This should work despite the incompatible RSASHA1
 * algorithm, because the DS is still in hidden state.
 */
zone "nsec3-to-rsasha1.kasp" {
	type primary;
	file "nsec3-to-rsasha1.kasp.db";
	dnssec-policy "@nsec3_to_rsasha1@";
};
{% endif %}{# nsec3-to-rsasha1.kasp #}

{% if "nsec3-to-rsasha1-ds.kasp" in zones %}
/*
 * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
 * NSEC only algorithm. This should also be fine because we are allowed
 * to change to NSEC with any algorithm, then we can also publish the new
 * DNSKEY and signatures of the RSASHA1 algorithm.
 */
zone "nsec3-to-rsasha1-ds.kasp" {
	type primary;
	file "nsec3-to-rsasha1-ds.kasp.db";
	dnssec-policy "@nsec3_to_rsasha1@";
};
{% endif %}{# nsec3-to-rsasha1-ds.kasp #}