diff options
Diffstat (limited to 'test/knot-data/knot.conf')
-rw-r--r-- | test/knot-data/knot.conf | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf new file mode 100644 index 0000000..b925812 --- /dev/null +++ b/test/knot-data/knot.conf @@ -0,0 +1,119 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +server: + rundir: "/run/knot" + user: knot:knot + listen: 10.0.0.1@53 + listen: fd00:dead:beef:cafe::1@53 + +log: + - target: syslog + any: info + +database: + storage: "/var/lib/knot" + +acl: + - id: update_acl + address: 10.0.0.0/24 + address: fd00:dead:beef:cafe::/64 + action: update + +remote: + - id: parent_zone_server + address: 10.0.0.1@53 + address: fd00:dead:beef:cafe::1@53 + +submission: + - id: parent_zone_sbm + check-interval: 2s + parent: [parent_zone_server] + +# Auto ZSK/KSK rollover for DNSSEC-enabled zones + pushing the respective DS +# records to the parent zone +policy: + - id: auto_rollover + algorithm: ECDSAP256SHA256 + cds-cdnskey-publish: always + ds-push: parent_zone_server + ksk-lifetime: 365d + ksk-submission: parent_zone_sbm + propagation-delay: 1s + signing-threads: 4 + zone-max-ttl: 1s + zsk-lifetime: 60d + +# Same as auto_rollover, but with NSEC3 turned on +policy: + - id: auto_rollover_nsec3 + algorithm: ECDSAP256SHA256 + cds-cdnskey-publish: always + ds-push: parent_zone_server + ksk-lifetime: 365d + ksk-submission: parent_zone_sbm + nsec3-iterations: 0 + nsec3: on + propagation-delay: 1s + signing-threads: 4 + zone-max-ttl: 1s + zsk-lifetime: 60d + +policy: + - id: untrusted + cds-cdnskey-publish: none + +# Manual ZSK/KSK management +policy: + - id: manual + manual: on + +# Sign everything by default and propagate the respective DS records to the parent +template: + - id: default + acl: update_acl + dnssec-policy: auto_rollover + dnssec-signing: on + file: "%s.zone" + semantic-checks: on + storage: "/var/lib/knot/zones" + +# A template for unsigned zones (i.e. without DNSSEC) +template: + - id: unsigned + dnssec-signing: off + file: "%s.zone" + semantic-checks: on + storage: "/var/lib/knot/zones" + +zone: + # Create our own DNSSEC-aware root zone, so we can test the whole chain of + # trust. This needs a ZSK/KSK keypair to be generated before running knot + + # adding the respective keys to resolved's trust anchor store (see the + # test script for the setup steps). + - domain: . + dnssec-policy: manual + file: "root.zone" + + # Turn NSEC3 on for the test. zone to spice things up + - domain: test + dnssec-policy: auto_rollover_nsec3 + + # A fully (pre-)signed zone + - domain: signed.test + + # A fully (online)-signed zone + # See: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#mod-onlinesign + # Note: ds-push is not supported in mod-onlinesign, so we have to push + # the DS records to the parent zone manually (see the test script) + - domain: onlinesign.test + module: mod-onlinesign + dnssec-signing: off + + # Signed zone without propagated DS records to test the allow-downgrade + # feature + - domain: untrusted.test + dnssec-policy: untrusted + + # An unsigned zone + - domain: unsigned.test + template: unsigned |