summaryrefslogtreecommitdiffstats
path: root/test/knot-data/knot.conf
diff options
context:
space:
mode:
Diffstat (limited to 'test/knot-data/knot.conf')
-rw-r--r--test/knot-data/knot.conf119
1 files changed, 119 insertions, 0 deletions
diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf
new file mode 100644
index 0000000..b925812
--- /dev/null
+++ b/test/knot-data/knot.conf
@@ -0,0 +1,119 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+server:
+ rundir: "/run/knot"
+ user: knot:knot
+ listen: 10.0.0.1@53
+ listen: fd00:dead:beef:cafe::1@53
+
+log:
+ - target: syslog
+ any: info
+
+database:
+ storage: "/var/lib/knot"
+
+acl:
+ - id: update_acl
+ address: 10.0.0.0/24
+ address: fd00:dead:beef:cafe::/64
+ action: update
+
+remote:
+ - id: parent_zone_server
+ address: 10.0.0.1@53
+ address: fd00:dead:beef:cafe::1@53
+
+submission:
+ - id: parent_zone_sbm
+ check-interval: 2s
+ parent: [parent_zone_server]
+
+# Auto ZSK/KSK rollover for DNSSEC-enabled zones + pushing the respective DS
+# records to the parent zone
+policy:
+ - id: auto_rollover
+ algorithm: ECDSAP256SHA256
+ cds-cdnskey-publish: always
+ ds-push: parent_zone_server
+ ksk-lifetime: 365d
+ ksk-submission: parent_zone_sbm
+ propagation-delay: 1s
+ signing-threads: 4
+ zone-max-ttl: 1s
+ zsk-lifetime: 60d
+
+# Same as auto_rollover, but with NSEC3 turned on
+policy:
+ - id: auto_rollover_nsec3
+ algorithm: ECDSAP256SHA256
+ cds-cdnskey-publish: always
+ ds-push: parent_zone_server
+ ksk-lifetime: 365d
+ ksk-submission: parent_zone_sbm
+ nsec3-iterations: 0
+ nsec3: on
+ propagation-delay: 1s
+ signing-threads: 4
+ zone-max-ttl: 1s
+ zsk-lifetime: 60d
+
+policy:
+ - id: untrusted
+ cds-cdnskey-publish: none
+
+# Manual ZSK/KSK management
+policy:
+ - id: manual
+ manual: on
+
+# Sign everything by default and propagate the respective DS records to the parent
+template:
+ - id: default
+ acl: update_acl
+ dnssec-policy: auto_rollover
+ dnssec-signing: on
+ file: "%s.zone"
+ semantic-checks: on
+ storage: "/var/lib/knot/zones"
+
+# A template for unsigned zones (i.e. without DNSSEC)
+template:
+ - id: unsigned
+ dnssec-signing: off
+ file: "%s.zone"
+ semantic-checks: on
+ storage: "/var/lib/knot/zones"
+
+zone:
+ # Create our own DNSSEC-aware root zone, so we can test the whole chain of
+ # trust. This needs a ZSK/KSK keypair to be generated before running knot +
+ # adding the respective keys to resolved's trust anchor store (see the
+ # test script for the setup steps).
+ - domain: .
+ dnssec-policy: manual
+ file: "root.zone"
+
+ # Turn NSEC3 on for the test. zone to spice things up
+ - domain: test
+ dnssec-policy: auto_rollover_nsec3
+
+ # A fully (pre-)signed zone
+ - domain: signed.test
+
+ # A fully (online)-signed zone
+ # See: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#mod-onlinesign
+ # Note: ds-push is not supported in mod-onlinesign, so we have to push
+ # the DS records to the parent zone manually (see the test script)
+ - domain: onlinesign.test
+ module: mod-onlinesign
+ dnssec-signing: off
+
+ # Signed zone without propagated DS records to test the allow-downgrade
+ # feature
+ - domain: untrusted.test
+ dnssec-policy: untrusted
+
+ # An unsigned zone
+ - domain: unsigned.test
+ template: unsigned