Diffstat (limited to 'test/knot-data/knot.conf')
-rw-r--r-- | test/knot-data/knot.conf | 41 |
1 files changed, 30 insertions, 11 deletions
diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf
index b925812..b8b9e79 100644
--- a/test/knot-data/knot.conf
+++ b/test/knot-data/knot.conf
@@ -19,19 +19,27 @@ acl:
     address: fd00:dead:beef:cafe::/64
     action: update
 
+  - id: transfer_acl
+    address: 10.0.0.0/24
+    address: fd00:dead:beef:cafe::/64
+    action: transfer
+
 remote:
   - id: parent_zone_server
     address: 10.0.0.1@53
     address: fd00:dead:beef:cafe::1@53
 
+  - id: forwarded
+    address: 10.99.0.1@53
+
 submission:
   - id: parent_zone_sbm
     check-interval: 2s
     parent: [parent_zone_server]
 
-# Auto ZSK/KSK rollover for DNSSEC-enabled zones + pushing the respective DS
-# records to the parent zone
 policy:
+  # Auto ZSK/KSK rollover for DNSSEC-enabled zones + pushing the respective DS
+  # records to the parent zone
   - id: auto_rollover
     algorithm: ECDSAP256SHA256
     cds-cdnskey-publish: always
@@ -43,8 +51,7 @@ policy:
     zone-max-ttl: 1s
     zsk-lifetime: 60d
 
-# Same as auto_rollover, but with NSEC3 turned on
-policy:
+  # Same as auto_rollover, but with NSEC3 turned on
   - id: auto_rollover_nsec3
     algorithm: ECDSAP256SHA256
     cds-cdnskey-publish: always
@@ -58,17 +65,20 @@ policy:
     zone-max-ttl: 1s
     zsk-lifetime: 60d
 
-policy:
   - id: untrusted
     cds-cdnskey-publish: none
 
-# Manual ZSK/KSK management
-policy:
+  # Manual ZSK/KSK management
   - id: manual
     manual: on
 
-# Sign everything by default and propagate the respective DS records to the parent
+mod-dnsproxy:
+  - id: forwarded
+    remote: forwarded
+    fallback: off
+
 template:
+  # Sign everything by default and propagate the respective DS records to the parent
   - id: default
     acl: update_acl
     dnssec-policy: auto_rollover
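Review bot: The new `transfer_acl` in the first hunk has no `key:` item, so every host on 10.0.0.0/24 and on fd00:dead:beef:cafe::/64 can pull a full AXFR/IXFR of any zone that references it, authenticated only by source address. That is acceptable for a test fixture, but nothing in the file says so, and this config is the kind of thing that gets copied; I would add above the entry `# Test-only: address-based (no TSIG) zone transfers for the lab subnets — add a key: before reusing this ACL outside tests`. The repeated `address:` lines look like Knot's multi-valued item syntax rather than a duplicate-key mistake, but a generic YAML linter will flag them, so a short comment noting that they are intentional would spare the next reader a false alarm. The `acl:` section this hunk extends starts before the hunk.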
@@ -77,14 +87,18 @@ template:
     semantic-checks: on
     storage: "/var/lib/knot/zones"
 
-# A template for unsigned zones (i.e. without DNSSEC)
-template:
+  # A template for unsigned zones (i.e. without DNSSEC)
   - id: unsigned
     dnssec-signing: off
     file: "%s.zone"
     semantic-checks: on
     storage: "/var/lib/knot/zones"
 
+  - id: forwarded
+    dnssec-signing: off
+    module: mod-dnsproxy/forwarded
+    zonefile-load: none
+
 zone:
   # Create our own DNSSEC-aware root zone, so we can test the whole chain of
   # trust. This needs a ZSK/KSK keypair to be generated before running knot +
@@ -98,8 +112,9 @@ zone:
   - domain: test
     dnssec-policy: auto_rollover_nsec3
 
-  # A fully (pre-)signed zone
+  # A fully (pre-)signed zone with allowed zone transfers (AXFR/IXFR)
   - domain: signed.test
+    acl: [update_acl, transfer_acl]
 
   # A fully (online)-signed zone
   # See: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#mod-onlinesign
@@ -117,3 +132,7 @@ zone:
   # An unsigned zone
   - domain: unsigned.test
     template: unsigned
+
+  # Forward all queries for this zone to our dummy test server
+  - domain: forwarded.test
+    template: forwarded |
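Review bot: In the `signed.test` hunk the zone-level `acl: [update_acl, transfer_acl]` silently re-lists `update_acl`, and the reason is not recorded: as far as I recall, a zone-level item in Knot replaces the template's value rather than extending it, so dropping `update_acl` from this list would turn off dynamic updates for the zone even though the `default` template still names it. I would make that explicit in the comment, e.g. `# Zone-level acl replaces the template's, so update_acl must be repeated here to keep dynamic updates working`. It is also worth a word that `transfer_acl` is address-based with no TSIG key, so anyone on the two lab prefixes can dump the whole signed zone, keys and NSEC3 chain included — fine for a test, but state it. The `zone:` list these hunks edit begins before the first hunk and continues past the last one.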