Diffstat (limited to '')
-rw-r--r--test/knot-data/knot.conf119
-rw-r--r--test/knot-data/zones/onlinesign.test.zone27
-rw-r--r--test/knot-data/zones/root.zone16
-rw-r--r--test/knot-data/zones/signed.test.zone73
-rw-r--r--test/knot-data/zones/test.zone21
-rw-r--r--test/knot-data/zones/unsigned.test.zone23
-rw-r--r--test/knot-data/zones/untrusted.test.zone26
7 files changed, 305 insertions, 0 deletions
diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf
new file mode 100644
index 0000000..b925812
--- /dev/null
+++ b/test/knot-data/knot.conf
@@ -0,0 +1,119 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+server:
+ rundir: "/run/knot"
+ user: knot:knot
+ listen: 10.0.0.1@53
+ listen: fd00:dead:beef:cafe::1@53
+
+log:
+ - target: syslog
+ any: info
+
+database:
+ storage: "/var/lib/knot"
+
+acl:
+ - id: update_acl
+ address: 10.0.0.0/24
+ address: fd00:dead:beef:cafe::/64
+ action: update
+
+remote:
+ - id: parent_zone_server
+ address: 10.0.0.1@53
+ address: fd00:dead:beef:cafe::1@53
+
+submission:
+ - id: parent_zone_sbm
+ check-interval: 2s
+ parent: [parent_zone_server]
+
+# Auto ZSK/KSK rollover for DNSSEC-enabled zones + pushing the respective DS
+# records to the parent zone
+policy:
+ - id: auto_rollover
+ algorithm: ECDSAP256SHA256
+ cds-cdnskey-publish: always
+ ds-push: parent_zone_server
+ ksk-lifetime: 365d
+ ksk-submission: parent_zone_sbm
+ propagation-delay: 1s
+ signing-threads: 4
+ zone-max-ttl: 1s
+ zsk-lifetime: 60d
+
+# Same as auto_rollover, but with NSEC3 turned on
+policy:
+ - id: auto_rollover_nsec3
+ algorithm: ECDSAP256SHA256
+ cds-cdnskey-publish: always
+ ds-push: parent_zone_server
+ ksk-lifetime: 365d
+ ksk-submission: parent_zone_sbm
+ nsec3-iterations: 0
+ nsec3: on
+ propagation-delay: 1s
+ signing-threads: 4
+ zone-max-ttl: 1s
+ zsk-lifetime: 60d
+
+policy:
+ - id: untrusted
+ cds-cdnskey-publish: none
+
+# Manual ZSK/KSK management
+policy:
+ - id: manual
+ manual: on
+
+# Sign everything by default and propagate the respective DS records to the parent
+template:
+ - id: default
+ acl: update_acl
+ dnssec-policy: auto_rollover
+ dnssec-signing: on
+ file: "%s.zone"
+ semantic-checks: on
+ storage: "/var/lib/knot/zones"
+
+# A template for unsigned zones (i.e. without DNSSEC)
+template:
+ - id: unsigned
+ dnssec-signing: off
+ file: "%s.zone"
+ semantic-checks: on
+ storage: "/var/lib/knot/zones"
+
+zone:
+ # Create our own DNSSEC-aware root zone, so we can test the whole chain of
+ # trust. This needs a ZSK/KSK keypair to be generated before running knot +
+ # adding the respective keys to resolved's trust anchor store (see the
+ # test script for the setup steps).
+ - domain: .
+ dnssec-policy: manual
+ file: "root.zone"
+
+ # Turn NSEC3 on for the test. zone to spice things up
+ - domain: test
+ dnssec-policy: auto_rollover_nsec3
+
+ # A fully (pre-)signed zone
+ - domain: signed.test
+
+ # A fully (online)-signed zone
+ # See: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#mod-onlinesign
+ # Note: ds-push is not supported in mod-onlinesign, so we have to push
+ # the DS records to the parent zone manually (see the test script)
+ - domain: onlinesign.test
+ module: mod-onlinesign
+ dnssec-signing: off
+
+ # Signed zone without propagated DS records to test the allow-downgrade
+ # feature
+ - domain: untrusted.test
+ dnssec-policy: untrusted
+
+ # An unsigned zone
+ - domain: unsigned.test
+ template: unsigned
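Review bot: The repeated `listen:` keys under `server:` (and the repeated `address:` keys in `update_acl` and `parent_zone_server`) are valid in Knot's own configuration syntax, where a repeated key appends a value, but to any YAML 1.2 linter or generic parser they are duplicate keys and only the last value survives; the flow-list form that Knot also accepts, `listen: [10.0.0.1@53, fd00:dead:beef:cafe::1@53]`, expresses the same thing and lints cleanly. Separately, `update_acl` grants `action: update` to the whole 10.0.0.0/24 and fd00:dead:beef:cafe::/64 ranges with no `key:` binding, and the `default` template attaches it to every zone including the root; that is presumably acceptable on an isolated test network, but a comment above the acl such as `# Unauthenticated dynamic updates are deliberate: this server only ever sees traffic from the isolated test network` would record the assumption. Note also that the `unsigned` template does not carry `acl: update_acl`, so updates to unsigned.test will be refused unless that is the intent.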
diff --git a/test/knot-data/zones/onlinesign.test.zone b/test/knot-data/zones/onlinesign.test.zone
new file mode 100644
index 0000000..c8662fa
--- /dev/null
+++ b/test/knot-data/zones/onlinesign.test.zone
@@ -0,0 +1,27 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN onlinesign.test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+ NS ns1.unsigned.test.
+
+ TXT "hello from onlinesign"
+
+*.wild TXT "this is an onlinesign wildcard"
+
+; No A/AAAA record for the $ORIGIN
+sub A 10.0.0.133
+secondsub A 10.0.0.134
+
+dual A 10.0.0.135
+dual AAAA fd00:dead:beef:cafe::135
+
+ipv6 AAAA fd00:dead:beef:cafe::136
diff --git a/test/knot-data/zones/root.zone b/test/knot-data/zones/root.zone
new file mode 100644
index 0000000..f601e86
--- /dev/null
+++ b/test/knot-data/zones/root.zone
@@ -0,0 +1,16 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 300
+. IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 20220416 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+. NS ns1.unsigned.test
+; NS glue records
+ns1.unsigned.test A 10.0.0.1
+ns1.unsigned.test AAAA fd00:dead:beef:cafe::1
+
+test NS ns1.unsigned.test
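Review bot: `. NS ns1.unsigned.test` and `test NS ns1.unsigned.test` leave the RDATA names relative, while every other zone file in this series writes them fully qualified (`ns1.unsigned.test.`). Because the origin of this file is the root, the relative form expands to the same name, so this is a consistency point only; the trailing dots would make the intent explicit and keep the files uniform.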
diff --git a/test/knot-data/zones/signed.test.zone b/test/knot-data/zones/signed.test.zone
new file mode 100644
index 0000000..a2baac4
--- /dev/null
+++ b/test/knot-data/zones/signed.test.zone
@@ -0,0 +1,73 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN signed.test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+ NS ns1.unsigned.test.
+
+*.wild TXT "this is a wildcard"
+
+@ MX 10 mail.signed.test.
+
+ A 10.0.0.10
+mail A 10.0.0.11
+mail AAAA fd00:dead:beef:cafe::11
+
+; https://github.com/systemd/systemd/issues/22002
+dupe A 10.0.0.12
+dupe A 10.0.0.13
+dupe-ipv6 AAAA fd00:dead:beef:cafe::12
+dupe-ipv6 AAAA fd00:dead:beef:cafe::13
+dupe-mixed A 10.0.0.15
+dupe-mixed A 10.0.0.16
+dupe-mixed A 10.0.0.17
+dupe-mixed AAAA fd00:dead:beef:cafe::15
+dupe-mixed AAAA fd00:dead:beef:cafe::16
+dupe-mixed AAAA fd00:dead:beef:cafe::17
+
+; CNAME_REDIRECTS_MAX is 16, so let's test something close to that
+cname-chain CNAME follow1.signed.test.
+follow1 CNAME follow2.signed.test.
+follow2 CNAME follow3.nested.signed.test.
+follow3.nested CNAME follow4.signed.test.
+follow4 CNAME follow5.a.b.c.d.signed.test.
+follow5.a.b.c.d CNAME follow6.signed.test.
+follow6 CNAME follow7.what.is.love.signed.test.
+follow7.what.is.love CNAME follow8.signed.test.
+follow8 CNAME follow9.almost.there.signed.test.
+follow9.almost.there CNAME follow10.so.close.signed.test.
+follow10.so.close CNAME follow11.yet.so.far.signed.test.
+follow11.yet.so.far CNAME follow12.getting.hot.signed.test.
+follow12.getting.hot CNAME follow13.almost.final.signed.test.
+follow13.almost.final CNAME follow14.final.signed.test.
+follow14.final A 10.0.0.14
+
+myservice A 10.0.0.20
+myservice AAAA fd00:dead:beef:cafe::17
+_mysvc._tcp SRV 10 5 1234 myservice
+
+_invalidsvc._udp SRV 5 5 1111 invalidservice
+
+_untrustedsvc._udp SRV 5 5 1111 myservice.untrusted.test.
+
+; OPENPGPKEY RR for mr.smith@signed.test
+; The hash was generated using `echo -ne mr.smith | sha256sum | head -c56`
+; and exported via `gpg --export mr.smith | base64`
+5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey OPENPGPKEY (
+ mDMEYshhzhYJKwYBBAHaRw8BAQdAuU2RxKaycSdaR5YZ/q+/yoHeil/1WNRDVbpjPSd6QBa0GW1y
+ LnNtaXRoQHNpZ25lZC50ZXN0LnpvbmWImQQTFggAQRYhBIOXLJwlwowvXQVeJ3d9yvMKUDBWBQJi
+ yGHOAhsDBQkDwmcABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEHd9yvMKUDBWo6MA/2oC
+ zdnzMlK9gM5bNCFfPyagJfFfv7fW1l7WXTve6FJtAP0faW24ahE1okjmrsTUwqZHvDThysW5zTSt
+ j49S3JQDA7g4BGLIYc4SCisGAQQBl1UBBQEBB0CuNcTAt5AUE3seFN/Gm2euC+8dgtztyzoO/78K
+ ictFLAMBCAeIeAQYFggAIBYhBIOXLJwlwowvXQVeJ3d9yvMKUDBWBQJiyGHOAhsMAAoJEHd9yvMK
+ UDBWtxkA/jlbUgHpSoTKFNNTeXYbTz9jnoupe9eT4O3tU55ofwO7AQCa5ntSIuzDJ1E2iy7oOLOZ
+ m2ocNqpC7SULHhSKYfUWDg==
+)
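Review bot: `myservice AAAA fd00:dead:beef:cafe::17` reuses the address already assigned to `dupe-mixed` a few lines above, while `myservice A 10.0.0.20` follows the ::20 pattern used elsewhere in the file. This looks like a copy-paste slip, and it would make any test that resolves `myservice` or reverse-maps that address ambiguous, so it likely should read `myservice AAAA fd00:dead:beef:cafe::20`.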
diff --git a/test/knot-data/zones/test.zone b/test/knot-data/zones/test.zone
new file mode 100644
index 0000000..ba5fceb
--- /dev/null
+++ b/test/knot-data/zones/test.zone
@@ -0,0 +1,21 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+@ NS ns1.unsigned
+; NS glue records
+ns1.unsigned A 10.0.0.1
+ns1.unsigned AAAA fd00:dead:beef:cafe::1
+
+onlinesign NS ns1.unsigned
+signed NS ns1.unsigned
+unsigned NS ns1.unsigned
diff --git a/test/knot-data/zones/unsigned.test.zone b/test/knot-data/zones/unsigned.test.zone
new file mode 100644
index 0000000..ffa70d6
--- /dev/null
+++ b/test/knot-data/zones/unsigned.test.zone
@@ -0,0 +1,23 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN unsigned.test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+@ NS ns1
+ns1 A 10.0.0.1
+ns1 AAAA fd00:dead:beef:cafe::1
+
+@ MX 15 mail.unsigned.test.
+
+ A 10.0.0.101
+ AAAA fd00:dead:beef:cafe::101
+mail A 10.0.0.111
+stale1 1 A 10.0.0.112
diff --git a/test/knot-data/zones/untrusted.test.zone b/test/knot-data/zones/untrusted.test.zone
new file mode 100644
index 0000000..a0dca62
--- /dev/null
+++ b/test/knot-data/zones/untrusted.test.zone
@@ -0,0 +1,26 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN untrusted.test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+@ NS ns1.unsigned.test.
+
+*.wild TXT "this is an untrusted wildcard"
+
+@ MX 10 mail.untrusted.test.
+
+ A 10.0.0.121
+ AAAA fd00:dead:beef:cafe::121
+mail A 10.0.0.122
+
+myservice A 10.0.0.123
+ AAAA fd00:dead:beef:cafe::123
+_mysvc._tcp SRV 10 5 1234 myservice