Diffstat (limited to '')
-rw-r--r-- | test/knot-data/knot.conf | 119 | ||||
-rw-r--r-- | test/knot-data/zones/onlinesign.test.zone | 27 | ||||
-rw-r--r-- | test/knot-data/zones/root.zone | 16 | ||||
-rw-r--r-- | test/knot-data/zones/signed.test.zone | 73 | ||||
-rw-r--r-- | test/knot-data/zones/test.zone | 21 | ||||
-rw-r--r-- | test/knot-data/zones/unsigned.test.zone | 23 | ||||
-rw-r--r-- | test/knot-data/zones/untrusted.test.zone | 26 |
7 files changed, 305 insertions, 0 deletions
diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf
new file mode 100644
index 0000000..b925812
--- /dev/null
+++ b/test/knot-data/knot.conf
@@ -0,0 +1,119 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+server:
+ rundir: "/run/knot"
+ user: knot:knot
+ listen: 10.0.0.1@53
+ listen: fd00:dead:beef:cafe::1@53
+
+log:
+ - target: syslog
+ any: info
+
+database:
+ storage: "/var/lib/knot"
+
+acl:
+ - id: update_acl
+ address: 10.0.0.0/24
+ address: fd00:dead:beef:cafe::/64
+ action: update
+
+remote:
+ - id: parent_zone_server
+ address: 10.0.0.1@53
+ address: fd00:dead:beef:cafe::1@53
+
+submission:
+ - id: parent_zone_sbm
+ check-interval: 2s
+ parent: [parent_zone_server]
+
+# Auto ZSK/KSK rollover for DNSSEC-enabled zones + pushing the respective DS
+# records to the parent zone
+policy:
+ - id: auto_rollover
+ algorithm: ECDSAP256SHA256
+ cds-cdnskey-publish: always
+ ds-push: parent_zone_server
+ ksk-lifetime: 365d
+ ksk-submission: parent_zone_sbm
+ propagation-delay: 1s
+ signing-threads: 4
+ zone-max-ttl: 1s
+ zsk-lifetime: 60d
+
+# Same as auto_rollover, but with NSEC3 turned on
+policy:
+ - id: auto_rollover_nsec3
+ algorithm: ECDSAP256SHA256
+ cds-cdnskey-publish: always
+ ds-push: parent_zone_server
+ ksk-lifetime: 365d
+ ksk-submission: parent_zone_sbm
+ nsec3-iterations: 0
+ nsec3: on
+ propagation-delay: 1s
+ signing-threads: 4
+ zone-max-ttl: 1s
+ zsk-lifetime: 60d
+
+policy:
+ - id: untrusted
+ cds-cdnskey-publish: none
+
+# Manual ZSK/KSK management
+policy:
+ - id: manual
+ manual: on
+
+# Sign everything by default and propagate the respective DS records to the parent
+template:
+ - id: default
+ acl: update_acl
+ dnssec-policy: auto_rollover
+ dnssec-signing: on
+ file: "%s.zone"
+ semantic-checks: on
+ storage: "/var/lib/knot/zones"
+
+# A template for unsigned zones (i.e. without DNSSEC)
+template:
+ - id: unsigned
+ dnssec-signing: off
+ file: "%s.zone"
+ semantic-checks: on
+ storage: "/var/lib/knot/zones"
+
+zone:
+ # Create our own DNSSEC-aware root zone, so we can test the whole chain of
+ # trust. This needs a ZSK/KSK keypair to be generated before running knot +
+ # adding the respective keys to resolved's trust anchor store (see the
+ # test script for the setup steps).
+ - domain: .
+ dnssec-policy: manual
+ file: "root.zone"
+
+ # Turn NSEC3 on for the test. zone to spice things up
+ - domain: test
+ dnssec-policy: auto_rollover_nsec3
+
+ # A fully (pre-)signed zone
+ - domain: signed.test
+
+ # A fully (online)-signed zone
+ # See: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#mod-onlinesign
+ # Note: ds-push is not supported in mod-onlinesign, so we have to push
+ # the DS records to the parent zone manually (see the test script)
+ - domain: onlinesign.test
+ module: mod-onlinesign
+ dnssec-signing: off
+
+ # Signed zone without propagated DS records to test the allow-downgrade
+ # feature
+ - domain: untrusted.test
+ dnssec-policy: untrusted
+
+ # An unsigned zone
+ - domain: unsigned.test
+ template: unsigned
diff --git a/test/knot-data/zones/onlinesign.test.zone b/test/knot-data/zones/onlinesign.test.zone
new file mode 100644
index 0000000..c8662fa
--- /dev/null
+++ b/test/knot-data/zones/onlinesign.test.zone
@@ -0,0 +1,27 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN onlinesign.test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+ NS ns1.unsigned.test.
+
+ TXT "hello from onlinesign"
+
+*.wild TXT "this is an onlinesign wildcard"
+
+; No A/AAAA record for the $ORIGIN
+sub A 10.0.0.133
+secondsub A 10.0.0.134
+
+dual A 10.0.0.135
+dual AAAA fd00:dead:beef:cafe::135
+
+ipv6 AAAA fd00:dead:beef:cafe::136
diff --git a/test/knot-data/zones/root.zone b/test/knot-data/zones/root.zone
new file mode 100644
index 0000000..f601e86
--- /dev/null
+++ b/test/knot-data/zones/root.zone
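Review bot: The `update_acl` entry near the top of the knot.conf hunk grants `action: update` to the whole 10.0.0.0/24 and fd00:dead:beef:cafe::/64 by source address alone, with no `key:` reference, and the `default` template attaches it via `acl: update_acl` to every zone that does not pick another template, which as far as I can tell includes the root zone. That is what lets `ds-push` land DS records in the parent during the test, but nothing in the file says it is a test-network-only choice, so a reader who reuses the template gets unauthenticated DDNS on all zones. I would add above the `acl:` section `# Test-only: source-address ACL with no TSIG key; any host on the test subnet may update every zone that uses the default template` so the intent is explicit.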
@@ -0,0 +1,16 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 300
+. IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 20220416 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+. NS ns1.unsigned.test
+; NS glue records
+ns1.unsigned.test A 10.0.0.1
+ns1.unsigned.test AAAA fd00:dead:beef:cafe::1
+
+test NS ns1.unsigned.test
diff --git a/test/knot-data/zones/signed.test.zone b/test/knot-data/zones/signed.test.zone
new file mode 100644
index 0000000..a2baac4
--- /dev/null
+++ b/test/knot-data/zones/signed.test.zone
@@ -0,0 +1,73 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN signed.test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+ NS ns1.unsigned.test.
+
+*.wild TXT "this is a wildcard"
+
+@ MX 10 mail.signed.test.
+
+ A 10.0.0.10
+mail A 10.0.0.11
+mail AAAA fd00:dead:beef:cafe::11
+
+; https://github.com/systemd/systemd/issues/22002
+dupe A 10.0.0.12
+dupe A 10.0.0.13
+dupe-ipv6 AAAA fd00:dead:beef:cafe::12
+dupe-ipv6 AAAA fd00:dead:beef:cafe::13
+dupe-mixed A 10.0.0.15
+dupe-mixed A 10.0.0.16
+dupe-mixed A 10.0.0.17
+dupe-mixed AAAA fd00:dead:beef:cafe::15
+dupe-mixed AAAA fd00:dead:beef:cafe::16
+dupe-mixed AAAA fd00:dead:beef:cafe::17
+
+; CNAME_REDIRECTS_MAX is 16, so let's test something close to that
+cname-chain CNAME follow1.signed.test.
+follow1 CNAME follow2.signed.test.
+follow2 CNAME follow3.nested.signed.test.
+follow3.nested CNAME follow4.signed.test.
+follow4 CNAME follow5.a.b.c.d.signed.test.
+follow5.a.b.c.d CNAME follow6.signed.test.
+follow6 CNAME follow7.what.is.love.signed.test.
+follow7.what.is.love CNAME follow8.signed.test.
+follow8 CNAME follow9.almost.there.signed.test.
+follow9.almost.there CNAME follow10.so.close.signed.test.
+follow10.so.close CNAME follow11.yet.so.far.signed.test.
+follow11.yet.so.far CNAME follow12.getting.hot.signed.test.
+follow12.getting.hot CNAME follow13.almost.final.signed.test.
+follow13.almost.final CNAME follow14.final.signed.test.
+follow14.final A 10.0.0.14
+
+myservice A 10.0.0.20
+myservice AAAA fd00:dead:beef:cafe::17
+_mysvc._tcp SRV 10 5 1234 myservice
+
+_invalidsvc._udp SRV 5 5 1111 invalidservice
+
+_untrustedsvc._udp SRV 5 5 1111 myservice.untrusted.test.
+
+; OPENPGPKEY RR for mr.smith@signed.test
+; The hash was generated using `echo -ne mr.smith | sha256sum | head -c56`
+; and exported via `gpg --export mr.smith | base64`
+5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey OPENPGPKEY (
+ mDMEYshhzhYJKwYBBAHaRw8BAQdAuU2RxKaycSdaR5YZ/q+/yoHeil/1WNRDVbpjPSd6QBa0GW1y
+ LnNtaXRoQHNpZ25lZC50ZXN0LnpvbmWImQQTFggAQRYhBIOXLJwlwowvXQVeJ3d9yvMKUDBWBQJi
+ yGHOAhsDBQkDwmcABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEHd9yvMKUDBWo6MA/2oC
+ zdnzMlK9gM5bNCFfPyagJfFfv7fW1l7WXTve6FJtAP0faW24ahE1okjmrsTUwqZHvDThysW5zTSt
+ j49S3JQDA7g4BGLIYc4SCisGAQQBl1UBBQEBB0CuNcTAt5AUE3seFN/Gm2euC+8dgtztyzoO/78K
+ ictFLAMBCAeIeAQYFggAIBYhBIOXLJwlwowvXQVeJ3d9yvMKUDBWBQJiyGHOAhsMAAoJEHd9yvMK
+ UDBWtxkA/jlbUgHpSoTKFNNTeXYbTz9jnoupe9eT4O3tU55ofwO7AQCa5ntSIuzDJ1E2iy7oOLOZ
+ m2ocNqpC7SULHhSKYfUWDg==
+)
diff --git a/test/knot-data/zones/test.zone b/test/knot-data/zones/test.zone
new file mode 100644
index 0000000..ba5fceb
--- /dev/null
+++ b/test/knot-data/zones/test.zone
@@ -0,0 +1,21 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+@ NS ns1.unsigned
+; NS glue records
+ns1.unsigned A 10.0.0.1
+ns1.unsigned AAAA fd00:dead:beef:cafe::1
+
+onlinesign NS ns1.unsigned
+signed NS ns1.unsigned
+unsigned NS ns1.unsigned
diff --git a/test/knot-data/zones/unsigned.test.zone b/test/knot-data/zones/unsigned.test.zone
new file mode 100644
index 0000000..ffa70d6
--- /dev/null
+++ b/test/knot-data/zones/unsigned.test.zone
@@ -0,0 +1,23 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN unsigned.test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+@ NS ns1
+ns1 A 10.0.0.1
+ns1 AAAA fd00:dead:beef:cafe::1
+
+@ MX 15 mail.unsigned.test.
+
+ A 10.0.0.101
+ AAAA fd00:dead:beef:cafe::101
+mail A 10.0.0.111
+stale1 1 A 10.0.0.112
diff --git a/test/knot-data/zones/untrusted.test.zone b/test/knot-data/zones/untrusted.test.zone
new file mode 100644
index 0000000..a0dca62
--- /dev/null
+++ b/test/knot-data/zones/untrusted.test.zone
@@ -0,0 +1,26 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN untrusted.test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+@ NS ns1.unsigned.test.
+
+*.wild TXT "this is an untrusted wildcard"
+
+@ MX 10 mail.untrusted.test.
+
+ A 10.0.0.121
+ AAAA fd00:dead:beef:cafe::121
+mail A 10.0.0.122
+
+myservice A 10.0.0.123
+ AAAA fd00:dead:beef:cafe::123
+_mysvc._tcp SRV 10 5 1234 myservice
|