# SPDX-License-Identifier: LGPL-2.1-or-later

server:
    rundir: "/run/knot"
    user: knot:knot
    listen: 10.0.0.1@53
    listen: fd00:dead:beef:cafe::1@53

log:
    - target: syslog
      any: info

database:
    storage: "/var/lib/knot"

acl:
    - id: update_acl
      address: 10.0.0.0/24
      address: fd00:dead:beef:cafe::/64
      action: update

    - id: transfer_acl
      address: 10.0.0.0/24
      address: fd00:dead:beef:cafe::/64
      action: transfer

remote:
    - id: parent_zone_server
      address: 10.0.0.1@53
      address: fd00:dead:beef:cafe::1@53

    - id: forwarded
      address: 10.99.0.1@53

submission:
    - id: parent_zone_sbm
      check-interval: 2s
      parent: [parent_zone_server]

policy:
    # Auto ZSK/KSK rollover for DNSSEC-enabled zones + pushing the respective DS
    # records to the parent zone
    - id: auto_rollover
      algorithm: ECDSAP256SHA256
      cds-cdnskey-publish: always
      ds-push: parent_zone_server
      ksk-lifetime: 365d
      ksk-submission: parent_zone_sbm
      propagation-delay: 1s
      signing-threads: 4
      zone-max-ttl: 1s
      zsk-lifetime: 60d

    # Same as auto_rollover, but with NSEC3 turned on
    - id: auto_rollover_nsec3
      algorithm: ECDSAP256SHA256
      cds-cdnskey-publish: always
      ds-push: parent_zone_server
      ksk-lifetime: 365d
      ksk-submission: parent_zone_sbm
      nsec3-iterations: 0
      nsec3: on
      propagation-delay: 1s
      signing-threads: 4
      zone-max-ttl: 1s
      zsk-lifetime: 60d

    - id: untrusted
      cds-cdnskey-publish: none

    # Manual ZSK/KSK management
    - id: manual
      manual: on

mod-dnsproxy:
  - id: forwarded
    remote: forwarded
    fallback: off

template:
    # Sign everything by default and propagate the respective DS records to the parent
    - id: default
      acl: update_acl
      dnssec-policy: auto_rollover
      dnssec-signing: on
      file: "%s.zone"
      semantic-checks: on
      storage: "/var/lib/knot/zones"

    # A template for unsigned zones (i.e. without DNSSEC)
    - id: unsigned
      dnssec-signing: off
      file: "%s.zone"
      semantic-checks: on
      storage: "/var/lib/knot/zones"

    - id: forwarded
      dnssec-signing: off
      module: mod-dnsproxy/forwarded
      zonefile-load: none

zone:
    # Create our own DNSSEC-aware root zone, so we can test the whole chain of
    # trust. This needs a ZSK/KSK keypair to be generated before running knot +
    # adding the respective keys to resolved's trust anchor store (see the
    # test script for the setup steps).
    - domain: .
      dnssec-policy: manual
      file: "root.zone"

    # Turn NSEC3 on for the test. zone to spice things up
    - domain: test
      dnssec-policy: auto_rollover_nsec3

    # A fully (pre-)signed zone with allowed zone transfers (AXFR/IXFR)
    - domain: signed.test
      acl: [update_acl, transfer_acl]

    # A fully (online)-signed zone
    # See: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#mod-onlinesign
    # Note: ds-push is not supported in mod-onlinesign, so we have to push
    #       the DS records to the parent zone manually (see the test script)
    - domain: onlinesign.test
      module: mod-onlinesign
      dnssec-signing: off

    # Signed zone without propagated DS records to test the allow-downgrade
    # feature
    - domain: untrusted.test
      dnssec-policy: untrusted

    # An unsigned zone
    - domain: unsigned.test
      template: unsigned

    # Forward all queries for this zone to our dummy test server
    - domain: forwarded.test
      template: forwarded