# SPDX-License-Identifier: LGPL-2.1-or-later server: rundir: "/run/knot" user: knot:knot listen: 10.0.0.1@53 listen: fd00:dead:beef:cafe::1@53 log: - target: syslog any: info database: storage: "/var/lib/knot" acl: - id: update_acl address: 10.0.0.0/24 address: fd00:dead:beef:cafe::/64 action: update - id: transfer_acl address: 10.0.0.0/24 address: fd00:dead:beef:cafe::/64 action: transfer remote: - id: parent_zone_server address: 10.0.0.1@53 address: fd00:dead:beef:cafe::1@53 - id: forwarded address: 10.99.0.1@53 submission: - id: parent_zone_sbm check-interval: 2s parent: [parent_zone_server] policy: # Auto ZSK/KSK rollover for DNSSEC-enabled zones + pushing the respective DS # records to the parent zone - id: auto_rollover algorithm: ECDSAP256SHA256 cds-cdnskey-publish: always ds-push: parent_zone_server ksk-lifetime: 365d ksk-submission: parent_zone_sbm propagation-delay: 1s signing-threads: 4 zone-max-ttl: 1s zsk-lifetime: 60d # Same as auto_rollover, but with NSEC3 turned on - id: auto_rollover_nsec3 algorithm: ECDSAP256SHA256 cds-cdnskey-publish: always ds-push: parent_zone_server ksk-lifetime: 365d ksk-submission: parent_zone_sbm nsec3-iterations: 0 nsec3: on propagation-delay: 1s signing-threads: 4 zone-max-ttl: 1s zsk-lifetime: 60d - id: untrusted cds-cdnskey-publish: none # Manual ZSK/KSK management - id: manual manual: on mod-dnsproxy: - id: forwarded remote: forwarded fallback: off template: # Sign everything by default and propagate the respective DS records to the parent - id: default acl: update_acl dnssec-policy: auto_rollover dnssec-signing: on file: "%s.zone" semantic-checks: on storage: "/var/lib/knot/zones" # A template for unsigned zones (i.e. without DNSSEC) - id: unsigned dnssec-signing: off file: "%s.zone" semantic-checks: on storage: "/var/lib/knot/zones" - id: forwarded dnssec-signing: off module: mod-dnsproxy/forwarded zonefile-load: none zone: # Create our own DNSSEC-aware root zone, so we can test the whole chain of # trust. This needs a ZSK/KSK keypair to be generated before running knot + # adding the respective keys to resolved's trust anchor store (see the # test script for the setup steps). - domain: . dnssec-policy: manual file: "root.zone" # Turn NSEC3 on for the test. zone to spice things up - domain: test dnssec-policy: auto_rollover_nsec3 # A fully (pre-)signed zone with allowed zone transfers (AXFR/IXFR) - domain: signed.test acl: [update_acl, transfer_acl] # A fully (online)-signed zone # See: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#mod-onlinesign # Note: ds-push is not supported in mod-onlinesign, so we have to push # the DS records to the parent zone manually (see the test script) - domain: onlinesign.test module: mod-onlinesign dnssec-signing: off # Signed zone without propagated DS records to test the allow-downgrade # feature - domain: untrusted.test dnssec-policy: untrusted # An unsigned zone - domain: unsigned.test template: unsigned # Forward all queries for this zone to our dummy test server - domain: forwarded.test template: forwarded