Diffstat (limited to '')
-rw-r--r-- | test/knot-data/knot.conf | 116 | ||||
-rw-r--r-- | test/knot-data/zones/onlinesign.test.zone | 22 | ||||
-rw-r--r-- | test/knot-data/zones/root.zone | 14 | ||||
-rw-r--r-- | test/knot-data/zones/signed.test.zone | 42 | ||||
-rw-r--r-- | test/knot-data/zones/test.zone | 19 | ||||
-rw-r--r-- | test/knot-data/zones/unsigned.test.zone | 20 | ||||
-rw-r--r-- | test/knot-data/zones/untrusted.test.zone | 21 |
7 files changed, 254 insertions, 0 deletions
diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf
new file mode 100644
index 0000000..e3de69d
--- /dev/null
+++ b/test/knot-data/knot.conf
@@ -0,0 +1,116 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+server:
+ rundir: "/run/knot"
+ user: knot:knot
+ listen: 10.0.0.1@53
+
+log:
+ - target: syslog
+ any: info
+
+database:
+ storage: "/var/lib/knot"
+
+acl:
+ - id: update_acl
+ address: 10.0.0.0/24
+ action: update
+
+remote:
+ - id: parent_zone_server
+ address: 10.0.0.1@53
+
+submission:
+ - id: parent_zone_sbm
+ check-interval: 2s
+ parent: [parent_zone_server]
+
+# Auto ZSK/KSK rollover for DNSSEC-enabled zones + pushing the respective DS
+# records to the parent zone
+policy:
+ - id: auto_rollover
+ algorithm: ECDSAP256SHA256
+ cds-cdnskey-publish: always
+ ds-push: parent_zone_server
+ ksk-lifetime: 365d
+ ksk-submission: parent_zone_sbm
+ propagation-delay: 1s
+ signing-threads: 4
+ zone-max-ttl: 1s
+ zsk-lifetime: 60d
+
+# Same as auto_rollover, but with NSEC3 turned on
+policy:
+ - id: auto_rollover_nsec3
+ algorithm: ECDSAP256SHA256
+ cds-cdnskey-publish: always
+ ds-push: parent_zone_server
+ ksk-lifetime: 365d
+ ksk-submission: parent_zone_sbm
+ nsec3: on
+ nsec3-iterations: 10
+ propagation-delay: 1s
+ signing-threads: 4
+ zone-max-ttl: 1s
+ zsk-lifetime: 60d
+
+policy:
+ - id: untrusted
+ cds-cdnskey-publish: none
+
+# Manual ZSK/KSK management
+policy:
+ - id: manual
+ manual: on
+
+# Sign everything by default and propagate the respective DS records to the parent
+template:
+ - id: default
+ acl: update_acl
+ dnssec-policy: auto_rollover
+ dnssec-signing: on
+ file: "%s.zone"
+ semantic-checks: on
+ storage: "/var/lib/knot/zones"
+
+# A template for unsigned zones (i.e. without DNSSEC)
+template:
+ - id: unsigned
+ dnssec-signing: off
+ file: "%s.zone"
+ semantic-checks: on
+ storage: "/var/lib/knot/zones"
+
+zone:
+ # Create our own DNSSEC-aware root zone, so we can test the whole chain of
+ # trust. This needs a ZSK/KSK keypair to be generated before running knot +
+ # adding the respective keys to resolved's trust anchor store (see the
+ # test script for the setup steps).
+ - domain: .
+ dnssec-policy: manual
+ file: "root.zone"
+
+ # Turn NSEC3 on for the test. zone to spice things up
+ - domain: test
+ dnssec-policy: auto_rollover_nsec3
+
+ # A fully (pre-)signed zone
+ - domain: signed.test
+
+ # A fully (online)-signed zone
+ # See: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#mod-onlinesign
+ # Note: ds-push is not supported in mod-onlinesign, so we have to push
+ the DS records to the parent zone manually (see the test script)
+ - domain: onlinesign.test
+ module: mod-onlinesign
+ dnssec-signing: off
+
+ # Signed zone without propagated DS records to test the allow-downgrade
+ # feature
+ - domain: untrusted.test
+ dnssec-policy: untrusted
+
+ # An unsigned zone
+ - domain: unsigned.test
+ template: unsigned
diff --git a/test/knot-data/zones/onlinesign.test.zone b/test/knot-data/zones/onlinesign.test.zone
new file mode 100644
index 0000000..c12c6b3
--- /dev/null
+++ b/test/knot-data/zones/onlinesign.test.zone
@@ -0,0 +1,22 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN onlinesign.test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+ NS ns1.unsigned.test.
+
+ TXT "hello from onlinesign"
+
+*.wild TXT "this is an onlinesign wildcard"
+
+; No A/AAAA record for the $ORIGIN
+sub A 10.0.0.133
+secondsub A 10.0.0.134
diff --git a/test/knot-data/zones/root.zone b/test/knot-data/zones/root.zone
new file mode 100644
index 0000000..72439fd
--- /dev/null
+++ b/test/knot-data/zones/root.zone
@@ -0,0 +1,14 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 300
+. IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 20220416 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+. NS ns1.unsigned.test
+ns1.unsigned.test A 10.0.0.1
+
+test NS ns1.unsigned.test
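Review bot: The `update_acl` entry (`address: 10.0.0.0/24`, `action: update`) authorizes dynamic updates from the whole test network without a `key:` binding, and the `default` template attaches it to every zone including the root; that is presumably what the test script relies on for `ds-push`, but nothing in the file says so. A one-line comment above the `acl:` block, `# Test-only: unauthenticated DDNS from the test network, needed so ds-push can update the parent zones`, would make the intent explicit. Separately, `nsec3-iterations: 10` in `auto_rollover_nsec3` is above the RFC 9276 recommendation of 0; if the non-zero value is deliberate (e.g. to exercise the resolver's NSEC3 iteration handling) a comment saying so would help, otherwise `nsec3-iterations: 0`. The comment continuation `the DS records to the parent zone manually (see the test script)` under the onlinesign zone shows no leading `#` on this page; if that is not a rendering artifact, the line is invalid YAML and knot will reject the config.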
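Review bot: The `test NS ns1.unsigned.test` delegation at the end of the hunk carries no DS record, so the chain of trust from the root into `test.` exists only because the `auto_rollover_nsec3` policy's `ds-push` updates this zone at runtime; a comment on that line, `; DS for test. is pushed here dynamically by knot (ds-push), not kept in this file`, would make the file self-explanatory. It is also worth noting next to `ns1.unsigned.test A 10.0.0.1` that this glue is what every delegation in the test tree ultimately resolves through.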
diff --git a/test/knot-data/zones/signed.test.zone b/test/knot-data/zones/signed.test.zone
new file mode 100644
index 0000000..38d8e2a
--- /dev/null
+++ b/test/knot-data/zones/signed.test.zone
@@ -0,0 +1,42 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN signed.test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+ NS ns1.unsigned.test.
+
+*.wild TXT "this is a wildcard"
+
+@ MX 10 mail.signed.test.
+
+ A 10.0.0.10
+mail A 10.0.0.11
+
+; https://github.com/systemd/systemd/issues/22002
+dupe A 10.0.0.12
+dupe A 10.0.0.13
+
+; CNAME_REDIRECTS_MAX is 16, so let's test something close to that
+cname-chain CNAME follow1.signed.test.
+follow1 CNAME follow2.signed.test.
+follow2 CNAME follow3.nested.signed.test.
+follow3.nested CNAME follow4.signed.test.
+follow4 CNAME follow5.a.b.c.d.signed.test.
+follow5.a.b.c.d CNAME follow6.signed.test.
+follow6 CNAME follow7.what.is.love.signed.test.
+follow7.what.is.love CNAME follow8.signed.test.
+follow8 CNAME follow9.almost.there.signed.test.
+follow9.almost.there CNAME follow10.so.close.signed.test.
+follow10.so.close CNAME follow11.yet.so.far.signed.test.
+follow11.yet.so.far CNAME follow12.getting.hot.signed.test.
+follow12.getting.hot CNAME follow13.almost.final.signed.test.
+follow13.almost.final CNAME follow14.final.signed.test.
+follow14.final A 10.0.0.14
diff --git a/test/knot-data/zones/test.zone b/test/knot-data/zones/test.zone
new file mode 100644
index 0000000..6cc2633
--- /dev/null
+++ b/test/knot-data/zones/test.zone
@@ -0,0 +1,19 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+@ NS ns1.unsigned
+ns1.signed A 10.0.0.1
+
+onlinesign NS ns1.unsigned
+signed NS ns1.unsigned
+unsigned NS ns1.unsigned
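Review bot: The comment `; CNAME_REDIRECTS_MAX is 16, so let's test something close to that` leaves the reader to count the chain; it is 14 CNAME records from `cname-chain` to `follow13.almost.final` before the terminal A record at `follow14.final`. Stating that explicitly, `; 14 CNAMEs deep (CNAME_REDIRECTS_MAX is 16)`, spares the recount whenever the limit or the chain changes.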
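Review bot: The glue record `ns1.signed A 10.0.0.1` does not match any nameserver named in this zone: all four NS records point at `ns1.unsigned` (i.e. `ns1.unsigned.test.`), which is in-bailiwick for the `unsigned` delegation and therefore needs its glue in test.zone. With `semantic-checks: on` in knot.conf, Knot may at least warn about the missing glue, and a resolver following the `unsigned` delegation has to fall back to the glue in root.zone. The line should presumably read `ns1.unsigned A 10.0.0.1`; if `ns1.signed` was intended as a second nameserver, the corresponding `NS ns1.signed` record is missing instead.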
diff --git a/test/knot-data/zones/unsigned.test.zone b/test/knot-data/zones/unsigned.test.zone
new file mode 100644
index 0000000..87d9437
--- /dev/null
+++ b/test/knot-data/zones/unsigned.test.zone
@@ -0,0 +1,20 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN unsigned.test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+@ NS ns1.unsigned.test.
+ns1 A 10.0.0.1
+
+@ MX 15 mail.unsigned.test.
+
+ A 10.0.0.101
+mail A 10.0.0.111
diff --git a/test/knot-data/zones/untrusted.test.zone b/test/knot-data/zones/untrusted.test.zone
new file mode 100644
index 0000000..6d29bd7
--- /dev/null
+++ b/test/knot-data/zones/untrusted.test.zone
@@ -0,0 +1,21 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN untrusted.test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+@ NS ns1.unsigned.test.
+
+*.wild TXT "this is an untrusted wildcard"
+
+@ MX 10 mail.untrusted.test.
+
+ A 10.0.0.121
+mail A 10.0.0.121
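Review bot: `mail A 10.0.0.121` at the end of the hunk reuses the apex address from the line above, whereas the sibling zones give the MX target its own address (`10.0.0.10`/`10.0.0.11` in signed.test, `10.0.0.101`/`10.0.0.111` in unsigned.test); this looks like a copy-and-paste slip rather than intent. If a distinct address is wanted, any unused test address works, e.g. `mail A 10.0.0.122` (constructed value); if the sharing is deliberate, a short comment saying so would stop the next reader from "fixing" it.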