Diffstat (limited to '')
-rw-r--r--test/knot-data/knot.conf116
-rw-r--r--test/knot-data/zones/onlinesign.test.zone22
-rw-r--r--test/knot-data/zones/root.zone14
-rw-r--r--test/knot-data/zones/signed.test.zone42
-rw-r--r--test/knot-data/zones/test.zone19
-rw-r--r--test/knot-data/zones/unsigned.test.zone20
-rw-r--r--test/knot-data/zones/untrusted.test.zone21
7 files changed, 254 insertions, 0 deletions
diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf
new file mode 100644
index 0000000..e3de69d
--- /dev/null
+++ b/test/knot-data/knot.conf
@@ -0,0 +1,116 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+server:
+ rundir: "/run/knot"
+ user: knot:knot
+ listen: 10.0.0.1@53
+
+log:
+ - target: syslog
+ any: info
+
+database:
+ storage: "/var/lib/knot"
+
+acl:
+ - id: update_acl
+ address: 10.0.0.0/24
+ action: update
+
+remote:
+ - id: parent_zone_server
+ address: 10.0.0.1@53
+
+submission:
+ - id: parent_zone_sbm
+ check-interval: 2s
+ parent: [parent_zone_server]
+
+# Auto ZSK/KSK rollover for DNSSEC-enabled zones + pushing the respective DS
+# records to the parent zone
+policy:
+ - id: auto_rollover
+ algorithm: ECDSAP256SHA256
+ cds-cdnskey-publish: always
+ ds-push: parent_zone_server
+ ksk-lifetime: 365d
+ ksk-submission: parent_zone_sbm
+ propagation-delay: 1s
+ signing-threads: 4
+ zone-max-ttl: 1s
+ zsk-lifetime: 60d
+
+# Same as auto_rollover, but with NSEC3 turned on
+policy:
+ - id: auto_rollover_nsec3
+ algorithm: ECDSAP256SHA256
+ cds-cdnskey-publish: always
+ ds-push: parent_zone_server
+ ksk-lifetime: 365d
+ ksk-submission: parent_zone_sbm
+ nsec3: on
+ nsec3-iterations: 10
+ propagation-delay: 1s
+ signing-threads: 4
+ zone-max-ttl: 1s
+ zsk-lifetime: 60d
+
+policy:
+ - id: untrusted
+ cds-cdnskey-publish: none
+
+# Manual ZSK/KSK management
+policy:
+ - id: manual
+ manual: on
+
+# Sign everything by default and propagate the respective DS records to the parent
+template:
+ - id: default
+ acl: update_acl
+ dnssec-policy: auto_rollover
+ dnssec-signing: on
+ file: "%s.zone"
+ semantic-checks: on
+ storage: "/var/lib/knot/zones"
+
+# A template for unsigned zones (i.e. without DNSSEC)
+template:
+ - id: unsigned
+ dnssec-signing: off
+ file: "%s.zone"
+ semantic-checks: on
+ storage: "/var/lib/knot/zones"
+
+zone:
+ # Create our own DNSSEC-aware root zone, so we can test the whole chain of
+ # trust. This needs a ZSK/KSK keypair to be generated before running knot +
+ # adding the respective keys to resolved's trust anchor store (see the
+ # test script for the setup steps).
+ - domain: .
+ dnssec-policy: manual
+ file: "root.zone"
+
+ # Turn NSEC3 on for the test. zone to spice things up
+ - domain: test
+ dnssec-policy: auto_rollover_nsec3
+
+ # A fully (pre-)signed zone
+ - domain: signed.test
+
+ # A fully (online)-signed zone
+ # See: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#mod-onlinesign
+ # Note: ds-push is not supported in mod-onlinesign, so we have to push
+ # the DS records to the parent zone manually (see the test script)
+ - domain: onlinesign.test
+ module: mod-onlinesign
+ dnssec-signing: off
+
+ # Signed zone without propagated DS records to test the allow-downgrade
+ # feature
+ - domain: untrusted.test
+ dnssec-policy: untrusted
+
+ # An unsigned zone
+ - domain: unsigned.test
+ template: unsigned
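Review bot: The `update_acl` entry (`address: 10.0.0.0/24`, `action: update`) gates dynamic updates by source address only, and because the `default` template attaches it to every zone that does not override `acl`, any host in that /24 can send DDNS updates to those zones, the test root zone included. On an isolated test network this is presumably intentional, but a comment above the `acl:` section would save the next reader from wondering whether a TSIG `key:` was forgotten, e.g. `# Address-only ACL: the test network is isolated, so no TSIG key is used; add a key: entry if this config is ever reused outside the harness.` Separately, the file repeats the `policy:` and `template:` top-level keys; Knot's own parser appears to accept repeated sections, but a generic YAML loader would silently keep only the last one, so a header comment noting that this is Knot configuration rather than plain YAML would help anyone feeding it to other tooling.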
diff --git a/test/knot-data/zones/onlinesign.test.zone b/test/knot-data/zones/onlinesign.test.zone
new file mode 100644
index 0000000..c12c6b3
--- /dev/null
+++ b/test/knot-data/zones/onlinesign.test.zone
@@ -0,0 +1,22 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN onlinesign.test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+ NS ns1.unsigned.test.
+
+ TXT "hello from onlinesign"
+
+*.wild TXT "this is an onlinesign wildcard"
+
+; No A/AAAA record for the $ORIGIN
+sub A 10.0.0.133
+secondsub A 10.0.0.134
diff --git a/test/knot-data/zones/root.zone b/test/knot-data/zones/root.zone
new file mode 100644
index 0000000..72439fd
--- /dev/null
+++ b/test/knot-data/zones/root.zone
@@ -0,0 +1,14 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 300
+. IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 20220416 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+. NS ns1.unsigned.test
+ns1.unsigned.test A 10.0.0.1
+
+test NS ns1.unsigned.test
diff --git a/test/knot-data/zones/signed.test.zone b/test/knot-data/zones/signed.test.zone
new file mode 100644
index 0000000..38d8e2a
--- /dev/null
+++ b/test/knot-data/zones/signed.test.zone
@@ -0,0 +1,42 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN signed.test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+ NS ns1.unsigned.test.
+
+*.wild TXT "this is a wildcard"
+
+@ MX 10 mail.signed.test.
+
+ A 10.0.0.10
+mail A 10.0.0.11
+
+; https://github.com/systemd/systemd/issues/22002
+dupe A 10.0.0.12
+dupe A 10.0.0.13
+
+; CNAME_REDIRECTS_MAX is 16, so let's test something close to that
+cname-chain CNAME follow1.signed.test.
+follow1 CNAME follow2.signed.test.
+follow2 CNAME follow3.nested.signed.test.
+follow3.nested CNAME follow4.signed.test.
+follow4 CNAME follow5.a.b.c.d.signed.test.
+follow5.a.b.c.d CNAME follow6.signed.test.
+follow6 CNAME follow7.what.is.love.signed.test.
+follow7.what.is.love CNAME follow8.signed.test.
+follow8 CNAME follow9.almost.there.signed.test.
+follow9.almost.there CNAME follow10.so.close.signed.test.
+follow10.so.close CNAME follow11.yet.so.far.signed.test.
+follow11.yet.so.far CNAME follow12.getting.hot.signed.test.
+follow12.getting.hot CNAME follow13.almost.final.signed.test.
+follow13.almost.final CNAME follow14.final.signed.test.
+follow14.final A 10.0.0.14
diff --git a/test/knot-data/zones/test.zone b/test/knot-data/zones/test.zone
new file mode 100644
index 0000000..6cc2633
--- /dev/null
+++ b/test/knot-data/zones/test.zone
@@ -0,0 +1,19 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+@ NS ns1.unsigned
+ns1.signed A 10.0.0.1
+
+onlinesign NS ns1.unsigned
+signed NS ns1.unsigned
+unsigned NS ns1.unsigned
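Review bot: Every delegation in this zone (`@ NS ns1.unsigned`, `onlinesign NS ns1.unsigned`, `signed NS ns1.unsigned`, `unsigned NS ns1.unsigned`) names `ns1.unsigned.test`, yet the only address record is `ns1.signed A 10.0.0.1`, which looks like a typo for `ns1.unsigned`. Since `ns1.unsigned.test` sits below the `unsigned` delegation cut, test.zone should carry the glue `ns1.unsigned A 10.0.0.1`; without it a resolver walking the chain from the root has to fall back on the glue the root zone happens to hold for the same name, and with `semantic-checks: on` Knot may also warn about the missing glue. If `ns1.signed` is intentional, a comment saying so would help.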
diff --git a/test/knot-data/zones/unsigned.test.zone b/test/knot-data/zones/unsigned.test.zone
new file mode 100644
index 0000000..87d9437
--- /dev/null
+++ b/test/knot-data/zones/unsigned.test.zone
@@ -0,0 +1,20 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN unsigned.test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+@ NS ns1.unsigned.test.
+ns1 A 10.0.0.1
+
+@ MX 15 mail.unsigned.test.
+
+ A 10.0.0.101
+mail A 10.0.0.111
diff --git a/test/knot-data/zones/untrusted.test.zone b/test/knot-data/zones/untrusted.test.zone
new file mode 100644
index 0000000..6d29bd7
--- /dev/null
+++ b/test/knot-data/zones/untrusted.test.zone
@@ -0,0 +1,21 @@
+; SPDX-License-Identifier: LGPL-2.1-or-later
+$TTL 86400
+$ORIGIN untrusted.test.
+
+@ IN SOA ns1.unsigned.test. root.unsigned.test. (
+ 42 ; serial
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expire
+ 1D ; minimum TTL
+)
+
+; NS info
+@ NS ns1.unsigned.test.
+
+*.wild TXT "this is an untrusted wildcard"
+
+@ MX 10 mail.untrusted.test.
+
+ A 10.0.0.121
+mail A 10.0.0.121