From b750101eb236130cf056c675997decbac904cc49 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 17:35:18 +0200
Subject: Adding upstream version 252.22.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 test/knot-data/knot.conf | 116 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 116 insertions(+)
 create mode 100644 test/knot-data/knot.conf

(limited to 'test/knot-data/knot.conf')

diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf
new file mode 100644
index 0000000..e3de69d
--- /dev/null
+++ b/test/knot-data/knot.conf
@@ -0,0 +1,116 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+server:
+    rundir: "/run/knot"
+    user: knot:knot
+    listen: 10.0.0.1@53
+
+log:
+    - target: syslog
+      any: info
+
+database:
+    storage: "/var/lib/knot"
+
+acl:
+    - id: update_acl
+      address: 10.0.0.0/24
+      action: update
+
+remote:
+    - id: parent_zone_server
+      address: 10.0.0.1@53
+
+submission:
+    - id: parent_zone_sbm
+      check-interval: 2s
+      parent: [parent_zone_server]
+
+# Auto ZSK/KSK rollover for DNSSEC-enabled zones + pushing the respective DS
+# records to the parent zone
+policy:
+    - id: auto_rollover
+      algorithm: ECDSAP256SHA256
+      cds-cdnskey-publish: always
+      ds-push: parent_zone_server
+      ksk-lifetime: 365d
+      ksk-submission: parent_zone_sbm
+      propagation-delay: 1s
+      signing-threads: 4
+      zone-max-ttl: 1s
+      zsk-lifetime: 60d
+
+# Same as auto_rollover, but with NSEC3 turned on
+policy:
+    - id: auto_rollover_nsec3
+      algorithm: ECDSAP256SHA256
+      cds-cdnskey-publish: always
+      ds-push: parent_zone_server
+      ksk-lifetime: 365d
+      ksk-submission: parent_zone_sbm
+      nsec3: on
+      nsec3-iterations: 10
+      propagation-delay: 1s
+      signing-threads: 4
+      zone-max-ttl: 1s
+      zsk-lifetime: 60d
+
+policy:
+    - id: untrusted
+      cds-cdnskey-publish: none
+
+# Manual ZSK/KSK management
+policy:
+    - id: manual
+      manual: on
+
+# Sign everything by default and propagate the respective DS records to the parent
+template:
+    - id: default
+      acl: update_acl
+      dnssec-policy: auto_rollover
+      dnssec-signing: on
+      file: "%s.zone"
+      semantic-checks: on
+      storage: "/var/lib/knot/zones"
+
+# A template for unsigned zones (i.e. without DNSSEC)
+template:
+    - id: unsigned
+      dnssec-signing: off
+      file: "%s.zone"
+      semantic-checks: on
+      storage: "/var/lib/knot/zones"
+
+zone:
+    # Create our own DNSSEC-aware root zone, so we can test the whole chain of
+    # trust. This needs a ZSK/KSK keypair to be generated before running knot +
+    # adding the respective keys to resolved's trust anchor store (see the
+    # test script for the setup steps).
+    - domain: .
+      dnssec-policy: manual
+      file: "root.zone"
+
+    # Turn NSEC3 on for the test. zone to spice things up
+    - domain: test
+      dnssec-policy: auto_rollover_nsec3
+
+    # A fully (pre-)signed zone
+    - domain: signed.test
+
+    # A fully (online)-signed zone
+    # See: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#mod-onlinesign
+    # Note: ds-push is not supported in mod-onlinesign, so we have to push
+    #       the DS records to the parent zone manually (see the test script)
+    - domain: onlinesign.test
+      module: mod-onlinesign
+      dnssec-signing: off
+
+    # Signed zone without propagated DS records to test the allow-downgrade
+    # feature
+    - domain: untrusted.test
+      dnssec-policy: untrusted
+
+    # An unsigned zone
+    - domain: unsigned.test
+      template: unsigned
-- 
cgit v1.2.3