-- SPDX-License-Identifier: GPL-3.0-or-later
modules = {
    'hints > policy',
    'policy > iterate',
}

{% if kresd.verbose %}
log_level('debug')
{% endif %}

{% if kresd.ip %}
net.listen('{{ kresd.ip }}', {{ kresd.port }})
net.listen('{{ kresd.ip }}', {{ kresd.tls_port }}, {tls = true})
{% endif %}

{% if kresd.ip6 %}
net.listen('{{ kresd.ip6 }}', {{ kresd.port }})
net.listen('{{ kresd.ip6 }}', {{ kresd.tls_port }}, {tls = true})
{% endif %}

net.ipv4=true
net.ipv6=true

{% if kresd.tls_key_path and kresd.tls_cert_path %}
net.tls("{{ kresd.tls_cert_path }}", "{{ kresd.tls_key_path }}")
net.tls_sticket_secret('0123456789ABCDEF0123456789ABCDEF')
{% endif %}

hints['localhost.'] = '127.0.0.1'
{% for name, ip in kresd.hints.items() %}
hints['{{ name }}'] = '{{ ip }}'
{% endfor %}

policy.add(policy.all(policy.QTRACE))

{% if kresd.forward %}
policy.add(policy.all(
    {% if kresd.forward.proto == 'tls' %}
    policy.TLS_FORWARD({
        {"{{ kresd.forward.ip }}@{{ kresd.forward.port }}", hostname='{{ kresd.forward.hostname}}', ca_file='{{ kresd.forward.ca_file }}'}})
    {% endif %}
))
{% endif %}

{% if kresd.policy_test_pass %}
policy.add(policy.suffix(policy.PASS, {todname('test.')}))
{% endif %}

-- EDNS EDE tests
policy.add(policy.suffix(policy.DENY, {todname('deny.test.')}))
policy.add(policy.suffix(policy.REFUSE, {todname('refuse.test.')}))
policy.add(policy.suffix(policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('192.0.2.7'), ttl=300 } }), {todname('forge.test.')}))

-- make sure DNSSEC is turned off for tests
trust_anchors.remove('.')
modules.unload("ta_update")
modules.unload("ta_signal_query")
modules.unload("priming")
modules.unload("detect_time_skew")

-- choose a small cache, since it is preallocated
cache.size = 1 * MB