# SPDX-License-Identifier: LGPL-2.1-or-later server: rundir: "/run/knot" user: knot:knot listen: 10.0.0.1@53 log: - target: syslog any: info database: storage: "/var/lib/knot" acl: - id: update_acl address: 10.0.0.0/24 action: update remote: - id: parent_zone_server address: 10.0.0.1@53 submission: - id: parent_zone_sbm check-interval: 2s parent: [parent_zone_server] # Auto ZSK/KSK rollover for DNSSEC-enabled zones + pushing the respective DS # records to the parent zone policy: - id: auto_rollover algorithm: ECDSAP256SHA256 cds-cdnskey-publish: always ds-push: parent_zone_server ksk-lifetime: 365d ksk-submission: parent_zone_sbm propagation-delay: 1s signing-threads: 4 zone-max-ttl: 1s zsk-lifetime: 60d # Same as auto_rollover, but with NSEC3 turned on policy: - id: auto_rollover_nsec3 algorithm: ECDSAP256SHA256 cds-cdnskey-publish: always ds-push: parent_zone_server ksk-lifetime: 365d ksk-submission: parent_zone_sbm nsec3: on nsec3-iterations: 10 propagation-delay: 1s signing-threads: 4 zone-max-ttl: 1s zsk-lifetime: 60d policy: - id: untrusted cds-cdnskey-publish: none # Manual ZSK/KSK management policy: - id: manual manual: on # Sign everything by default and propagate the respective DS records to the parent template: - id: default acl: update_acl dnssec-policy: auto_rollover dnssec-signing: on file: "%s.zone" semantic-checks: on storage: "/var/lib/knot/zones" # A template for unsigned zones (i.e. without DNSSEC) template: - id: unsigned dnssec-signing: off file: "%s.zone" semantic-checks: on storage: "/var/lib/knot/zones" zone: # Create our own DNSSEC-aware root zone, so we can test the whole chain of # trust. This needs a ZSK/KSK keypair to be generated before running knot + # adding the respective keys to resolved's trust anchor store (see the # test script for the setup steps). - domain: . dnssec-policy: manual file: "root.zone" # Turn NSEC3 on for the test. zone to spice things up - domain: test dnssec-policy: auto_rollover_nsec3 # A fully (pre-)signed zone - domain: signed.test # A fully (online)-signed zone # See: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#mod-onlinesign # Note: ds-push is not supported in mod-onlinesign, so we have to push # the DS records to the parent zone manually (see the test script) - domain: onlinesign.test module: mod-onlinesign dnssec-signing: off # Signed zone without propagated DS records to test the allow-downgrade # feature - domain: untrusted.test dnssec-policy: untrusted # An unsigned zone - domain: unsigned.test template: unsigned