# SPDX-License-Identifier: LGPL-2.1-or-later
# Global daemon settings.
server:
  rundir: "/run/knot"
  # process runs as this user:group rather than as root
  user: knot:knot
  # Knot's configuration parser accepts a repeated key for multi-valued
  # items, so this opens one IPv4 and one IPv6 socket. A generic YAML loader
  # would keep only the last 'listen' line -- do not round-trip this file
  # through one.
  listen: 10.0.0.1@53
  listen: fd00:dead:beef:cafe::1@53
# Logging: all categories at severity 'info' and above go to syslog.
log:
  - target: syslog
    any: info
# Base directory for Knot's internal databases (journal, timers, key store).
database:
  storage: "/var/lib/knot"
# Access control lists, referenced by 'acl' in the templates below.
acl:
  # Hosts allowed to send dynamic updates. Matching is by source address
  # only -- there is no TSIG 'key' item -- so any host inside these prefixes
  # can modify every zone this ACL is attached to. Fine for an isolated test
  # network; a production ACL should also require a key.
  # (Repeated 'address' keys are Knot's multi-valued item syntax.)
  - id: update_acl
    address: 10.0.0.0/24
    address: fd00:dead:beef:cafe::/64
    action: update
# Remote servers this instance talks to. The "parent zone server" uses the
# same addresses this server listens on, i.e. the parent (the root zone '.'
# defined below) is served by this very instance.
remote:
  - id: parent_zone_server
    address: 10.0.0.1@53
    address: fd00:dead:beef:cafe::1@53
# KSK submission check: after a DS is pushed, poll the parent(s) until the
# new DS is visible there before the rollover continues.
submission:
  - id: parent_zone_sbm
    # polling interval; very short so a rollover completes within a test run
    check-interval: 2s
    parent: [parent_zone_server]
# DNSSEC signing policies, referenced by 'dnssec-policy' in templates/zones.
policy:
  # Auto ZSK/KSK rollover for DNSSEC-enabled zones + pushing the respective DS
  # records to the parent zone
  - id: auto_rollover
    algorithm: ECDSAP256SHA256
    # always publish CDS/CDNSKEY so the parent can pick up key changes
    cds-cdnskey-publish: always
    # push DS records to this remote (see the 'remote' section)
    ds-push: parent_zone_server
    ksk-lifetime: 365d
    # submission check used to confirm the parent has the new DS
    ksk-submission: parent_zone_sbm
    # The timing values below are deliberately tiny so that rollovers finish
    # inside a test run; real deployments should use the (much larger)
    # defaults.
    propagation-delay: 1s
    signing-threads: 4
    zone-max-ttl: 1s
    zsk-lifetime: 60d

  # Same as auto_rollover, but with NSEC3 turned on
  - id: auto_rollover_nsec3
    algorithm: ECDSAP256SHA256
    cds-cdnskey-publish: always
    ds-push: parent_zone_server
    ksk-lifetime: 365d
    ksk-submission: parent_zone_sbm
    # 'on'/'off' is Knot's own boolean syntax (also used for the flags below)
    nsec3: on
    # NOTE(review): RFC 9276 recommends 0 extra NSEC3 iterations, and
    # validators may treat high counts as insecure. 10 appears to be kept on
    # purpose to exercise the validator under test -- confirm it still
    # validates at this count.
    nsec3-iterations: 10
    propagation-delay: 1s
    signing-threads: 4
    zone-max-ttl: 1s
    zsk-lifetime: 60d

  # Signed, but never publishes CDS/CDNSKEY and has no ds-push, so the parent
  # never receives a DS record: the zone stays outside the chain of trust.
  - id: untrusted
    cds-cdnskey-publish: none

  # Manual ZSK/KSK management
  - id: manual
    manual: on
# Zone templates. The one named 'default' applies to every zone that does not
# select another template explicitly.
template:
  # Sign everything by default and propagate the respective DS records to the parent
  - id: default
    # address-only ACL: any host in its prefixes may send dynamic updates
    acl: update_acl
    dnssec-policy: auto_rollover
    dnssec-signing: on
    # '%s' is substituted with the zone name
    file: "%s.zone"
    semantic-checks: on
    storage: "/var/lib/knot/zones"

  # A template for unsigned zones (i.e. without DNSSEC)
  - id: unsigned
    dnssec-signing: off
    file: "%s.zone"
    semantic-checks: on
    storage: "/var/lib/knot/zones"
# Zones served by this instance. Zones without an explicit 'template' use
# the 'default' template above (signed, auto_rollover policy).
zone:
  # Create our own DNSSEC-aware root zone, so we can test the whole chain of
  # trust. This needs a ZSK/KSK keypair to be generated before running knot +
  # adding the respective keys to resolved's trust anchor store (see the
  # test script for the setup steps).
  # Key management is manual here: this zone's keys are the trust anchor, so
  # they must not roll automatically underneath the resolver under test.
  - domain: .
    dnssec-policy: manual
    file: "root.zone"

  # Turn NSEC3 on for the test. zone to spice things up
  - domain: test
    dnssec-policy: auto_rollover_nsec3

  # A fully (pre-)signed zone
  - domain: signed.test

  # A fully (online)-signed zone
  # See: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#mod-onlinesign
  # Note: ds-push is not supported in mod-onlinesign, so we have to push
  # the DS records to the parent zone manually (see the test script)
  # 'dnssec-signing: off' is required here: the module signs on the fly and
  # must not be combined with the template's offline signing.
  - domain: onlinesign.test
    module: mod-onlinesign
    dnssec-signing: off

  # Signed zone without propagated DS records to test the allow-downgrade
  # feature
  - domain: untrusted.test
    dnssec-policy: untrusted

  # An unsigned zone
  - domain: unsigned.test
    template: unsigned