1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
|
# SPDX-License-Identifier: LGPL-2.1-or-later
server:
rundir: "/run/knot"
user: knot:knot
listen: 10.0.0.1@53
listen: fd00:dead:beef:cafe::1@53
listen: 192.168.77.78@53
log:
- target: syslog
any: info
database:
storage: "/var/lib/knot"
acl:
- id: update_acl
address: 10.0.0.0/24
address: fd00:dead:beef:cafe::/64
action: update
- id: transfer_acl
address: 10.0.0.0/24
address: fd00:dead:beef:cafe::/64
action: transfer
remote:
- id: parent_zone_server
address: 10.0.0.1@53
address: fd00:dead:beef:cafe::1@53
- id: forwarded
address: 10.99.0.1@53
submission:
- id: parent_zone_sbm
check-interval: 2s
parent: [parent_zone_server]
policy:
# Auto ZSK/KSK rollover for DNSSEC-enabled zones + pushing the respective DS
# records to the parent zone
- id: auto_rollover
algorithm: ECDSAP256SHA256
cds-cdnskey-publish: always
ds-push: parent_zone_server
ksk-lifetime: 365d
ksk-submission: parent_zone_sbm
propagation-delay: 1s
signing-threads: 4
zone-max-ttl: 1s
zsk-lifetime: 60d
# Same as auto_rollover, but with NSEC3 turned on
- id: auto_rollover_nsec3
algorithm: ECDSAP256SHA256
cds-cdnskey-publish: always
ds-push: parent_zone_server
ksk-lifetime: 365d
ksk-submission: parent_zone_sbm
nsec3-iterations: 0
nsec3: on
nsec3-salt-length: 8
propagation-delay: 1s
signing-threads: 4
zone-max-ttl: 1s
zsk-lifetime: 60d
- id: untrusted
cds-cdnskey-publish: none
# Manual ZSK/KSK management
- id: manual
manual: on
mod-dnsproxy:
- id: forwarded
remote: forwarded
fallback: off
template:
# Sign everything by default and propagate the respective DS records to the parent
- id: default
acl: update_acl
dnssec-policy: auto_rollover
dnssec-signing: on
file: "%s.zone"
semantic-checks: on
storage: "/var/lib/knot/zones"
# A template for unsigned zones (i.e. without DNSSEC)
- id: unsigned
dnssec-signing: off
file: "%s.zone"
semantic-checks: on
storage: "/var/lib/knot/zones"
- id: forwarded
dnssec-signing: off
module: mod-dnsproxy/forwarded
zonefile-load: none
zone:
# Create our own DNSSEC-aware root zone, so we can test the whole chain of
# trust. This needs a ZSK/KSK keypair to be generated before running knot +
# adding the respective keys to resolved's trust anchor store (see the
# test script for the setup steps).
- domain: .
dnssec-policy: manual
file: "root.zone"
# Turn NSEC3 on for the test. zone to spice things up
- domain: test
dnssec-policy: auto_rollover_nsec3
# A fully (pre-)signed zone with allowed zone transfers (AXFR/IXFR)
- domain: signed.test
acl: [update_acl, transfer_acl]
# A fully (online)-signed zone
# See: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#mod-onlinesign
# Note: ds-push is not supported in mod-onlinesign, so we have to push
# the DS records to the parent zone manually (see the test script)
- domain: onlinesign.test
module: mod-onlinesign
dnssec-signing: off
# Signed zone without propagated DS records to test the allow-downgrade
# feature
- domain: untrusted.test
dnssec-policy: untrusted
# An unsigned zone
- domain: unsigned.test
template: unsigned
# Forward all queries for this zone to our dummy test server
- domain: forwarded.test
template: forwarded
|
