systemd/test/knot-data/knot.conf
Frantisek Sumsal cb3244c0dc test: explicitly set nsec3-iterations to 0
knot v3.2 and later does this by default. knot v3.1 still has the default set to
10, but it also introduced a warning that the default will be changed to 0 in
later versions, so it effectively complains about its own default, which then
fails the config check. Let's just set the value explicitly to zero to avoid
that.

~# knotc --version
knotc (Knot DNS), version 3.1.6
~# grep nsec3-iterations test/knot-data/knot.conf || echo nope
nope
~# knotc -c /build/test/knot-data/knot.conf conf-check
warning: config, policy[auto_rollover_nsec3].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0
Configuration is valid

Follow-up to 0652cf8e7b.
2024-01-30 17:53:10 +00:00

139 lines
3.5 KiB
Plaintext

# SPDX-License-Identifier: LGPL-2.1-or-later
server:
rundir: "/run/knot"
user: knot:knot
listen: 10.0.0.1@53
listen: fd00:dead:beef:cafe::1@53
log:
- target: syslog
any: info
database:
storage: "/var/lib/knot"
acl:
- id: update_acl
address: 10.0.0.0/24
address: fd00:dead:beef:cafe::/64
action: update
- id: transfer_acl
address: 10.0.0.0/24
address: fd00:dead:beef:cafe::/64
action: transfer
remote:
- id: parent_zone_server
address: 10.0.0.1@53
address: fd00:dead:beef:cafe::1@53
- id: forwarded
address: 10.99.0.1@53
submission:
- id: parent_zone_sbm
check-interval: 2s
parent: [parent_zone_server]
policy:
# Auto ZSK/KSK rollover for DNSSEC-enabled zones + pushing the respective DS
# records to the parent zone
- id: auto_rollover
algorithm: ECDSAP256SHA256
cds-cdnskey-publish: always
ds-push: parent_zone_server
ksk-lifetime: 365d
ksk-submission: parent_zone_sbm
propagation-delay: 1s
signing-threads: 4
zone-max-ttl: 1s
zsk-lifetime: 60d
# Same as auto_rollover, but with NSEC3 turned on
- id: auto_rollover_nsec3
algorithm: ECDSAP256SHA256
cds-cdnskey-publish: always
ds-push: parent_zone_server
ksk-lifetime: 365d
ksk-submission: parent_zone_sbm
nsec3-iterations: 0
nsec3: on
propagation-delay: 1s
signing-threads: 4
zone-max-ttl: 1s
zsk-lifetime: 60d
- id: untrusted
cds-cdnskey-publish: none
# Manual ZSK/KSK management
- id: manual
manual: on
mod-dnsproxy:
- id: forwarded
remote: forwarded
fallback: off
template:
# Sign everything by default and propagate the respective DS records to the parent
- id: default
acl: update_acl
dnssec-policy: auto_rollover
dnssec-signing: on
file: "%s.zone"
semantic-checks: on
storage: "/var/lib/knot/zones"
# A template for unsigned zones (i.e. without DNSSEC)
- id: unsigned
dnssec-signing: off
file: "%s.zone"
semantic-checks: on
storage: "/var/lib/knot/zones"
- id: forwarded
dnssec-signing: off
module: mod-dnsproxy/forwarded
zonefile-load: none
zone:
# Create our own DNSSEC-aware root zone, so we can test the whole chain of
# trust. This needs a ZSK/KSK keypair to be generated before running knot +
# adding the respective keys to resolved's trust anchor store (see the
# test script for the setup steps).
- domain: .
dnssec-policy: manual
file: "root.zone"
# Turn NSEC3 on for the test. zone to spice things up
- domain: test
dnssec-policy: auto_rollover_nsec3
# A fully (pre-)signed zone with allowed zone transfers (AXFR/IXFR)
- domain: signed.test
acl: [update_acl, transfer_acl]
# A fully (online)-signed zone
# See: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#mod-onlinesign
# Note: ds-push is not supported in mod-onlinesign, so we have to push
# the DS records to the parent zone manually (see the test script)
- domain: onlinesign.test
module: mod-onlinesign
dnssec-signing: off
# Signed zone without propagated DS records to test the allow-downgrade
# feature
- domain: untrusted.test
dnssec-policy: untrusted
# An unsigned zone
- domain: unsigned.test
template: unsigned
# Forward all queries for this zone to our dummy test server
- domain: forwarded.test
template: forwarded