# Source Code for maxchernoff.ca
# https://github.com/gucci-on-fleek/maxchernoff.ca
# SPDX-License-Identifier: MPL-2.0+ OR CC-BY-SA-4.0+
# SPDX-FileCopyrightText: 2024 Max Chernoff
# TSIG key material is kept out of this (published) file. secrets.conf must
# define every key name referenced in the `acl` and `remote` sections below
# (dnscontrol, maxchernoff-he, red-deer, dnscontrol-testing-*); treat it as a
# secret and keep it out of version control.
include: secrets.conf

server:
    # TCP :53, UDP :53 on every IPv4 and IPv6 address -- this is a public
    # authoritative server, so no address restriction is intended.
    listen: [0.0.0.0@53, ::@53]
    async-start: on
    # Presumably lets Knot derive ACL rules from the remotes a zone references
    # (e.g. its `notify:` target), on top of the explicit `acl` section below.
    # Anything granted that way is not visible in this file -- verify against
    # the Knot docs for the running version.
    automatic-acl: on
    # Reported via CH TXT id.server. NOTE(review): `version` is not set here;
    # check whether the running knotd discloses its software version via
    # CH TXT version.server and set `version` explicitly if that is unwanted.
    identity: ns.maxchernoff.ca.
log:
    # Everything at info and above goes to stderr (picked up by the container
    # runtime / journald). Refused updates and transfers and TSIG failures
    # would be expected to surface here, so this stream is worth alerting on.
    - target: stderr
      any: info
policy:
    # DNSSEC policy used by the signed zones below.
    - id: eddsa
      # Ed25519 (DNSSEC algorithm 15). The parent / registrar must accept a
      # DS record for algorithm 15 -- TODO confirm before relying on it.
      algorithm: ed25519
      # Single-Type Signing Scheme: one key signs everything, instead of a
      # separate KSK/ZSK pair; `ksk-lifetime` therefore governs the only key.
      single-type-signing: on
      # Roughly ten years between key rollovers. NOTE(review): no
      # `ksk-submission` (or CDS/CDNSKEY automation) is configured here, so a
      # rollover presumably stalls until the new DS is submitted at the parent
      # by hand -- confirm the procedure exists before the rollover fires.
      ksk-lifetime: 3650d
      signing-threads: 4
remote:
    # Hurricane Electric's transfer peer, TSIG-keyed. NOTE(review): nothing
    # in this file references this remote (the ACLs below match the
    # `maxchernoff-he` key directly and the zone notifies
    # `hurricane-electric-notify`), so it may be dead config -- check.
    - id: hurricane-electric-slave
      address: ["216.218.133.2", "2001:470:600::2"]
      key: maxchernoff-he
    # Where NOTIFY messages for maxchernoff.ca are sent (signed with the HE key).
    - id: hurricane-electric-notify
      address: ["216.218.130.2", "2001:470:100::2"]
      key: maxchernoff-he
    # Address-only peer: no TSIG key, so anything granted to it (the `tug`
    # ACL below) is authorised purely by source IP.
    - id: tug
      address: ["46.4.94.215", "2a01:4f8:140:80be::2"]
acl:
    # DNSControl pushes the whole zone via RFC 2136 updates. TSIG-authenticated,
    # any source address, no owner/type restriction: this key can rewrite
    # every record in the zones it is attached to.
    - id: incoming
      key: dnscontrol
      action: update
    # Zone transfers for anyone presenting the DNSControl or HE TSIG key.
    - id: outgoing
      key: [dnscontrol, maxchernoff-he]
      action: transfer
    # Accept inbound NOTIFY signed with the HE key. NOTE(review): this server
    # is the one *sending* notifies to HE (zone `notify:` below), so it is not
    # obvious which inbound NOTIFYs this rule is for -- drop it if unused.
    - id: notify
      key: maxchernoff-he
      action: notify
    # Dynamic-DNS client. Least-privilege scoping: the red-deer key may only
    # update the owner name `red-deer` (presumably relative to the zone apex,
    # i.e. red-deer.maxchernoff.ca). Every record type at that owner is still
    # allowed -- if only address records are needed, adding
    # `update-type: [A, AAAA]` would tighten it further. The key is also
    # granted AXFR of the whole zone, which a DDNS client rarely needs.
    - id: ddns
      key: red-deer
      action: [transfer, update]
      update-owner: name
      update-owner-match: equal
      update-owner-name: [red-deer]
    # AXFR for the `tug` remote, authorised by source address only (that
    # remote has no key). Tolerable because the zone data is public DNS
    # anyway, but anyone who can originate traffic from those addresses can
    # enumerate the zone; a TSIG key would close that.
    - id: tug
      remote: tug
      action: transfer
    # DNSControl test keys, one per TSIG algorithm. The HMAC-MD5 and SHA-1
    # variants exist only to exercise DNSControl (RFC 8945: HMAC-MD5 MUST NOT
    # be used, SHA-1 is NOT RECOMMENDED); this ACL must stay attached to the
    # .internal test zones only and never to maxchernoff.ca.
    - id: dnscontrol-testing
      key: [dnscontrol-testing-md5, dnscontrol-testing-sha1, dnscontrol-testing-sha224, dnscontrol-testing-sha256, dnscontrol-testing-sha384, dnscontrol-testing-sha512]
      action: [transfer, update]
zone:
    # maxchernoff.ca -- the production zone. This server is the primary: it
    # takes updates from DNSControl (`incoming`) and the red-deer DDNS client,
    # serves transfers to the keyed peers and to `tug`, and notifies HE.
    - domain: maxchernoff.ca.
      # Use DNSSEC with the Ed25519 policy defined above.
      dnssec-signing: on
      dnssec-policy: eddsa
      # Needed, otherwise Knot won't work on the first load
      file: /config/maxchernoff.ca.zone
      zonefile-load: difference
      # Never write the live zone back to the file (-1); the zone file is only
      # a base and changes made via DDNS are kept in the journal, so the
      # journal storage must be persistent and backed up. NOTE(review): with
      # `difference`, Knot's docs describe the zone *file* as taking precedence
      # on load -- confirm that DDNS changes survive a restart/reload when the
      # file is never resynced.
      zonefile-sync: -1
      journal-content: all
      # Write serials in YYYYMMDDnn format
      serial-policy: dateserial
      # Send notifies to Hurricane Electric
      notify: hurricane-electric-notify
      # Explicit ACLs (see the `acl` section). `tug` is address-only (no TSIG);
      # `dnscontrol-testing` is deliberately absent here.
      acl: [incoming, outgoing, notify, ddns, tug]
    # For DNSControl testing.
    # I'm using the .internal TLD for these test domains, see
    # - https://www.icann.org/en/board-activities-and-meetings/materials/approved-resolutions-special-meeting-of-the-icann-board-29-07-2024-en#section2.a:~:text=the%20board%20reserves,applications
    # - https://datatracker.ietf.org/doc/html/draft-davies-internal-tld
    # Both test zones share one base zone file and are writable only by the
    # dnscontrol-testing-* keys (which include weak MD5/SHA-1 variants), so
    # compromise of one of those keys is contained to these two zones.
    - domain: without-dnssec.dnscontrol.internal.
      # Base zone file (shared with the signed test zone below; presumably it
      # contains no absolute apex name so it loads under either domain).
      file: /config/dnscontrol.internal.zone
      zonefile-load: difference
      # Never write changes back to the base file; they live in the journal.
      zonefile-sync: -1
      journal-content: all
      # Write serials in YYYYMMDDnn format
      serial-policy: dateserial
      # Allow DNSControl to update this zone
      acl: dnscontrol-testing
      # No DNSSEC
      dnssec-signing: off
    - domain: with-dnssec.dnscontrol.internal.
      # Base zone file
      file: /config/dnscontrol.internal.zone
      zonefile-load: difference
      # Never write changes back to the base file; they live in the journal.
      zonefile-sync: -1
      journal-content: all
      # Write serials in YYYYMMDDnn format
      serial-policy: dateserial
      # Allow DNSControl to update this zone
      acl: dnscontrol-testing
      # Use DNSSEC (same Ed25519 CSK policy as the production zone, so the
      # ten-year ksk-lifetime and manual DS handling apply here too).
      dnssec-signing: on
      dnssec-policy: eddsa