# This is a sample of a minimal configuration file for Knot DNS.
# See knot.conf(5) or refer to the server documentation.

server:
    rundir: "/run/knot"
    user: knot:knot
#    automatic-acl: on
#    listen: [ 127.0.0.1@53, ::1@53 ]
    listen: 172.18.1.21@53

log:
  - target: syslog
    any: info

database:
    storage: "/var/lib/knot"

key:
  - id: tsig-key
    algorithm: hmac-sha256
    secret: gWQl0C01ZKgNQLafAhUvWBb7B+8BBfEDc7XxdTzDwqc=

remote:
  - id: master
    address: 172.18.1.20@53
    key: tsig-key
    via: 172.18.1.21
  - id: slave1
    address: 172.18.1.22
    via: 172.18.1.21
  - id: slave2
    address: 172.18.1.23
    via: 172.18.1.21
  - id: auth_com
    address: 172.18.1.12
    via: 172.18.1.21

acl:
  - id: notify_from_master
    address: 172.18.1.20
    key: tsig-key
    action: notify
  - id: xfr_to_slave
    address: [ 172.18.1.22, 172.18.1.23 ]
    key: tsig-key
    action: transfer

submission:
  - id: ds_submission
    parent: auth_com

policy:
  - id: nsec3
    nsec3: on
    ksk-submission: ds_submission

template:
  - id: default
    master: master
    notify: [ slave1, slave2 ]
    acl: [ notify_from_master, xfr_to_slave ]
    dnssec-signing: on
    dnssec-policy: nsec3
    serial-policy: unixtime

zone:
  - domain: test.com