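# Knot DNS Configuration
# Hidden Primary DNS server configuration for my-dnssec-test-domain.de
# This server acts as a hidden primary - it's not listed in NS records
# but provides zone transfers to the public secondary nameservers

server:
  # Server identification; the empty version string suppresses version
  # disclosure via CH TXT "version.server" queries
  identity: "Hottis DNS Server"
  version: ""
  # Listen on all IPv4 and IPv6 interfaces on the non-standard port 8053
  listen: [ "0.0.0.0@8053", "::@8053" ]
  # Rotate the order of records in answers. Knot is an authoritative-only
  # server, so there is no recursion to disable (the original comment on this
  # line said "disable recursion", which this option does not do)
  answer-rotation: on
  # Resource limits
  max-udp-payload: 4096
  max-tcp-clients: 100

# Database configuration
database:
  storage: "/var/lib/knot"
  # Upper bound on the on-disk journal database. The original file listed the
  # per-zone journal items (journal-content, journal-max-usage,
  # journal-max-depth) in this section; Knot defines those in the
  # zone/template section, so they are set in the template below
  journal-db-max-size: 100M

# Key management for DNSSEC
keystore:
  - id: default
    backend: pem
    config: "/var/lib/knot/keys"

# DNSSEC policy
policy:
  - id: default_policy
    algorithm: ECDSAP256SHA256
    ksk-lifetime: 365d
    zsk-lifetime: 90d
    propagation-delay: 3600
    dnskey-ttl: 3600
    zone-max-ttl: 86400
    # NOTE(review): "parent_ds" references a submission section id; no
    # "submission:" section with that id appears in this file, so define one
    # (or drop this item) before loading the configuration
    ksk-submission: parent_ds
    cds-cdnskey-publish: always

# Remote server configuration (for zone transfers, notifications)
remote:
  - id: dns1_nsdns
    address: "109.234.111.215@53"
  - id: dns2_nsdns
    address: "109.234.111.216@53"

# Access Control Lists
# Both ACLs match on source address only. Consider adding a TSIG key
# ("key:" section, referenced from the ACL) so that transfers and notifies
# are authenticated rather than trusted on IP alone
acl:
  - id: transfer_acl
    address: [ "127.0.0.1", "109.234.111.215", "109.234.111.216" ]
    action: transfer
  - id: notify_acl
    address: [ "127.0.0.1", "109.234.111.215", "109.234.111.216" ]
    action: notify

# Zone template
template:
  - id: default_template
    storage: "/var/lib/knot"
    file: "%s.zone"
    # Reject zones larger than this limit; moved from the server section,
    # where Knot does not define a zone-size option
    max-zone-size: 500M

    # DNSSEC configuration
    dnssec-signing: on
    dnssec-policy: default_policy

    # Zone transfer settings (Hidden Primary)
    notify: [ dns1_nsdns, dns2_nsdns ]
    acl: [ transfer_acl, notify_acl ]

    # Serial policy
    serial-policy: dateserial

    # Zone journal
    journal-content: changes
    journal-max-usage: 10M
    journal-max-depth: 20

# Zone configuration
zone:
  - domain: my-dnssec-test-domain.de
    template: default_template
    file: "/var/lib/knot/my-dnssec-test-domain.de.zone"

# Control interface
control:
  listen: "/var/run/knot/knot.sock"
  timeout: 60

# Statistics
stats:
  timer: 3600

# Logging configuration
log:
  - target: stderr
    any: info
    zone: warning
    server: info
  - target: syslog
    any: info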