From 4fc51962e1af70a9cf2d255da8b90ad4ea9e5941 Mon Sep 17 00:00:00 2001
From: s3lph
Date: Wed, 5 Jun 2024 01:15:25 +0200
Subject: [PATCH] feat: add knot_dnssec_policy_nsec3_salt_length with default 0

---
 galaxy.yml | 2 +-
 roles/knot/defaults/main.yml | 2 ++
 roles/knot/templates/etc/knot/knot.conf.j2 | 3 ++-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/galaxy.yml b/galaxy.yml
index 187bd06..62a2595 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -7,7 +7,7 @@ namespace: s3lph
 name: nameserver
 
 # The version of the collection. Must be compatible with semantic versioning
-version: "0.4.2"
+version: "0.4.3"
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md
diff --git a/roles/knot/defaults/main.yml b/roles/knot/defaults/main.yml
index f46c4ab..745a7b7 100644
--- a/roles/knot/defaults/main.yml
+++ b/roles/knot/defaults/main.yml
@@ -25,6 +25,8 @@ knot_zone_dnssec_signing: 'on'
 knot_dnssec_policy_algorithm: ed25519
 knot_dnssec_policy_nsec3: 'on'
+# Use of a NSEC3 salt is discouraged by RFC 9276, section 3.1
+knot_dnssec_policy_nsec3_salt_length: 0
 knot_dnssec_policy_ksk_shared: 'off'
 knot_dnssec_policy_ksk_size: 256
 knot_dnssec_policy_zsk_size: 256
diff --git a/roles/knot/templates/etc/knot/knot.conf.j2 b/roles/knot/templates/etc/knot/knot.conf.j2
index 8e4c49b..f411c2e 100644
--- a/roles/knot/templates/etc/knot/knot.conf.j2
+++ b/roles/knot/templates/etc/knot/knot.conf.j2
@@ -104,7 +104,8 @@ policy:
   - id: dnssec-{{ zone.name }}
     algorithm: {{ zone.algorithm | default(knot_dnssec_policy_algorithm) }}
-    nsec3: {{ knot_dnssec_policy_nsec3 }}
+    nsec3: {{ zone.nsec3 | default(knot_dnssec_policy_nsec3) }}
+    nsec3-salt-length: {{ zone.nsec3_salt_length | default(knot_dnssec_policy_nsec3_salt_length) }}
     ksk-size: {{ zone.ksk_size | default(knot_dnssec_policy_ksk_size) }}
     zsk-size: {{ zone.zsk_size | default(knot_dnssec_policy_zsk_size) }}
     zsk-lifetime: {{ zone.zsk_lifetime | default(knot_dnssec_policy_zsk_lifetime) }}
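Review bot: The new `nsec3-salt-length` line implements only half of the RFC 9276 section 3.1 recommendation that the defaults file cites — the same section also says to use an NSEC3 iteration count of 0, and this policy block still leaves `nsec3-iterations` at whatever the installed Knot version defaults to (older 3.x releases default to 10, as far as I recall, and newer ones to 0; worth confirming against the target version). Leaving it unset makes the rendered policy's resistance to NSEC3 hash-cracking depend on the package version rather than on the role, so I would add a matching `nsec3-iterations: {{ zone.nsec3_iterations | default(knot_dnssec_policy_nsec3_iterations) }}` line here next to the salt length, with a `knot_dnssec_policy_nsec3_iterations: 0` default alongside the new salt-length variable. A short comment on the salt-length line pointing at the RFC would also help, since the rationale currently lives only in defaults/main.yml: `{# RFC 9276 §3.1: empty salt, zero iterations #}`. The `policy:` mapping and the enclosing zone loop start outside this hunk.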