feat: add knot_dnssec_policy_nsec3_salt_length with default 0

galaxy.yml

@@ -7,7 +7,7 @@ namespace: s3lph
 name: nameserver
 
 # The version of the collection. Must be compatible with semantic versioning
-version: "0.4.2"
+version: "0.4.3"
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md

roles/knot/defaults/main.yml

@@ -25,6 +25,8 @@ knot_zone_dnssec_signing: 'on'
 
 knot_dnssec_policy_algorithm: ed25519
 knot_dnssec_policy_nsec3: 'on'
+# Use of a NSEC3 salt is discouraged by RFC 9276, section 3.1
+knot_dnssec_policy_nsec3_salt_length: 0
 knot_dnssec_policy_ksk_shared: 'off'
 knot_dnssec_policy_ksk_size: 256
 knot_dnssec_policy_zsk_size: 256

roles/knot/templates/etc/knot/knot.conf.j2

@@ -104,7 +104,8 @@ policy:
 
   - id: dnssec-{{ zone.name }}
     algorithm: {{ zone.algorithm | default(knot_dnssec_policy_algorithm) }}
-    nsec3: {{ knot_dnssec_policy_nsec3 }}
+    nsec3: {{ zone.nsec3 | default(knot_dnssec_policy_nsec3) }}
+    nsec3-salt-length: {{ zone.nsec3_salt_length | default(knot_dnssec_policy_nsec3_salt_length) }}
     ksk-size: {{ zone.ksk_size | default(knot_dnssec_policy_ksk_size) }}
     zsk-size: {{ zone.zsk_size | default(knot_dnssec_policy_zsk_size) }}
     zsk-lifetime: {{ zone.zsk_lifetime | default(knot_dnssec_policy_zsk_lifetime) }}