Add support for configuring ZSK and KSK rollovers, including submission checks
parent
9402eee1c1
commit
a9be647f84
2 changed files with 23 additions and 2 deletions
|
@ -21,7 +21,12 @@ knot_zone_dnssec_signing: 'on'
|
||||||
|
|
||||||
knot_dnssec_policy_algorithm: ecdsap384sha384
|
knot_dnssec_policy_algorithm: ecdsap384sha384
|
||||||
knot_dnssec_policy_nsec3: 'on'
|
knot_dnssec_policy_nsec3: 'on'
|
||||||
knot_dnssec_policy_ksk_shared: 'on'
|
knot_dnssec_policy_ksk_shared: 'off'
|
||||||
knot_dnssec_policy_ksk_size: 384
|
knot_dnssec_policy_ksk_size: 384
|
||||||
knot_dnssec_policy_zsk_size: 384
|
knot_dnssec_policy_zsk_size: 384
|
||||||
|
knot_dnssec_policy_zsk_lifetime: 30d
|
||||||
|
knot_dnssec_policy_ksk_lifetime: 0
|
||||||
knot_dnssec_policy_cds_publish: 'double-ds'
|
knot_dnssec_policy_cds_publish: 'double-ds'
|
||||||
|
|
||||||
|
knot_dnssec_submission_check_interval: 1h
|
||||||
|
knot_dnssec_submission_timeout: 0
|
||||||
|
|
|
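Review bot: The new defaults `knot_dnssec_policy_ksk_lifetime: 0` and `knot_dnssec_submission_timeout: 0` rely on Knot treating zero as a special value (no automatic KSK rollover, and no deadline on the DS submission check, if I recall the policy and submission semantics correctly), but nothing in the file says so, which matters because the commit title promises configurable KSK rollovers while the shipped default leaves them off. A comment such as `# 0 = never roll the KSK automatically; override per zone with zone.ksk_lifetime` above the ksk_lifetime default and `# 0 = wait for the parent DS indefinitely; an unpublished DS stalls the rollover silently` above the submission timeout would make that explicit. The flip of `knot_dnssec_policy_ksk_shared` from 'on' to 'off' is likewise unexplained; presumably per-zone rollover needs a per-zone KSK, and a one-line comment saying so would save the next reader the same inference.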
@ -35,7 +35,7 @@ key:
|
||||||
|
|
||||||
|
|
||||||
remote:
|
remote:
|
||||||
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
|
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='parents') | select('defined') ) ) | flatten | unique %}
|
||||||
|
|
||||||
- id: remote-{{ remote }}
|
- id: remote-{{ remote }}
|
||||||
{% if knot_tsig_key is defined and 'knot_tsig_key' in hostvars[remote] %}
|
{% if knot_tsig_key is defined and 'knot_tsig_key' in hostvars[remote] %}
|
||||||
|
@ -84,6 +84,18 @@ acl:
|
||||||
# MASTER ZONES
|
# MASTER ZONES
|
||||||
#
|
#
|
||||||
|
|
||||||
|
submission:
|
||||||
|
{% for zone in zones %}
|
||||||
|
|
||||||
|
- id: submission: {{ zone.name }}
|
||||||
|
check-interval: {{ knot_dnssec_submission_check_interval }}
|
||||||
|
timeout: {{ knot_dnssec_submission_timeout }}
|
||||||
|
parent:
|
||||||
|
{% for parent in zone.parents | default([]) %}
|
||||||
|
- {{ parent }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
policy:
|
policy:
|
||||||
{% for zone in zones %}
|
{% for zone in zones %}
|
||||||
{% if inventory_hostname in zone.masters %}
|
{% if inventory_hostname in zone.masters %}
|
||||||
|
@ -93,6 +105,10 @@ policy:
|
||||||
nsec3: {{ knot_dnssec_policy_nsec3 }}
|
nsec3: {{ knot_dnssec_policy_nsec3 }}
|
||||||
ksk-size: {{ knot_dnssec_policy_ksk_size }}
|
ksk-size: {{ knot_dnssec_policy_ksk_size }}
|
||||||
zsk-size: {{ knot_dnssec_policy_zsk_size }}
|
zsk-size: {{ knot_dnssec_policy_zsk_size }}
|
||||||
|
zsk-size: {{ knot_dnssec_policy_zsk_size }}
|
||||||
|
zsk-lifetime: {{ zone.zsk_lifetime | default(knot_dnssec_policy_zsk_lifetime) }}
|
||||||
|
ksk-lifetime: {{ zone.ksk_lifetime | default(knot_dnssec_policy_ksk_lifetime) }}
|
||||||
|
ksk-submission: submission-{{ zone.name }}
|
||||||
ksk-shared: {{ knot_dnssec_policy_ksk_shared }}
|
ksk-shared: {{ knot_dnssec_policy_ksk_shared }}
|
||||||
cds-cdnskey-publish: {{ knot_dnssec_policy_cds_publish }}
|
cds-cdnskey-publish: {{ knot_dnssec_policy_cds_publish }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
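Review bot: The id emitted by `- id: submission: {{ zone.name }}` in the new submission section does not match the reference `ksk-submission: submission-{{ zone.name }}` added in the policy hunk, and the stray `: ` makes the id itself malformed, so knotd will most likely reject the generated config; it should read `- id: submission-{{ zone.name }}`. The submission loop also iterates every zone, including ones without `parents` and ones this host does not master, leaving an empty `parent:` list — whether Knot accepts an empty parent list I cannot confirm from here, so consider emitting both the submission entry and the `ksk-submission` line only under `{% if zone.parents is defined %}`. The remote loop now also pulls in `zone.parents`, yet the TSIG lookup `'knot_tsig_key' in hostvars[remote]` assumes every parent is an inventory host; a parent given as a bare name would make that expression fail, which deserves either a comment stating the assumption or a guard.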