Add support for configuring ZSK and KSK rollovers, including submission checks

This commit is contained in:
s3lph 2021-09-29 23:17:38 +02:00
parent 9402eee1c1
commit a9be647f84
2 changed files with 23 additions and 2 deletions

View file

@ -21,7 +21,12 @@ knot_zone_dnssec_signing: 'on'
knot_dnssec_policy_algorithm: ecdsap384sha384
knot_dnssec_policy_nsec3: 'on'
knot_dnssec_policy_ksk_shared: 'on'
knot_dnssec_policy_ksk_shared: 'off'
knot_dnssec_policy_ksk_size: 384
knot_dnssec_policy_zsk_size: 384
knot_dnssec_policy_zsk_lifetime: 30d
knot_dnssec_policy_ksk_lifetime: 0
knot_dnssec_policy_cds_publish: 'double-ds'
knot_dnssec_submission_check_interval: 1h
knot_dnssec_submission_timeout: 0

View file

@ -35,7 +35,7 @@ key:
remote:
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='parents') | select('defined') ) ) | flatten | unique %}
- id: remote-{{ remote }}
{% if knot_tsig_key is defined and 'knot_tsig_key' in hostvars[remote] %}
@ -84,6 +84,18 @@ acl:
# MASTER ZONES
#
submission:
{% for zone in zones %}
- id: submission: {{ zone.name }}
check-interval: {{ knot_dnssec_submission_check_interval }}
timeout: {{ knot_dnssec_submission_timeout }}
parent:
{% for parent in zone.parents | default([]) %}
- {{ parent }}
{% endfor %}
{% endfor %}
policy:
{% for zone in zones %}
{% if inventory_hostname in zone.masters %}
@ -93,6 +105,10 @@ policy:
nsec3: {{ knot_dnssec_policy_nsec3 }}
ksk-size: {{ knot_dnssec_policy_ksk_size }}
zsk-size: {{ knot_dnssec_policy_zsk_size }}
zsk-size: {{ knot_dnssec_policy_zsk_size }}
zsk-lifetime: {{ zone.zsk_lifetime | default(knot_dnssec_policy_zsk_lifetime) }}
ksk-lifetime: {{ zone.ksk_lifetime | default(knot_dnssec_policy_ksk_lifetime) }}
ksk-submission: submission-{{ zone.name }}
ksk-shared: {{ knot_dnssec_policy_ksk_shared }}
cds-cdnskey-publish: {{ knot_dnssec_policy_cds_publish }}
{% endif %}