From b1795f2e767ded33c80a3341ec506d2188cd5996 Mon Sep 17 00:00:00 2001
From: s3lph
Date: Tue, 4 Apr 2023 20:46:54 +0200
Subject: [PATCH] Add support for on-secondary signing

---
 galaxy.yml | 4 ++--
 roles/knot/templates/etc/knot/knot.conf.j2 | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/galaxy.yml b/galaxy.yml
index 79f47d2..464f8aa 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -7,7 +7,7 @@ namespace: s3lph
 name: nameserver
 # The version of the collection. Must be compatible with semantic versioning
-version: "0.3.4"
+version: "0.3.5"
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md
@@ -15,7 +15,7 @@ readme: README.md
 # A list of the collection's content authors. Can be just the name or in the format 'Full Name (url)
 # @nicks:irc/im.site#channel'
 authors:
-- s3lph
+- s3lph <1375407-s3lph@users.noreply.gitlab.com>
 ### OPTIONAL but strongly recommended
diff --git a/roles/knot/templates/etc/knot/knot.conf.j2 b/roles/knot/templates/etc/knot/knot.conf.j2
index bfb197e..3b931a7 100644
--- a/roles/knot/templates/etc/knot/knot.conf.j2
+++ b/roles/knot/templates/etc/knot/knot.conf.j2
@@ -100,7 +100,7 @@ submission:
 policy:
 {% for zone in zones %}
-{% if inventory_hostname in zone.masters %}
+{% if inventory_hostname in zone.masters or (inventory_hostname in zone.replicas and zone.sign_on_secondary | default(false)) %}
 - id: dnssec-{{ zone.name }}
 algorithm: {{ zone.algorithm | default(knot_dnssec_policy_algorithm) }}
@@ -161,6 +161,10 @@ zone:
 {% for master in zone.masters %}
 master: remote-{{ master }}
 {% endfor %}
+{% if zone.sign_on_secondary | default(false) %}
+ dnssec-signing: {{ knot_zone_dnssec_signing }}
+ dnssec-policy: dnssec-{{ zone.name }}
+{% endif %}
 {% endif %}
 {% endfor %}
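Review bot: The new policy condition dereferences `zone.replicas` for every zone, so if `replicas` is an optional key in the zone schema (not visible here), a zone that omits it aborts the whole template render with an undefined-variable error instead of simply having no replicas; `masters` was already dereferenced unconditionally on the old line, so only the new operand needs a guard. The safer form is `{% if inventory_hostname in zone.masters or (inventory_hostname in zone.replicas | default([]) and zone.sign_on_secondary | default(false)) %}`, since the filter binds before `in`. The `{% if %}` opened here closes outside the hunk.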
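Review bot: The added `{% if zone.sign_on_secondary | default(false) %}` block turns on `dnssec-signing` for every host that reaches this replica branch, so a zone with more than one entry in `zone.replicas` would be signed independently on each replica, each with its own key set; unless keys are synchronised out of band, validating resolvers would see DNSKEY/RRSIG sets that differ depending on which secondary answered, and the DS at the parent can match only one of them. Consider gating both this block and the matching policy entry on a single designated signing host (for example a new per-zone value naming that host) rather than on membership in `zone.replicas`, or state a one-signing-replica constraint in the role documentation. The primary-side branch for the same zone lies outside the hunk; it is worth confirming it does not also emit `dnssec-signing` when `sign_on_secondary` is set, so the zone is not signed at both ends. The enclosing `{% if %}` that selects the replica branch starts before the hunk.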