--- # Optional: Override nameserver identity and NSID knot_server_identity: ns1.example.org knot_server_nsid: ns1.example.org # Mandatory for replicated setup: Addresses under which the nameserver # is reachable knot_dns_addresses: - "2001:db8:42::1" - "10.42.0.1" # Optional for replicated setup: TSIG keys for notify/xfer/update. If # not present, ACL will use knot_dns_addresses instead... # THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE knot_tsig_key: name: tsig.ns1.example.org. algorithm: hmac-sha384 secret: pZxgYlANxwWscfrZz4sdi6mQUlWFWlhUO/y7wjSJ6qdcXXGTaAxtwlaHWYYhJfTN # Change other host specific options here # knot 2.7 in Debian stable doesn't know double-ds yet knot_dnssec_policy_cds_publish: always