---
# Default variables for deploying a Knot DNS server with DNSSEC signing.
# NOTE(review): presumably an Ansible role defaults file - confirm.

# Package repository ------------------------------------------------------
# The upstream repository is switched off by default.
# NOTE(review): how the repository signing key is fetched and pinned is not
# visible here - confirm in the tasks that consume these variables.
knot_repository_install: false
knot_repository_url: https://deb.knot-dns.cz/knot/
knot_repository_distribution: "{{ ansible_facts.distribution_release }}"

# Server process and identity ---------------------------------------------
knot_server_rundir: /run/knot
knot_server_user: knot
knot_server_group: knot

# identity, nsid and version all default to the host's hostname fact.
# NOTE(review): if these are rendered into Knot's server `identity`, `nsid`
# and `version` options, the hostname is handed to any client that asks for
# it. Using the hostname as `version` keeps the Knot release out of answers
# but still names the host - confirm that trade-off is intended.
knot_server_identity: "{{ ansible_facts.hostname }}"
knot_server_nsid: "{{ ansible_facts.hostname }}"
knot_server_version: "{{ ansible_facts.hostname }}"

# Wildcard IPv6 and IPv4 addresses on port 53 (Knot `address@port` syntax).
# Override with explicit addresses on hosts that must not answer on every
# interface.
knot_server_listen:
  - "::@53"
  - "0.0.0.0@53"

# Logging -----------------------------------------------------------------
knot_log_targets:
  - target: syslog
    level: info

# Zone storage and defaults -----------------------------------------------
knot_zone_master_storage_path: /var/lib/knot/master
knot_zone_replica_storage_path: /var/lib/knot/replica

# 'on' / 'off' stay quoted so YAML 1.1 loaders keep them as strings instead
# of converting them to booleans.
knot_zone_semantic_checks: 'on'
knot_zone_dnssec_signing: 'on'

# DNSSEC policy -----------------------------------------------------------
knot_dnssec_policy_algorithm: ed25519
knot_dnssec_policy_nsec3: 'on'
# Use of a NSEC3 salt is discouraged by RFC 9276, section 3.1
knot_dnssec_policy_nsec3_salt_length: 0
knot_dnssec_policy_ksk_shared: 'off'
# 256 matches the fixed key length of the ed25519 algorithm chosen above.
knot_dnssec_policy_ksk_size: 256
knot_dnssec_policy_zsk_size: 256
knot_dnssec_policy_zsk_lifetime: 30d
# NOTE(review): in Knot's policy section a KSK lifetime of 0 means the KSK is
# never rolled automatically; presumably the same applies here - confirm
# against the template.
knot_dnssec_policy_ksk_lifetime: 0
# double-ds breaks algorithm rollovers: https://gitlab.nic.cz/knot/knot-dns/-/issues/804
knot_dnssec_policy_cds_publish: 'always'
knot_dnssec_policy_propagation_delay: 1h

# KSK submission checks ---------------------------------------------------
knot_dnssec_submission_check_interval: 1h
# NOTE(review): in Knot's submission section a timeout of 0 means a KSK
# submission is never assumed successful without a positive parent check;
# presumably the same applies here - confirm against the template.
knot_dnssec_submission_timeout: 0