---

# Optional: Override nameserver identity and NSID
knot_server_identity: ns2.example.org
knot_server_nsid: ns2.example.org

# Mandatory for replicated setup: Addresses under which the nameserver
# is reachable
knot_dns_addresses:
  - "2001:db8:42::2"
  - "10.42.0.2"

# Optional for replicated setup: TSIG keys for notify/xfer/update.  If
# not present, ACL will use knot_dns_addresses instead...
# THIS REEEAAAALLY SHOULD GO INTO A VAULT-ENCRYPTED FILE
knot_tsig_key:
  name: tsig.ns2.example.org.
  algorithm: hmac-sha384
  secret: poAeCzXByHLuuHjDfLceKmlUWFD+08p8QfV0ikXMBn0qTSJEXnBaDUupaG8aRS8M
# Change other host specific options here

# knot 2.7 in Debian stable doesn't know double-ds yet
knot_dnssec_policy_cds_publish: always