From 3541c68357d2e8367714b414a9ac6d828670ba2b Mon Sep 17 00:00:00 2001
From: lilly
Date: Tue, 19 May 2026 11:01:51 +0200
Subject: [PATCH] disable dnssec for catalog zones on auth-dns
Catalog zones are not real zones in the DNS hierarchy and don't
have a parent zone. Therefore they will never have a valid DNSSEC
delegation so we should skip signing those zones.
---
roles/knot/templates/knot.conf.j2 | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/roles/knot/templates/knot.conf.j2 b/roles/knot/templates/knot.conf.j2
index c661e25..45a0f8d 100644
--- a/roles/knot/templates/knot.conf.j2
+++ b/roles/knot/templates/knot.conf.j2
@@ -67,8 +67,7 @@ template:
# template for automatically created special zones
- id: catalog
catalog-role: generate
- dnssec-signing: on
- dnssec-policy: default
+ dnssec-signing: off
# define zones on this server
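Review bot: The new `dnssec-signing: off` line in the `catalog` template has no comment saying why this one template is left unsigned, so a later reader may take it for an oversight and switch signing back on. I would carry the commit's reasoning into the template, for example `# catalog zones have no parent delegation, so a DNSSEC chain of trust can never validate; do not sign`. With signing removed, the integrity of the catalog on the secondaries presumably rests on the zone transfer being authenticated (a TSIG key and ACL covering the catalog zone). That configuration is not visible in this hunk, so it is worth confirming in the rest of knot.conf.j2, which lies outside the lines shown.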