enable auth-dns role to actually configure useful zones

2026-04-30 22:53:07 +02:00 · 2026-04-30 22:53:07 +02:00 · f61640ec39
commit f61640ec39
parent c45fbaedda
7 changed files with 175 additions and 14 deletions
--- a/roles/auth-dns/templates/knot.conf.j2
+++ b/roles/auth-dns/templates/knot.conf.j2
@ -15,13 +15,21 @@ database:
    storage: "/var/lib/knot"

 key:
-  - id: auth-dns.hamburg.ccc.de
+  - id: {{ knot__dnssec_key_id }}
    algorithm: hmac-sha512
-    secret: ""
+    secret: "{{ knot__dnssec_key_secret }}"

 remote:
+  # static, external and public remote used for DNSSEC KSK checking
  - id: quad9
    address: "2620:fe::fe"
+  {% if knot__remotes -%}
+  # additional remotes used in the config
+  {% for i_remote in knot__remotes -%}
+  - id: "{{ i_remote.id }}"
+    address: [ {% for i_addr in i_remote.address %}"{{ i_addr}}"{% if not loop.last %},{% endif %} {% endfor %} ]
+  {% endfor %}
+  {% endif %}

 # define how the presence of parent KSK keys is checked
 # in this case, we just ask quad9 which is an open resolver
@ -31,7 +39,7 @@ submission:
    parent-delay: 1h

 # define how dnssec signing is done
-# in this case we don't do anything special but teach knot how to check of KSK presence
+# in this case we don't do anything special but teach knot how to check for KSK presence
 policy:
  - id: default
    ksk-submission: default
@ -40,25 +48,48 @@ policy:

 # define default settings that apply to all zones
 template:
+  # template for general-purpose user zones
  - id: default
    storage: "/etc/knot/zones"
    file: "%s.zone"
    semantic-checks: on
    zonefile-sync: -1
    zonefile-load: difference-no-serial
+    serial-policy: dateserial
    journal-content: all
-    default-ttl: 60
-    catalog-role: member
-    catalog-zone: hamburg.ccc.de.catalog.
+    default-ttl: 7200
    dnssec-signing: on
    dnssec-policy: default
-    {# notify: ["ns1.hanse.de", "ns.bsd.network."] #}

-  - id: minimal
-    {# notify: ["ns1.hanse.de", "ns.bsd.network."] #}
+    {# catalog-role: member #}
+    {# catalog-zone: hamburg.ccc.de.catalog. #}

+  # template for automatically created special zones
+  - id: catalog
+    catalog-role: generate
+    dnssec-signing: on
+    dnssec-policy: default
+
+
+# define zones on this server
+# See https://www.knot-dns.cz/docs/3.4/html/reference.html#zone-section
 zone:
-  {# - domain: onsite.eurofurence.catalog. #}
-    {# template: minimal #}
-    {# catalog-role: generate #}
+  # catalog zones
+  {% for i_zone in knot__catalog_zones -%}
+  - domain: "{{ i_zone.domain }}"
+    template: catalog
+    notify: [ {% for i_notif in i_zone.notify_targets | default([]) %}"{{ i_notif }}"{% if not loop.last %}, {% endif %}{% endfor %} ]
+  {% endfor %}
+
+  # normal zones
+  {% for i_zone in knot__zones -%}
+  - domain: "{{ i_zone.domain }}"
+    template: default
+    notify: [ {% for i_notif in i_zone.notify_targets | default([]) %}"{{ i_notif }}"{% if not loop.last %}, {% endif %}{% endfor %} ]
+    {% if i_zone.catalog_member | default(False) -%}
+    catalog-role: member
+    catalog-zone: "{{ i_zone.catalog_member }}"
+    {% endif %}
+  {% endfor %}
+
  {# - domain: "onsite.eurofurence.org" #}