# {{ ansible_managed }}
# See knot.conf(5) or refer to the server documentation.

server:
    rundir: "/rundir"
    user: knot:knot
    # ACLs are derived from the configured remotes instead of explicit acl
    # entries, so every remote added below widens what peers may do.
    automatic-acl: on
    # One listen entry per address Ansible discovered on the host. This also
    # covers addresses on management or internal interfaces; narrow the list
    # if not every interface should answer DNS.
    # The "-" in the opening tag strips the newline and indentation after it,
    # so the indentation in front of the tags is what indents each entry.
    {% for i in (ansible_all_ipv4_addresses + ansible_all_ipv6_addresses) -%}
    listen: "{{ i }}"
    {% endfor %}
    {# listen: [ "{{ ansible_default_ipv4.address }}@53", "{{ ansible_default_ipv6.address }}@53" ] #}

log:
  - target: stderr
    any: info

database:
    storage: "/storage"

# TSIG key. The secret is intentionally blank in this template: supply the
# real base64 value from a secret store (for example Ansible Vault) at deploy
# time and keep it out of version control.
# NOTE(review): no remote or acl in this file references this key, so it does
# not authenticate anything yet - confirm where it is meant to be used.
key:
  - id: auth-dns.hamburg.ccc.de
    algorithm: hmac-sha512
    secret: ""

remote:
  - id: quad9
    address: "2620:fe::fe"

# Define how the presence of the KSK's DS record at the parent is checked.
# In this case we just ask quad9, which is an open resolver.
# NOTE(review): a single third-party resolver is the only evidence used to
# continue a KSK rollover; consider adding further parents (all listed
# parents must agree) if that trust is too thin.
submission:
  - id: default
    parent: quad9
    parent-delay: 1h

# Define how DNSSEC signing is done.
# Nothing special here; this only teaches knot how to check for KSK presence.
# NSEC3 with an empty salt follows the RFC 9276 guidance.
policy:
  - id: default
    ksk-submission: default
    nsec3: true
    nsec3-salt-length: 0

# Define default settings that apply to all zones.
# The zone file is read as input only: knot never writes it back
# (zonefile-sync: -1), manages the SOA serial itself
# (difference-no-serial) and keeps the full zone in the journal.
# Every zone using this template is a member of the catalog zone named below.
# NOTE(review): that catalog zone is not defined in the zone section visible
# in this template.
template:
  - id: default
    storage: "/config/zones"
    file: "%s.zone"
    semantic-checks: on
    zonefile-sync: -1
    zonefile-load: difference-no-serial
    journal-content: all
    default-ttl: 60
    catalog-role: member
    catalog-zone: hamburg.ccc.de.catalog.
    dnssec-signing: on
    dnssec-policy: default
    {# notify: ["ns1.hanse.de", "ns.bsd.network."] #}

  # Template with no settings of its own; DNSSEC signing is not enabled here.
  - id: minimal
    {# notify: ["ns1.hanse.de", "ns.bsd.network."] #}

# All zone entries are currently disabled via Jinja comments.
zone:
  {# - domain: onsite.eurofurence.catalog. #}
    {# template: minimal #}
    {# catalog-role: generate #}
  {# - domain: "onsite.eurofurence.org" #}