dns/master: Configured dnssec-policy for automatic KASP

4 years ago · 0232319ccd
parent ab39f9337e
commit 0232319ccd
2 changed files with 18 additions and 19 deletions
--- a/roles/dns/master/tasks/main.yml
+++ b/roles/dns/master/tasks/main.yml
@ -33,24 +33,6 @@
    group: root
    mode: u=rwx,g=rx,o=

- name: Determine if keys are generated already
-  find:
-    paths: "{{ keys_directory }}"
-    patterns: "K{{ domain }}.+*+*"
-  register: keys_found
-
- name: Generate key signing key for zone {{ domain }}
-  command: >-
-    dnssec-keygen
-    -f KSK
-    -3
-    -a {{ dnssec_algorithm | quote }}
-    -b {{ dnssec_key_length | quote }}
-    -n ZONE {{ domain | quote }}
-  args:
-    chdir: "{{ keys_directory }}"
-  when: keys_found.matched < 2
-
 # TODO Copy public ZSK to localhost

 - name: Store main database of zone {{ domain }}
--- a/roles/dns/master/templates/zone.conf
+++ b/roles/dns/master/templates/zone.conf
@ -1,10 +1,27 @@
+dnssec-policy "{{ domain }}-policy" {
+  keys {
+    ksk key-directory lifetime unlimited algorithm {{ dnssec_algorithm }} {{ dnssec_key_length }};
+    zsk key-directory lifetime P30D algorithm {{ dnssec_algorithm }} {{ dnssec_key_length }};
+  };
+  publish-safety P1D;
+  retire-safety P1D;
+  signatures-refresh P5D;
+  signatures-validity P10D;
+  signatures-validity-dnskey P10D;
+  max-zone-ttl PT24H;
+  zone-propagation-delay PT5M;
+  parent-ds-ttl P1D;
+  parent-propagation-delay PT1H;
+  parent-registration-delay P5D;
+};
+
 zone "{{ domain }}" {
  type master;
  file "{{ database_file }}";
  key-directory "{{ keys_directory }}";
  // dnssec
  inline-signing yes;
-  auto-dnssec maintain;
+  dnssec-policy "{{ domain }}-policy";
  // notify & transfer
  notify yes;
  allow-transfer {