diff --git a/roles/dns/master/tasks/main.yml b/roles/dns/master/tasks/main.yml
index 8573dad..d65c3c1 100644
--- a/roles/dns/master/tasks/main.yml
+++ b/roles/dns/master/tasks/main.yml
@@ -33,24 +33,6 @@
     group: root
     mode: u=rwx,g=rx,o=
 
-- name: Determine if keys are generated already
-  find:
-    paths: "{{ keys_directory }}"
-    patterns: "K{{ domain }}.+*+*"
-  register: keys_found
-
-- name: Generate key signing key for zone {{ domain }}
-  command: >-
-    dnssec-keygen
-    -f KSK
-    -3
-    -a {{ dnssec_algorithm | quote }}
-    -b {{ dnssec_key_length | quote }}
-    -n ZONE {{ domain | quote }}
-  args:
-    chdir: "{{ keys_directory }}"
-  when: keys_found.matched < 2
-
 # TODO Copy public ZSK to localhost
 
 - name: Store main database of zone {{ domain }}
diff --git a/roles/dns/master/templates/zone.conf b/roles/dns/master/templates/zone.conf
index 074ab0d..3f49024 100644
--- a/roles/dns/master/templates/zone.conf
+++ b/roles/dns/master/templates/zone.conf
@@ -1,10 +1,27 @@
+dnssec-policy "{{ domain }}-policy" {
+    keys {
+        ksk key-directory lifetime unlimited algorithm {{ dnssec_algorithm }} {{ dnssec_key_length }};
+        zsk key-directory lifetime P30D algorithm {{ dnssec_algorithm }} {{ dnssec_key_length }};
+    };
+    publish-safety P1D;
+    retire-safety P1D;
+    signatures-refresh P5D;
+    signatures-validity P10D;
+    signatures-validity-dnskey P10D;
+    max-zone-ttl PT24H;
+    zone-propagation-delay PT5M;
+    parent-ds-ttl P1D;
+    parent-propagation-delay PT1H;
+    parent-registration-delay P5D;
+};
+
 zone "{{ domain }}" {
     type master;
     file "{{ database_file }}";
     key-directory "{{ keys_directory }}";
     // dnssec
     inline-signing yes;
-    auto-dnssec maintain;
+    dnssec-policy "{{ domain }}-policy";
     // notify & transfer
     notify yes;
     allow-transfer {
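Review bot: The `ksk key-directory lifetime unlimited ...` line means named will never roll the KSK on its own, so the `parent-ds-ttl`, `parent-propagation-delay` and `parent-registration-delay` timers below it only matter if someone starts a rollover by hand; a comment such as `// KSK is never rolled automatically; parent-* timers only apply to a manually started rollover` above the `keys {` block would keep the policy from being read as an automatic schedule. With `dnssec-policy` in place named generates and retires the ZSK itself every P30D, which presumably requires the named user to be able to write to `{{ keys_directory }}`; the directory task in the main.yml hunk sets `group: root` and `mode: u=rwx,g=rx,o=`, and its owner line is outside the hunk, so that should be confirmed. Any keys left behind by the removed `dnssec-keygen` task are, as far as I can tell, adopted by the policy only when their algorithm and length match `{{ dnssec_algorithm }}`/`{{ dnssec_key_length }}`; a mismatch would likely start an algorithm rollover rather than reuse them, which is worth a sentence in the role's documentation.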