Config for DNSSEC zones with ksk-submission gets redundant and bloated
When you have a lot of zones where you want to do automatic ksk-submission checks, the configuration gets redundant very quickly:
```yaml
policy:
  - id: rsa-de
    algorithm: RSASHA256
    ksk-size: 2048
    zsk-size: 1024
    ksk-submission: tld_de
  - id: rsa-xyz
    algorithm: RSASHA256
    ksk-size: 2048
    zsk-size: 1024
    ksk-submission: tld_xyz
  - id: ecdsap256
    algorithm: ecdsap256sha256
    ksk-submission: tld_de
  - id: ecdsap256-de
    algorithm: ecdsap256sha256
    ksk-submission: tld_de
  - id: ecdsap256-xyz
    algorithm: ecdsap256sha256
    ksk-submission: tld_xyz

template:
  - id: slave-dnssec-ecdsap256-de
    storage: "/var/lib/knot/slave"
    file: "%s.zone"
    zonefile-load: difference
    dnssec-signing: on
    dnssec-policy: ecdsap256-de
    master: ns1_signer
    notify: ns1
    acl: acl_ns1
  - id: slave-dnssec-ecdsap256-xyz
    storage: "/var/lib/knot/slave"
    file: "%s.zone"
    zonefile-load: difference
    dnssec-signing: on
    dnssec-policy: ecdsap256-xyz
    master: ns1_signer
    notify: ns1
    acl: acl_ns1
  - id: slave-dnssec-rsa-de
    storage: "/var/lib/knot/slave"
    file: "%s.zone"
    zonefile-load: difference
    dnssec-signing: on
    dnssec-policy: rsa-de
    master: ns1_signer
    notify: ns1
    acl: acl_ns1
  - id: slave-dnssec-rsa-xyz
    storage: "/var/lib/knot/slave"
    file: "%s.zone"
    zonefile-load: difference
    dnssec-signing: on
    dnssec-policy: rsa-xyz
    master: ns1_signer
    notify: ns1
    acl: acl_ns1
```
And that is only for two TLDs with two algorithms. I could generate this part of the configuration automatically with Ansible or something like it, but maybe it might be possible to make this easier in the configuration itself.

Maybe it would be okay to have the ksk-submission statement directly in the zone/template? I'm open to other ideas as well.
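A generator for the TLD-by-algorithm matrix the issue describes, as an added example that is not part of the issue or of Knot's own code. The section names, keys and values are those quoted above; the helper names (`ALGORITHMS`, `TLDS`, `build_sections`, `render_config`, `duplicate_policies`) are this example's own, and the duplicate check flags policies that differ only in `id`, such as `ecdsap256` and `ecdsap256-de` above.

```python
from itertools import product

# Constructed inputs: the two algorithms and two TLDs from the issue.
ALGORITHMS = {
    "rsa": {"algorithm": "RSASHA256", "ksk-size": "2048", "zsk-size": "1024"},
    "ecdsap256": {"algorithm": "ecdsap256sha256"},
}
TLDS = {"de": "tld_de", "xyz": "tld_xyz"}  # TLD suffix -> ksk-submission id

# Template keys that are the same for every zone in the quoted config.
TEMPLATE_HEAD = {"storage": '"/var/lib/knot/slave"', "file": '"%s.zone"',
                 "zonefile-load": "difference", "dnssec-signing": "on"}
TEMPLATE_TAIL = {"master": "ns1_signer", "notify": "ns1", "acl": "acl_ns1"}


def build_sections(algorithms=ALGORITHMS, tlds=TLDS):
    """Return (policies, templates): one pair per (algorithm, TLD) combination."""
    policies, templates = [], []
    for alg, tld in product(algorithms, tlds):
        pid = f"{alg}-{tld}"
        policies.append({"id": pid, **algorithms[alg], "ksk-submission": tlds[tld]})
        templates.append({"id": f"slave-dnssec-{pid}", **TEMPLATE_HEAD,
                          "dnssec-policy": pid, **TEMPLATE_TAIL})
    return policies, templates


def render_section(name, items):
    """Render one Knot config section; the first key of each item gets the '- '."""
    lines = [f"{name}:"]
    for item in items:
        for n, (key, value) in enumerate(item.items()):
            lines.append(f"{'  - ' if n == 0 else '    '}{key}: {value}")
    return "\n".join(lines)


def render_config(algorithms=ALGORITHMS, tlds=TLDS):
    policies, templates = build_sections(algorithms, tlds)
    return render_section("policy", policies) + "\n\n" + render_section("template", templates) + "\n"


def duplicate_policies(policies):
    """Group policy ids whose settings are identical apart from the id.

    Each such group signs zones identically, so all but one entry is pure bloat."""
    seen = {}
    for p in policies:
        key = tuple(sorted((k, v) for k, v in p.items() if k != "id"))
        seen.setdefault(key, []).append(p["id"])
    return [ids for ids in seen.values() if len(ids) > 1]


if __name__ == "__main__":
    print(render_config(), end="")
```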