Hello Volker,
I have been using this setup for about two years now. You need:
zonefile-sync: -1
zonefile-load: difference-no-serial
serial-policy: unixtime
Maybe as a side effect of this setup, on some very rare occasions I had
to purge the journal for my zone after a knot upgrade. You find out
about this if you reload knot after the upgrade and it fails to load the
zone.
knotc -f zone-purge +journal <zone>
Best regards,
Daniel
On 20.01.19 20:31, Volker Janzen wrote:
Hi,
I want to use Ansible to deploy zone files to my Knot signer (hidden
master). The zone files should be generated from the Ansible playbook
data and will not contain any DNSSEC related information, just SOA, NS,
A, AAAA, TXT and MX records. I'd like to use Knot DNSSEC auto-signing. I
can stop the Knot process before deploying new zone files. I use
zonefile-load: difference in this case, as the DNSKEY / CDNSKEY / CDS
data should not be replaced with something new. Should this work for me,
or is there anything I'm missing, or is there even a better option?
Kind regards,
Volker
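The three settings from the reply above, placed in context as a complete knot.conf for an Ansible-managed, auto-signed hidden master. This is an added example, not configuration posted by either participant; the zone name, policy name, storage path and the choice of journal-content: all are assumptions, and the journal-purge step is recorded as a comment for the upgrade case the reply describes.

```yaml
# Added example, not from the thread. Assumed: zone example.com, policy name
# "ansible-auto", storage path /var/lib/knot/zones, journal-content: all.
server:
    listen: [ 127.0.0.1@53, ::1@53 ]   # hidden master: only local/transfer listeners

policy:
  - id: ansible-auto                   # assumed policy name
    algorithm: ecdsap256sha256
    zsk-lifetime: 30d                  # automatic ZSK rollover
    cds-cdnskey-publish: always        # keep CDS/CDNSKEY in the zone for the parent

template:
  - id: ansible-signed
    storage: /var/lib/knot/zones       # assumed path; Ansible deploys "<zone>.zone" here
    file: "%s.zone"
    dnssec-signing: on
    dnssec-policy: ansible-auto
    # Knot never writes the signed zone back into the file Ansible owns, so the
    # Ansible-generated file stays the unsigned source of truth.
    zonefile-sync: -1
    # Only the difference between the new file and the running zone is applied,
    # so DNSKEY/CDNSKEY/CDS records maintained by Knot survive a redeploy, and
    # the SOA serial in the file is ignored (Ansible need not bump it).
    zonefile-load: difference-no-serial
    # Knot derives the serial itself from the current Unix time on each change.
    serial-policy: unixtime
    # Assumption: with the file never updated, the journal is the only persistent
    # copy of the signed zone, so it holds the whole zone rather than deltas.
    journal-content: all
    # Operational notes (not config keys):
    #   after Ansible deploys a new file:  knotc zone-reload example.com
    #   if the zone fails to load after a Knot upgrade, drop the journal and
    #   let Knot re-sign from the file:   knotc -f zone-purge +journal example.com

zone:
  - domain: example.com                # assumed zone
    template: ansible-signed
```

With this layout the Ansible playbook only has to write the unsigned zone file and trigger a zone reload; the signing material, the serial and the CDS/CDNSKEY records live in Knot's journal and KASP database rather than in anything Ansible manages.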