From c8c5313ecfe8958819509a00528b1eb27a415bbd Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 22 Feb 2022 11:30:39 +0100 Subject: ... --- hosts/surtr/dns/default.nix | 24 +++++++++++++++++++++++- hosts/surtr/dns/keys/knot_local_key.yaml | 26 ++++++++++++++++++++++++++ 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 hosts/surtr/dns/keys/knot_local_key.yaml (limited to 'hosts/surtr/dns') diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index 5f69c350..695ac292 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix @@ -25,6 +25,7 @@ in { enable = true; keyFiles = [ config.sops.secrets."rheperire.org_acme_key.yaml".path + config.sops.secrets."knot_local_key.yaml".path ]; extraConfig = '' server: @@ -38,6 +39,9 @@ in { address: 185.181.104.96@53 - id: recursive address: ::1@5353 + - id: local + address: ::1@53 + key: local_key acl: - id: inwx_acl @@ -46,6 +50,10 @@ in { - id: rheperire.org_acme_acl key: rheperire.org_acme_key action: update + - id: local_acl + key: local_key + action: update + update-type: DS mod-rrl: - id: default @@ -75,6 +83,15 @@ in { ksk-lifetime: 360d signing-threads: 2 ksk-submission: validating-resolver + - id: ed25519_local-push + algorithm: ed25519 + nsec3: on + nsec3-iterations: 0 + ksk-lifetime: 360d + signing-threads: 2 + ksk-submission: validating-resolver + cds-cdnskey-publish: none + ds-push: [local] template: - id: default @@ -98,7 +115,7 @@ in { journal-content: all semantic-checks: on dnssec-signing: on - dnssec-policy: ed25519 + dnssec-policy: ed25519_local-push zone: - domain: yggdrasil.li @@ -145,6 +162,11 @@ in { owner = "knot"; sopsFile = ./keys/rheperire.org_acme.yaml; }; + "knot_local_key.yaml" = { + format = "binary"; + owner = "knot"; + sopsFile = ./keys/local_key.yaml; + }; }; diff --git a/hosts/surtr/dns/keys/knot_local_key.yaml b/hosts/surtr/dns/keys/knot_local_key.yaml new file mode 100644 index 00000000..a170ff72 --- /dev/null +++ b/hosts/surtr/dns/keys/knot_local_key.yaml @@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:kSTzSFxJhKHPlAfdDT04v88yha8cIagAZZ3hJKqKrfB5tHi5Ek2Yzz/qndvjyBHb3B2PbbeVOUGuNXdZziJYpT0rdwK9vTGnxkaZS1cw0jKf9p/CLRAi3bDgCUti4oPjtQDh5Jj8gDokRs3u6SthaBcz2tZOqDyjKfWWzGlIMtRfSnx7KjgX2Anrhf2/B7vr2Van9XhMTTFiacLpYjZUXeo7v6ZOb49G2b+XxzxrYrY=,iv:b5DeWUu+BpvxhYrKBxpr6m+Ivz+1oLPY5sTZYq6GsJA=,tag:Tvb6w/8Qbro3I7MZ97HKlA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-02-22T10:29:34Z", + "mac": "ENC[AES256_GCM,data:wBzMMSuaNfITvC42rOCWznMCATwjLrz66h+0QURoJONGw/GMVejkdQ+F9s0UFz7PyVKPAxWgSC4Km+ve9nX2c+f1lGyo4YpWDYKtVlZuUd7/Alf1ctl4epZLZihZVc0XLRNgH/Th7D4c+7WyHi8XT1l/AHmbixG4Jxwh8/b0TIY=,iv:vTs3qIMHLIt39RSze3YRkJUkuOUganvtIs90qsXekcc=,tag:EaVQq7DyPvM1CufOtrFDsw==,type:str]", + "pgp": [ + { + "created_at": "2022-02-22T10:29:34Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAqtTjcOaobAeRPtdIlgNBWcHMyJjWoeDdXI/s/Um0lX4w\nIe0pVT/t8t5vakDey0Mu6uTZOM64UKFyH2mTJCOWtbf96tI1ML+03bJGrKNTKEKU\n0l4BTRKRJwKrnjST0/NBc6YwBYfBeKoStoh60aBm072JlWS5/SprDysqMa9xpSxy\npz9HuF5g3/slPaeohUCh8457LtdQgLzZDBbpOWHwpU55Oix+518qAEZ5AspdnHHe\n=8Y8Z\n-----END PGP MESSAGE-----\n", + "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" + }, + { + "created_at": "2022-02-22T10:29:34Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAk0ne1fjj2mV1P+4GDfDE/1SuyvWJ6sqKjkfYgdneNEIw\ns1qLAQzboXcMm073fV/XiegSP4AVL5sa6TOy+ajHGedOk2AkTBa9dYj0QJLJAxxW\n0l4BJdS01hYhj51x2CjAMan37oDZaoNr1Z9V6SPxfnLIs74kPZuAWT9U5YvoD8bj\nwEPGgvJOHPSQbmKpRXsd7MIHxRAe2PEsTGujd6CEv+ZAfjG95EpW5P6Aie73ZZE+\n=1kB3\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } +} \ No newline at end of file -- cgit v1.2.3