Struct DNSSECSigningConfig 

pub struct DNSSECSigningConfig {
    pub enabled: bool,
    pub policy: Option<String>,
    pub algorithm: Option<String>,
    pub ksk_lifetime: Option<String>,
    pub zsk_lifetime: Option<String>,
    pub nsec3: Option<bool>,
    pub nsec3_salt: Option<String>,
    pub nsec3_iterations: Option<u32>,
    pub keys_from: Option<DNSSECKeySource>,
    pub auto_generate: Option<bool>,
    pub export_to_secret: Option<bool>,
}

DNSSEC zone signing configuration

Configures automatic DNSSEC key generation, zone signing, and key rotation. Uses BIND9’s modern dnssec-policy for declarative key management.

Key Management Options

1. User-Supplied Keys (Production): Keys managed externally via Secrets
2. Auto-Generated Keys (Dev/Test): BIND9 generates keys, operator backs up to Secrets
3. Persistent Storage (Legacy): Keys stored in PersistentVolume

Example

signing:
  enabled: true
  policy: "default"
  algorithm: "ECDSAP256SHA256"
  kskLifetime: "365d"
  zskLifetime: "90d"
  nsec3: true
  nsec3Iterations: 0

Fields

enabled: bool

Enable DNSSEC signing for zones

When true, zones will be automatically signed with DNSSEC. Keys are generated and managed according to the configured policy.

Default: false

policy: Option<String>

DNSSEC policy name

Name of the DNSSEC policy to apply. Built-in policies:

• "default" - Standard policy with ECDSA P-256, 365d KSK, 90d ZSK

Custom policies can be defined in future enhancements.

Default: "default"

algorithm: Option<String>

DNSSEC algorithm

Cryptographic algorithm for DNSSEC signing. Supported algorithms:

• "ECDSAP256SHA256" (13) - ECDSA P-256 with SHA-256 (recommended, fast)
• "ECDSAP384SHA384" (14) - ECDSA P-384 with SHA-384 (higher security)
• "RSASHA256" (8) - RSA with SHA-256 (widely compatible)

ECDSA algorithms are recommended for performance and smaller key sizes.

Default: "ECDSAP256SHA256"

ksk_lifetime: Option<String>

Key Signing Key (KSK) lifetime

Duration before KSK is rotated. Format: “365d”, “1y”, “8760h”

KSK signs the DNSKEY RRset and is published in the parent zone as a DS record. Longer lifetimes reduce DS update frequency but increase impact of key compromise.

Default: "365d" (1 year)

zsk_lifetime: Option<String>

Zone Signing Key (ZSK) lifetime

Duration before ZSK is rotated. Format: “90d”, “3m”, “2160h”

ZSK signs all other records in the zone. Shorter lifetimes improve security but increase signing overhead.

Default: "90d" (3 months)

nsec3: Option<bool>

Use NSEC3 instead of NSEC for authenticated denial of existence

NSEC3 hashes zone names to prevent zone enumeration attacks. Recommended for privacy-sensitive zones.

Default: false (use NSEC)

nsec3_salt: Option<String>

NSEC3 salt (hex string)

Salt value for NSEC3 hashing. If not specified, BIND9 auto-generates. Format: hex string (e.g., “AABBCCDD”)

Default: Auto-generated by BIND9

nsec3_iterations: Option<u32>

NSEC3 iterations

Number of hash iterations for NSEC3. RFC 9276 recommends 0 for performance.

Important: Higher values significantly impact query performance.

Default: 0 (per RFC 9276 recommendation)

keys_from: Option<DNSSECKeySource>

DNSSEC key source configuration

Specifies where DNSSEC keys come from:

• User-supplied Secret (recommended for production)
• Persistent storage (legacy)

If not specified and auto_generate is true, keys are generated in emptyDir and optionally backed up to Secrets.

auto_generate: Option<bool>

Auto-generate DNSSEC keys if no keys_from specified

When true, BIND9 generates keys automatically using the configured policy. Recommended for development and testing.

Default: true

export_to_secret: Option<bool>

Export auto-generated keys to Secret for backup/restore

When true, operator exports BIND9-generated keys to a Kubernetes Secret. Enables self-healing: keys are restored from Secret on pod restart.

Secret name format: dnssec-keys-<zone-name>-generated

Default: true

Trait Implementations

impl Clone for DNSSECSigningConfig

fn clone(&self) -> DNSSECSigningConfig

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for DNSSECSigningConfig

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for DNSSECSigningConfig

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl JsonSchema for DNSSECSigningConfig

fn schema_name() -> Cow<'static, str>

The name of the generated JSON Schema.

fn schema_id() -> Cow<'static, str>

Returns a string that uniquely identifies the schema produced by this type.

fn json_schema(generator: &mut SchemaGenerator) -> Schema

Generates a JSON Schema for this type.

fn inline_schema() -> bool

Whether JSON Schemas generated for this type should be included directly in parent schemas, rather than being re-used where possible using the $ref keyword.

impl PartialEq for DNSSECSigningConfig

fn eq(&self, other: &DNSSECSigningConfig) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for DNSSECSigningConfig

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.

impl StructuralPartialEq for DNSSECSigningConfig