Add KSK and ZSK size to config.ini

config.ini.sample

@@ -31,6 +31,17 @@ ksk_validity=366
 # Valid algorithms are RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384.
 algorithm=RSASHA256
 
+# Size of the created KSK. Only the first created KSK of a zone will use this size.
+# Any renewed key will use the exact same parameters (name, algorithm, size, and type)
+# as the renewed key.
+ksk_size=2024
+
+# Size of the created ZSK. Only the first created ZSK of a zone will use this size.
+# Any renewed key will use the exact same parameters (name, algorithm, size, and type)
+# as the renewed key.
+ksk_size=1024
+
+
 [path]
 
 # path to the dnssec-settime binary

dnssec_keys_management.py

@@ -416,9 +416,9 @@ class Key(object):
         path = os.path.join(BASE, name)
         cmd = [DNSSEC_KEYGEN, "-a", ALGORITHM]
         if typ == "KSK":
-            cmd.extend(["-b", "2048", "-f", "KSK"])
+            cmd.extend(["-b", KSK_SIZE, "-f", "KSK"])
         elif typ == "ZSK":
-            cmd.extend(["-b", "1024"])
+            cmd.extend(["-b", ZSK_SIZE])
         else:
             raise ValueError("typ must be KSK or ZSK")
         cmd.extend(options)
@@ -701,6 +701,12 @@ if __name__ == '__main__':
                         "Supported algorithms are %s" % (ALGORITHM, ", ".join(SUPPORTED_ALGORITHMS))
                     )
 
+            if config_parser.has_option("dnssec", "zsk_size"):
+                ZSK_SIZE = config_parser.get("dnssec", "zsk_size")
+
+            if config_parser.has_option("dnssec", "ksk_size"):
+                KSK_SIZE = config_parser.get("dnssec", "ksk_size")
+
         if config_parser.has_section("path"):
             if config_parser.has_option("path", "dnssec_settime"):
                 DNSSEC_SETTIME = config_parser.get("path", "dnssec_settime")