Add another dnssec policy, use it

author David Blacka <david@blacka.com>

Sun, 26 Feb 2023 14:59:43 +0000 (09:59 -0500)

committer David Blacka <david@blacka.com>

Sun, 26 Feb 2023 15:02:08 +0000 (10:02 -0500)
author David Blacka <david@blacka.com>
Sun, 26 Feb 2023 14:59:43 +0000 (09:59 -0500)
committer David Blacka <david@blacka.com>
Sun, 26 Feb 2023 15:02:08 +0000 (10:02 -0500)
diff --git a/cfg/named.dnssec.conf b/cfg/named.dnssec.conf

index 7e7795e..9704587 100644 (file)
--- a/cfg/named.dnssec.conf
+++ b/cfg/named.dnssec.conf
@@ -4,4 +4,12 @@ dnssec-policy "simple_alg15" {
          csk lifetime unlimited algorithm ed25519;
      };
      nsec3param iterations 0 optout no salt-length 0;
+};
+
+dnssec-policy "default_alg13" {
+    dnskey-ttl 86400;
+    keys {
+        ksk lifetime unlimited algorithm 13;
+        zsk lifetime P90D algorithm 13;
+    };
  };
 \ No newline at end of file
diff --git a/cfg/named.primary.conf b/cfg/named.primary.conf

index cef4855..78e9e10 100644 (file)
--- a/cfg/named.primary.conf
+++ b/cfg/named.primary.conf
@@ -20,6 +20,9 @@ zone "blacka.com" {
  zone "ecotroph.net" {
      type primary;
      file "/var/lib/bind/ecotroph.net";
+    dnssec-policy "default_alg13";
+    inline-signing yes;
+
      notify yes;
      allow-transfer {
          127.0.0.1;
diff --git a/cfg/run.sh b/cfg/run.sh

index 13786bf..2a74009 100755 (executable)
--- a/cfg/run.sh
+++ b/cfg/run.sh
@@ -2,4 +2,4 @@
  # run in the forground, but not in debug-mode
  # use IPv4 only -- if zeke ever gets IPv6 access, we can turn that on
  # use the built-in `bind` user
-exec /usr/sbin/named -f -4 -u bind
+exec /usr/sbin/named -c /etc/bind/named.conf -f -4 -u bind
author	David Blacka <david@blacka.com>
	Sun, 26 Feb 2023 14:59:43 +0000 (09:59 -0500)
committer	David Blacka <david@blacka.com>
	Sun, 26 Feb 2023 15:02:08 +0000 (10:02 -0500)
cfg/named.dnssec.conf		patch \| blob \| history
cfg/named.primary.conf		patch \| blob \| history
cfg/run.sh		patch \| blob \| history