Add another dnssec policy, use it

cfg/named.dnssec.conf

@@ -4,4 +4,12 @@ dnssec-policy "simple_alg15" {
         csk lifetime unlimited algorithm ed25519;
     };
     nsec3param iterations 0 optout no salt-length 0;
-};
+};
+
+dnssec-policy "default_alg13" {
+    dnskey-ttl 86400;
+    keys {
+        ksk lifetime unlimited algorithm 13;
+        zsk lifetime P90D algorithm 13;
+    };
+}

cfg/named.primary.conf

@@ -20,6 +20,9 @@ zone "blacka.com" {
 zone "ecotroph.net" {
     type primary;
     file "/var/lib/bind/ecotroph.net";
+    dnssec-policy "default_alg13";
+    inline-signing yes;
+
     notify yes;
     allow-transfer {
         127.0.0.1;

cfg/run.sh

@@ -2,4 +2,4 @@
 # run in the forground, but not in debug-mode
 # use IPv4 only -- if zeke ever gets IPv6 access, we can turn that on
 # use the built-in `bind` user
-exec /usr/sbin/named -f -4 -u bind
+exec /usr/sbin/named -c /etc/bind/named.conf -f -4 -u bind