From 0eb3e5791c20a71a2cad027fb336938490809b1d Mon Sep 17 00:00:00 2001
From: David Blacka
Date: Sun, 26 Feb 2023 09:59:43 -0500
Subject: [PATCH] Add another dnssec policy, use it

---
 cfg/named.dnssec.conf | 10 +++++++++-
 cfg/named.primary.conf | 3 +++
 cfg/run.sh | 2 +-
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/cfg/named.dnssec.conf b/cfg/named.dnssec.conf
index 7e7795e..a1da362 100644
--- a/cfg/named.dnssec.conf
+++ b/cfg/named.dnssec.conf
@@ -4,4 +4,12 @@ dnssec-policy "simple_alg15" {
 csk lifetime unlimited algorithm ed25519;
 };
 nsec3param iterations 0 optout no salt-length 0;
-};
\ No newline at end of file
+};
+
+dnssec-policy "default_alg13" {
+dnskey-ttl 86400;
+keys {
+ksk lifetime unlimited algorithm 13;
+zsk lifetime P90D algorithm 13;
+};
+}
\ No newline at end of file
diff --git a/cfg/named.primary.conf b/cfg/named.primary.conf
index cef4855..78e9e10 100644
--- a/cfg/named.primary.conf
+++ b/cfg/named.primary.conf
@@ -20,6 +20,9 @@ zone "blacka.com" {
 zone "ecotroph.net" {
 type primary;
 file "/var/lib/bind/ecotroph.net";
+dnssec-policy "default_alg13";
+inline-signing yes;
+notify yes;
 
 allow-transfer {
 127.0.0.1;
diff --git a/cfg/run.sh b/cfg/run.sh
index 13786bf..2a74009 100755
--- a/cfg/run.sh
+++ b/cfg/run.sh
@@ -2,4 +2,4 @@
 # run in the forground, but not in debug-mode
 # use IPv4 only -- if zeke ever gets IPv6 access, we can turn that on
 # use the built-in `bind` user
-exec /usr/sbin/named -f -4 -u bind
+exec /usr/sbin/named -c /etc/bind/named.conf -f -4 -u bind
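Review bot: The new `default_alg13` block ends with `+}` whereas the existing `simple_alg15` block, and every other top-level named.conf statement, ends with `};`, so named-checkconf should reject this file with a missing `;` error and the zone in named.primary.conf that references the policy would then fail to load. Change the last added line to `+};` and give the file a trailing newline while here, since the hunk still carries a `\ No newline at end of file` marker. A short comment above the block would also help the next reader, e.g. `# KSK never rolls on its own (DS at the parent stays stable); the ZSK rolls every 90 days`, which is what `lifetime unlimited` and `lifetime P90D` on the two key lines express.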
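Review bot: Attaching `dnssec-policy "default_alg13"` to `ecotroph.net` turns on key generation and signing for that zone, but nothing in the stanza records the operational prerequisite that validators only trust the zone once a DS for the algorithm-13 KSK is published at the parent, nor that the keys end up in the zone's key-directory. A one-line comment next to the new line, e.g. `# publish the KSK's DS at the parent before relying on validation; keys live in key-directory`, would make that visible where the policy is switched on. `inline-signing yes;` is the appropriate companion for a zone loaded from a static `file`, and `notify yes;` is harmless, but whether the referenced policy actually parses depends on the named.dnssec.conf hunk in this same commit. The enclosing zone statement continues past the end of the hunk.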
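Review bot: Passing `-c /etc/bind/named.conf` explicitly is fine, but the script still execs `named` unconditionally, so a syntax error in the configuration (the other hunks in this commit add a policy block whose terminator is easy to get wrong) only surfaces as the daemon exiting after start. Adding `/usr/sbin/named-checkconf -z /etc/bind/named.conf || exit 1` on the line before the `exec` fails the start loudly with the offending file and line number, and `-z` also attempts to load the configured zone files. `named-checkconf` normally ships with `named`, but confirm it is present in the image this script runs in.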