From 66f763277768ae24ca7bca85d9b1976151875d4b Mon Sep 17 00:00:00 2001
From: David Blacka
Date: Sun, 26 Feb 2023 09:59:43 -0500
Subject: [PATCH] Add another dnssec policy, use it

---
 cfg/named.dnssec.conf | 8 ++++++++
 cfg/named.primary.conf | 3 +++
 cfg/run.sh | 2 +-
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/cfg/named.dnssec.conf b/cfg/named.dnssec.conf
index 7e7795e..9704587 100644
--- a/cfg/named.dnssec.conf
+++ b/cfg/named.dnssec.conf
@@ -4,4 +4,12 @@ dnssec-policy "simple_alg15" {
 csk lifetime unlimited algorithm ed25519;
 };
 nsec3param iterations 0 optout no salt-length 0;
+};
+
+dnssec-policy "default_alg13" {
+ dnskey-ttl 86400;
+ keys {
+ ksk lifetime unlimited algorithm 13;
+ zsk lifetime P90D algorithm 13;
+ };
 };
\ No newline at end of file
diff --git a/cfg/named.primary.conf b/cfg/named.primary.conf
index cef4855..78e9e10 100644
--- a/cfg/named.primary.conf
+++ b/cfg/named.primary.conf
@@ -20,6 +20,9 @@ zone "blacka.com" {
 zone "ecotroph.net" {
 type primary;
 file "/var/lib/bind/ecotroph.net";
+ dnssec-policy "default_alg13";
+ inline-signing yes;
+ notify yes;
 
 allow-transfer {
 127.0.0.1;
diff --git a/cfg/run.sh b/cfg/run.sh
index 13786bf..2a74009 100755
--- a/cfg/run.sh
+++ b/cfg/run.sh
@@ -2,4 +2,4 @@
 # run in the forground, but not in debug-mode
 # use IPv4 only -- if zeke ever gets IPv6 access, we can turn that on
 # use the built-in `bind` user
-exec /usr/sbin/named -f -4 -u bind
+exec /usr/sbin/named -c /etc/bind/named.conf -f -4 -u bind
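Review bot: The new `default_alg13` policy sets no `nsec3param`, while the `simple_alg15` policy directly above it does, so a zone using it will be signed with plain NSEC (BIND's behaviour when the option is absent), which permits enumeration of the zone's names; if that is not intended, add `nsec3param iterations 0 optout no salt-length 0;` after the `keys` block so both policies match. The algorithm is written as the number `13` whereas the sibling policy uses a mnemonic; `algorithm ecdsap256sha256;` is equivalent and keeps the file's style consistent. The `\ No newline at end of file` marker still applies to the new side because the final `};` is a context line, so ending the file with a newline would tidy it.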
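Review bot: `notify yes` restates BIND's default for primary zones, so it only has an effect if a global `options` block (not in this hunk) turns notify off; if it is there to guarantee secondaries learn about the re-signed zone, a comment such as `// explicit: secondaries must be notified each time inline-signing re-signs the zone` would make that intent clear, otherwise the line can be dropped. If ecotroph.net was not previously signed, enabling `dnssec-policy` also means the KSK's DS record has to be published at the parent before validators can build a chain of trust, and nothing in this commit records that step; a short comment beside `dnssec-policy "default_alg13";` noting that the DS still has to be submitted would help the next maintainer. The `zone "ecotroph.net"` block continues outside the hunk.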
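Review bot: The three comments above the `exec` line explain every other flag but not the newly added `-c /etc/bind/named.conf`; since that path is commonly the compiled-in default on Debian-based images, a reader cannot tell whether it is given for explicitness or because this build looks elsewhere, so add a line such as `# load the config from an explicit path instead of relying on the compiled-in default`. The rest of the script, including its first line, is outside the hunk.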