Add another dnssec policy, use it

David Blacka 2023-02-26 09:59:43 -05:00
parent be25d603f4
commit 66f7632777
3 changed files with 12 additions and 1 deletions


@ -4,4 +4,12 @@ dnssec-policy "simple_alg15" {
csk lifetime unlimited algorithm ed25519; csk lifetime unlimited algorithm ed25519;
}; };
nsec3param iterations 0 optout no salt-length 0; nsec3param iterations 0 optout no salt-length 0;
};
dnssec-policy "default_alg13" {
dnskey-ttl 86400;
keys {
ksk lifetime unlimited algorithm 13;
zsk lifetime P90D algorithm 13;
};
}; };
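Review bot: The new "default_alg13" policy has no `nsec3param` line, so zones using it will be signed with plain NSEC, whereas "simple_alg15" just above sets NSEC3 explicitly. If that difference is intentional, a one-line comment in the policy such as `// NSEC on purpose: zone contents are not considered private` would record the decision. If it is not, adding `nsec3param iterations 0 optout no salt-length 0;` would match the existing policy. As a smaller style point, the sibling policy names its algorithm by mnemonic (`ed25519`), and `algorithm ecdsap256sha256;` would read more consistently than the bare `13`.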


@ -20,6 +20,9 @@ zone "blacka.com" {
zone "ecotroph.net" { zone "ecotroph.net" {
type primary; type primary;
file "/var/lib/bind/ecotroph.net"; file "/var/lib/bind/ecotroph.net";
dnssec-policy "default_alg13";
inline-signing yes;
notify yes; notify yes;
allow-transfer { allow-transfer {
127.0.0.1; 127.0.0.1;
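Review bot: Enabling `dnssec-policy "default_alg13";` with `inline-signing yes;` makes named generate and store the KSK/ZSK private key files itself, but no `key-directory` is visible for this zone. Unless one is set in `options` outside this hunk, the keys will be written to named's working directory next to other runtime files. A dedicated directory owned by the `bind` user with mode 0700, referenced by a `key-directory "<path>";` line (placeholder path), keeps the private keys separate and easier to back up and audit. The zone block continues past the end of the hunk, so this may already be handled there. Note also that the zone does not validate until the DS record for the new KSK is published at the parent.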


@ -2,4 +2,4 @@
# run in the forground, but not in debug-mode # run in the forground, but not in debug-mode
# use IPv4 only -- if zeke ever gets IPv6 access, we can turn that on # use IPv4 only -- if zeke ever gets IPv6 access, we can turn that on
# use the built-in `bind` user # use the built-in `bind` user
exec /usr/sbin/named -f -4 -u bind exec /usr/sbin/named -c /etc/bind/named.conf -f -4 -u bind
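Review bot: The comment block above the `exec` line explains `-f`, `-4` and `-u bind` one flag per line, but the newly added `-c /etc/bind/named.conf` has no matching comment. A line such as `# load the config from an explicit path rather than the compiled-in default` would keep the header in step with the command. Pinning the path is a reasonable change, since it removes any ambiguity about which configuration the signing policy is read from.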