I shouldn't have tried to write that on the phone from memory.

dnssec-policy "unlimited" {
    keys {
        csk lifetime unlimited algorithm ECDSAP256SHA256;
    };
};

zone "jungersen.dk" {
    type master;
    file "/etc/bind/zones/db.jungersen.dk";
    allow-transfer { 192.168.20.11; };
    dnssec-policy "unlimited";
};

Mark

> On 13 Mar 2025, at 09:13, Danjel Jungersen <dan...@jungersen.dk> wrote:
>
> On 20-02-2025 08:40, Mark Andrews wrote:
>>> The zone is available publicly, but from public servers not hosted by me
>>> (one.com).
>>> And points to my external ip.
>>> My internal bind redirects local traffic directly to local servers on local
>>> ip's.
>> DNSSEC is designed to stop spoofed answers being accepted. When you create
>> a local zone that overrides what is in the public zones you are effectively
>> spoofing answers. As you have a DNSSEC signed public zone, if you want to
>> have these spoofed answers accepted you need to do one of the following:
>>
>> 1) create a working chain of trust that links to your private zone content
>> Long 1 is the best long term solution....
> So this is the way I will try to go.
>> You currently have the following DS which means you are using
>> ECDSAP256SHA256 (13) as the DNSSEC key algorithm.
>>
>> jungersen.dk. 7200 IN DS 26658 13 2
>> 23E45B495015A14C3F4FF57C0A36850C013B881BAAF1E32EE4C0C839 FF9CCA52
>>
>> I would add "dnssec-policy { csk lifetime unlimited algorithm
>> ECDSAP256SHA256; };" to your internal primary if you choose to do 1 or 3.
>> This will add a DNSKEY record to the zone and cause it to be signed. You
>> can then take the generated DNSKEY and install it as a trust anchor on the
>> postfix boxes.
>>
>> You will need to do some reading first. Others here can give you more advice.
>>
> I have now read a lot, and I think that I actually understood some of it.
>
> I have:
> zone "jungersen.dk" {
>     type master;
>     file "/etc/bind/zones/db.jungersen.dk";
>     allow-transfer { 192.168.20.11; };
>     dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };
> };
>
> in named.conf.local
>
> It throws an error: /etc/bind/named.conf.local:15: expected string near '{'
>
> Line 15 is the dnssec-policy line.
>
> If I uncomment this line all is well.
>
> Can anyone tell me what is wrong with this line?
> I have copy pasted it from the suggestion, and have read some online, to me
> it looks good.
>
> ????
>
> BR
> Danjel
>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
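The thread hinges on the chain of trust between the DS published at the registrar and the DNSKEY the signed zone carries. As an added example, not from the thread or from BIND, here is a Python check that derives the DS (key tag and digest, RFC 4034 and RFC 4509) from a DNSKEY in presentation format and compares it with a published DS line; the DNSKEY public key it uses is a constructed placeholder, not jungersen.dk's real key.

```python
"""Derive a DS record from a DNSKEY and compare it with the published DS.

Added example; EXAMPLE_DNSKEY is a constructed placeholder, not a real key.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1, 2 = SHA-256 (used on the page's DS), 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels plus root label."""
    labels = [lb for lb in name.rstrip(".").lower().split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum with the carry folded back in."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(dnskey_rr: str, digest_type: int = 2) -> str:
    """Build the DS RR for a DNSKEY RR given as 'owner ttl IN DNSKEY flags proto alg key'."""
    owner, ttl, _cls, _type, flags, proto, alg, *key = dnskey_rr.split()
    rdata = dnskey_rdata(int(flags), int(proto), int(alg), base64.b64decode("".join(key)))
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} {ttl} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def matches_published_ds(dnskey_rr: str, ds_rr: str) -> bool:
    """True if the published DS was derived from this DNSKEY.

    dig prints long digests split by whitespace (as in the thread), so the
    digest field is rejoined before comparing."""
    f = ds_rr.split()
    tag, alg, dtype, digest = int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]).upper()
    c = ds_from_dnskey(dnskey_rr, dtype).split()
    return (int(c[4]), int(c[5]), c[7]) == (tag, alg, digest)


# Constructed placeholder: flags 257 (KSK/SEP), protocol 3, algorithm 13
# (ECDSAP256SHA256) with a 64-byte dummy key, the size of a real P-256 key.
EXAMPLE_DNSKEY = "jungersen.dk. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    print(ds_from_dnskey(EXAMPLE_DNSKEY))
```

Feed it the DNSKEY that `dnssec-policy` generates on the internal primary and the DS line from `dig jungersen.dk DS`; a mismatch means the internal zone is not linked into the public chain of trust.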