authorJonas Smedegaard <dr@jones.dk>2023-05-10 19:52:20 +0200
committerJonas Smedegaard <dr@jones.dk>2023-05-10 19:52:20 +0200
commit6b2dcad324a262057d6b0e781183cd8f5456b83b (patch)
treee882adb8bafdc57aa0ab3941b8a04b08c0c4cbe4
parent232288230e4de7fff3c6d1106e4b611818aaa864 (diff)
use dnssec-policy (not deprecated auto-dnssec maintain)
-rw-r--r--bind/named.conf.acl8
-rw-r--r--bind/named.conf.fake-2222
-rw-r--r--bind/named.conf.pri2
3 files changed, 10 insertions, 2 deletions
diff --git a/bind/named.conf.acl b/bind/named.conf.acl
index bb2ddbd..f3e3053 100644
--- a/bind/named.conf.acl
+++ b/bind/named.conf.acl
@@ -7,3 +7,11 @@ acl jones_peers {
194.45.78.41; // dns.jones.dk
217.70.177.40; // ns6.gandi.net
};
+
+dnssec-policy jones_no_rotate {
+ keys {
+ ksk key-directory lifetime unlimited algorithm 13;
+ zsk key-directory lifetime unlimited algorithm 13;
+ };
+ nsec3param;
+};
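Review bot: The new `dnssec-policy jones_no_rotate` block carries no comment explaining why key lifetimes are unlimited or what the existing keys are, and the move away from `auto-dnssec maintain` depends on that. If the keys already in the key directory are not algorithm 13 (not visible in this diff), named would presumably treat them as not matching the policy and start introducing new keys, so confirm that before reload and record it, e.g. `// matches the existing ECDSAP256SHA256 KSK/ZSK; rotation is manual`. The bare `nsec3param;` takes whatever defaults the installed BIND release ships, and those have changed between releases. Writing `nsec3param iterations 0 optout no salt-length 0;` pins the RFC 9276 recommendation explicitly. As a smaller point of style, a signing policy is an odd fit for named.conf.acl.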
diff --git a/bind/named.conf.fake-222 b/bind/named.conf.fake-222
index 905eddd..bc3938f 100644
--- a/bind/named.conf.fake-222
+++ b/bind/named.conf.fake-222
@@ -48,7 +48,7 @@ zone "homebase.dk" {
file "/etc/local-JONES.DK/bind/fake-222/OFF"; }; // Jones
zone "jones.dk" {
type master; allow-transfer { none; };
- key-directory "/etc/bind/keys"; inline-signing yes; auto-dnssec maintain;
+ key-directory "/etc/bind/keys"; inline-signing yes; dnssec-policy; dnssec-policy "jones_no_rotate";
file "JONES.DK/fake-222/jones.dk"; }; // Jones
zone "kassandra-production.dk" {
type master; allow-transfer { none; };
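Review bot: The added line in zone "jones.dk" reads `dnssec-policy; dnssec-policy "jones_no_rotate";`, and the first, argument-less `dnssec-policy;` is not a valid statement, because the option requires a policy name. named-checkconf should reject the file, and a named that fails to load its configuration leaves the zone unsigned or unserved. The line should be `key-directory "/etc/bind/keys"; inline-signing yes; dnssec-policy "jones_no_rotate";`. The same stray statement appears in the named.conf.pri hunk for the same zone. Running `named-checkconf` on the assembled configuration before deploying would catch this.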
diff --git a/bind/named.conf.pri b/bind/named.conf.pri
index f4e2332..ef2ff26 100644
--- a/bind/named.conf.pri
+++ b/bind/named.conf.pri
@@ -46,7 +46,7 @@ zone "homebase.dk" {
file "/etc/local-JONES.DK/bind/pri/OFF"; }; // Jones
zone "jones.dk" {
type master; allow-transfer { jones_peers; };
- key-directory "/etc/bind/keys"; inline-signing yes; auto-dnssec maintain;
+ key-directory "/etc/bind/keys"; inline-signing yes; dnssec-policy; dnssec-policy "jones_no_rotate";
file "JONES.DK/pri/jones.dk"; }; // Jones
zone "kassandra-production.dk" {
type master; allow-transfer { jones_peers; };