From 6b2dcad324a262057d6b0e781183cd8f5456b83b Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Wed, 10 May 2023 19:52:20 +0200
Subject: use dnssec-policy (not deprecated auto-dnssec maintain)
---
 bind/named.conf.acl | 8 ++++++++
 bind/named.conf.fake-222 | 2 +-
 bind/named.conf.pri | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/bind/named.conf.acl b/bind/named.conf.acl
index bb2ddbd..f3e3053 100644
--- a/bind/named.conf.acl
+++ b/bind/named.conf.acl
@@ -7,3 +7,11 @@ acl jones_peers {
 194.45.78.41; // dns.jones.dk
 217.70.177.40; // ns6.gandi.net
 };
+
+dnssec-policy jones_no_rotate {
+ keys {
+ ksk key-directory lifetime unlimited algorithm 13;
+ zsk key-directory lifetime unlimited algorithm 13;
+ };
+ nsec3param;
+};
diff --git a/bind/named.conf.fake-222 b/bind/named.conf.fake-222
index 905eddd..bc3938f 100644
--- a/bind/named.conf.fake-222
+++ b/bind/named.conf.fake-222
@@ -48,7 +48,7 @@ zone "homebase.dk" {
 file "/etc/local-JONES.DK/bind/fake-222/OFF"; }; // Jones
 zone "jones.dk" {
 type master; allow-transfer { none; };
- key-directory "/etc/bind/keys"; inline-signing yes; auto-dnssec maintain;
+ key-directory "/etc/bind/keys"; inline-signing yes; dnssec-policy; dnssec-policy "jones_no_rotate";
 file "JONES.DK/fake-222/jones.dk"; }; // Jones
 zone "kassandra-production.dk" {
 type master; allow-transfer { none; };
diff --git a/bind/named.conf.pri b/bind/named.conf.pri
index f4e2332..ef2ff26 100644
--- a/bind/named.conf.pri
+++ b/bind/named.conf.pri
@@ -46,7 +46,7 @@ zone "homebase.dk" {
 file "/etc/local-JONES.DK/bind/pri/OFF"; }; // Jones
 zone "jones.dk" {
 type master; allow-transfer { jones_peers; };
- key-directory "/etc/bind/keys"; inline-signing yes; auto-dnssec maintain;
+ key-directory "/etc/bind/keys"; inline-signing yes; dnssec-policy; dnssec-policy "jones_no_rotate";
 file "JONES.DK/pri/jones.dk"; }; // Jones
 zone "kassandra-production.dk" {
 type master; allow-transfer { jones_peers; };
-- 
cgit v1.2.3
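Review bot: The bare `nsec3param;` that closes `jones_no_rotate` leaves iterations, opt-out and salt length to BIND's built-in defaults, which have not been the same in every BIND 9 release, so the NSEC3 chain the zone gets depends on the installed version. Writing the parameters out, for example `nsec3param iterations 0 optout no salt-length 0;` (the values RFC 9276 recommends), keeps the signed zone reproducible across upgrades. The policy also assumes the keys already in the key directory are an algorithm 13 KSK/ZSK pair; the hunk does not show that, and if they are not, named would presumably generate new keys and begin retiring the old ones, which needs a DS update at the parent. A short comment above the block, such as `// existing keys in key-directory must be algorithm 13 KSK+ZSK; otherwise named starts a rollover`, would record that precondition.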
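Review bot: The added line in the `jones.dk` zone carries two `dnssec-policy` statements: a bare `dnssec-policy;` with no policy name, followed by `dnssec-policy "jones_no_rotate";`. The option takes a policy name, so as displayed the first statement looks like an editing leftover that `named-checkconf` should reject, which would keep the configuration from loading and leave the zone unserved or unsigned. The line should presumably read `key-directory "/etc/bind/keys"; inline-signing yes; dnssec-policy "jones_no_rotate";`. The identical line is added in the bind/named.conf.pri hunk, so the same correction applies there. The surrounding homebase.dk and kassandra-production.dk zone blocks start and end outside both hunks.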