Authoritative and caching

Danjel Jungersen danjel at jungersen.dk
Wed Mar 12 22:13:21 UTC 2025


On 20-02-2025 08:40, Mark Andrews wrote:
>> The zone is available publicly, but from public servers not hosted by me (one.com).
>> And points to my external IP.
>> My internal bind redirects local traffic directly to local servers on local IPs.
> DNSSEC is designed to stop spoofed answers being accepted.  When you create a local zone that overrides what is in the public zones you are effectively spoofing answers.  As you have a DNSSEC signed public zone if you want to have these spoofed answers accepted you need to do one of the following:
>
> 1) create a working chain of trust that links to your private zone content
> Long 1 is the best long term solution....
So this is the way I will try to go.
> You currently have the following DS which means you are using ECDSAP256SHA256 (13) as the DNSSEC key algorithm.
>
> jungersen.dk. 7200 IN DS 26658 13 2 23E45B495015A14C3F4FF57C0A36850C013B881BAAF1E32EE4C0C839 FF9CCA52
>
> I would add “dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };” to your internal primary if you choose to do 1 or 3.  This will add a DNSKEY record to the zone and cause it to be signed.  You can then take the generated DNSKEY and install it as a trust anchor on the postfix boxes.
>
> You will need to do some reading first. Others here can give you more advice.
>
I have now read a lot, and I think that I actually understood some of it.

I have:
zone "jungersen.dk" {
         type master;
         file "/etc/bind/zones/db.jungersen.dk";
         allow-transfer { 192.168.20.11; };
         dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };
};

in named.conf.local

It throws an error: /etc/bind/named.conf.local:15: expected string near '{'

Line 15 is the dnssec-policy line.

If I uncomment this line all is well.

Can anyone tell me what is wrong with this line?
I have copy-pasted it from the suggestion and have read some online; to me it looks good.

????

BR
Danjel
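As an added note for anyone hitting the same parse error (this is not from the original thread or from Mark's reply): inside a `zone` block, BIND's `dnssec-policy` statement takes the name of a policy, which is why the parser reports "expected string"; the key parameters belong in a top-level `dnssec-policy` definition that the zone then references. The policy name `csk-unlimited` below is an assumption; the zone settings are the ones from the message above.

```conf
// Top-level policy: a single CSK (combined signing key) that is never
// rolled, using algorithm 13 (ECDSAP256SHA256) to match the DS that
// is already published for jungersen.dk.
// The policy name "csk-unlimited" is an assumption; any name works.
dnssec-policy "csk-unlimited" {
    keys {
        csk lifetime unlimited algorithm ecdsap256sha256;
    };
};

zone "jungersen.dk" {
    type master;
    file "/etc/bind/zones/db.jungersen.dk";
    allow-transfer { 192.168.20.11; };
    // Reference the policy by name. An inline "{ ... }" body here is
    // what triggers "expected string near '{'".
    dnssec-policy "csk-unlimited";
};
```

Run `named-checkconf /etc/bind/named.conf` before reloading, and make sure named can write to its key-directory (the working directory unless one is set), since the CSK is generated there when the zone loads. After that, `rndc dnssec -status jungersen.dk` shows the key state and `dig @127.0.0.1 jungersen.dk DNSKEY` returns the generated key to install as a trust anchor on the postfix boxes.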



More information about the bind-users mailing list