From 858795db02776ed266c51c3211af49667ea5f21e Mon Sep 17 00:00:00 2001
From: sinanmohd
Date: Fri, 2 Feb 2024 14:38:25 +0530
Subject: kay/dns: init DNSSEC

---
 .../dns/5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.zone | 2 +-
 hosts/kay/modules/dns/default.nix | 28 ++++++++++++++++++----
 hosts/kay/modules/dns/sinanmohd.com.zone | 2 +-
 3 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/hosts/kay/modules/dns/5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.zone b/hosts/kay/modules/dns/5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.zone
index c12f969..3991e1f 100644
--- a/hosts/kay/modules/dns/5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.zone
+++ b/hosts/kay/modules/dns/5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.zone
@@ -2,7 +2,7 @@ $ORIGIN 5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.
 $TTL 2d
 @ IN SOA ns1.sinanmohd.com. sinan.sinanmohd.com. (
-	2024020100 ; serial
+	2024020400 ; serial
 	2h ; refresh
 	5m ; retry
 	1d ; expire
diff --git a/hosts/kay/modules/dns/default.nix b/hosts/kay/modules/dns/default.nix
index 6bd4774..28e48c5 100644
--- a/hosts/kay/modules/dns/default.nix
+++ b/hosts/kay/modules/dns/default.nix
@@ -20,10 +20,28 @@ in {
   settings = {
     server.listen = listen_addr;
-    remote = [{
-      id = "ns1.he.net";
-      address = [ "2001:470:100::2" "216.218.130.2" ];
-      via = "2001:470:ee65::1";
+    remote = [
+      {
+        id = "ns1.he.net";
+        address = [ "2001:470:100::2" "216.218.130.2" ];
+        via = "2001:470:ee65::1";
+      }
+      {
+        id = "m.gtld-servers.net";
+        address = [ "2001:501:b1f9::30" "192.55.83.30" ];
+      }
+    ];
+    submission = [{
+      id = "gtld-servers.net";
+      parent = "m.gtld-servers.net";
+    }];
+    policy = [{
+      id = "gtld-servers.net";
+      algorithm = "ecdsap384sha384";
+      ksk-lifetime = "365d";
+      ksk-submission = "gtld-servers.net";
     }];
     # generate TSIG key with keymgr -t name
@@ -56,6 +74,8 @@ in {
     }
     {
       id = "master";
+      dnssec-signing = "on";
+      dnssec-policy = "gtld-servers.net";
       semantic-checks = "on";
       notify = [ "ns1.he.net" ];
       acl = [ "ns1.he.net" "localhost" ];
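Review bot: The new `policy` pairs `ksk-submission = "gtld-servers.net"` with `ksk-lifetime = "365d"`, so the initial KSK and every yearly rollover will sit in the waiting-for-DS state until a DS for the new key is visible at the parent, and nothing in this hunk publishes that DS — the registrar step stays manual and undocumented. A comment next to `ksk-submission` should say so, e.g. `# KSK rollover waits until the DS is seen at the .com servers; publish the new DS through the registrar (keymgr <zone> ds)`. The `submission` section names a single `parent`, `m.gtld-servers.net`, so the DS check has no fallback when that one server is unreachable from this host; if Knot accepts a list of remotes there, listing a second gTLD server would avoid stalling on a single outage. The addresses hard-coded for `m.gtld-servers.net` are copied literals rather than resolved names and deserve a comment naming where they came from and when to re-check them.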
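Review bot: `dnssec-policy = "gtld-servers.net"` is attached to the shared `master` template, so every zone using that template gets its KSK submission checked against the .com servers — including the `5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa` reverse zone bumped by this commit, if it is assigned to this template (its zone entry is outside the hunk), where a DS for an ip6.arpa delegation will never appear and the rollover would wait indefinitely. If the reverse zone is meant to be signed it needs its own policy and submission pointing at its actual parent; otherwise `dnssec-signing`/`dnssec-policy` belong on the `sinanmohd.com` zone entry rather than on the template. The enclosing template list starts before the hunk.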
diff --git a/hosts/kay/modules/dns/sinanmohd.com.zone b/hosts/kay/modules/dns/sinanmohd.com.zone
index 9cff3c5..1c92366 100644
--- a/hosts/kay/modules/dns/sinanmohd.com.zone
+++ b/hosts/kay/modules/dns/sinanmohd.com.zone
@@ -2,7 +2,7 @@ $ORIGIN sinanmohd.com.
 $TTL 2d
 @ IN SOA ns1 sinan (
-	2024020100 ; serial
+	2024020400 ; serial
 	2h ; refresh
 	5m ; retry
 	1d ; expire
-- 
cgit v1.2.3