From 4052aeac6b1a02e0b9f62511b9f3b26d1985f2f1 Mon Sep 17 00:00:00 2001
From: Brendan Golden <git_laptop@brendan.ie>
Date: Tue, 25 Apr 2023 15:11:02 +0100
Subject: [PATCH] dns: setup dnssec (need to backup the required folders later)

Also it cleared out the spam of errors
---
 applications/dns.nix | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/applications/dns.nix b/applications/dns.nix
index 3a77e5c..44003af 100644
--- a/applications/dns.nix
+++ b/applications/dns.nix
@@ -88,9 +88,9 @@ in {
       '';
 
       # piles of no valid RRSIG resolving 'com/DS/IN' errors
-      #extraOptions = ''
-      #  dnssec-validation auto;
-      #'';
+      extraOptions = ''
+        dnssec-validation yes;
+      '';
 
       # set the upstream dns servers
       # overrides the default dns servers
@@ -126,7 +126,12 @@ in {
         */
 
         "skynet.ie" = {
-          extraConfig = "allow-update { key rfc2136key.skynet.ie.; };";
+          extraConfig = ''
+            allow-update { key rfc2136key.skynet.ie.; };
+
+            dnssec-policy default;
+            inline-signing yes;
+          '';
           # really wish teh nixos config didnt use master/slave
           master = true;
           slaves = [ ];