knot-dns: update DNSSEC procedure

alpha: allow 25/tcp
2024-10-13 03:02:31 +02:00 · 2024-10-13 03:02:31 +02:00
2 changed files with 9 additions and 2 deletions
--- a/hosts/alpha/knot-dns.nix
+++ b/hosts/alpha/knot-dns.nix
@ -55,9 +55,10 @@
          # Enable automatic DNSSEC signing on all zones. The KSK must be
          # configured in the parent zone. Use the following command to get the
          # required record(s):
-          # > nix shell nixpkgs#knot-dns -c sudo keymgr caspervk.net ds
+          # > sudo keymgr caspervk.net ds
          # [<zone> <record-type> <key-tag> <algorithm-type> <digest-type> <digest>]
          # https://knot.readthedocs.io/en/master/configuration.html#automatic-dnssec-signing
+          # DNSSEC can be validated using https://dnsviz.net.
          dnssec-signing = "on";
          dnssec-policy = "default";
          # Knot overwrites the zonefiles with auto-generated DNSSEC records by
--- a/hosts/alpha/network.nix
+++ b/hosts/alpha/network.nix
@ -91,7 +91,13 @@
  };

  networking = {
-    firewall.allowedUDPPorts = [51820 51821];
+    firewall.allowedTCPPorts = [
+      25 # @sortseer.dk
+    ];
+    firewall.allowedUDPPorts = [
+      51820 # wg-sigma-public
+      51821 # wg-sigma-p2p
+    ];
  };

  age.secrets.wireguard-preshared-key-file = {
Author	SHA1	Message	Date
Casper V. Kristensen	7c362f5a42	knot-dns: update DNSSEC procedure	2024-10-13 03:02:31 +02:00
Casper V. Kristensen	70a3d521c2	alpha: allow 25/tcp	2024-10-13 03:02:31 +02:00