From d07e7535a9968e0061d2236e3c4efa7c3b64115c Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 6 Aug 2018 14:40:37 +0200
Subject: negative trust anchors
---
 hel.nix | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/hel.nix b/hel.nix
index d735a365..b08cf633 100644
--- a/hel.nix
+++ b/hel.nix
@@ -569,12 +569,32 @@
 '';
 };
 
- systemd.network.networks."yggdrasil" = {
- name = "yggdrasil";
- networkConfig = {
- DNSSECNegativeTrustAnchors = [ "10.in-addr.arpa" "yggdrasil" "168.192.in-addr.arpa" "box" ];
- };
- };
+ environment.etc."dnssec-trust-anchors.d/local-ip.negative".text = ''
+ 10.in-addr.arpa
+ 16.172.in-addr.arpa
+ 17.172.in-addr.arpa
+ 18.172.in-addr.arpa
+ 19.172.in-addr.arpa
+ 20.172.in-addr.arpa
+ 21.172.in-addr.arpa
+ 22.172.in-addr.arpa
+ 23.172.in-addr.arpa
+ 24.172.in-addr.arpa
+ 25.172.in-addr.arpa
+ 26.172.in-addr.arpa
+ 27.172.in-addr.arpa
+ 28.172.in-addr.arpa
+ 29.172.in-addr.arpa
+ 30.172.in-addr.arpa
+ 31.172.in-addr.arpa
+ 168.192.in-addr.arpa
+ d.f.ip6.arpa
+ '';
+
+ environment.etc."dnssec-trust-anchors.d/local-domains.negative" = ''
+ yggdrasil
+ box
+ '';
 
 system = {
 stateVersion = "16.09";
--
cgit v1.2.3
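Review bot: The second added entry, `environment.etc."dnssec-trust-anchors.d/local-domains.negative"`, is assigned the string directly instead of through `.text` as the `local-ip.negative` entry above it is; each `environment.etc.<name>` is an attribute set, so this should fail module evaluation. It should read `environment.etc."dnssec-trust-anchors.d/local-domains.negative".text = ''`. Separately, moving the anchors from the `yggdrasil` link's `DNSSECNegativeTrustAnchors` to files under `/etc/dnssec-trust-anchors.d` makes them global, so DNSSEC validation for `yggdrasil`, `box` and the private reverse zones is switched off on every link rather than only that one; a comment above the two entries stating that this is intended would help. Configuring any `.negative` file also appears to replace systemd-resolved's built-in negative anchor set rather than extend it, which is worth confirming against dnssec-trust-anchors.d(5).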