named-checkconf errors when using a custom dnssec-policy statement
Summary
When configuring a "custom" dnssec-policy statement, named-checkconf produces two errors when attempting to start BIND.
BIND version used
BIND 9.18.10 (Stable Release)
running on FreeBSD amd64 13.1-RELEASE-p3
Steps to reproduce
Insert a custom dnssec-policy statement
dnssec-policy "custom" {
versus using
dnssec-policy "none";
or dnssec-policy "default";
What is the current bug behavior?
named-checkconf produces the following errors and BIND does not start:
/usr/local/etc/namedb/named.conf:153: missing ';' before '{'
/usr/local/etc/namedb/named.conf:153: '}' expected near '{'
/usr/local/etc/rc.d/named: ERROR: named-checkconf for /usr/local/etc/namedb/named.conf failed
The affected line number is the line that begins the statement: dnssec-policy "custom" {
Relevant configuration files
Copy/pasted from https://bind9.readthedocs.io/en/v9_18_10/chapter5.html#fully-automated-key-and-signing-policy
dnssec-policy "custom" {
    dnskey-ttl 600;
    keys {
        ksk lifetime P1Y algorithm ecdsap384sha384;
        zsk lifetime 60d algorithm ecdsap384sha384;
    };
    nsec3param iterations 0 optout no salt-length 0;
};