
Configuration

KASP


The KASP (kasp.xml) is one of the configuration files for OpenDNSSEC. It specifies one or more Key And Signing Policies, each of which controls the following aspects of DNSSEC for the zones that use it:

  • key strength
  • key algorithm
  • key lifetime
  • signature lifetime
  • NSEC vs NSEC3
  • etc.

There can be one or many policies, and each zone is associated with exactly one of them, which allows fine-grained control of how different zones are signed.

Enforcer


The KASP Enforcer (also known as just "the enforcer") is responsible for the management of keys. It runs as a daemon and wakes periodically to check whether any key states need updating. It also has a command-line interface (ods-ksmutil) that reports on key and zone states. It performs the following tasks:

  • manages key creation using the HSM
  • manages which zones are associated with which policies
  • manages the key states and transition
  • manages key rollovers; chooses which keys to use to sign the zone
  • manages key backup

Signer Engine


The Signer Engine (also known as just "the signer") is responsible for actually performing the zone signing. It runs as a daemon and wakes periodically to check whether any zones need re-signing. It also has a command-line interface (ods-signer) for manually controlling zone signing. It consumes the key information generated by the enforcer together with the unsigned zones, and produces zones signed with the specified keys:

  • it can reuse signatures that are not too old
  • it can spread signature expiration time over time (jitter)
  • it maintains the NSEC/NSEC3 chain

Adapters


The adapters are responsible for obtaining the unsigned zone and distributing the signed zone. Currently supported mechanisms are (for both input and output):

  • File: the zone is read from and written to zone files on disk
  • AXFR: the zone is obtained/distributed via full zone transfer (AXFR)
  • IXFR: the zone is obtained/distributed via incremental zone transfer (IXFR) where the peer supports it
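A zone list, added here as an example (not a file shipped with OpenDNSSEC), showing the per-zone side of the policy-to-zone association described in the KASP and Enforcer sections together with the adapter choice described above. Element names follow the OpenDNSSEC 1.4 zonelist.xml schema; the zone names, file paths and the policy name are assumptions:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<ZoneList>
  <!-- Zone 1: unsigned zone read from a file, signed zone written to a file. -->
  <Zone name="example.com">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.com.xml</SignerConfiguration>
    <Adapters>
      <Input>
        <Adapter type="File">/var/opendnssec/unsigned/example.com</Adapter>
      </Input>
      <Output>
        <Adapter type="File">/var/opendnssec/signed/example.com</Adapter>
      </Output>
    </Adapters>
  </Zone>

  <!-- Zone 2: unsigned zone fetched from a hidden master by zone transfer (AXFR, or
       IXFR where the master supports it) and the signed zone served to downstream
       secondaries by zone transfer. Master addresses, TSIG keys and notify targets
       live in the referenced DNS adapter file (assumed path). -->
  <Zone name="example.net">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.net.xml</SignerConfiguration>
    <Adapters>
      <Input>
        <Adapter type="DNS">/etc/opendnssec/addns.xml</Adapter>
      </Input>
      <Output>
        <Adapter type="DNS">/etc/opendnssec/addns.xml</Adapter>
      </Output>
    </Adapters>
  </Zone>
</ZoneList>
```

The SignerConfiguration path is where the enforcer writes the per-zone key information that the signer consumes, so the two daemons only ever communicate through that file. When the DNS adapter is used, authenticate the inbound transfer with TSIG in the referenced adapter file; otherwise an attacker who can spoof the hidden master gets their records signed with the zone's own keys.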