The default configuration installs good default values for anyone who just wants to sign their domains with DNSSEC. There are four configuration files for the basic OpenDNSSEC installation. You have
- conf.xml which is the overall configuration of the system,
- kasp.xml which contains the policy of signing,
- zonelist.xml where you list all the zones that you are going to sign,
- addns.xml (per zone, optional) for zone transfers.
Please read this description of how date/time durations are used in the configuration files.
The overall configuration of OpenDNSSEC is defined by the contents of the file /etc/opendnssec/conf.xml. In this configuration file you specify logging facilities (only syslog is supported now), system paths, key repositories, privileges, and the database where all key and zone information is stored.
kasp.xml - found by default in /etc/opendnssec - is the file that defines the policies used to sign zones. KASP stands for "Key and Signature Policy", and each policy details
- security parameters used for signing zones
- timing parameters used for signing zones
You can have any number of policies and refer to the proper one by name, for example in the zonelist.xml configuration file.
The zonelist.xml file is used when first setting up the system and is also used by ods-signerd when signing zones. For each zone it contains a Zone tag with information about
- the zone's DNS name
- the policy from kasp.xml used to sign the zone
- how to obtain the zone
- how to publish the zone
OpenDNSSEC can sign zone files on disk, but it can also receive and serve zone transfers (both AXFR and IXFR). If you configure a listener in conf.xml, the Signer Engine will start a DNS handler that listens for queries, NOTIFY messages from the master, and zone transfer requests from secondaries.
The addns.xml file for a zone details
- where to fetch zone data from
- protection mechanisms to be used
There are also XML files for each of the zones that the user wants to sign, but those are only used for communication between the Enforcer and the Signer Engine, and they are created automatically by the Enforcer. The location of these files can be found in zonelist.xml.
Checking your configuration files
The OpenDNSSEC XML configuration files (conf.xml and kasp.xml) offer the user many options to customise the OpenDNSSEC signing system. Not every syntactically valid configuration is meaningful, however.
A tool (ods-kaspcheck) is provided to check that the configuration files (conf.xml and kasp.xml) are semantically sane and contain no inconsistencies.
It is advisable to use this tool to check your configuration before starting to use OpenDNSSEC.
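ods-kaspcheck covers conf.xml and kasp.xml; the cross-file link described earlier, where each Zone in zonelist.xml names a policy from kasp.xml and carries a SignerConfiguration path plus input and output adapters, is worth checking separately. The following is an added example written for this page, not OpenDNSSEC's own code; the two XML fragments are constructed, reduced to the elements the check needs, and laid out in the element names OpenDNSSEC uses for these files.

```python
import xml.etree.ElementTree as ET

# Constructed minimal fragments in the kasp.xml / zonelist.xml layout
# (only the elements this check needs; real files carry many more).
KASP_XML = """<KASP>
  <Policy name="default"><Description>Default policy</Description></Policy>
  <Policy name="lab"><Description>Test policy</Description></Policy>
</KASP>"""

ZONELIST_XML = """<ZoneList>
  <Zone name="example.com">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.com.xml</SignerConfiguration>
    <Adapters>
      <Input><Adapter type="File">/var/opendnssec/unsigned/example.com</Adapter></Input>
      <Output><Adapter type="File">/var/opendnssec/signed/example.com</Adapter></Output>
    </Adapters>
  </Zone>
  <Zone name="example.net">
    <Policy>staging</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.net.xml</SignerConfiguration>
    <Adapters>
      <Input><Adapter type="File">/var/opendnssec/unsigned/example.net</Adapter></Input>
    </Adapters>
  </Zone>
</ZoneList>"""


def policy_names(kasp_xml: str) -> set[str]:
    """Names of every <Policy name="..."> defined directly under <KASP>."""
    root = ET.fromstring(kasp_xml)
    return {p.get("name") for p in root.findall("Policy") if p.get("name")}


def check_zonelist(zonelist_xml: str, kasp_xml: str) -> list[str]:
    """Return one message per problem found; an empty list means consistent."""
    known = policy_names(kasp_xml)
    problems = []
    for zone in ET.fromstring(zonelist_xml).findall("Zone"):
        name = zone.get("name", "<unnamed>")
        policy = zone.findtext("Policy")
        if policy not in known:  # zone refers to a policy kasp.xml never defines
            problems.append(f"{name}: policy '{policy}' is not defined in kasp.xml")
        if not zone.findtext("SignerConfiguration"):  # Enforcer/Signer hand-off file
            problems.append(f"{name}: missing SignerConfiguration path")
        for side in ("Input", "Output"):  # how the zone is obtained / published
            if zone.find(f"Adapters/{side}/Adapter") is None:
                problems.append(f"{name}: no {side} adapter")
    return problems
```

Run against the constructed data, example.com passes and example.net is reported twice: for an unknown policy and for a missing Output adapter.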