This page describes the default setup of OpenDNSSEC.

OpenDNSSEC manages various information on disk, which includes the following:

  • Configuration files (blue): XML files that specify the settings for the system
  • Zone files (orange): unsigned and signed copies of the zones
  • Working files/directories (grey): temporary files used by the system to exchange information between components and to track internal state
  • Database (green): a database backend used by the enforcer to track key and zone status (this page assumes a SQLite database backend)

Configuration files

Default location: /etc/opendnssec

conf.xml

  • Repository list (i.e. HSM configuration)
  • Common (logging, file locations)
  • Enforcer (database location, wake interval, etc.)
  • Signer (working directory, worker threads, etc.)

kasp.xml

Policy specifications:

  • Signature specifications (resign, validity, jitter, etc.)
  • Authenticated denial of existence
    • NSEC or NSEC3, resalt, hash, etc.
  • Key data
    • Shared keys, TTL, etc.
    • KSK specifics (algorithm, lifetime, etc.)
    • ZSK specifics (algorithm, lifetime, etc.)
  • Zone data
    • Propagation delay, SOA parameters
  • Parent zone information
    • Propagation delay, SOA and DS parameters

zonelist.xml

Zone specifications:

  • Zone name
  • Policy
  • Adapters

addns.xml

Adapter specifications:

  • TSIG data (name, algorithm, secret)
  • Inbound
    • Transfer request configuration
    • Allow notify configuration
  • Outbound
    • Provide transfer configuration
    • Notify configuration

Zone files

Default locations:

  • /var/opendnssec/signed
  • /var/opendnssec/unsigned

Signed and unsigned zone files managed by OpenDNSSEC. These directories are used when a zone is configured with File Adapters.
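The configuration files listed above reference each other (zonelist.xml names a policy that must exist in kasp.xml) and, for File Adapters, point at the zone-file locations in this section. The following script is an added example, not part of OpenDNSSEC or of this page: it cross-checks a kasp.xml and a zonelist.xml and reports zones whose policy is undefined or whose File adapter or signer-configuration paths fall outside the default directories. The element names (KASP/Policy, ZoneList/Zone, Adapters/Input, Adapters/Output, Adapter type="File") are assumed to match the OpenDNSSEC 2.x schema; the two XML documents embedded in the script are constructed for this example. Adapters of other types (e.g. DNS) are skipped, since their zone data is not kept under the unsigned directory.

```python
"""Consistency check for an OpenDNSSEC configuration set (added example).

Not OpenDNSSEC's own code. Element names are assumed to follow the
OpenDNSSEC 2.x kasp.xml / zonelist.xml schema; the sample documents
below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Default locations as documented on this page.
UNSIGNED_DIR = "/var/opendnssec/unsigned"
SIGNED_DIR = "/var/opendnssec/signed"
SIGNCONF_DIR = "/var/opendnssec/signconf"

# Constructed sample kasp.xml defining two policies.
KASP_XML = """<KASP>
  <Policy name="default"><Description>Default policy</Description></Policy>
  <Policy name="lab"><Description>Lab policy</Description></Policy>
</KASP>"""

# Constructed sample zonelist.xml: one well-formed zone and one with problems.
ZONELIST_XML = """<ZoneList>
  <Zone name="example.com">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.com.xml</SignerConfiguration>
    <Adapters>
      <Input><Adapter type="File">/var/opendnssec/unsigned/example.com</Adapter></Input>
      <Output><Adapter type="File">/var/opendnssec/signed/example.com</Adapter></Output>
    </Adapters>
  </Zone>
  <Zone name="example.net">
    <Policy>missing</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.net.xml</SignerConfiguration>
    <Adapters>
      <Input><Adapter type="DNS">/etc/opendnssec/addns.xml</Adapter></Input>
      <Output><Adapter type="File">/tmp/example.net.signed</Adapter></Output>
    </Adapters>
  </Zone>
</ZoneList>"""


def policy_names(kasp_xml: str) -> set:
    """Return the set of policy names defined in a kasp.xml document."""
    root = ET.fromstring(kasp_xml)
    return {p.get("name") for p in root.findall("Policy")}


def _inside(path: str, directory: str) -> bool:
    """True if `path` is an absolute path below `directory` with no '..' hops."""
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    return PurePosixPath(directory) in p.parents


def check_zone(zone: ET.Element, policies: set) -> list:
    """Return a list of human-readable findings for one <Zone> element."""
    findings = []
    name = zone.get("name")
    policy = zone.findtext("Policy")
    if policy not in policies:
        findings.append(f"{name}: policy '{policy}' not defined in kasp.xml")
    signconf = zone.findtext("SignerConfiguration", default="")
    if not _inside(signconf, SIGNCONF_DIR):
        findings.append(f"{name}: signer configuration outside {SIGNCONF_DIR}: {signconf}")
    # File adapters are expected under the documented unsigned/signed directories;
    # other adapter types (e.g. DNS) keep their data in the working directory.
    for side, expected in (("Input", UNSIGNED_DIR), ("Output", SIGNED_DIR)):
        adapter = zone.find(f"Adapters/{side}/Adapter")
        if adapter is None:
            findings.append(f"{name}: no {side.lower()} adapter configured")
            continue
        if adapter.get("type") == "File" and not _inside(adapter.text or "", expected):
            findings.append(f"{name}: {side.lower()} File adapter outside {expected}: {adapter.text}")
    return findings


def check_config(kasp_xml: str, zonelist_xml: str) -> list:
    """Cross-check every zone in zonelist.xml against kasp.xml and default paths."""
    policies = policy_names(kasp_xml)
    findings = []
    for zone in ET.fromstring(zonelist_xml).findall("Zone"):
        findings.extend(check_zone(zone, policies))
    return findings


if __name__ == "__main__":
    for line in check_config(KASP_XML, ZONELIST_XML):
        print(line)
```

Run against the constructed samples, the script reports two findings, both for example.net: an undefined policy and an output File adapter writing outside /var/opendnssec/signed. To check a live installation, read the two files from /etc/opendnssec instead of the embedded strings.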

Working files

Default locations:

  • /var/opendnssec/signconf - temporary files used to exchange information between the enforcer and signer components. These files should not be edited by users but are useful for debugging.
  • /var/opendnssec/tmp - temporary working directory used to hold state information.

If you use the DNS input adapter, the unsigned zone is not stored in the /var/opendnssec/unsigned directory but in the /var/opendnssec/tmp working directory. Several per-zone files are kept there; for example, for the zone example.com:


Generic:

example.com.backup2: contains the full backup of signer configuration, signed and unsigned zone data.


For DNS Input Adapters:

example.com.xfrd: contains the received zone transfers that have not yet been read by the signer.

example.com.xfrd-state: contains the state of the zone transfer (last serial, last time transferred, which name server to query next, etc.).


For DNS Output Adapters:

example.com.ixfr: contains a zone transfer journal for IXFR queries.

example.com.axfr: contains the full zone transfer for AXFR queries and fallback.
