This page describes the default setup of OpenDNSSEC.


OpenDNSSEC manages various information on disk, which includes the following:

  • Configuration files (blue): XML files that specify the settings for the system
  • Zone files (orange): unsigned and signed copies of the zones
  • Working files/directories (grey): temporary files used by the system to exchange information between components and track internal state information
  • Database (green): a database backend used by the enforcer to track key and zone status (assumes a SQLite database backend)

Configuration files

Default location: /etc/opendnssec

  • Repository list (i.e. HSM configuration)
  • Common (logging, file locations)
  • Enforcer (database location, wake interval, etc.)
  • Signer (working directory, worker threads, etc.)

Policy specifications:

    • Signature specifications (resign, validity, jitter, etc.)
    • Authenticated denial of existence
      • NSEC or NSEC3, resalt, hash, etc.
    • Key data
      • Shared keys, TTL, etc.
      • KSK specifics (algorithm, lifetime, etc.)
      • ZSK specifics (algorithm, lifetime, etc.)
    • Zone data
      • Propagation delay, SOA parameters
    • Parent zone information
      • Propagation delay, SOA and DS parameters

Zone specifications:

    • Zone name
    • Policy
    • Adapters

Adapter specifications:

    • TSIG data (name, algorithm, secret)
    • Inbound
      • Transfer request configuration
      • Allow notify configuration
    • Outbound
      • Provide transfer configuration
      • Notify configuration

Zone files

Default locations:

  • /var/opendnssec/signed
  • /var/opendnssec/unsigned

Signed and unsigned zone files managed by OpenDNSSEC. These are used when File Adapters are configured.

Working files

Default locations:

  • /var/opendnssec/signconf - temporary files used to exchange information between the enforcer and signer components. These files should not be edited by users but are useful for debugging.

  • /var/opendnssec/tmp - temporary working directory used to hold state information.

If you use the DNS input adapter, the unsigned zone will not be stored in the /var/opendnssec/unsigned directory, but in the /var/opendnssec/tmp working directory. There are some files, for example if you have the zone


Generic: contains the full backup of signer configuration, signed and unsigned zone data.


For DNS Input Adapters: contains the to be read zone transfers. contains the state of the zone transfer (last serial, last time transferred, which name server to query next, etc).


For DNS Output Adapters: contains a zone transfer journal for IXFR queries. contains the full zone transfer for AXFR queries and fallback.
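
An added example, not part of the original page or of OpenDNSSEC itself: a shell function that audits file permissions on the default locations listed above. The policy it checks (no access for "other" under /etc/opendnssec, where the adapter configuration holds TSIG secrets, and nothing world-writable under the /var/opendnssec directories) and the PREFIX argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not OpenDNSSEC code): permission audit of the default locations.
# Assumed policy, not taken from the page:
#   - nothing under the configuration directory is accessible to "other"
#     (the adapter configuration holds TSIG secrets)
#   - nothing under the zone and working directories is world-writable
# audit_opendnssec [PREFIX] prints one finding per line and returns 1 if any
# were found. PREFIX is a hypothetical test hook; leave it empty on a live host.

audit_opendnssec() {
    prefix="${1:-}"
    findings=$(
        conf="$prefix/etc/opendnssec"
        if [ -d "$conf" ]; then
            # Any read, write or execute bit for "other". Symlinks are skipped
            # because their own mode bits carry no meaning.
            find "$conf" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
                -exec printf 'config accessible to other: %s\n' {} \;
        fi
        for sub in signed unsigned signconf tmp; do
            dir="$prefix/var/opendnssec/$sub"
            if [ -d "$dir" ]; then
                find "$dir" ! -type l -perm -002 \
                    -exec printf 'world-writable (%s): %s\n' "$sub" {} \;
            fi
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Audit the live default paths only when invoked as: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_opendnssec ""
fi
```

Directories that do not exist are skipped, so the function can be run on hosts that use only some of the adapters.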


