Skip to end of metadata
Go to start of metadata

The list of zones that OpenDNSSEC will sign is held in the zone list file /etc/opendnssec/zonelist.xml. As well as listing the zones, it also specifies the policy used to sign the zones.

This section explains the parameters of the zone list by referring to the example zonelist.xml file supplied with the OpenDNSSEC distribution. 

Date/time durations are as specified here.

On this Page

Elements of the zonelist.xml file

Preamble
<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: zonelist.xml.in 1147 2009-06-24 12:18:17Z jakob $ -->

Each XML file starts with a standard element "<?xml...". As with any XML file, comments are included between the delimiters "<!--"
and "-->".

Zone List
<ZoneList>

The enclosing element of the XML file is the element <ZoneList> which, with the closing element </ZoneList>, brackets the list of zones.

Zones

Each zone is defined by a <Zone> element:

...
	<Zone name="example.com">

The mandatory attribute "name" identifies the zone. Each zone within the zone list must have a unique name. Use "." when signing the root.

Policy

...
		<Policy>default</Policy>

The first element of the <Zone> tag is <Policy>, which identifies the policy used to sign the file. Policies are defined in the kasp.xml file, and the name in this element must be that of one of the defined policies.

Configuration

Information from the Enforcer to the Signer Engine is passed via a special signer configuration file, the name of which is given by the <SignerConfiguration> section of the zone definition:

...
		<SignerConfiguration>/var/opendnssec/signconf/example.com.xml</SignerConfiguration>

(Note that this file is a temporary file that passed between OpenDNSSEC components and is not intended to be edited by users.)

Adapters

The next part of the zone element specifies from where OpenDNSSEC gets the zone data and to where the signed data is put.

...
		<Adapters>
			<Input>
				<Adapter type="File">/var/opendnssec/unsigned/example.com</Adapter>
			</Input>
			<Output>
				<Adapter type="DNS">/etc/opendnssec/addns.xml</Adapter>
			</Output>
		</Adapters>

The <Adapters> element comprises an <Input> and <Output> element which (fairly obviously) identify the input source and output sink of the data.

Within each element is a tag defining the type of data source/sink and its parameters. There is type="File", which takes as its only data the name of the input unsigned file, or output signed zone file. And there is type="DNS", which takes a configuration file as its data. The DNS adapter configuration file is described in more detail here.

...
	</Zone>

The </Zone> tag closes the definition of the zone. As indicated above, one or more zones can be defined in this file.

</ZoneList>

The </ZoneList> element closes the file.

Zone List File Creation

For a small number of zones, the zone list file can be easily edited by hand. Where the number of zones is large - for example, ISPs serving thousands of customers - the intention is that the file be generated by the zone manager's systems using e.g. the ods-ksmutil zone add command.

File Names

As can be seen in the example above, a number of elements that specify file names (<SignerConfiguration>, <Adapter>/<Input> and <Adapter>/<Output>) include the zone name in the name of the file.

Where there are multiple zones, this is strongly recommended as a way of avoiding confusion.

  • No labels