This documentation relates to an earlier version of OpenDNSSEC.
The documentation for the latest release is available at the current documentation home.


The default configuration installs good default values for anyone who just wants to sign their domains with DNSSEC. There are four configuration files for the basic OpenDNSSEC installation. You have 

  • conf.xml which is the overall configuration of the system, 
  • kasp.xml which contains the policy of signing, 
  • zonelist.xml where you list all the zones that you are going to sign, 
  • zonefetch.xml (which is optional) for zone transfers.

Click on the filenames below to see details of the file contents.


Date/time durations

Please read this description of how date/time durations are used in the configuration files.

Files

conf.xml

The overall configuration of OpenDNSSEC is defined by the contents of the file /etc/opendnssec/conf.xml. In this configuration file you specify logging facilities (only syslog is supported now), system paths, key repositories, privileges, and the database where all key and zone information is stored.

kasp.xml

kasp.xml - found by default in /etc/opendnssec - is the file that defines the policies used to sign zones. KASP stands for "Key and Signature Policy", and each policy details

  • security parameters used for signing zones
  • timing parameters used for signing zones

You can have any number of policies and refer to the appropriate one by name, for example in the zonelist.xml configuration file.

zonelist.xml

The zonelist.xml file is used when first setting up the system, but it is also used by ods-signerd when signing zones. For each zone, it contains a Zone tag with information about

  • the zone's DNS name
  • the policy from kasp.xml used to sign the zone
  • how to obtain the zone
  • how to publish the zone

zonefetch.xml

OpenDNSSEC can sign zone files on disk, but it can also sign zones received by zone transfer (AXFR). If you provide a zone fetcher configuration, the Signer Engine will start the zone fetcher, which listens for NOTIFY messages from the parent and stores the zones obtained by AXFR on disk.

Information in this file details

  • where to fetch zone data from
  • protection mechanisms to be used

Signer configuration

There are also XML files for each of the zones that the user wants to sign, but those are only used for communication between the Enforcer and the Signer Engine, and they are created automatically by the Enforcer. The location of these files can be found in zonelist.xml.

Read more details about Signer configuration

Checking your configuration files

The OpenDNSSEC XML configuration files (conf.xml and kasp.xml) offer the user many options to customise the OpenDNSSEC signing system. Not every combination of settings is meaningful, however.

A tool (ods-kaspcheck) is provided to check that the configuration files (conf.xml and kasp.xml) are semantically sane and contain no inconsistencies.

It is advisable to use this tool to check your configuration before starting to use OpenDNSSEC.
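Two of the relationships described above, that every zone in zonelist.xml refers to a policy by name and that a policy's timing parameters are given as date/time durations, are the kind of cross-file consistency a check like ods-kaspcheck looks for. The script below is an added example, not part of OpenDNSSEC or its ods-kaspcheck tool: it parses a constructed kasp.xml and zonelist.xml, reports zones whose policy is not defined, and flags timing values that are not ISO 8601 durations. The element names (KASP/Policy with a name attribute, ZoneList/Zone with a name attribute, Policy and SignerConfiguration children) are assumed from the OpenDNSSEC 1.x layout, and the file paths in the sample are constructed.

```python
"""Consistency check across a constructed kasp.xml and zonelist.xml (added example,
not OpenDNSSEC's own ods-kaspcheck)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample kasp.xml. Element layout is an assumption of this example
# (OpenDNSSEC 1.x style); the "broken" policy carries a malformed duration on purpose.
KASP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<KASP>
  <Policy name="default">
    <Description>Constructed sample policy</Description>
    <Signatures>
      <Resign>PT2H</Resign>
      <Refresh>P3D</Refresh>
      <Validity><Default>P7D</Default><Denial>P7D</Denial></Validity>
      <Jitter>PT12H</Jitter>
      <InceptionOffset>PT3600S</InceptionOffset>
    </Signatures>
  </Policy>
  <Policy name="broken">
    <Description>Constructed policy with a malformed duration</Description>
    <Signatures>
      <Resign>2 hours</Resign>
      <Refresh>P3D</Refresh>
      <Validity><Default>P7D</Default><Denial>P7D</Denial></Validity>
      <Jitter>PT12H</Jitter>
      <InceptionOffset>PT3600S</InceptionOffset>
    </Signatures>
  </Policy>
</KASP>
"""

# Constructed sample zonelist.xml; the second zone names a policy kasp.xml does not define.
ZONELIST_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ZoneList>
  <Zone name="example.com">
    <Policy>default</Policy>
    <SignerConfiguration>/path/to/signconf/example.com.xml</SignerConfiguration>
  </Zone>
  <Zone name="example.net">
    <Policy>nonexistent</Policy>
    <SignerConfiguration>/path/to/signconf/example.net.xml</SignerConfiguration>
  </Zone>
</ZoneList>
"""

# ISO 8601 duration as used for timing parameters, e.g. P7D, PT2H, PT3600S, P1DT12H.
# "P" alone, or "PT" with nothing after it, is rejected.
DURATION_RE = re.compile(
    r"^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$")

# Signatures children whose text must be a duration (assumed element names).
DURATION_TAGS = ("Resign", "Refresh", "Default", "Denial", "Jitter", "InceptionOffset")


def is_duration(text):
    """True if text is a syntactically valid ISO 8601 duration."""
    return bool(DURATION_RE.match((text or "").strip()))


def load_policies(kasp_xml):
    """Map policy name -> Policy element from a kasp.xml document."""
    return {p.get("name"): p for p in ET.fromstring(kasp_xml).findall("Policy")}


def check_durations(policy):
    """Return (tag, value) pairs under Signatures that are not valid durations."""
    signatures = policy.find("Signatures")
    if signatures is None:
        return [("Signatures", None)]
    return [(el.tag, el.text) for el in signatures.iter()
            if el.tag in DURATION_TAGS and not is_duration(el.text)]


def check_config(kasp_xml, zonelist_xml):
    """Return a list of problem descriptions; an empty list means the files agree."""
    problems = []
    policies = load_policies(kasp_xml)
    for name, policy in policies.items():
        for tag, value in check_durations(policy):
            problems.append(f"policy {name}: <{tag}> value {value!r} is not a duration")
    seen = set()
    for zone in ET.fromstring(zonelist_xml).findall("Zone"):
        zname = zone.get("name")
        if zname in seen:
            problems.append(f"zone {zname}: listed more than once")
        seen.add(zname)
        policy_name = zone.findtext("Policy")
        if policy_name not in policies:
            problems.append(f"zone {zname}: policy {policy_name!r} is not defined in kasp.xml")
        if not zone.findtext("SignerConfiguration"):
            problems.append(f"zone {zname}: no SignerConfiguration path")
    return problems


if __name__ == "__main__":
    for line in check_config(KASP_XML, ZONELIST_XML):
        print(line)
```

Run against the constructed files, the check reports exactly two problems: the "broken" policy's Resign value and example.net's reference to an undefined policy. The duration test is purely syntactic; whether a value such as a Refresh shorter than the Resign interval makes sense is a semantic question that ods-kaspcheck, not this script, is meant to answer.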
