This documentation relates to an earlier version of OpenDNSSEC.
The documentation for the latest release is available at the current documentation home.

Skip to end of metadata
Go to start of metadata

OpenDNSSEC can sign zonefiles on disk, but can also sign zones received from transfer (AXFR). If you configure a zone fetcher configuration (see XML /  RelaxNG compact), the Signer Engine will kick off the zone fetcher that will listen to NOTIFY messages from the parent and store AXFR messages on disk. The messages will be stored as the input file adapter plus an additional ".axfr" extension. If the transfer was succesful, the zone fetcher kicks the Signer Engine so that the incoming zone will be signed.

Date/time durations are as specified here.

On this Page


The zone fetcher configuration filename must be specified in conf.xml in the <ZoneFetchFile> element. An example zonefetch.xml file is available here. In the zonefetch.xml file the following elements may be specifed:

  • <NotifyListen>: This defines which interface and port the must bind to listen NOTIFY messages on. You can specify an IPv4/IPv6 address plus port number.
  • <Default>: This has the default values for master servers and tsig credentials.

    • <TSIG>: This configures your TSIG credentials. Name, Algorithm and Secret are required.
    • <RequestTransfer>: This configures your master servers to contact. You can specify multiple IPv4/IPv6 addresses. Unfortunately, only the first encountered port number will be used.


The zone fetcher can run a single time, but the Signer Engine will start it as a daemon. As a daemon, it will accept NOTIFY messages for which it has master servers configured (withRequestTransfer). NOTIFY also does not make use of the TSIG credentials.

You can specify the listening interface and port with <NotifyListen>. By default, the zone fetcher will listen on any interface, port 53.

To listen on a specific address, use:


Upon a valid NOTIFY, the zone fetcher sends a transfer request to one of the master servers. If configured, it adds the TSIG RR. A succesful AXFR response will be stored on disk.

The Signer Engine will know if it has to check for an AXFR on disk before signing a new unsigned zone. Thus, the Signer Engine needs to be kicked with 'update <zone>' if a AXFR was received. Luckily, the zone fetcher will do that for you.

  • No labels