OpenDNSSEC can sign zonefiles on disk, but can also sign zones received from zone transfer (AXFR). If you configure a zone fetcher configuration (see XML / RelaxNG compact), the Signer Engine will kick off the zone fetcher, which listens for NOTIFY messages from the parent and stores the received AXFR messages on disk. The messages are stored under the path of the input file adapter with an additional ".axfr" extension. If the transfer was successful, the zone fetcher kicks the Signer Engine so that the incoming zone gets signed.
Date/time durations are as specified here.
The zone fetcher configuration filename must be specified in conf.xml in the <ZoneFetchFile> element. An example zonefetch.xml file is available here. In the zonefetch.xml file the following elements may be specified:
The zone fetcher can run a single time, but the Signer Engine will start it as a daemon. As a daemon, it will accept NOTIFY messages only for zones for which it has master servers configured (with <RequestTransfer>). The NOTIFY exchange itself does not make use of the TSIG credentials.
You can specify the listening interface and port with <NotifyListen>. By default, the zone fetcher will listen on any interface, port 53.
To listen on a specific address, use:
Upon a valid NOTIFY, the zone fetcher sends a transfer request to one of the configured master servers. If configured, it adds the TSIG RR to the request. A successful AXFR response will be stored on disk.
The Signer Engine will know if it has to check for an AXFR on disk before signing a new unsigned zone. Thus, the Signer Engine needs to be kicked with 'update <zone>' if an AXFR was received. Luckily, the zone fetcher will do that for you.
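The NOTIFY handling described above, as an added illustration that is not OpenDNSSEC's own code: because NOTIFY carries no TSIG, the only check the fetcher can apply is whether the message is a well-formed NOTIFY for a zone whose configured master is the sender, and the resulting file is the input adapter path plus ".axfr". The zone table, addresses and paths are constructed placeholders.

```python
import struct

# Constructed configuration (placeholder values): zone -> (masters allowed
# to NOTIFY, i.e. the <RequestTransfer> addresses, input file adapter path)
ZONES = {
    "example.com.": (["192.0.2.1", "192.0.2.2"], "/var/opendnssec/unsigned/example.com"),
}
OPCODE_NOTIFY = 4
QTYPE_SOA = 6


def parse_qname(msg, offset):
    """Decode an uncompressed DNS name at offset; return (name, new_offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not expected in a NOTIFY question
            raise ValueError("unexpected compression pointer")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def notify_target(msg, source_addr):
    """Return the '.axfr' path to write for this NOTIFY, or None if it must be ignored."""
    if len(msg) < 12:
        return None
    _id, flags, qdcount, *_ = struct.unpack("!6H", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_NOTIFY or qdcount != 1:
        return None
    qname, off = parse_qname(msg, 12)
    qtype, _qclass = struct.unpack("!2H", msg[off:off + 4])
    if qtype != QTYPE_SOA or qname.lower() not in ZONES:
        return None
    masters, input_path = ZONES[qname.lower()]
    if source_addr not in masters:  # no TSIG on NOTIFY: only configured masters are trusted
        return None
    return input_path + ".axfr"  # AXFR result lands beside the input file adapter


def build_notify(zone):
    """Constructed helper: minimal NOTIFY (opcode 4, AA set) asking about `zone`'s SOA."""
    header = struct.pack("!6H", 0x1234, (OPCODE_NOTIFY << 11) | 0x0400, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in zone.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!2H", QTYPE_SOA, 1)
```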