Zone transfer settings are configured per zone. One adapter file can be shared by multiple zones: point each zone at the same file in the zone list file /etc/opendnssec/zonelist.xml.
This section explains the parameters of the DNS adapter configuration by referring to the example addns.xml file supplied with the OpenDNSSEC distribution.
Elements of the addns.xml file
Preamble
<!-- $Id: addnsconf.xml.in 2735 2010-01-28 14:11:27Z matthijs $ -->
Each XML file starts with the standard XML declaration "<?xml ...". As with any XML file, comments are included between the delimiters "<!--" and "-->"; the $Id line above is such a comment.
The enclosing element of the XML file is <Adapter> which, with the closing element </Adapter>, brackets the zone transfer configuration. Because this file configures the DNS adapter, the next element inside <Adapter> is <DNS>.
TSIG
...
<TSIG>
<Name>secret.example.com</Name>
<!-- http://www.iana.org/assignments/tsig-algorithm-names -->
<Algorithm>hmac-sha256</Algorithm>
<!-- base64 encoded secret -->
<Secret>sw0nMPCswVbes1tmQTm1pcMmpNRK+oGMYN+qKNR/BwQ=</Secret>
</TSIG>
The first element inside <DNS> is <TSIG>, which defines a TSIG key. TSIG (transaction signatures) authenticates zone transfers and NOTIFY messages with an HMAC over a shared secret, so both ends must hold the same key name, algorithm and secret. Each <TSIG> requires three elements:
- <Name> is the key name; it must match the name configured on the remote name server.
- <Algorithm> specifies the HMAC algorithm, using a name from the IANA TSIG algorithm registry (hmac-sha256 in the example).
- <Secret> is the base64 encoded shared secret. It is stored in clear text, so restrict read access to addns.xml to the user OpenDNSSEC runs as. The secret shown in the example ships with the distribution and must not be used for a real key.
You can list zero or more <TSIG> elements; a key is only used by the <Remote> and <Peer> entries that refer to its <Name>.
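To produce a <TSIG> stanza with a fresh secret sized for the chosen algorithm, and to sanity-check an existing one before it goes into addns.xml, here is an added Python example. It is not OpenDNSSEC code: the helper names are its own, and the rule that the secret should be at least as long as the HMAC output is the RFC 8945 recommendation adopted as this example's convention, not something OpenDNSSEC enforces.

```python
"""Generate and check <TSIG> stanzas for addns.xml (added example, not OpenDNSSEC code)."""
import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET

# IANA TSIG algorithm names (http://www.iana.org/assignments/tsig-algorithm-names)
# mapped to the hashlib digest that sizes the secret. RFC 8945 recommends a
# secret at least as long as the HMAC output; that rule is this example's
# convention, not an OpenDNSSEC requirement.
DIGEST_FOR_ALGORITHM = {
    "hmac-sha1": "sha1",
    "hmac-sha224": "sha224",
    "hmac-sha256": "sha256",
    "hmac-sha384": "sha384",
    "hmac-sha512": "sha512",
}
OBSOLETE = {"hmac-md5", "hmac-md5.sig-alg.reg.int"}


def recommended_secret_length(algorithm):
    """Bytes of secret to generate (or require) for a TSIG algorithm."""
    name = algorithm.strip().lower()
    if name in OBSOLETE:
        raise ValueError(f"{algorithm} is obsolete; use an hmac-sha2 algorithm")
    if name not in DIGEST_FOR_ALGORITHM:
        raise ValueError(f"unsupported TSIG algorithm: {algorithm}")
    return hashlib.new(DIGEST_FOR_ALGORITHM[name]).digest_size


def generate_tsig_stanza(name, algorithm="hmac-sha256"):
    """Return a <TSIG> element as text, with a random base64 secret."""
    secret = secrets.token_bytes(recommended_secret_length(algorithm))
    tsig = ET.Element("TSIG")
    ET.SubElement(tsig, "Name").text = name
    ET.SubElement(tsig, "Algorithm").text = algorithm
    ET.SubElement(tsig, "Secret").text = base64.b64encode(secret).decode("ascii")
    return ET.tostring(tsig, encoding="unicode")


def check_tsig_stanza(xml_text):
    """Return a list of problems with a <TSIG> stanza; an empty list means it is fine."""
    tsig = ET.fromstring(xml_text)
    if tsig.tag != "TSIG":
        return [f"expected <TSIG>, got <{tsig.tag}>"]
    fields = {child.tag: (child.text or "").strip() for child in tsig}
    problems = [f"missing <{tag}>" for tag in ("Name", "Algorithm", "Secret") if not fields.get(tag)]
    if problems:
        return problems
    want = None
    try:
        want = recommended_secret_length(fields["Algorithm"])
    except ValueError as exc:
        problems.append(str(exc))
    try:
        # validate=True rejects characters outside the base64 alphabet instead of skipping them
        secret = base64.b64decode(fields["Secret"], validate=True)
    except ValueError as exc:
        problems.append(f"<Secret> is not valid base64: {exc}")
        return problems
    if want is not None and len(secret) < want:
        problems.append(f"secret is {len(secret)} bytes; {fields['Algorithm']} wants at least {want}")
    return problems


if __name__ == "__main__":
    stanza = generate_tsig_stanza("secret.example.com")
    print(stanza)
    print("problems:", check_tsig_stanza(stanza))
```

Paste the printed stanza into the <DNS> section of addns.xml and configure the same name, algorithm and secret on the remote name server; check_tsig_stanza on the example stanza from this page returns no problems, because its 44-character secret decodes to the 32 bytes hmac-sha256 wants.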
Inbound
The inbound DNS configuration is bracketed in the enclosing element <Inbound>, and the closing element </Inbound>.
Requesting Zone Transfers
...
<RequestTransfer>
<!-- EXAMPLE: send request to 1.2.3.4 on the default port 53 -->
<Remote>
<Address>1.2.3.4</Address>
</Remote>
<!-- EXAMPLE: send request to dead:beef::1 on port 5353, TSIG signed with secret.example.com -->
<Remote>
<Address>dead:beef::1</Address>
<Port>5353</Port>
<Key>secret.example.com</Key>
</Remote>
</RequestTransfer>
<RequestTransfer> holds the list of master name servers from which OpenDNSSEC requests transfers of this zone, that is, the unsigned input zone. Each name server is given by a <Remote> element:
- <Address> is a required element that stores the IPv4 or IPv6 address of the master name server.
- <Port> is an optional element that specifies the port to use. If not provided, the port is defaulted to 53.
- <Key> refers to a configured TSIG key name. The TSIG must be provided in the same file. If no key is given, TSIG will not be used for this name server.
You can list multiple master name servers. In the example above, the zone transfer can be requested at 1.2.3.4 port 53 with no TSIG, or at dead:beef::1 port 5353 with the secret.example.com TSIG. Note that the transfer from 1.2.3.4 is not authenticated: without TSIG, OpenDNSSEC can only trust that the reply came from the address it connected to.
Receiving Notifies
...
<!-- Allow NOTIFY messages from host -->
<AllowNotify>
<!-- EXAMPLE: allow notifies from 1.2.3.4 -->
<Peer>
<Prefix>1.2.3.4</Prefix>
</Peer>
</AllowNotify>
<AllowNotify> lists the name servers that may notify OpenDNSSEC that there is a new version of the zone. Usually, the master name server will also send the NOTIFY messages; in that case, the address and TSIG key from <RequestTransfer> can be copied here. Keeping the two lists separate in the configuration allows for more flexible setups. Here, you can list a number of <Peer> elements:
- <Prefix> is a required element that stores the IPv4 or IPv6 address, or address prefix, that NOTIFY messages are accepted from.
- <Key> refers to a configured TSIG key name. The TSIG must be provided in the same file. If no key is given, TSIG will not be required for NOTIFY messages from this peer, and they are accepted on the source address alone.
Outbound
Similar to <Inbound>, the outbound DNS configuration goes between <Outbound> and </Outbound>.
Providing Zone Transfers
...
<!-- Provide XFR to host -->
<ProvideTransfer>
<!-- EXAMPLE: provide XFR to 1.2.3.5 with key secret.example.com -->
<Peer>
<Prefix>1.2.3.5</Prefix>
<Key>secret.example.com</Key>
</Peer>
</ProvideTransfer>
<ProvideTransfer> configures the list of secondary name servers that can pick up the signed zone through a zone transfer. Each secondary is given by a <Peer> element with the same <Prefix> and <Key> children as in <AllowNotify>. In this example, one secondary name server is configured: the server with address 1.2.3.5 may request a zone transfer if the request is correctly signed with the secret.example.com TSIG key.
Sending Notifies
...
<!-- Send NOTIFY messages to host -->
<Notify>
<!-- EXAMPLE: send NOTIFY to 1.2.3.5 on the default port 53 -->
<Remote>
<Address>1.2.3.5</Address>
</Remote>
</Notify>
For the same reasons as with the inbound DNS configuration, sending notifies and providing zone transfers are configured separately, to be more flexible. Here, OpenDNSSEC sends a NOTIFY to the server at 1.2.3.5 on port 53 without TSIG. Again, more than one server can be configured, and a <Remote> under <Notify> takes the same <Address>, <Port> and <Key> children as under <RequestTransfer>.
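The following added Python linter (example code, not part of OpenDNSSEC) ties the four lists together: it parses an addns.xml equivalent to the stanzas above, checks that every <Key> names a configured <TSIG>, validates addresses, prefixes and ports, and flags each <Remote> or <Peer> that has no key and is therefore trusted by IP address only. The sample document is constructed here from the page's examples; the assumption that a <Prefix> may be written as address/length is the example's own.

```python
"""Lint an OpenDNSSEC addns.xml (added example, not part of OpenDNSSEC)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, equivalent to the example stanzas discussed on this page.
SAMPLE_ADDNS = """<?xml version="1.0" encoding="UTF-8"?>
<Adapter>
  <DNS>
    <TSIG>
      <Name>secret.example.com</Name>
      <Algorithm>hmac-sha256</Algorithm>
      <Secret>sw0nMPCswVbes1tmQTm1pcMmpNRK+oGMYN+qKNR/BwQ=</Secret>
    </TSIG>
    <Inbound>
      <RequestTransfer>
        <Remote><Address>1.2.3.4</Address></Remote>
        <Remote><Address>dead:beef::1</Address><Port>5353</Port><Key>secret.example.com</Key></Remote>
      </RequestTransfer>
      <AllowNotify>
        <Peer><Prefix>1.2.3.4</Prefix></Peer>
      </AllowNotify>
    </Inbound>
    <Outbound>
      <ProvideTransfer>
        <Peer><Prefix>1.2.3.5</Prefix><Key>secret.example.com</Key></Peer>
      </ProvideTransfer>
      <Notify>
        <Remote><Address>1.2.3.5</Address></Remote>
      </Notify>
    </Outbound>
  </DNS>
</Adapter>
"""


def _text(elem, tag):
    """Text of a direct child element, or None when the child is absent."""
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else None


def lint_addns(xml_text):
    """Return (errors, warnings). Errors break the config; warnings flag unauthenticated peers."""
    errors, warnings = [], []
    root = ET.fromstring(xml_text)
    dns = root.find("DNS") if root.tag == "Adapter" else None
    if dns is None:
        return ["expected <Adapter><DNS>...</DNS></Adapter>"], warnings

    keys = {name for name in (_text(t, "Name") for t in dns.findall("TSIG")) if name}

    def check_key(elem, where):
        key = _text(elem, "Key")
        if key is None:
            warnings.append(f"{where}: no <Key>, peer is authenticated by IP address only")
        elif key not in keys:
            errors.append(f"{where}: <Key>{key}</Key> does not match any <TSIG><Name>")

    # <Remote>: servers we send to (AXFR/IXFR requests, outgoing NOTIFY)
    for path in ("Inbound/RequestTransfer", "Outbound/Notify"):
        for remote in dns.findall(f"{path}/Remote"):
            addr = _text(remote, "Address")
            where = f"{path} {addr or '?'}"
            if addr is None:
                errors.append(f"{where}: missing <Address>")
            else:
                try:
                    ipaddress.ip_address(addr)
                except ValueError:
                    errors.append(f"{where}: <Address> must be a single IPv4/IPv6 address")
            port = _text(remote, "Port") or "53"  # the page: default port is 53
            if not (port.isdigit() and 1 <= int(port) <= 65535):
                errors.append(f"{where}: bad <Port> {port!r}")
            check_key(remote, where)

    # <Peer>: servers we accept from (incoming NOTIFY, AXFR/IXFR requests)
    for path in ("Inbound/AllowNotify", "Outbound/ProvideTransfer"):
        for peer in dns.findall(f"{path}/Peer"):
            prefix = _text(peer, "Prefix")
            where = f"{path} {prefix or '?'}"
            if prefix is None:
                errors.append(f"{where}: missing <Prefix>")
            else:
                try:
                    # assumption of this example: a prefix is an address or address/length
                    ipaddress.ip_network(prefix, strict=False)
                except ValueError:
                    errors.append(f"{where}: <Prefix> must be an address or address/length")
            check_key(peer, where)
    return errors, warnings


if __name__ == "__main__":
    for kind, findings in zip(("ERROR", "WARN"), lint_addns(SAMPLE_ADDNS)):
        for finding in findings:
            print(kind, finding)
```

Run against the sample it reports no errors and three warnings: the unkeyed master 1.2.3.4 in <RequestTransfer>, the unkeyed peer 1.2.3.4 in <AllowNotify>, and the unkeyed NOTIFY target 1.2.3.5. Misspelling a key name, so that a <Key> no longer matches any <TSIG><Name>, turns into an error for every entry that references it.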
Postamble
The </DNS> element closes the DNS adapter configuration. The </Adapter> element closes the file.