Per zone you can configure the zone transfer settings. One file can be used for multiple zones, just point to the same file in the zone list file /etc/opendnssec/zonelist.xml.
This section explains the parameters of the DNS adapter configuration by referring to the example addns.xml file supplied with the OpenDNSSEC distribution.
Each XML file starts with a standard element "<?xml...". As with any XML file, comments are included between the delimiters "<!--"
The enclosing element of the XML file is the element <Adapter> which, with the closing element </Adapter>, brackets the zone transfer configuration. Because we are configuring the DNS Adapter, the element <DNS> is used.
The first element of the <DNS> tag is <TSIG>, which is the dedicated protection mechanism used. TSIG requires three elements:
You can list zero or more TSIGs.
The inbound DNS configuration is bracketed in the enclosing element <Inbound>, and the closing element </Inbound>.
Requesting Zone Transfers
<RequestTransfer> is used to hold a list of master name servers where this zone can request zone transfers. The name servers are given by the <Remote> element:
You can list multiple master name servers. In the example above, the zone transfer can be requested at 220.127.116.11 port 53 with no TSIG, or at dead:beef::1 port 5353 with the secret.example.com TSIG.
<AllowNotify> lists the name servers that may notify OpenDNSSEC that there is a new version of the zone. Usually, the master name server will also provide the NOTIFY messages. In that case, the address and TSIG key from <RequestTransfer> can be copied here. Separating this in the configuration file allows for more flexible environment setups. Here, you can list a number of <Peer> elements:
If no NOTIFY messages are being received, OpenDNSSEC will request a new zone transfer after the SOA REFRESH value has passed in time. If a zone transfer has failed, OpenDNSSEC will retry after the SOA RETRY value has passed in time.
Similar to <Inbound>, the outbound DNS configuration goes between <Outbound> and </Outbound>.
Providing Zone Transfers
<ProvideTransfer> allows you to configure a list of secondary name servers that can pick up the signed zone through a zone transfer. One or more <Peer> elements is used to do that. In this example, one secondary name server is configured: The server with address 18.104.22.168 may request a zone transfer if it is correctly signed with the secret.example.com TSIG key.
If OpenDNSSEC acts as a secondary for certain zones (e.g., it has Inbound DNS adapters configured), zones may expire if inbound zone transfers are failing. This happens if the SOA EXPIRE value has passed in time after the latest successful zone transfer. If a zone is expired, OpenDNSSEC will stop providing signed zone transfers, but it will still serve normal queries, for troubleshooting purposes.
For the same reasons as with the inbound DNS configuration, sending notifies and zone transfers has been split up in the configuration to be more flexible. Here, OpenDNSSEC will send a NOTIFY to the server at 22.214.171.124 at port 53, not using TSIG. Again, more than one servers can be configured.
The </DNS> element closes the DNS adapter configuration. The </Adapter> element closes the file.