|Table of Contents|
OpenDNSSEC is a system to manage zones. It takes in unsigned zones and policies and produces and maintains DNSSEC signed zones. OpenDNSSEC is responsible for signing, resigning, key generation, and fetching/distributing zones to and from nameservers.
The signer handles the actual data of a zone. It will obtain unsigned zones either through files or over the network via XFR. Then it will sign the zones and when necessary refresh signatures on a regular basis. Signed zones are then output as a file or via XFR to a nameserver.
OpenDNSSEC manages various information on disk which includes the following
- Configuration files, xml files that specify the settings for the system
- Zone files, unsigned and signed copies of the zones
- Working files, temporary files used by the system to exchange information between components and track internal state information
- Database, when using an SQLite database backend.
By default OpenDNSSECs configuration files are stored in
Daemon specific settings such as HSM configuration, logging, database location, and working directories. This file is read by both the Signer and the Enforcer.
Contains a list of user defined policies. These policies describe how often keys need to be rolled, which algorithms to use, what different timing parameters are etc. This file is read exclusively by the Enforcer.
Specifies the input and output adapters which describe to the Signer how to acquire unsigned zones and where to store signed zonefiles. This can either be the simple file adapters (read and write zones to a file) or the more complex DNS adapters that transfer zones to and from DNS servers.
In case the File input adapter is used OpenDNSSEC expects to find the unsigned zonefile in
/var/opendnssec/unsigned. Likewise for the File output adapter
/var/opendnssec/signed is the location where the Signer will write its signed zonefiles to. These locations are not used when the DNS adapters are selected.
/var/opendnssec/enforcer/zones.xml, list of zones configured in OpenDNSSEC. Produced by the Enforcer and consumed by the signer. This file links zones to the adapters for the signer.
/var/opendnssec/signconf/, for every zone the enforcer writes a signing configuration here. Instructing the signer which keys to publish and use for signing.
/var/opendnssec/signer/, this is where the signer keeps its state. Signatures are cached here and information about zone versions for IXFR.
/var/opendnssec/kasp.db, In case of SQLite as database backend this file contains the enforcer state. Which keys are in use and at what time records where published.