By default OpenDNSSEC expects its configuration files in /etc/opendnssec. This can be configured compiletime if another location is desired.
The OpenDNSSEC XML configuration files (conf.xml and kasp.xml) offer the user many options to customize the OpenDNSSEC signing system. Not all possible configuration texts are meaningful however. ods-kaspcheckTODO is a tool to check that the configuration files are syntactically and semantically sane, and contain no inconsistencies. It is advisable to use this tool to check your configuration before starting to use OpenDNSSEC.
This contains settings that apply to the entire OpenDNSSEC instance such as logging, file locations and HSM information. The conf.xml file is read by both the enforcer and the signer.
zonelist.xml can be used to bulk add or remove zones from OpenDNSSEC. Since OpenDNSSEC 2.0 this file is no longer needed for normal operation and operators are encouraged to use the command line client to add and remove zones instead.
OpenDNSSEC can sign zone files on disk, but can also receive and server zone transfers (both AXFR and IXFR). If you configure a listener in conf.xml, the Signer Engine will kick off a DNS handler that will listen to queries, NOTIFY messages from the master and zone transfer requests from secondaries. Information in this file details where to fetch zone data from and protection mechanisms to be used.
OpenDNSSEC can handle various formatting of the zone file, including different directives and Resource Records (RRs).
The zone file can be formatted in many ways including multi-lined RR, comments, etc.
As defined in RFC 1035 the following directives are supported by OpenDNSSEC:
What origin to use.
The default TTL to use. Treated as seconds, if no suffix is used: s, m, h, d, w, S, M, H, D, W
Include a file from a given path
OpenDNSSEC support all of the RR specified by IANA, with some exceptions:
ATMA, APL, EID, NIMLOC, HIP, SINK, NINFO, RKEY, TA
MD, MF, WKS, GPOS, SIG, KEY, NXT, A6, and NSAP-PTR
Not allowed in master
NULL, OPT, TKEY, TSIG, IXFR, AXFR, MAILB, MAILA, *
But OpenDNSSEC does handle unknown RR types in accordance with RFC3597 e.g: