kasp.xml (found by default in /etc/opendnssec) is the file that defines policies used to sign zones. Each policy comprises a series of parameters that define the way the zone is signed. This section explains the parameters by referring to the example kasp.xml file supplied with the OpenDNSSEC distribution.
See also: Specification of Date/time durations.
<?xml version="1.0" encoding="UTF-8"?>
Each XML file starts with the standard XML declaration "<?xml ...". As with any XML file, comments are enclosed between the delimiters "<!--" and "-->".
The enclosing element of the XML file is the element <KASP> which, with the closing element </KASP>, brackets one or more policies.
<Policy name="default">
  <Description>A default policy that will amaze you and your friends</Description>
Each policy is included in the <Policy>...</Policy> elements. Each policy has a "name" attribute giving the name of the policy. The name is used to link a policy and the zones signed using it; each policy must have a unique name. The policy named "default" is special, as it is associated with all zones that do not have a policy explicitly associated with them.
A policy can have a description associated with it. Unlike XML comments, the description can be understood by programs and may be used to document the policy, e.g. a future GUI may display a list of policies along with their description and ask you to select one for editing.
The next section of the file is the Signatures section, which lists the parameters for the signatures created using the policy.
<Signatures>
  <Resign>PT2H</Resign>
  <Refresh>P3D</Refresh>
  <Validity>
    <Default>P14D</Default>
    <Denial>P14D</Denial>
  </Validity>
  <Jitter>PT12H</Jitter>
  <InceptionOffset>PT300S</InceptionOffset>
</Signatures>
The relationship between these elements is shown below.
Authenticated denial of existence - proving that domain names do not exist in the zone - is handled by the <Denial> section, as shown below:
<Denial>
  <NSEC3>
    <TTL>PT3600S</TTL>
    <OptOut/>
    <Resalt>P100D</Resalt>
    <Hash>
      <Algorithm>1</Algorithm>
      <Iterations>5</Iterations>
      <Salt length="8"/>
    </Hash>
  </NSEC3>
</Denial>
<Denial> includes one element, either <NSEC3> (as shown above) or <NSEC>.
<NSEC3> tells the signer to use the NSEC3 scheme for authenticated denial of existence (described in RFC 5155). The elements are:
<TTL>, if present, is the time-to-live value for the NSEC3PARAM resource records; if absent, PT0S (0) is used. This affects only the time-to-live of the NSEC3PARAM records. The time-to-live of the NSEC3 records themselves is set to the value of the SOA <Minimum>.
Should NSEC instead be used as the authenticated denial of existence scheme, the <Denial> element contains the single element <NSEC/>. There are no other parameters.
Parameters relating to keys can be found in the <Keys> section.
The section starts with a number of parameters relating to both zone-signing keys (ZSK) and key-signing keys (KSK):
<Keys>
  <TTL>PT3600S</TTL>
  <RetireSafety>PT3600S</RetireSafety>
  <PublishSafety>PT3600S</PublishSafety>
  <ShareKeys/>
  <Purge>P14D</Purge>
Parameters for key-signing keys are held in the <KSK> section:
<KSK>
  <Algorithm length="2048">8</Algorithm>
  <Lifetime>P1Y</Lifetime>
  <Repository>softHSM</Repository>
  <ManualRollover/>
</KSK>
<Algorithm> determines the algorithm used for the key (the numbers reserved for each algorithm can be found in the appropriate IANA registry).
<ManualRollover/> is an optional tag. It indicates that a key rollover is only initiated on command of the operator. For the KSK there is still a second step, where the key must be published to the parent before the rollover is completed; read more in the chapter "Running OpenDNSSEC". If this tag is not present, the ZSK rollover is fully automatic.
Before version 2.0 the KSK section could have a <StandbyKeys> element. Key rollovers are a process that can be interrupted at any time in OpenDNSSEC 2.0 and therefore the notion of standby keys was dropped. The element is ignored but still accepted to ease migration.
Parameters for zone-signing keys are held in the <ZSK> section, and have the same meaning as for the KSK:
<ZSK>
  <Algorithm length="1024">8</Algorithm>
  <Lifetime>P90D</Lifetime>
  <Repository>softHSM</Repository>
</ZSK>
The ZSK information completes the contents of the <Keys> section.
General information concerning the zones can be found in the <Zone> section:
<Zone>
  <PropagationDelay>PT9999S</PropagationDelay>
  <SOA>
    <TTL>PT3600S</TTL>
    <Minimum>PT3600S</Minimum>
    <Serial>unixtime</Serial>
  </SOA>
</Zone>
Note: these values override the values set for the SOA record in the input zone file, so the serial in the signed and the unsigned zone is likely to go out of sync.
If a DNSSEC zone is in a chain of trust, digest information about the KSKs used in the zone will be stored in DS records in the parent zone. To properly roll keys, timing information about the parent zone must be configured in the <Parent> section:
<Parent>
  <PropagationDelay>PT9999S</PropagationDelay>
  <DS>
    <TTL>PT3600S</TTL>
  </DS>
  <SOA>
    <TTL>PT3600S</TTL>
    <Minimum>PT3600S</Minimum>
  </SOA>
</Parent>
This is the last section of the policy specification, so the next element is the closing </Policy> tag. Any additional policies would be entered here, each starting with <Policy> and ending with </Policy>. In this case there are no additional policies, so the file ends with the closing </KASP> tag.
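As an added example (not OpenDNSSEC's own code), the following loads a kasp.xml document, converts the ISO 8601 durations shown above to seconds, and enforces the two structural rules this page states: policy names are unique and <Denial> holds exactly one of <NSEC/> or <NSEC3>. The sample document is constructed from the fragments on this page, and the fixed seconds used for a month and a year are an assumption.

```python
"""Added example: parse kasp.xml policies and check the rules the page states."""
import re
import xml.etree.ElementTree as ET
# Constructed sample assembled from the fragments shown on this page.
KASP_EXAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<KASP><Policy name="default">
  <Signatures><Resign>PT2H</Resign><Refresh>P3D</Refresh>
    <Validity><Default>P14D</Default><Denial>P14D</Denial></Validity>
    <Jitter>PT12H</Jitter><InceptionOffset>PT300S</InceptionOffset></Signatures>
  <Denial><NSEC3><TTL>PT3600S</TTL><OptOut/><Resalt>P100D</Resalt><Hash>
    <Algorithm>1</Algorithm><Iterations>5</Iterations><Salt length="8"/></Hash></NSEC3></Denial>
  <Keys><TTL>PT3600S</TTL><RetireSafety>PT3600S</RetireSafety>
    <PublishSafety>PT3600S</PublishSafety><ShareKeys/><Purge>P14D</Purge>
    <KSK><Algorithm length="2048">8</Algorithm><Lifetime>P1Y</Lifetime>
      <Repository>softHSM</Repository><ManualRollover/></KSK>
    <ZSK><Algorithm length="1024">8</Algorithm><Lifetime>P90D</Lifetime>
      <Repository>softHSM</Repository></ZSK></Keys>
</Policy></KASP>"""
# Durations use ISO 8601 (PnYnMnWnDTnHnMnS); the fixed seconds for a
# month and a year below are an approximation (an assumption here).
_DUR = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
                  r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
_SECS = (31536000, 2592000, 604800, 86400, 3600, 60, 1)

def duration_seconds(text):
    """Convert a duration such as PT2H, P3D or PT300S to whole seconds."""
    m = _DUR.match(text.strip())
    if not m or not any(m.groups()):
        raise ValueError("bad duration: %r" % text)
    return sum(int(v) * s for v, s in zip(m.groups(), _SECS) if v)

def load_policies(xml_text):
    """Return {name: dict} per <Policy>; names unique, one denial scheme each."""
    policies = {}
    for pol in ET.fromstring(xml_text.encode()).findall("Policy"):
        name = pol.get("name")
        if name in policies:
            raise ValueError("duplicate policy name: %s" % name)
        schemes = [c.tag for c in pol.find("Denial")]
        if schemes not in (["NSEC"], ["NSEC3"]):
            raise ValueError("%s: Denial needs exactly one of NSEC/NSEC3" % name)
        policies[name] = {
            "resign": duration_seconds(pol.findtext("Signatures/Resign")),
            "refresh": duration_seconds(pol.findtext("Signatures/Refresh")),
            "validity": duration_seconds(pol.findtext("Signatures/Validity/Default")),
            "denial": schemes[0],
            "ksk_alg": int(pol.findtext("Keys/KSK/Algorithm")),
            "ksk_manual": pol.find("Keys/KSK/ManualRollover") is not None,
        }
    return policies
```

Running load_policies on a real /etc/opendnssec/kasp.xml gives the same per-policy dictionary, which is a convenient input for further timing sanity checks.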