The default configuration installs good default values for anyone who just wants to sign their domains with DNSSEC. There are four configuration files for the basic OpenDNSSEC installation. You have 

  • conf.xml which is the overall configuration of the system, 
  • kasp.xml which contains the policy of signing, 
  • zonelist.xml where you list all the zones that you are going to sign, 
  • zonefetch.xml (which is optional) for zone transfers.

Click on the filenames below to see details of the file contents.

On this Page

Date/time durations

Please read this description of how date/time durations are used in the configuration files.



The overall configuration of OpenDNSSEC is defined by the contents of the file /etc/opendnssec/conf.xml. In this configuration file you specify logging facilities (only syslog is supported now), system paths, key repositories, privileges, and the database where all key and zone information is stored.


kasp.xml - found by default in /etc/opendnssec - is the file that defines policies used to sign zones. KASP stands for "Key and Signature Policy”, and each policy details

You can have any number of policies and refer to the proper one by name in for example the zonelist.xml configuration file.


The zonelist.xml file is used when first setting up the system, but also used by the ods-signerd when signing zones. For each zone, it contains a Zone tag with information about


OpenDNSSEC can sign zonefiles on disk, but can also sign zones received from transfer (AXFR). If you configure a zone fetcher configuration, the Signer Engine will kick off the zone fetcher that will listen to NOTIFY messages from the parent and store AXFR messages on disk.

Information in this file details

Signer configuration

There are also xml files for each of the zones that the user wants to sign, but those are only used for communication between the Enforcer and the Signer Engine. And they are created automatically be the Enforcer. The location of these files can be found in zonelist.xml.

Read more details about Signer configuration

Checking your configuration files

The OpenDNSSEC XML configuration files (conf.xml and kasp.xml) offer the user many options to customise the OpenDNSSEC signing system. Not all possible configuration texts are meaningful however.

A tool (ods-kaspcheck) is provided to check that the configuration files (conf.xml and kasp.xml) are semantically sane and contain no inconsistencies.

It is advisable to use this tool to check your configuration before starting to use OpenDNSSEC.