The default configuration installs good default values for anyone who just wants to sign their domains with DNSSEC. There are four configuration files for the basic OpenDNSSEC installation. You have 

  • conf.xml which is the overall configuration of the system, 
  • kasp.xml which contains the policy of signing, 
  • zonelist.xml where you list all the zones that you are going to sign, 
  • addns.xml (per zone, optional) for zone transfers.

Click on the filenames below to see details of the file contents.

On this Page

Date/time durations

Please read this description of how date/time durations are used in the configuration files.

Files

conf.xml

The overall configuration of OpenDNSSEC is defined by the contents of the file /etc/opendnssec/conf.xml. In this configuration file you specify logging facilities (only syslog is supported now), system paths, key repositories, privileges, and the database where all key and zone information is stored.

kasp.xml

kasp.xml - found by default in /etc/opendnssec - is the file that defines policies used to sign zones. KASP stands for "Key and Signature Policy”, and each policy details

You can have any number of policies and refer to the proper one by name in for example the zonelist.xml configuration file.

zonelist.xml

The zonelist.xml file is used when first setting up the system, but also used by the ods-signerd when signing zones. For each zone, it contains a Zone tag with information about

addns.xml

OpenDNSSEC can sign zone files on disk, but can also receive and server zone transfers (both AXFR and IXFR). If you configure a listener in conf.xml, the Signer Engine will kick off a DNS handler that will listen to queries, NOTIFY messages from the master and zone transfer requests from secondaries.

Information in this file details

Signer configuration

There are also xml files for each of the zones that the user wants to sign, but those are only used for communication between the Enforcer and the Signer Engine. And they are created automatically be the Enforcer. The location of these files can be found in zonelist.xml.

Read more details about Signer configuration

Checking your configuration files

The OpenDNSSEC XML configuration files (conf.xml and kasp.xml) offer the user many options to customise the OpenDNSSEC signing system. Not all possible configuration texts are meaningful however.

A tool (ods-kaspcheck) is provided to check that the configuration files (conf.xml and kasp.xml) are semantically sane and contain no inconsistencies.

It is advisable to use this tool to check your configuration before starting to use OpenDNSSEC.