/usr/share/opendnssec/signconf.rnc is in opendnssec-common 1:2.1.3-0.2build1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 | # Copyright (c) 2009 .SE (The Internet Infrastructure Foundation).
# Copyright (c) 2015-2016 NLnet Labs.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes"
start = element SignerConfiguration { zone }
zone = element Zone {
# zone name
attribute name { xsd:string }
# Do not touch contents of zonefile.
& element Passthrough { empty }?
# this section is taken directly from the corresponding KASP policy
& element Signatures {
element Resign { xsd:duration }
& element Refresh { xsd:duration }
& element Validity {
element Default { xsd:duration }
& element Denial { xsd:duration }
& element Keyset { xsd:duration }?
}
& element Jitter { xsd:duration }
& element InceptionOffset { xsd:duration }
& maxzonettl? # Maximum TTL that may be used in a zone.
}
# use NSEC or NSEC3?
& element Denial { (nsec | nsec3) }
& element Keys {
# TTL for all DNSKEYs
ttl
& element Key {
# DNSKEY flags
element Flags { xsd:nonNegativeInteger { maxInclusive = "65535" } }
# DNSKEY algorithm
& algorithm
# The key locator is matched against the
# PKCS#11 CKA_ID and is specified as a string
# of hex characters.
& element Locator { xsd:hexBinary }?
& element ResourceRecord { xsd:base64Binary }?
# sign all the DNSKEY RRsets with this key?
& element KSK { empty }?
# sign all non-DNSKEY RRsets with this key?
& element ZSK { empty }?
# include this key in the zonefile?
& element Publish { empty }?
# deactivate this key (i.e. do not recycle any signatures)
& element Deactivate { empty }?
}*
& element SignatureResourceRecord { xsd:base64Binary }*
}
# What parameters to use for the SOA record
& soa
}
algorithm = element Algorithm { xsd:nonNegativeInteger { maxInclusive = "255" } }
ttl = element TTL { xsd:duration }
soa = element SOA {
ttl
& element Minimum { xsd:duration }
& serial
}
# see kasp.rnc for description
serial = element Serial {
"counter" |
"datecounter" |
"unixtime" |
"keep"
}
# This section is taken directly from the corresponding KASP policy
nsec = element NSEC { empty }
# This section is taken directly from the corresponding KASP policy
# (except that the NSEC3 Salt is not optional)
nsec3 = element NSEC3 {
ttl?
& element OptOut { empty }?
& element Hash {
algorithm
& element Iterations { xsd:nonNegativeInteger { maxInclusive = "65535" } }
& element Salt { xsd:string }
}
}
maxzonettl = element MaxZoneTTL { xsd:duration }
|