/usr/share/opendnssec/signconf.rnc is in opendnssec-common 1:1.4.3-3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 | # $Id: signconf.rnc 7358 2013-10-11 11:47:27Z matthijs $
#
# Copyright (c) 2009 .SE (The Internet Infrastructure Foundation).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes"
start = element SignerConfiguration { zone }
zone = element Zone {
# zone name
attribute name { xsd:string },
# this section is taken directly from the corresponding KASP policy
element Signatures {
element Resign { xsd:duration },
element Refresh { xsd:duration },
element Validity {
element Default { xsd:duration },
element Denial { xsd:duration }
},
element Jitter { xsd:duration },
element InceptionOffset { xsd:duration }
},
# use NSEC or NSEC3?
element Denial { (nsec | nsec3) },
element Keys {
# TTL for all DNSKEYs
ttl,
element Key {
# DNSKEY flags
element Flags { xsd:nonNegativeInteger { maxInclusive = "65535" } },
# DNSKEY algorithm
algorithm,
# The key locator is matched against the
# PKCS#11 CKA_ID and is specified as a string
# of hex characters.
element Locator { xsd:hexBinary },
# sign all the DNSKEY RRsets with this key?
element KSK { empty }?,
# sign all non-DNSKEY RRsets with this key?
element ZSK { empty }?,
# include this key in the zonefile?
element Publish { empty }?,
# deactivate this key (i.e. do not recycle any signatures)
element Deactivate { empty }?
}+
},
# What parameters to use for the SOA record
soa
}
algorithm = element Algorithm { xsd:nonNegativeInteger { maxInclusive = "255" } }
ttl = element TTL { xsd:duration }
soa = element SOA {
ttl,
element Minimum { xsd:duration },
serial
}
# see kasp.rnc for description
serial = element Serial {
"counter" |
"datecounter" |
"unixtime" |
"keep"
}
# This section is taken directly from the corresponding KASP policy
nsec = element NSEC { empty }
# This section is taken directly from the corresponding KASP policy
# (except that the NSEC3 Salt is not optional)
nsec3 = element NSEC3 {
ttl?,
element OptOut { empty }?,
element Hash {
algorithm,
element Iterations { xsd:nonNegativeInteger { maxInclusive = "65535" } },
element Salt { xsd:string }
}
}
|