/usr/share/opendnssec/conf.rnc is in opendnssec-common 1:1.4.9-2.

This file is owned by root:root, with mode 0o644.

# Copyright (c) 2009 .SE (The Internet Infrastructure Foundation).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes"

# Root pattern: one <Configuration> document made of <RepositoryList>,
# <Common>, <Enforcer> and an optional <Signer>. The named patterns
# privs, mysql, sqlite and interface are defined further down this file.
start = element Configuration {

	# List of all known Key Repositories (aka HSM:s)
	# Zero or more <Repository> children; an empty list is valid here.
	element RepositoryList {
		element Repository {
			# Symbolic name of repository
			attribute name { xsd:string },

			# PKCS#11 Module (aka shared library)
			# NOTE(review): presumably loaded into the daemons' address space;
			# keep this path and its directory non-writable by unprivileged users.
			element Module { xsd:string },

			# PKCS#11 Token Label,
			element TokenLabel { xsd:string },

			# PKCS#11 Login Credentials
			# NOTE(review): the PIN is a plain string in the configuration
			# document, so that file's read permissions are what protect the
			# token login; restrict them accordingly.
			element PIN { xsd:string }?,

			# Maximum number of key pairs in the repository
			# DEFAULT: infinite
			element Capacity { xsd:positiveInteger }?,

			# Require backup of keys before use (optional)
			# Presence-only flag: the element carries no content.
			element RequireBackup { empty }?,

			# Do not maintain public keys in the repository (optional)
			element SkipPublicKey { empty }?,

			# Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)
			# NOTE(review): extractable private keys can be wrapped out of the
			# token; leave this unset unless key export is actually required.
			element AllowExtraction { empty }?
		}*
	},

	# Common configuration options
	element Common {
		# Configuration parameters for logging (optional as a whole)
		element Logging {
			element Verbosity { xsd:nonNegativeInteger }?,
			 
			element Syslog {
				# syslog facility, restricted to the syslogFacility enumeration below
				element Facility { syslogFacility }
			}?
		}?,

		# Location to find the KASP file
		element PolicyFile { xsd:string },

		# Location to store the zonelist XML file
		element ZoneListFile { xsd:string }
	},

	# Configuration parameters for the KASP Enforcer
	element Enforcer {
		# User & group to drop privs to
		# (privs pattern below; when omitted, privileges are not dropped)
		privs?,

		# Location to store pidfile
		# DEFAULT: $(localstatedir)/run/opendnssec/enforcerd.pid
		element PidFile { xsd:string }?,

		# Number of Worker Threads
		# DEFAULT: 1
		element WorkerThreads { xsd:positiveInteger }?,
		
		# Where to store internal Enforcer state
		# Exactly one of the mysql or sqlite patterns defined below.
		element Datastore { (mysql | sqlite) },

		# Interval between runs of the key rollover procedure
		# xsd:duration, i.e. an ISO 8601 duration (e.g. PT3600S)
		element Interval { xsd:duration },

		# Use manual key generation?
		element ManualKeyGeneration { empty }?,

		# How long before a KSK Rollover should we start warning (optional)
		element RolloverNotification { xsd:duration }?,

		# Command to use for submitting new DS records to a parent -
		# the command should accept DNSKEY RRsets via STDIN
		# NOTE(review): presumably executed by the enforcer; prefer an absolute
		# path to a script that unprivileged users cannot modify.
		element DelegationSignerSubmitCommand { xsd:string }?
	},

	# Configuration parameters for the Signer (the whole section is optional)
	element Signer {
		# User & group to drop privs to
		# (privs pattern below; when omitted, privileges are not dropped)
		privs?,

		# Location to store pidfile
		# DEFAULT: $(localstatedir)/run/opendnssec/signerd.pid
		element PidFile { xsd:string }?,

		# Location to store commandhandler socket
		# DEFAULT: $(localstatedir)/run/opendnssec/engine.sock
		# NOTE(review): whoever can connect to this socket can presumably issue
		# commands to the signer; keep the containing directory's permissions tight.
		element SocketFile { xsd:string }?,

		# Location to store intermediate zone information
		# DEFAULT: $(localstatedir)/opendnssec/tmp
		element WorkingDirectory { xsd:string }?,

		# Number of Worker Threads
		# DEFAULT: 4
		element WorkerThreads { xsd:positiveInteger }?,
		# Number of Signer Threads
		# DEFAULT: 4
		element SignerThreads { xsd:positiveInteger }?,

		# Listener: zero or more interface patterns (defined below)
		element Listener {
			interface*
		}?,

		# System command to call after a zone has been (re)signed
		#
		# '%zone' in the string will be replaced by the zone name
		# '%zonefile' in the string will be replaced by the zone file
		# NOTE(review): the schema does not say how the substituted values are
		# quoted before the command runs — confirm in the signer before using
		# the placeholders in a shell-interpreted command line.
		element NotifyCommand { xsd:string }?
	}?
}

# Permitted values for <Common>/<Logging>/<Syslog>/<Facility>:
# the standard syslog facilities plus local0..local7.
syslogFacility = (
	"kern" | "user" | "mail" | "daemon" | "auth" |
	"lpr" | "news" | "uucp" | "cron" |
	"local0" | "local1" | "local2" | "local3" |
	"local4" | "local5" | "local6" | "local7"
	)

# <Privileges> block shared by <Enforcer> and <Signer>: the identity the
# daemon switches to. Both children are optional, and either may be
# given on its own.
privs = element Privileges {
	# DEFAULT: do not drop privs
	element User { xsd:string }?,

	# DEFAULT: do not drop privs
	element Group { xsd:string }?
}

# <MySQL> datastore settings, used when <Datastore> selects this pattern.
mysql = element MySQL {
	# Optional server location; the element text is the host name or address.
	element Host {
		# DEFAULT: 3306
		attribute port { xsd:positiveInteger { maxInclusive = "65535" } }?,

		# DEFAULT: 127.0.0.1
		xsd:string }?,

	# database to use for KASP tables
	element Database { xsd:string },

	# username and password used to connect to database
	# NOTE(review): both are plain strings in the configuration document;
	# restrict read access to that file accordingly.
	element Username { xsd:string },
	element Password { xsd:string }
}

# <SQLite> datastore settings: a single string, presumably the path of
# the database file (the schema itself does not constrain it further).
sqlite = element SQLite { xsd:string }

# One <Interface> under <Signer>/<Listener>. Both children are optional,
# so an empty <Interface/> is schema-valid; its meaning is up to the signer.
interface = element Interface {	address?, port? }

# Listener address; any string is accepted, no IP-literal validation here.
address = element Address { xsd:string } # e.g., 192.0.2.1 or 2001:DB8::1
# Listener port: positive integer capped at 65535 (0 is rejected).
port    = element Port { xsd:positiveInteger { maxInclusive = "65535" } }