This file is indexed.

/usr/share/opendnssec/kasp.rnc is in opendnssec-common 1:1.4.9-2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
# Copyright (c) 2009 .SE (The Internet Infrastructure Foundation).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes"

start = element KASP {

	element Policy {
		# (short) symbolic name for Policy
		attribute name { xsd:string },

		# description of policy (free text)
		element Description { xsd:string },

		# <Signatures> hold parameters related to signatures
		# These will go in the signature category in the DB
		# Most of these will be passed to the signer without
		# processing.
		element Signatures {
			# how often should the zone be (re)signed?
			element Resign { xsd:duration },

			# the signatures are reused for a period of time
			# how long time before the expiration of the signature
			# should it be refreshed?
			element Refresh { xsd:duration },

			# for how long should a signature be valid?
			element Validity {
				element Default { xsd:duration },
				element Denial { xsd:duration }
			},

			# how much should we jitter the signature expiration time?
			# (e.g. increase the expiration time by X)
			element Jitter { xsd:duration },

			# how much should we predate the signature inception time?
			element InceptionOffset { xsd:duration }
		},

		# use NSEC or NSEC3?
		element Denial { (nsec | nsec3) },

		element Keys {
			# TTL for DNSKEYs
			ttl,

			# key retirement safety factor
			element RetireSafety { xsd:duration },

			# key publication safety factor
			element PublishSafety { xsd:duration },

			# do the zones share the same keys?
			element ShareKeys { empty }?,

			# enforcer may purge keys after this amount of time
			element Purge { xsd:duration }?,

			# Key Signing Keys (KSK) parameters
			element KSK {
				# generic key definition, see below
				anykey,

				# use RFC 5011 for key rollover?
				# Not implemented yet
				element RFC5011 { empty }?
			}*,

			# Zone Signing Keys (ZSK) parameters
			element ZSK {
				# generic key definition, see below
				anykey
			}*
		},

		element Zone {
			# Expected propagation delay in child publication
			propagationdelay,

			# Expected zone SOA parameters
			element SOA {
				anysoa,
				serial
			}
		},

		# Excepted paren parameters for key rollover usage.
		# These might be guess or obtained by querying the parent zone
		# NOTE: This assumes that all zones with the same policy have
		# the same parent or at least parents with the same parameters!
		element Parent {
			# Expected propagation delay in parent publication
			propagationdelay,

			# Expected TTL of DS in parent
			element DS { ttl },

			# Expected parent SOA parameters
			element SOA { anysoa }
		}
	}*
}

serial = element Serial {
	# use increasing counter (sync with unsigned zone if possible)
	"counter" |

	# use increasing counter in YYYYMMDDxx format
	"datecounter" |

	# use unix timestamp as an 32-bit unsigned integer
	"unixtime" |

	# keep the serial from unsigned zone (do not resign unless incremented)
	"keep"
}

nsec = element NSEC { empty }

nsec3 = element NSEC3 {
	# what value for NSEC3PARAM TTL to use? Default 0.
	ttl?,

	# use global NSEC3 opt-out?
	element OptOut { empty }?,

	# how often should we resalt? (e.g. create new NSEC3 chains)
	element Resalt { xsd:duration },

	# NSEC3 hash parameters
	element Hash {
		element Algorithm { xsd:nonNegativeInteger { maxInclusive = "255" } },
		element Iterations { xsd:nonNegativeInteger { maxInclusive = "65535" } },

		# Salt length in octets
		element Salt {
			attribute length { xsd:nonNegativeInteger { maxInclusive = "255" } },

			# The actual salt is generated by the Enforcer
			# Note: the enforcer may decide to store the
			# current salt in the DB and so it could be exported
			# here.
			xsd:string?
		}
	}
}

# Generic SOA definition
anysoa = ttl, element Minimum { xsd:duration }

# Generic key definition
anykey = element Algorithm {
		attribute length { xsd:positiveInteger }?,
		xsd:nonNegativeInteger { maxInclusive = "255" }
	},
	element Lifetime { xsd:duration },
	element Repository { xsd:string },

	# Number of Standby keys
	# Makes the rollover faster, since the key is
	# already pre-published and ready.
	element Standby { xsd:nonNegativeInteger }?,

	# Use manual key rollover?
	element ManualRollover { empty }?


ttl = element TTL { xsd:duration }

propagationdelay = element PropagationDelay { xsd:duration }

partial = element Partial { empty }