/usr/share/opendnssec/kasp.rnc is in opendnssec-common 1:1.4.9-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# Copyright (c) 2009 .SE (The Internet Infrastructure Foundation).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# Bind the XML Schema datatype library (xsd:duration, xsd:string, the
# integer types with maxInclusive facets) used by every pattern below.
datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes"
# Root of a KASP file: a list of signing policies. Each <Policy> is
# referenced by its name attribute. This schema only validates structure
# and datatypes; it does NOT check that the durations below are mutually
# consistent (e.g. Refresh vs. Resign, TTLs vs. safety margins) — that is
# left to the enforcer and to the operator reviewing the policy.
start = element KASP {
    element Policy {
        # (short) symbolic name for Policy
        attribute name { xsd:string },
        # description of policy (free text)
        element Description { xsd:string },
        # <Signatures> hold parameters related to signatures
        # These will go in the signature category in the DB
        # Most of these will be passed to the signer without
        # processing.
        element Signatures {
            # how often should the zone be (re)signed?
            element Resign { xsd:duration },
            # the signatures are reused for a period of time
            # how long time before the expiration of the signature
            # should it be refreshed?
            # NOTE(review): Refresh must leave enough margin (resign
            # interval, propagation delay, record TTL) that a cached RRSIG
            # never expires before its replacement is visible; an expired
            # signature makes the RRset fail validation.
            element Refresh { xsd:duration },
            # for how long should a signature be valid?
            # Presumably Default covers ordinary RRsets and Denial covers
            # the NSEC/NSEC3 RRsets — confirm against the signer.
            # NOTE(review): the validity period is also the replay window
            # for a captured signature, or for data signed with a key that
            # is later compromised; keep it as short as the refresh
            # schedule allows.
            element Validity {
                element Default { xsd:duration },
                element Denial { xsd:duration }
            },
            # how much should we jitter the signature expiration time?
            # (e.g. increase the expiration time by X)
            # Spreads expirations so the whole zone does not need
            # re-signing at the same instant.
            element Jitter { xsd:duration },
            # how much should we predate the signature inception time?
            # NOTE(review): this absorbs clock skew between signer and
            # validators; a validator whose clock lags the signer by more
            # than this offset will reject freshly made signatures.
            element InceptionOffset { xsd:duration }
        },
        # use NSEC or NSEC3? (see the nsec / nsec3 patterns below)
        element Denial { (nsec | nsec3) },
        element Keys {
            # TTL for DNSKEYs
            ttl,
            # key retirement safety factor
            # (extra margin before a retired key is treated as unused)
            element RetireSafety { xsd:duration },
            # key publication safety factor
            # (extra margin a new key is published before it is relied on)
            element PublishSafety { xsd:duration },
            # do the zones share the same keys?
            # NOTE(review): with shared keys a compromise or failed
            # rollover of one key affects every zone under this policy;
            # omit this unless zone isolation is genuinely not a concern.
            element ShareKeys { empty }?,
            # enforcer may purge keys after this amount of time
            # NOTE(review): purging removes key material from the key
            # store; make sure it exceeds any period in which the old key
            # could still be needed (e.g. rolling back a bad rollover).
            element Purge { xsd:duration }?,
            # Key Signing Keys (KSK) parameters
            # The trailing "*" accepts zero or more entries, so a policy
            # with no KSK at all is schema-valid and must be caught
            # elsewhere.
            element KSK {
                # generic key definition, see below
                anykey,
                # use RFC 5011 for key rollover?
                # Not implemented yet — the element is accepted by the
                # schema but, per that note, has no effect; do not rely on
                # it for automated trust-anchor updates.
                element RFC5011 { empty }?
            }*,
            # Zone Signing Keys (ZSK) parameters
            # Zero or more entries, as for KSK.
            element ZSK {
                # generic key definition, see below
                anykey
            }*
        },
        element Zone {
            # Expected propagation delay in child publication
            # (presumably: time for a change to reach every authoritative
            # server of this zone)
            propagationdelay,
            # Expected zone SOA parameters
            element SOA {
                anysoa,
                serial
            }
        },
        # Expected parent parameters for key rollover usage.
        # These might be guesses or obtained by querying the parent zone
        # NOTE: This assumes that all zones with the same policy have
        # the same parent or at least parents with the same parameters!
        # NOTE(review): these values drive KSK rollover timing. Under-
        # estimating the parent's DS TTL or propagation delay can retire
        # the old KSK while the old DS is still cached, breaking the chain
        # of trust for resolvers holding it.
        element Parent {
            # Expected propagation delay in parent publication
            propagationdelay,
            # Expected TTL of DS in parent
            element DS { ttl },
            # Expected parent SOA parameters
            element SOA { anysoa }
        }
    }*
}
# SOA serial strategy for the signed zone (exactly one of the four values).
serial = element Serial {
    # use increasing counter (sync with unsigned zone if possible)
    "counter" |
    # use increasing counter in YYYYMMDDxx format
    # (the xx part allows at most 100 distinct serials per day)
    "datecounter" |
    # use unix timestamp as an 32-bit unsigned integer
    # (two signings within the same second cannot bump the serial)
    "unixtime" |
    # keep the serial from unsigned zone (do not resign unless incremented)
    # NOTE(review): per the note above, a resign that is needed only
    # because signatures are expiring still depends on someone bumping
    # the unsigned serial — verify the signer's behaviour before using
    # this in production.
    "keep"
}
# Plain NSEC denial of existence; takes no parameters.
# NOTE(review): an NSEC chain lists the zone's existing names in order, so
# the full zone contents can be enumerated by walking the chain; choose
# nsec3 if that exposure matters.
nsec = element NSEC { empty }
# NSEC3 denial of existence (RFC 5155) and its hashing parameters.
nsec3 = element NSEC3 {
    # what value for NSEC3PARAM TTL to use? Default 0.
    ttl?,
    # use global NSEC3 opt-out?
    # NOTE(review): opt-out leaves unsigned delegations without a
    # denial-of-existence proof, so a forged insecure delegation can be
    # inserted inside an opted-out span (see RFC 5155 security
    # considerations). Reserve it for large delegation-heavy zones where
    # the saved NSEC3 records actually matter.
    element OptOut { empty }?,
    # how often should we resalt? (e.g. create new NSEC3 chains)
    # A new salt means a new NSEC3 chain, i.e. every denial record in the
    # zone is regenerated and re-signed.
    element Resalt { xsd:duration },
    # NSEC3 hash parameters
    # The numeric bounds below mirror the NSEC3PARAM wire-format field
    # widths; they are NOT operational recommendations.
    element Hash {
        # Only hash algorithm 1 (SHA-1) is defined for NSEC3 (RFC 5155);
        # the 0-255 range is just the one-octet field.
        element Algorithm { xsd:nonNegativeInteger { maxInclusive = "255" } },
        # NOTE(review): the schema accepts up to 65535 additional hash
        # iterations, but RFC 9276 (BCP 236) recommends 0: extra iterations
        # mostly burn validator CPU (a DoS lever against resolvers) while
        # adding little against offline guessing, and widely deployed
        # validators now treat zones with high counts (commonly above ~150)
        # as insecure or fail them outright. Keep this at 0.
        element Iterations { xsd:nonNegativeInteger { maxInclusive = "65535" } },
        # Salt length in octets
        # NOTE(review): RFC 9276 likewise recommends an empty salt
        # (length 0); the salt is public and each zone's hashes are already
        # unique because the owner name includes the zone name.
        element Salt {
            attribute length { xsd:nonNegativeInteger { maxInclusive = "255" } },
            # The actual salt is generated by the Enforcer
            # Note: the enforcer may decide to store the
            # current salt in the DB and so it could be exported
            # here.
            xsd:string?
        }
    }
}
# Generic SOA definition
# The TTL of the SOA record plus its Minimum field (presumably the
# negative-caching TTL of RFC 2308); both feed the rollover timing
# calculations in the enforcer.
anysoa = ttl, element Minimum { xsd:duration }
# Generic key definition
# Shared by the KSK and ZSK entries of a policy.
anykey = element Algorithm {
    # key size, presumably in bits; the schema enforces no minimum, so an
    # undersized key is not rejected here
    attribute length { xsd:positiveInteger }?,
    # DNSKEY algorithm number; 0-255 is the one-octet field, not a whitelist.
    # NOTE(review): nothing here rejects algorithms that RFC 8624 marks
    # MUST NOT or NOT RECOMMENDED for signing (e.g. 1 RSAMD5, 3 DSA,
    # 5 and 7 RSASHA1 variants); review policies against current guidance.
    xsd:nonNegativeInteger { maxInclusive = "255" }
},
# how long a key is used before it is rolled
element Lifetime { xsd:duration },
# name of the key store (HSM/repository) holding the key; presumably
# defined in the main configuration — it is not validated here
element Repository { xsd:string },
# Number of Standby keys
# Makes the rollover faster, since the key is
# already pre-published and ready.
element Standby { xsd:nonNegativeInteger }?,
# Use manual key rollover?
# (presumably: roll only on operator command rather than on Lifetime)
element ManualRollover { empty }?
# A DNS TTL, expressed as an XML duration (e.g. PT1H) rather than seconds.
ttl = element TTL { xsd:duration }
# Expected time for a published change to reach all servers of a zone.
propagationdelay = element PropagationDelay { xsd:duration }
# NOTE(review): "partial" is not referenced by any pattern visible in this
# file; it may be dead, or used by another schema that includes this one.
partial = element Partial { empty }