This file is indexed.

/usr/share/opendnssec/signconf.rng is in opendnssec-common 1:1.4.9-2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Copyright (c) 2009 .SE (The Internet Infrastructure Foundation).
  All rights reserved.
  
  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions
  are met:
  1. Redistributions of source code must retain the above copyright
     notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in the
     documentation and/or other materials provided with the distribution.
  
  THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
  DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
  GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
  IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
  OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
  IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  
-->
<grammar xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">
  <start>
    <element name="SignerConfiguration">
      <ref name="zone"/>
    </element>
  </start>
  <define name="zone">
    <element name="Zone">
      <!-- zone name -->
      <attribute name="name">
        <data type="string"/>
      </attribute>
      <!-- this section is taken directly from the corresponding KASP policy -->
      <element name="Signatures">
        <element name="Resign">
          <data type="duration"/>
        </element>
        <element name="Refresh">
          <data type="duration"/>
        </element>
        <element name="Validity">
          <element name="Default">
            <data type="duration"/>
          </element>
          <element name="Denial">
            <data type="duration"/>
          </element>
        </element>
        <element name="Jitter">
          <data type="duration"/>
        </element>
        <element name="InceptionOffset">
          <data type="duration"/>
        </element>
      </element>
      <!-- use NSEC or NSEC3? -->
      <element name="Denial">
        <choice>
          <ref name="nsec"/>
          <ref name="nsec3"/>
        </choice>
      </element>
      <element name="Keys">
        <!-- TTL for all DNSKEYs -->
        <ref name="ttl"/>
        <oneOrMore>
          <element name="Key">
            <!-- DNSKEY flags -->
            <element name="Flags">
              <data type="nonNegativeInteger">
                <param name="maxInclusive">65535</param>
              </data>
            </element>
            <!-- DNSKEY algorithm -->
            <ref name="algorithm"/>
            <!--
              The key locator is matched against the
              PKCS#11 CKA_ID and is specified as a string
              of hex characters.
            -->
            <element name="Locator">
              <data type="hexBinary"/>
            </element>
            <optional>
              <!-- sign all the DNSKEY RRsets with this key? -->
              <element name="KSK">
                <empty/>
              </element>
            </optional>
            <optional>
              <!-- sign all non-DNSKEY RRsets with this key? -->
              <element name="ZSK">
                <empty/>
              </element>
            </optional>
            <optional>
              <!-- include this key in the zonefile? -->
              <element name="Publish">
                <empty/>
              </element>
            </optional>
            <optional>
              <!-- deactivate this key (i.e. do not recycle any signatures) -->
              <element name="Deactivate">
                <empty/>
              </element>
            </optional>
            <optional>
              <!-- Ignore DS and use RFC5011 to maintain chain of trust. -->
              <element name="RFC5011">
                <empty/>
              </element>
            </optional>
          </element>
        </oneOrMore>
      </element>
      <!-- What parameters to use for the SOA record -->
      <ref name="soa"/>
    </element>
  </define>
  <define name="algorithm">
    <element name="Algorithm">
      <data type="nonNegativeInteger">
        <param name="maxInclusive">255</param>
      </data>
    </element>
  </define>
  <define name="ttl">
    <element name="TTL">
      <data type="duration"/>
    </element>
  </define>
  <define name="soa">
    <element name="SOA">
      <ref name="ttl"/>
      <element name="Minimum">
        <data type="duration"/>
      </element>
      <ref name="serial"/>
    </element>
  </define>
  <!-- see kasp.rnc for description -->
  <define name="serial">
    <element name="Serial">
      <choice>
        <value>counter</value>
        <value>datecounter</value>
        <value>unixtime</value>
        <value>keep</value>
      </choice>
    </element>
  </define>
  <!-- This section is taken directly from the corresponding KASP policy -->
  <define name="nsec">
    <element name="NSEC">
      <empty/>
    </element>
  </define>
  <!--
    This section is taken directly from the corresponding KASP policy
    (except that the NSEC3 Salt is not optional)
  -->
  <define name="nsec3">
    <element name="NSEC3">
      <optional>
        <ref name="ttl"/>
      </optional>
      <optional>
        <element name="OptOut">
          <empty/>
        </element>
      </optional>
      <element name="Hash">
        <ref name="algorithm"/>
        <element name="Iterations">
          <data type="nonNegativeInteger">
            <param name="maxInclusive">65535</param>
          </data>
        </element>
        <element name="Salt">
          <data type="string"/>
        </element>
      </element>
    </element>
  </define>
</grammar>