/usr/share/opendnssec/signconf.rng is in opendnssec-common 1:1.4.9-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2009 .SE (The Internet Infrastructure Foundation).
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<grammar xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">
<start>
<!--
Document root. A signer configuration (the file the Enforcer hands
to the Signer Engine) describes exactly one zone; there is no
wrapper for multiple zones and no version attribute.
-->
<element name="SignerConfiguration">
<ref name="zone"/>
</element>
</start>
<define name="zone">
<!--
One zone and everything the signer needs to sign it. RELAX NG
element content is an ordered sequence, so the children must appear
in the order listed here: Signatures, Denial, Keys, SOA.
-->
<element name="Zone">
<!--
zone name
Typed only as a string: the schema does not check that this is a
well-formed DNS owner name or that it ends in a dot. The consumer
must validate it before using it as a file name or a lookup key.
-->
<attribute name="name">
<data type="string"/>
</attribute>
<!--
this section is taken directly from the corresponding KASP policy
Every value is an xs:duration (e.g. PT2H, P7D). The schema only
enforces the lexical form; it cannot express relations between the
timers (e.g. that Refresh fits inside Validity), so those sanity
checks have to live in the consumer. NOTE(review): meaning of each
timer is defined by the KASP documentation, not by this schema.
-->
<element name="Signatures">
<element name="Resign">
<data type="duration"/>
</element>
<element name="Refresh">
<data type="duration"/>
</element>
<!--
Validity/Denial (a duration for denial-of-existence records) is a
different thing from the Zone/Denial element below (NSEC vs NSEC3
choice); the name is reused.
-->
<element name="Validity">
<element name="Default">
<data type="duration"/>
</element>
<element name="Denial">
<data type="duration"/>
</element>
</element>
<element name="Jitter">
<data type="duration"/>
</element>
<element name="InceptionOffset">
<data type="duration"/>
</element>
</element>
<!-- use NSEC or NSEC3? (exactly one of the two must be present) -->
<element name="Denial">
<choice>
<ref name="nsec"/>
<ref name="nsec3"/>
</choice>
</element>
<element name="Keys">
<!-- TTL for all DNSKEYs (an xs:duration, not a number of seconds) -->
<ref name="ttl"/>
<!-- at least one Key is required; there is no upper bound -->
<oneOrMore>
<element name="Key">
<!--
DNSKEY flags
Bounded to the 16-bit DNSKEY flags field (RFC 4034 section 2.1).
The schema accepts any value in 0..65535; it does not require the
ZONE bit (256) or constrain the SEP bit (257), so a Key whose Flags
make no sense for a zone key still validates.
-->
<element name="Flags">
<data type="nonNegativeInteger">
<param name="maxInclusive">65535</param>
</data>
</element>
<!-- DNSKEY algorithm (DNSSEC algorithm number, 0..255; see the "algorithm" define) -->
<ref name="algorithm"/>
<!--
The key locator is matched against the
PKCS#11 CKA_ID and is specified as a string
of hex characters.
xs:hexBinary requires an even number of hex digits (two per byte),
case-insensitive. An empty element is a valid zero-length
hexBinary, so an empty Locator passes the schema; the consumer must
reject it rather than search the token for an empty CKA_ID.
-->
<element name="Locator">
<data type="hexBinary"/>
</element>
<!--
The following flags are boolean-by-presence: the empty element means
"yes", absence means "no". Nothing in the schema requires at least
one of KSK or ZSK, so a Key that signs nothing is schema-valid.
-->
<optional>
<!-- sign all the DNSKEY RRsets with this key? -->
<element name="KSK">
<empty/>
</element>
</optional>
<optional>
<!-- sign all non-DNSKEY RRsets with this key? -->
<element name="ZSK">
<empty/>
</element>
</optional>
<optional>
<!-- include this key in the zonefile? -->
<element name="Publish">
<empty/>
</element>
</optional>
<optional>
<!-- deactivate this key (i.e. do not recycle any signatures) -->
<element name="Deactivate">
<empty/>
</element>
</optional>
<optional>
<!--
Ignore DS and use RFC5011 to maintain chain of trust.
NOTE(review): RFC 5011 rollover relies on validators seeing the
new key signed by the old one for a hold-down period; the schema
cannot express that timing, the consumer/operator must.
-->
<element name="RFC5011">
<empty/>
</element>
</optional>
</element>
</oneOrMore>
</element>
<!-- What parameters to use for the SOA record -->
<ref name="soa"/>
</element>
</define>
<define name="algorithm">
<!--
An 8-bit algorithm number (0..255). This define is shared by two
different registries: it is referenced as the DNSKEY Algorithm under
Key (IANA DNSSEC algorithm numbers) and as the NSEC3 Hash algorithm
(IANA NSEC3 hash algorithms, where only 1 = SHA-1 is defined). The
same number means different things in the two places, and the schema
does not exclude reserved (0) or deprecated DNSKEY algorithms; that
policy check belongs to the consumer.
-->
<element name="Algorithm">
<data type="nonNegativeInteger">
<param name="maxInclusive">255</param>
</data>
</element>
</define>
<define name="ttl">
<!--
A TTL expressed as an xs:duration (e.g. PT1H), not as an integer
number of seconds. Used for the DNSKEY TTL, the SOA TTL and the
optional NSEC3 TTL. NOTE(review): the schema cannot bound the
converted value; a wire TTL must fit in 31 bits (RFC 2181 section 8),
so the consumer should reject durations that overflow that range.
-->
<element name="TTL">
<data type="duration"/>
</element>
</define>
<define name="soa">
<!--
SOA parameters the signer applies to the outgoing zone, in order:
TTL, Minimum and Serial. Minimum is an xs:duration (the negative
caching TTL, RFC 2308); the schema does not relate it to the other
timers.
-->
<element name="SOA">
<ref name="ttl"/>
<element name="Minimum">
<data type="duration"/>
</element>
<ref name="serial"/>
</element>
</define>
<!--
see kasp.rnc for description
Serial policy, one of four literal tokens (case-sensitive). The
semantics of each value are defined in kasp.rnc, not here.
NOTE(review): whichever policy is chosen, the emitted serial must
still increase in RFC 1982 serial arithmetic on every resign;
the schema cannot check that, the signer must.
-->
<define name="serial">
<element name="Serial">
<choice>
<value>counter</value>
<value>datecounter</value>
<value>unixtime</value>
<value>keep</value>
</choice>
</element>
</define>
<!--
This section is taken directly from the corresponding KASP policy
Plain NSEC denial of existence: an empty marker element with no
parameters. Security note: NSEC chains permit trivial zone
enumeration (walking); pick NSEC3 when that is a concern.
-->
<define name="nsec">
<element name="NSEC">
<empty/>
</element>
</define>
<!--
This section is taken directly from the corresponding KASP policy
(except that the NSEC3 Salt is not optional)
Children in order: optional TTL, optional OptOut, then Hash.
-->
<define name="nsec3">
<element name="NSEC3">
<optional>
<ref name="ttl"/>
</optional>
<optional>
<!--
Presence flag. Opt-Out (RFC 5155 section 6) means unsigned
delegations are not covered by the NSEC3 chain, so their
non-existence cannot be proven; only use it when the zone is
dominated by insecure delegations.
-->
<element name="OptOut">
<empty/>
</element>
</optional>
<element name="Hash">
<!-- NSEC3 hash algorithm number (registry: 1 = SHA-1), not a DNSKEY algorithm -->
<ref name="algorithm"/>
<!--
Additional hash iterations, 0..65535 (the full 16-bit wire field).
The schema allows the whole range, but RFC 5155 section 10.3 caps
usable iterations by key size and RFC 9276 recommends 0; validating
resolvers may treat high counts as insecure or bogus and the extra
hashing is a CPU-exhaustion vector for authoritative servers and
resolvers alike. Keep this at 0 unless there is a documented reason.
-->
<element name="Iterations">
<data type="nonNegativeInteger">
<param name="maxInclusive">65535</param>
</data>
</element>
<!--
Mandatory here (unlike the KASP policy). Typed only as a string,
so neither hex form nor length is checked by the schema.
NOTE(review): RFC 9276 recommends an empty salt; confirm how the
signer expects "no salt" to be encoded in this element.
-->
<element name="Salt">
<data type="string"/>
</element>
</element>
</element>
</define>
</grammar>