Dnsval.conf
From DNSSEC-Tools Wiki
dnsval.conf
/usr/local/etc/dnssec-tools/dnsval.conf or /etc/dnssec-tools/dnsval.conf (location can vary by distribution)
The dnsval.conf file contains the configured validator policy. Applications that use the libval library to issue DNS queries let the system administrator configure local DNSSEC policy by editing this file.
The dnsval.conf file consists of a sequence of policy fragments of the following form:
<label> <KEYWORD> <zone> <additional-data> [<zone> <additional-data> ];
Policies are identified by simple text strings called labels, which must be unique within the configuration system. For example, "browser" could be used as the label that defines the validator policy for all web-browsers in a system. A label value of ":" identifies the default policy. The default policy is used when a NULL context is specified as the ctx parameter for interfaces listed in libval(3), val_getaddrinfo(3), and val_gethostbyname(3). The default policy is unique within the configuration system.
KEYWORD is the specific policy component that is specified within the policy fragment. The format of additional-data depends on the keyword specified.
If multiple policy fragments are defined for the same label and keyword combination then the last definition in the file is used.
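As an added example (not code from the DNSSEC-Tools project), the following Python parser reads configuration text in the policy-fragment syntax just described, applies the last-definition-wins rule for a repeated label/keyword pair, and looks up the entry that applies to a given name. The sample configuration, the function names, and the lookup rule that the most specific (closest enclosing) zone entry takes precedence are assumptions made here, not something the page states; the trust-anchor key material is a truncated placeholder.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the dnsval.conf policy-fragment syntax (made up for this
# example; the key material is a truncated placeholder, not a real trust anchor).
SAMPLE_CONF = """
# default (:) context: one trust anchor
: trust-anchor
example.com. "257 3 5 AQO8XS4y9r77X9SHBmrxMoJf1Pf9AT9Mr/L5BBGtO9/e9f/ zl4FFgM2l"
;
: zone-security-expectation
. ignore
example.com validate
;
# same label and keyword again: per the rule above, this definition wins
: zone-security-expectation
. validate
example.com validate
corp.example.com untrusted
;
mta clock-skew
. 0
lab.example.com. -1
;
"""

Entry = Tuple[str, str]                      # (normalized zone, additional data)
Policy = Dict[Tuple[str, str], List[Entry]]  # keyed by (label, keyword)


def normalize_zone(zone: str) -> str:
    """Lower-case and drop the trailing dot; the root '.' becomes ''."""
    return zone.lower().rstrip(".")


def tokenize(text: str) -> List[str]:
    """Split config text into tokens; '#' starts a comment, quoted strings stay whole."""
    tokens: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # simplification: '#' never occurs inside quotes here
        tokens.extend(re.findall(r'"[^"]*"|;|[^\s;"]+', line))
    return tokens


def parse_dnsval_conf(text: str) -> Policy:
    """Parse <label> <KEYWORD> <zone> <data> [<zone> <data> ...] ; fragments.
    A later fragment for the same (label, keyword) replaces an earlier one."""
    tokens = tokenize(text)
    policy: Policy = {}
    i = 0
    while i < len(tokens):
        if i + 1 >= len(tokens):
            raise ValueError("truncated fragment: label without keyword")
        label, keyword = tokens[i], tokens[i + 1]
        i += 2
        entries: List[Entry] = []
        while i < len(tokens) and tokens[i] != ";":
            if i + 1 >= len(tokens) or tokens[i + 1] == ";":
                raise ValueError(f"zone {tokens[i]!r} has no additional data")
            entries.append((normalize_zone(tokens[i]), tokens[i + 1].strip('"')))
            i += 2
        if i >= len(tokens):
            raise ValueError(f"fragment {label} {keyword} is not terminated by ';'")
        i += 1  # consume ';'
        policy[(label, keyword)] = entries  # last definition wins
    return policy


def lookup(policy: Policy, label: str, keyword: str, name: str) -> Optional[str]:
    """Return the additional data that applies to name.
    Assumption (not stated on the page): the most specific matching zone, i.e. the
    longest entry that is name itself or one of its parent zones, takes precedence."""
    entries = policy.get((label, keyword))
    if entries is None:
        return None
    name = normalize_zone(name)
    best: Optional[Entry] = None
    for zone, data in entries:
        matches = zone == "" or name == zone or name.endswith("." + zone)
        if matches and (best is None or len(zone) > len(best[0])):
            best = (zone, data)
    return None if best is None else best[1]


def parse_dnskey_rdata(rdata: str) -> Dict[str, object]:
    """Split DNSKEY RDATA 'flags protocol algorithm base64...' as used by trust-anchor;
    the base64 may be broken by spaces inside the quoted string, so join the remainder."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("DNSKEY RDATA needs flags, protocol, algorithm and key")
    return {"flags": int(fields[0]), "protocol": int(fields[1]),
            "algorithm": int(fields[2]), "key": "".join(fields[3:])}


def check_trust_anchor(rdata: str) -> List[str]:
    """RFC 4034 sanity checks: protocol must be 3, the ZONE flag (256) must be set,
    and a trust anchor is expected to carry the SEP flag (1), as 257 does."""
    key = parse_dnskey_rdata(rdata)
    flags = int(key["flags"])
    problems = []
    if key["protocol"] != 3:
        problems.append("protocol field must be 3")
    if not flags & 256:
        problems.append("ZONE flag (256) not set")
    if not flags & 1:
        problems.append("SEP flag (1) not set")
    return problems
```

Running `lookup(parse_dnsval_conf(SAMPLE_CONF), ":", "zone-security-expectation", "other.org")` returns "validate" rather than "ignore", because the second fragment for that label and keyword replaces the first; the trust-anchor check flags a key whose flags or protocol field would make it unusable as a DNSKEY before it is ever trusted.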
The following keywords are defined for dnsval.conf:
trust-anchor
Specifies the trust anchors for a sequence of zones. The additional data portion for this keyword is a quoted string containing the RDATA portion for the trust anchor's DNSKEY.
zone-security-expectation
Specifies the local security expectation for a zone. The additional data portion for this keyword is the zone's trust status - ignore, validate, trusted, or untrusted. The default zone security expectation is validate.
provably-unsecure-status
Specifies whether the provably unsecure condition is to be treated as trusted. The additional data portion for this keyword is the trust status for the provably unsecure condition for a given zone - trusted or untrusted. The default provably unsecure status is trusted.
clock-skew
Specifies how many seconds of clock skew are acceptable when verifying signatures for data from a given zone. The additional data portion for this keyword is that number of seconds. A value of -1 completely ignores inception and expiration times on signatures for data from the zone. The default clock skew is 0.
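To show what a clock-skew setting does to signature checking, here is an added Python example (not libval's own code) that converts RRSIG inception and expiration times from their presentation format to epoch seconds and applies a clock-skew value taken verbatim from dnsval.conf, including the -1 case the page describes. The function names and the constructed timestamps are assumptions made here; so is the choice to tolerate the skew on both ends of the validity window.

```python
import calendar
import time
from datetime import datetime, timezone
from typing import Optional


def parse_rrsig_time(value: str) -> int:
    """Convert an RRSIG inception/expiration in presentation format
    (YYYYMMDDHHmmSS, UTC) to seconds since the epoch."""
    dt = datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return calendar.timegm(dt.utctimetuple())


def signature_time_ok(inception: int, expiration: int, now: int, clock_skew: int) -> bool:
    """Apply a dnsval.conf clock-skew value to an RRSIG validity window.
    -1 ignores inception and expiration entirely, as the page states.
    Assumption: a non-negative skew widens the window by that many seconds on both ends."""
    if clock_skew == -1:
        return True
    if clock_skew < 0:
        raise ValueError("clock-skew must be -1 or a non-negative number of seconds")
    return inception - clock_skew <= now <= expiration + clock_skew


def check_signature_times(inception: str, expiration: str, clock_skew_setting: str,
                          now: Optional[int] = None) -> str:
    """Return 'ok', 'not yet valid' or 'expired' for constructed RRSIG times,
    using the clock-skew string exactly as it appears in dnsval.conf."""
    skew = int(clock_skew_setting)
    inc, exp = parse_rrsig_time(inception), parse_rrsig_time(expiration)
    if now is None:
        now = int(time.time())
    if signature_time_ok(inc, exp, now, skew):
        return "ok"
    return "not yet valid" if now < inc else "expired"
```

With a skew of 0 a validator whose clock is a few seconds behind the signer rejects a freshly published RRSIG as not yet valid; a small positive skew tolerates that, while -1 accepts even a long-expired signature, which is why the page's example applies it only to one test zone in the 'mta' context.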
if LIBVAL_NSEC3 is enabled
nsec3-max-iter
Specifies the maximum number of iterations allowable while computing the NSEC3 hash for a zone. A value of -1 does not place a maximum limit on the number of iterations. This is also the default setting for a zone.
if LIBVAL_DLV is enabled
dlv-trust-points
Specifies the DLV tree for the target zone.
EXAMPLE
The /etc/dnsval.conf configuration file might appear as follows:
: trust-anchor
dnssec-tools.org.
"257 3 5 AQO8XS4y9r77X9SHBmrxMoJf1Pf9AT9Mr/L5BBGtO9/e9f/zl4FFgM2l B6M2XEm6mp6mit4tzpB/sAEQw1McYz6bJdKkTiqtuWTCfDmgQhI6/Ha0 EfGPNSqnY 99FmbSeWNIRaa4fgSCVFhvbrYq1nXkNVyQPeEVHkoDNCAlr qOA3lw=="
netsec.tislabs.com.
"257 3 5 AQO8XS4y9r77X9SHBmrxMoJf1Pf9AT9Mr/L5BBGtO9/e9f/zl4FFgM2l B6M2XEm6mp6mit4tzpB/sAEQw1McYz6bJdKkTiqtuWTCfDmgQhI6/Ha0 EfGPNSqnY 99FmbSeWNIRaa4fgSCVFhvbrYq1nXkNVyQPeEVHkoDNCAlr qOA3lw=="
;
# sets the security expectation for the default (:) context
: zone-security-expectation
. ignore
dnssec-tools.org validate
netsec.tislabs.com validate
;
: provably-unsecure-status
. trusted
net untrusted
;
# sets the allowed clock skew for the 'mta' context
mta clock-skew
. 0
fruits.netsec.tislabs.com. -1
;
: nsec3-max-iter
. 5
mil 30
;
# sets a dlv tree only for the 'browser' context
browser dlv-trust-points
. dlv.isc.org
;
