[Opendnssec-develop] DNS adapters configuration
Matthijs Mekking
matthijs at NLnetLabs.nl
Thu Sep 8 10:31:30 UTC 2011
Hi,
From the notes:
work has started on the DNS adapters (as opposed to file
adapters). some ideas on configuration, but work needs to be
done on zonefetcher to allow more flexibility.
The idea is to completely deprecate the zone fetcher. In the future,
people can use the DNS adapters. The zonefetch.xml currently does
inbound zone transfer and can handle only one master for all zones. In
order to provide more flexibility for per-zone configuration, I think
the files should be split up. One file is needed when setting up the
engine (which address do I listen to?), the other file lists the acl.
The proposed files can be found here:
branches/OpenDNSSEC-adapters/conf/addns.rnc
branches/OpenDNSSEC-adapters/conf/addns.xml.in
branches/OpenDNSSEC-adapters/conf/addnsconf.rnc
branches/OpenDNSSEC-adapters/conf/addnsconf.xml.in
In the conf.xml you have:
  <Adapters>
    <Adapter type="DNS">
      <ConfigurationFile>addns.xml</ConfigurationFile>
    </Adapter>
  </Adapters>
This tells the signer engine that there will be DNS adapters that need
to be initialized. The configuration of the adapter is just a list of
one or more interfaces that are listening to incoming notifies and zone
transfer requests.
  start = element Adapter {
    # Type of adapter
    attribute type { xsd:string },
    # where to listen for notifies and zone transfer requests
    element NotifyListen { localAddress }*
  }
  ipv4 = element IPv4 { xsd:string }
  ipv6 = element IPv6 { xsd:string }
  port = element Port { xsd:positiveInteger { maxInclusive = "65535" } }
  localAddress = (ipv4 | ipv6)?, port?
In the zonelist.xml you can have something like:
  <Adapters>
    <Input>
      <Adapter type="DNS">acl.xfr</Adapter>
    </Input>
    <Output>
      <Adapter type="DNS">acl.xfr</Adapter>
    </Output>
  </Adapters>
The acl.xfr file contains tsig, master and slave address and such. The
syntax is as follows:
  start = element Adapter {
    # Type of adapter
    attribute type { xsd:string },
    # inbound zone transfer settings
    element Inbound {
      # what TSIG secret to use
      tsig?,
      element RequestTransfer { remoteAddress }*,
      element AllowNotify { remoteAddress }*
    },
    # outbound zone transfer settings
    element Outbound {
      # what TSIG secret to use
      tsig?,
      element ProvideTransfer { remoteAddress }*,
      element Notify { remoteAddress }*
    }
  }
I don't know if and how to fit in tunings for zone transfers like axfr
only, udp only. Do we need to have that? If so, is that on a per zone
basis or a per host basis?
Best regards,
Matthijs
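An added example, not part of the original message or of the OpenDNSSEC code base: a Python check of an adapter configuration against the NotifyListen content model quoted in the message. The schema types IPv4 and IPv6 as xsd:string, so a mistyped address passes schema validation and has to be caught separately, which this check does; the sample document and the name check_listeners are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample input following the NotifyListen schema quoted above.
SAMPLE = """\
<Adapter type="DNS">
  <NotifyListen><IPv4>192.0.2.53</IPv4><Port>5353</Port></NotifyListen>
  <NotifyListen><IPv6>2001:db8::53</IPv6></NotifyListen>
  <NotifyListen><Port>53</Port></NotifyListen>
  <NotifyListen><IPv4>192.0.2.300</IPv4><Port>70000</Port></NotifyListen>
  <NotifyListen><IPv4>192.0.2.1</IPv4><IPv6>2001:db8::1</IPv6></NotifyListen>
</Adapter>
"""

ADDR_PARSERS = {"IPv4": ipaddress.IPv4Address, "IPv6": ipaddress.IPv6Address}


def check_listeners(xml_text):
    """Return (listeners, problems); a hypothetical helper, not OpenDNSSEC API."""
    root = ET.fromstring(xml_text)
    listeners, problems = [], []
    for idx, entry in enumerate(root.findall("NotifyListen")):
        tags = [child.tag for child in entry]
        # Content model: (IPv4 | IPv6)?, Port?  -> only these six sequences.
        if tags not in ([], ["IPv4"], ["IPv6"], ["Port"],
                        ["IPv4", "Port"], ["IPv6", "Port"]):
            problems.append((idx, "unexpected children: %s" % tags))
            continue
        addr = port = None
        errors = []
        for child in entry:
            text = (child.text or "").strip()
            if child.tag == "Port":
                # xsd:positiveInteger with maxInclusive = 65535
                if text.isascii() and text.isdigit() and 1 <= int(text) <= 65535:
                    port = int(text)
                else:
                    errors.append("bad port %r" % text)
            else:
                # The schema only says xsd:string, so parse the address here.
                try:
                    addr = ADDR_PARSERS[child.tag](text)
                except ValueError:
                    errors.append("bad %s address %r" % (child.tag, text))
        if errors:
            problems.append((idx, "; ".join(errors)))
        else:
            listeners.append((addr, port))
    return listeners, problems
```

Entries that omit the address or the port are returned with None in that position, so the caller can see exactly which listeners rely on whatever default the engine applies.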