DNSVAL.CONF(1)        User Contributed Perl Documentation       DNSVAL.CONF(1)

NAME
       /etc/dnsval.conf, /etc/resolv.conf, /etc/root.hints - Configuration
       policy for the DNSSEC validator library libval(3).
       val_add_valpolicy - Dynamically add a new policy to the validator
       context.
       val_remove_valpolicy - Remove a dynamically added policy from the
       validator context.

SYNOPSIS
       int val_add_valpolicy(val_context_t *context, const char *keyword,
                             char *zone, char *value, long ttl,
                             val_policy_entry_t **pol);

       int val_remove_valpolicy(val_context_t *context,
                                val_policy_entry_t *pol);

DESCRIPTION
       Applications can use local policy to influence the validation outcome.
       Examples of local policy elements include trust anchors for different
       zones and untrusted algorithms for cryptographic keys and hashes.
       Local policy may vary for different applications and operating
       scenarios.

       The val_add_valpolicy() function dynamically adds a new policy to a
       given context. The keyword, zone and value arguments are identical to
       the KEYWORD, zone and additional-data fields defined below for
       /etc/dnsval.conf. ttl specifies the duration in seconds for which the
       policy is kept in effect; a value of -1 adds the policy to the context
       indefinitely. A handle to the newly added policy is returned in *pol.
       This structure is opaque to applications; applications must not modify
       the contents of the memory returned in *pol.

       Applications may also revoke the effects of a newly added policy, pol,
       before its timeout interval expires by calling the
       val_remove_valpolicy() function.

       The validator library reads configuration information from three
       separate files: /etc/resolv.conf, /etc/root.hints and /etc/dnsval.conf.

   /etc/resolv.conf
       The nameserver and search options are supported in the resolv.conf
       file.

       The nameserver option specifies the IP address of the name server to
       which queries are sent by default. For example,

           nameserver 10.0.0.1

       The search option specifies the search path used when issuing queries.
       For example,

           search test.dnssec-tools.org dnssec-tools.org

       If the /etc/resolv.conf file contains no name servers, the validator
       tries to recursively answer the query using the information present in
       /etc/root.hints.

   /etc/root.hints
       The /etc/root.hints file contains bootstrapping information for the
       resolver while it attempts to recursively answer queries. The
       contents of this file may be generated by the following command:

           dig @e.root-servers.net . ns > root.hints
67
68 /etc/dnsval.conf
69 The /etc/dnsval.conf file contains the validator policy. It con‐
70 sists of a sequence of the following "policy-fragments":
71
72 <label> <KEYWORD> <zone> <additional-data> [<zone> <additional-data> ];
73
74 Policies are identified by simple text strings called labels, which
75 must be unique within the configuration system. For example,
76 "browser" could be used as the label that defines the validator
77 policy for all web-browsers in a system. A label value of ":"
78 identifies the default policy, the policy that is used when a NULL
79 context is specified as the ctx parameter for interfaces listed in
80 libval(3), val_getaddrinfo(3), and val_gethostbyname(3). The
81 default policy is unique within the configuration system.
82
83 KEYWORD is the specific policy component that is specified within
84 the policy fragment. The format of additional-data depends on the
85 keyword specified.
86
87 If multiple policy fragments are defined for the same label and
88 keyword combination then the last definition in the file is used.
89
90 The following keywords are defined for dnsval.conf:
91
92 trust-anchor
93 Specifies the trust anchors for a sequence of zones. The addi‐
94 tional data portion for this keyword is a quoted string con‐
95 taining the RDATA portion for the trust anchor's DNSKEY.
96
97 zone-security-expectation
98 Specifies the local security expectation for a zone. The addi‐
99 tional data portion for this keyword is the zone's trust status
100 - ignore, validate, trusted, or untrusted. The default zone
101 security expectation is validate.
102
103 provably-unsecure-status
104 Specifies if the provably unsecure condition must be considered
105 as trusted or not. The additional data portion for this key‐
106 word is the trust status for the provably unsecure condition
107 for a given zone - trusted, or untrusted. The default provably
108 unsecure status is trusted.
109
110 clock-skew
111 Specifies how many seconds of clock skew is acceptable when
112 verifying signatures for data from a given zone. The addi‐
113 tional data portion for this keyword is the number of seconds
114 of clock skew that is acceptable. A value of -1 completely
115 ignores inception and expiration times on signatures for data
116 from a given zone. The default clock skew is 0.
117
118 nsec3-max-iter [only if LIBVAL_NSEC3 is enabled]
119 Specifies the maximum number of iterations allowable while com‐
120 puting the NSEC3 hash for a zone. A value of -1 does not place
121 a maximum limit on the number of iterations. This is also the
122 default setting for a zone.
123
124 dlv-trust-points [only if LIBVAL_DLV is enabled]
125 Specifies the DLV tree for the target zone.
126
EXAMPLE
       The /etc/dnsval.conf configuration file might appear as follows:

           : trust-anchor
               dnssec-tools.org.
               "257 3 5 AQO8XS4y9r77X9SHBmrxMoJf1Pf9AT9Mr/L5BBGtO9/e9f/zl4FFgM2l B6M2XEm6mp6mit4tzpB/sAEQw1McYz6bJdKkTiqtuWTCfDmgQhI6/Ha0 EfGPNSqnY 99FmbSeWNIRaa4fgSCVFhvbrYq1nXkNVyQPeEVHkoDNCAlr qOA3lw=="
               netsec.tislabs.com.
               "257 3 5 AQO8XS4y9r77X9SHBmrxMoJf1Pf9AT9Mr/L5BBGtO9/e9f/zl4FFgM2l B6M2XEm6mp6mit4tzpB/sAEQw1McYz6bJdKkTiqtuWTCfDmgQhI6/Ha0 EfGPNSqnY 99FmbSeWNIRaa4fgSCVFhvbrYq1nXkNVyQPeEVHkoDNCAlr qOA3lw=="
               ;
           browser zone-security-expectation
               org ignore
               net ignore
               dnssec-tools.org validate
               com ignore
               ;
           : provably-unsecure-status
               . trusted
               net untrusted
               ;
           mta clock-skew
               . 0
               fruits.netsec.tislabs.com. -1
               ;
           : nsec3-max-iter
               . 30
               ;
           browser dlv-trust-points
               . dlv.isc.org
               ;
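       The following is an added example, not part of this manual page or of
       the libval library: a small Python parser for the policy-fragment
       format shown above, with a lookup that picks the closest enclosing zone
       and applies the last-definition-wins rule. The embedded sample
       configuration is constructed (its DNSKEY RDATA is shortened) and the
       function names are the example's own.

```python
import shlex

# Constructed sample in the page's format; the DNSKEY RDATA is shortened.
SAMPLE_CONF = '''
: trust-anchor
    dnssec-tools.org. "257 3 5 AQO8XS4y9r77X9SHBmrxMoJf1Pf9AT9Mr/L5BB qOA3lw=="
    ;
browser zone-security-expectation
    org ignore
    ;
browser zone-security-expectation
    org ignore
    net ignore
    dnssec-tools.org validate
    com ignore
    ;
mta clock-skew
    . 0
    fruits.netsec.tislabs.com. -1
    ;
'''

def _canon(name):
    """Lower-case a name and drop the trailing dot; the root '.' becomes ''."""
    return name.lower().rstrip(".")

def parse_dnsval_conf(text):
    """Return {(label, keyword): [(zone, additional_data), ...]}; a later
    fragment for the same label and keyword replaces the earlier one."""
    tokens = shlex.split(text)  # keeps quoted additional-data as one token
    policies, i = {}, 0
    while i < len(tokens):
        label, keyword, i = tokens[i], tokens[i + 1], i + 2
        entries = []
        while tokens[i] != ";":
            entries.append((_canon(tokens[i]), tokens[i + 1]))
            i += 2
        i += 1  # skip the terminating ';'
        policies[(label, keyword)] = entries
    return policies

def lookup(policies, label, keyword, name):
    """Additional-data of the closest enclosing zone for `name`, or None when
    no fragment covers it (the caller then applies the keyword's default)."""
    name, best = _canon(name), None
    for zone, data in policies.get((label, keyword), []):
        if zone == "" or name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, data)
    return None if best is None else best[1]
```

       A None result means no fragment matched, so the documented default for
       that keyword applies (validate, trusted, 0 or -1 as listed above).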

FILES
       /etc/resolv.conf
       /etc/root.hints
       /etc/dnsval.conf
              The libval(3) configuration files.

COPYRIGHT
       Copyright 2004-2007 SPARTA, Inc. All rights reserved. See the COPYING
       file included with the dnssec-tools package for details.

SEE ALSO
       libval(3)

       http://dnssec-tools.sourceforge.net



perl v5.8.6                       2007-09-10                     DNSVAL.CONF(1)