DNSVAL.CONF(1)        User Contributed Perl Documentation       DNSVAL.CONF(1)

NAME

       /etc/dnsval.conf, /etc/resolv.conf, /etc/root.hints - Configuration
       policy for the DNSSEC validator library libval(3).  val_add_valpolicy -
       Dynamically add a new policy to the validator context.
       val_remove_valpolicy - Remove a dynamically added policy from the
       validator context.


SYNOPSIS

           int val_add_valpolicy(val_context_t *context, const char *keyword,
                           char *zone, char *value, long ttl,
                           val_policy_entry_t **pol);

           int val_remove_valpolicy(val_context_t *context,
                           val_policy_entry_t *pol);


DESCRIPTION

       Applications can use local policy to influence the validation outcome.
       Examples of local policy elements include trust anchors for different
       zones and untrusted algorithms for cryptographic keys and hashes.
       Local policy may vary for different applications and operating
       scenarios.

       The val_add_valpolicy() function can be used to dynamically add a new
       policy for a given context.  The keyword, zone and value arguments are
       identical to KEYWORD, zone and additional-data defined below for
       /etc/dnsval.conf.  ttl specifies the duration in seconds for which the
       policy is kept in effect.  A value of -1 adds the policy to the context
       indefinitely.  A handle to the newly added policy is returned in *pol.
       This structure is opaque to applications; applications must not modify
       the contents of the memory returned in *pol.

       Applications may also revoke the effects of a newly added policy, pol,
       before the expiry of its timeout interval using the
       val_remove_valpolicy() function.

       The validator library reads configuration information from three
       separate files: /etc/resolv.conf, /etc/root.hints, and
       /etc/dnsval.conf.

       /etc/resolv.conf
           The nameserver and search options are supported in the resolv.conf
           file.

           The nameserver option is used to specify the IP address of the
           name server to which queries must be sent by default.  For example,

               nameserver 10.0.0.1

           The search option is used to specify the search path for issuing
           queries.  For example,

               search test.dnssec-tools.org dnssec-tools.org

           If the /etc/resolv.conf file contains no name servers, the
           validator tries to recursively answer the query using information
           present in /etc/root.hints.

       /etc/root.hints
           The /etc/root.hints file contains bootstrapping information for the
           resolver while it attempts to recursively answer queries.  The
           contents of this file may be generated by the following command:

               dig @e.root-servers.net . ns > root.hints

       /etc/dnsval.conf
           The /etc/dnsval.conf file contains the validator policy.  It
           consists of a sequence of the following "policy-fragments":

               <label> <KEYWORD> <zone> <additional-data> [<zone> <additional-data> ];

           Policies are identified by simple text strings called labels, which
           must be unique within the configuration system.  For example,
           "browser" could be used as the label that defines the validator
           policy for all web-browsers in a system.  A label value of ":"
           identifies the default policy, the policy that is used when a NULL
           context is specified as the ctx parameter for interfaces listed in
           libval(3), val_getaddrinfo(3), and val_gethostbyname(3).  The
           default policy is unique within the configuration system.

           KEYWORD is the specific policy component that is specified within
           the policy fragment.  The format of additional-data depends on the
           keyword specified.

           If multiple policy fragments are defined for the same label and
           keyword combination, the last definition in the file is used.

           The following keywords are defined for dnsval.conf:

           trust-anchor
               Specifies the trust anchors for a sequence of zones.  The
               additional data portion for this keyword is a quoted string
               containing the RDATA portion of the trust anchor's DNSKEY.

           zone-security-expectation
               Specifies the local security expectation for a zone.  The
               additional data portion for this keyword is the zone's trust
               status - ignore, validate, trusted, or untrusted.  The default
               zone security expectation is validate.

           provably-unsecure-status
               Specifies whether the provably unsecure condition is to be
               treated as trusted or not.  The additional data portion for
               this keyword is the trust status for the provably unsecure
               condition for a given zone - trusted, or untrusted.  The
               default provably unsecure status is trusted.

           clock-skew
               Specifies how many seconds of clock skew are acceptable when
               verifying signatures for data from a given zone.  The
               additional data portion for this keyword is the number of
               seconds of clock skew that is acceptable.  A value of -1
               completely ignores inception and expiration times on
               signatures for data from a given zone.  The default clock skew
               is 0.

           nsec3-max-iter [only if LIBVAL_NSEC3 is enabled]
               Specifies the maximum number of iterations allowable while
               computing the NSEC3 hash for a zone.  A value of -1 does not
               place a maximum limit on the number of iterations.  This is
               also the default setting for a zone.

           dlv-trust-points [only if LIBVAL_DLV is enabled]
               Specifies the DLV tree for the target zone.


EXAMPLE

       The /etc/dnsval.conf configuration file might appear as follows:

       : trust-anchor
           dnssec-tools.org.
               "257 3 5 AQO8XS4y9r77X9SHBmrxMoJf1Pf9AT9Mr/L5BBGtO9/e9f/zl4FFgM2l
               B6M2XEm6mp6mit4tzpB/sAEQw1McYz6bJdKkTiqtuWTCfDmgQhI6/Ha0 EfGPNSqnY
               99FmbSeWNIRaa4fgSCVFhvbrYq1nXkNVyQPeEVHkoDNCAlr qOA3lw=="
           netsec.tislabs.com.
               "257 3 5 AQO8XS4y9r77X9SHBmrxMoJf1Pf9AT9Mr/L5BBGtO9/e9f/zl4FFgM2l
               B6M2XEm6mp6mit4tzpB/sAEQw1McYz6bJdKkTiqtuWTCfDmgQhI6/Ha0 EfGPNSqnY
               99FmbSeWNIRaa4fgSCVFhvbrYq1nXkNVyQPeEVHkoDNCAlr qOA3lw=="
           ;
       browser zone-security-expectation
           org ignore
           net ignore
           dnssec-tools.org validate
           com ignore
           ;
       : provably-unsecure-status
           . trusted
           net untrusted
           ;
       mta clock-skew
           . 0
           fruits.netsec.tislabs.com. -1
           ;
       : nsec3-max-iter
           . 30
           ;
       browser dlv-trust-points
           . dlv.isc.org
           ;

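       The following Python program is an added example and is not part of
       libval or the dnssec-tools package.  It parses policy fragments in
       the grammar given above (label, KEYWORD, zone/additional-data pairs,
       terminating ";"), applies the "last definition wins" rule for a
       repeated label/keyword pair, decodes the quoted DNSKEY RDATA of a
       trust-anchor fragment and derives its key tag (RFC 4034 Appendix B,
       the procedure for algorithms other than 1) so an operator can compare
       the configured anchor against the DS record or key tag they expect,
       and shows how a clock-skew value, including the -1 "ignore times"
       setting, widens an RRSIG validity window.  Two things are assumptions
       rather than statements of this page: the sample configuration is
       constructed for the demonstration, and zone lookup is modelled as
       closest-enclosing-zone matching.

```python
"""Parse dnsval.conf policy fragments and check the policies they carry.

Added example, not code from libval or the dnssec-tools project.  The
fragment grammar (<label> <KEYWORD> <zone> <additional-data> ... ;) and the
rule that the last fragment for a label/keyword pair wins come from the man
page; the DNSKEY key-tag procedure is RFC 4034 Appendix B (algorithms other
than 1).  Assumptions not stated on the page: zones are matched by closest
enclosing zone, and SAMPLE_CONF is constructed for this demonstration.
"""
import base64
import shlex
import struct

# Constructed sample: a default (":") trust anchor carrying a tiny fake key,
# a "browser" policy defined twice so that the second fragment must win,
# and an "mta" clock-skew policy that uses the -1 (ignore times) setting.
SAMPLE_CONF = """
: trust-anchor
    example.test. "257 3 5 AQIDBA=="
    ;
browser zone-security-expectation
    org ignore
    ;
browser zone-security-expectation
    org validate
    example.test. validate
    ;
mta clock-skew
    . 0
    example.test. -1
    ;
"""


def normalize_zone(zone):
    """Lower-case a zone name and give it exactly one trailing dot."""
    return zone.lower().rstrip(".") + "."


def parse_dnsval_conf(text):
    """Return {label: {keyword: {zone: additional-data}}} for a config text.

    shlex keeps the quoted DNSKEY RDATA of a trust-anchor fragment as one
    token, so each fragment is label, keyword, zero or more zone/data pairs
    and a terminating ';'.  A later fragment for the same label and keyword
    replaces the earlier one entirely, as the man page specifies.
    """
    tokens = shlex.split(text)
    policies = {}
    i = 0
    try:
        while i < len(tokens):
            label, keyword = tokens[i], tokens[i + 1]
            i += 2
            entries = {}
            while tokens[i] != ";":
                entries[normalize_zone(tokens[i])] = tokens[i + 1]
                i += 2
            i += 1  # consume the ';'
            policies.setdefault(label, {})[keyword] = entries
    except IndexError:
        raise ValueError("policy fragment not terminated by ';'") from None
    return policies


def zone_policy(entries, name):
    """Return the additional-data for the closest enclosing zone of name.

    Assumption: a policy for a zone also covers its subdomains and the most
    specific configured zone wins, with "." matching every name.
    """
    labels = name.rstrip(".").lower().split(".") if name.strip(".") else []
    for depth in range(len(labels), -1, -1):
        candidate = ".".join(labels[len(labels) - depth:]) + "."
        if candidate in entries:
            return entries[candidate]
    return None


def parse_dnskey_rdata(rdata):
    """Split '<flags> <protocol> <algorithm> <base64...>' into its fields."""
    flags, protocol, algorithm, *key_b64 = rdata.split()
    key = base64.b64decode("".join(key_b64))  # whitespace in the key is allowed
    return int(flags), int(protocol), int(algorithm), key


def dnskey_key_tag(flags, protocol, algorithm, key):
    """RFC 4034 Appendix B key tag over the wire-format DNSKEY RDATA."""
    wire = struct.pack("!HBB", flags, protocol, algorithm) + key
    ac = 0
    for i, b in enumerate(wire):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def trust_anchor_tags(policies, label=":"):
    """Map each anchored zone of a label to (flags, algorithm, key tag)."""
    out = {}
    for zone, rdata in policies.get(label, {}).get("trust-anchor", {}).items():
        flags, proto, alg, key = parse_dnskey_rdata(rdata)
        out[zone] = (flags, alg, dnskey_key_tag(flags, proto, alg, key))
    return out


def rrsig_times_acceptable(now, inception, expiration, skew):
    """Apply a clock-skew policy value to an RRSIG validity window.

    -1 ignores inception and expiration entirely (the man page semantics);
    any other value widens the window by that many seconds on both sides.
    """
    if skew == -1:
        return True
    return inception - skew <= now <= expiration + skew


if __name__ == "__main__":
    pol = parse_dnsval_conf(SAMPLE_CONF)
    print("trust anchors:", trust_anchor_tags(pol))
    skew = int(zone_policy(pol["mta"]["clock-skew"], "www.example.test."))
    print("mta clock skew for www.example.test.:", skew)
```

       Running the program with the constructed sample reports the key tag
       2060 for the fake anchor and a clock skew of -1 for names under
       example.test.; pointing parse_dnsval_conf() at a real
       /etc/dnsval.conf lets the same checks be applied to production policy.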

FILES

       /etc/resolv.conf

       /etc/root.hints

       /etc/dnsval.conf    The libval(3) configuration files.


COPYRIGHT

       Copyright 2004-2007 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the dnssec-tools package for details.


SEE ALSO

       libval(3)

       http://dnssec-tools.sourceforge.net



perl v5.8.6                       2007-09-10                    DNSVAL.CONF(1)