Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
ods-kasp(5)			OpenDNSSEC KASP			   ods-kasp(5)

NAME
       ods-kasp	- OpenDNSSEC kasp specification

SYNOPSIS
       /usr/local/etc/opendnssec/kasp.xml

DESCRIPTION
       The  kasp  file	describes the parameters of the	DNSSEC Key and Signing
       Policy (KASP), the policy used to sign zones. Each policy  comprises  a
       series of parameters that define	the way	the zone is signed.

       KASP Parameters
	      A	policy has a set of common parameters to identify the policy.

       Policy Name
	      The  name	 is  used  to link a policy to a zone that needs to be
	      signed. Each policy must have a unique name.  The	 policy	 named
	      "default"	is special, as it is associated	with all zones that do
	      not have a policy	explicitly associated with them.

       Policy Description
	      A	policy can have	a description associated with it.

       Signatures Parameters
	      This section lists the parameters	for the	signatures created us-
	      ing the policy.

       Signature Resign	Interval
	      This  is the interval between runs of the	signer.	For example, a
	      zone that	has a Re-sign Interval of PT2H (2 hours) is handled by
	      the signer every 2 hours.

       Signature Refresh Interval
	      The Refresh Interval is describing when a	 signature  should  be
	      refreshed.   As  signatures  are typically valid for much	longer
	      than the interval	between	runs of	the signer, there is  no  need
	      to  regenerate  the  signatures each time	the signer is running.
	      This means that the Re-sign Interval must	be  smaller  than  the
	      Refresh Interval.	 In order to make refreshing signatures	possi-
	      ble, the Re-sign Interval	should be at least half	of the Refresh
	      Interval.	In the case a signer runs and detects that there is no
	      change to	the data being signed, signatures may be refreshed.  A
	      signature	 will  be  refreshed when the time until the signature
	      expiration is closer than	the Refresh Interval.

       Signature Validity
	      The Signature Validity describes how  long  the  signatures  are
	      valid  for.   This parameter groups two elements of information.
	      The Default Signature Validity is	the validity interval for  all
	      RRSIG records except those related to NSEC or NSEC3 records. For
	      these  records, the validity period is given by the value	of the
	      Denial Signature Validity.

       Signature Jitter
	      The Signature Jitter (j) is the value  added  to	or  subtracted
	      from  the	 expiration  time of signatures	to ensure that not all
	      signatures expire	at the same time.  The	actual	value  of  the
	      jitter is	a random value,	uniformly ranging between Minus	Signa-
	      ture  Jitter  and	Signature Jitter [-j...j]. This	value is added
	      to Signature Validity  to	 determine  the	 signature  expiration
	      time.

       Signature Inception Offset
	      This is a	duration subtracted from the time at which a record is
	      signed  to  give the inception time of the RRSIG record. This is
	      required to allow	for clock skew between the signing system  and
	      the  system  on  which the signature is checked. Without it, the
	      possibility exists that the checking  system  could  retrieve  a
	      signature	 whose	start time is later than the current time. The
	      relationship between these elements is shown below in Figure 1.

	       Inception	     Signing				 Expi-
	      ration
		  time							  time
	      time
		  |			 |			     |	     |
	      |
		  |---------------------|---------------------------|.......|.......|
		  |			|			    |	     |
	      |
								    [	   +/-
	      Jitter   ]

		  |  Inception offset	|				    |
		  |<------------------->|	 Validity Interval	    |
		  |			|<--------------------------------->|

	       Inception	     Signing reuse   reuse   new	 Expi-
	      ration
		  time			  time			     signature
	      time
		  |			|	|	|	|	    |
		  |---------------------|-----------------------------------|
		  |			|	|	|	|	    |
					 <-----> <-----> <----->
					   Re-sign Interval

							   |Refresh Interval|
							   |<-------------->|
							   |		    |

				 Figure	1: Signature Timing Parameters

       Authenticated Denial of Existence Parameters
	      Authenticated denial of existence	- proving that domain names do
	      not  exist  in  the zone - is discussed in this section.	Below,
	      the list of the parameters is given for creating NSEC  or	 NSEC3
	      records using the	policy.

       NSEC or NSEC3
	      If  the NSEC scheme is used to implement authenticated denial of
	      existence, there are no record elements we can  tune.  If	 NSEC3
	      [RFC5155]	is used, there are some	more options.

       NSEC3 Opt-Out
	      Whether  to enable or disable "opt-out". This is an optimisation
	      that means that NSEC3 records are	only created for authoritative
	      data or for secure delegations;  insecure	 delegations  have  no
	      NSEC3  records.  For  zones  where a majority of the entries are
	      delegations that are not signed  -  typically  TLDs  during  the
	      take-up  phase  of  DNSSEC  -  this reduces the number of	DNSSEC
	      records in the zone.

       NSEC3 Re-salt Interval
	      The is the interval between generating new salt values  for  the
	      hashing algorithm.

       NSEC3 Hash Parameters
	      The NSEC3	Hash Parameters	tells parameters related to NSEC3.

       NSEC3 Hash Algorithm
	      The  NSEC3 Hash Algorithm	tells what hashing algorithm should be
	      used to create the NSEC3 records.

       NSEC3 Hash Iterations
	      The NSEC3	Hash Iterations	shows how many iterations of the  hash
	      function should be performed over	the original owner name.

       NSEC3 Hash Salt Length
	      The NSEC3	Hash Salt Length provides the length of	the salt value
	      to be generated.

       Key Parameters
	      This  section  covers  parameters	 related to keys.  There are a
	      number of	parameters relating to both  zone-signing  keys	 (ZSK)
	      and key-signing keys (KSK).

       DNSKEY TTL
	      This is the time-to-live value for the DNSKEY resource records.

       Key Retire Safety
	      The  Key Retire Safety is	the retire safety margin for the keys.
	      This interval is a safety	margin added to	calculated timing val-
	      ues to ensure that keys are retired without there	being a	chance
	      of signatures created with the keys being	considered invalid.

       Key Publish Safety
	      The Key Publish is the publish safety margins for	the keys. This
	      interval is the safety margin added to calculated	timing	values
	      to  ensure  that	keys  are  published and without there being a
	      chance of	signatures created with	the keys being considered  in-
	      valid.

       Key Sharing
	      If  multiple  zones  are	associated with	a policy, a key	may be
	      shared between zones. For	example, if you	have  100  zones  then
	      you  will	 only  use  one	set of keys instead of 100 sets.  This
	      will safe	space in your HSM.

       Key Purging Interval
	      Key Purging is the event where keys marked as dead  (as  defined
	      by draft-ietf-dnsop-dnssec- key-timing [key-timing]) will	be au-
	      tomatically purged from the key database.	The Key	Purging	Inter-
	      val is the interval of when Key Purging is done.

       KSK Parameters
	      There are	parameters specific for	the KSK.

       KSK Algorithm
	      The KSK Algorithm	determines the algorithm used for KSKs.

       KSK Lifetime
	      The  KSK Lifetime	determines how long the	KSK is used for	before
	      it is must be rolled.

       KSK Repository
	      The KSK Repository determines the	location of the	KSKs.

       Manual KSK Rollover
	      It may be	desirable to force that	a key rollover	will  only  be
	      initiated	 on  the  command  by  the  operator. Note that	if KSK
	      rollover is done automatically, there is currently still a  step
	      for  the	KSK  that  needs manual	intervention, where the	corre-
	      sponding DS record for the key needs to be published to the par-
	      ent before the rollover is completed.

       ZSK Parameters
	      The same parameters for the KSK are available for	the  ZSK.  The
	      split  between  the  series of parameters	is that	with a ZSK/KSK
	      Split Signing Scheme, the	values for the parameters may be  dif-
	      ferent.

       ZSK Algorithm
	      The ZSK Algorithm	determines the algorithm used for ZSKs.

       ZSK Lifetime
	      The  ZSK Lifetime	determines how long the	ZSK is used for	before
	      it is must be rolled.

       ZSK Repository
	      The ZSK Repository determines the	location of the	ZSKs.

       Manual ZSK Rollover
	      The ZSK rollover will be fully automatic if Manual ZSK  Rollover
	      is disabled.

       Zone Parameters
	      General information concerning the zones is described here.

       Propagation Delay
	      The  Propagation Delay is	the amount of time needed for informa-
	      tion changes at the master server	for the	zone to	work  its  way
	      through to all the secondary nameservers.

       SOA Parameters
	      These parameters are necessary for maintaining the SOA record in
	      the  signed zone.	 These values will override values set for the
	      SOA record in the	input zone.

       SOA TTL
	      This is the time-to-live of the SOA record.

       SOA MINIUM
	      This is value for	the MINIMUM RDATA element in the SOA record.

       SOA Serial
	      This represents the format of the	serial number  in  the	signed
	      zone.  This is one of the	following:
		counter:    Use	an increasing counter (but use the serial from
	      the  unsigned zone
			 if possible).

		datecounter:   Use increasing counter in YYYYMMDDxx format (xx
	      is the number of
			       increments within each day, starting at 00).

		unixtime:   The	serial number is set to	the "Unix time"	 (sec-
	      onds since 00:00 on
			    1 January 1970 (UTC)) at which the signer is run.

		keep:	Keep the serial	from the unsigned zone (do not re-sign
	      unless it	has been
			incremented).  This way, no signed zone	is created un-
	      less the zone operator
			explicitly initiated a zone update.

       Parent Zone Parameters
	      If  a  DNSSEC  zone  is  in a chain of trust, digest information
	      about the	KSKs used in the zone will be stored in	DS records  in
	      the parent zone. To properly roll	keys, timing information about
	      the parent zone must be configured.

       Propagation Delay
	      The  Propagation	Delay  parameter related to the	parent zone is
	      the interval between the time a new KSK is published in the zone
	      and the time that	the DS record appears in the parent  zone.  In
	      reality, this is a variable value. The value for the Propagation
	      Delay in the policy should be a estimate.

       DS TTL This represents the DS time-to-live. The DS TTL should be	set to
	      the TTL of the DS	record in the parent zone.

       SOA Parameters
	      The  SOA Parameters related to the parent	zone gives information
	      about the	parent's SOA record.  These are	necessary to calculate
	      the timings in particular	rollover scenarios.

       SOA TTL
	      This should be set to the	time-to-live of	the  parent  zone  SOA
	      record.

       SOA MINIUM
	      This  should be set to the value of the MINIMUM RDATA element in
	      the parent zone SOA record.

SEE ALSO
       ods-control(8),	ods-enforcerd(8),   ods-enforcer(8),   ods-signerd(8),
       pds-signer(8),	 ods-ksmutil(1),    ods-kaspcheck(1),	ods-timing(5),
       ods-hsmutil(1),	  ods-hsmspeed(1),    opendnssec(7),	 ISO	 8601,
       http://www.opendnssec.org/

AUTHORS
       OpenDNSSEC was written by NLnet Labs as part of the OpenDNSSEC project.
       http://www.opendnssec.org/

OpenDNSSEC			  April	2016			   ods-kasp(5)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=ods-kasp&sektion=5&manpath=FreeBSD+Ports+14.3.quarterly>

home | help