dnsval.conf(3) - Linux man page
Name
/etc/dnsval.conf, /etc/resolv.conf, /etc/root.hints - Configuration policy for the DNSSEC validator library libval(3).
val_add_valpolicy - Dynamically add a new policy to the validator context
val_remove_valpolicy - Remove a dynamically added policy from the validator context
Synopsis
int val_add_valpolicy(val_context_t *context, const char *keyword,
                      char *zone, char *value, long ttl,
                      val_policy_entry_t **pol);
int val_remove_valpolicy(val_context_t *context,
                         val_policy_entry_t *pol);
Description
Applications can use local policy to influence the validation outcome. Examples of local policy elements include trust anchors for different zones and untrusted algorithms for cryptographic keys and hashes. Local policy may vary for different applications and operating scenarios.
The val_add_valpolicy() function can be used to dynamically add a new policy for a given context. The keyword, zone and value arguments are identical to KEYWORD, zone and additional-data defined below for /etc/dnsval.conf. ttl specifies the duration in seconds for which the policy is kept in effect. A value of -1 adds the policy to the context indefinitely. A handle to the newly added policy is returned in *pol. This structure is opaque to applications; applications must not modify the contents of the memory returned in *pol.
Applications may also revoke the effects of a newly added policy, pol, before the expiry of its timeout interval using the val_remove_valpolicy() function.
The validator library reads configuration information from three separate files, /etc/resolv.conf, /etc/root.hints, and /etc/dnsval.conf.
- /etc/resolv.conf
- The nameserver and search options are supported in the resolv.conf file. The nameserver option specifies the IP address of the name server to which queries are sent by default. For example,
  nameserver 10.0.0.1
  The search option specifies the search path for issuing queries. For example,
  search test.dnssec-tools.org dnssec-tools.org
  If the /etc/resolv.conf file contains no name servers, the validator tries to recursively answer the query using information present in /etc/root.hints.
- /etc/root.hints
- The /etc/root.hints file contains bootstrapping information for the resolver while it attempts to recursively answer queries. The contents of this file may be generated by the following command:
  dig @e.root-servers.net . ns > root.hints
- /etc/dnsval.conf
- The /etc/dnsval.conf file contains the validator policy. It consists of a sequence of the following "policy-fragments":
<label> <KEYWORD> <zone> <additional-data> [<zone> <additional-data> ];
Policies are identified by simple text strings called labels, which must be unique within the configuration system. For example, "browser" could be used as the label that defines the validator policy for all web-browsers in a system. A label value of ":" identifies the default policy, the policy that is used when a NULL context is specified as the ctx parameter for interfaces listed in libval(3), val_getaddrinfo(3), and val_gethostbyname(3). The default policy is unique within the configuration system.
KEYWORD is the specific policy component that is specified within the policy fragment. The format of additional-data depends on the keyword specified.
If multiple policy fragments are defined for the same label and keyword combination then the last definition in the file is used.
The following keywords are defined for dnsval.conf:
- trust-anchor
- Specifies the trust anchors for a sequence of zones. The additional data portion for this keyword is a quoted string containing the RDATA portion for the trust anchor's DNSKEY.
- zone-security-expectation
- Specifies the local security expectation for a zone. The additional data portion for this keyword is the zone's trust status - ignore, validate, trusted, or untrusted. The default zone security expectation is validate.
- provably-unsecure-status
- Specifies if the provably unsecure condition must be considered as trusted or not. The additional data portion for this keyword is the trust status for the provably unsecure condition for a given zone - trusted, or untrusted. The default provably unsecure status is trusted.
- clock-skew
- Specifies how many seconds of clock skew are acceptable when verifying signatures for data from a given zone. The additional data portion for this keyword is the number of seconds of clock skew that is acceptable. A value of -1 completely ignores inception and expiration times on signatures for data from a given zone. The default clock skew is 0.
- nsec3-max-iter [only if LIBVAL_NSEC3 is enabled]
- Specifies the maximum number of iterations allowable while computing the NSEC3 hash for a zone. A value of -1 does not place a maximum limit on the number of iterations. This is also the default setting for a zone.
- dlv-trust-points [only if LIBVAL_DLV is enabled]
- Specifies the DLV tree for the target zone.
Example
The /etc/dnsval.conf configuration file might appear as follows:
: trust-anchor
    dnssec-tools.org. "257 3 5 AQO8XS4y9r77X9SHBmrxMoJf1Pf9AT9Mr/L5BBGtO9/e9f/zl4FFgM2l B6M2XEm6mp6mit4tzpB/sAEQw1McYz6bJdKkTiqtuWTCfDmgQhI6/Ha0 EfGPNSqnY 99FmbSeWNIRaa4fgSCVFhvbrYq1nXkNVyQPeEVHkoDNCAlr qOA3lw=="
    netsec.tislabs.com. "257 3 5 AQO8XS4y9r77X9SHBmrxMoJf1Pf9AT9Mr/L5BBGtO9/e9f/zl4FFgM2l B6M2XEm6mp6mit4tzpB/sAEQw1McYz6bJdKkTiqtuWTCfDmgQhI6/Ha0 EfGPNSqnY 99FmbSeWNIRaa4fgSCVFhvbrYq1nXkNVyQPeEVHkoDNCAlr qOA3lw=="
    ;
browser zone-security-expectation
    org ignore
    net ignore
    dnssec-tools.org validate
    com ignore
    ;
: provably-unsecure-status
    . trusted
    net untrusted
    ;
mta clock-skew
    . 0
    fruits.netsec.tislabs.com. -1
    ;
: nsec3-max-iter
    . 30
    ;
browser dlv-trust-points
    . dlv.isc.org
    ;
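The following is an added example written for this page; it is not part of the man page, of libval, or of the dnssec-tools project. It parses the policy-fragment grammar described above (including the quoted trust-anchor RDATA and the rule that the last definition for a label/keyword pair wins), runs a lint pass that flags the settings the page documents as switching a check off entirely (clock-skew -1, zone-security-expectation ignore, nsec3-max-iter -1) plus malformed DNSKEY RDATA in a trust anchor, and models the ttl semantics of val_add_valpolicy() and val_remove_valpolicy(). SAMPLE_CONF, the placeholder key data, the PolicyContext class, and the rule that an unexpired dynamic entry takes precedence over the file are all assumptions of this example, not behaviour the page specifies.

```python
"""dnsval.conf parser, lint pass and model of the dynamic policy API.
Added example for this page, not libval code: nothing here performs DNS lookups or
DNSSEC validation.  SAMPLE_CONF is constructed and its DNSKEY RDATA is a placeholder."""
import re
import time

# Keywords this man page documents for dnsval.conf.
KNOWN_KEYWORDS = {"trust-anchor", "zone-security-expectation", "provably-unsecure-status",
                  "clock-skew", "nsec3-max-iter", "dlv-trust-points"}
# additional-data values the page describes as switching a check off entirely.
WEAKENING = {"clock-skew": "-1",                     # ignores inception/expiration
             "zone-security-expectation": "ignore",  # zone is never validated
             "nsec3-max-iter": "-1"}                 # no cap on NSEC3 iterations
# A token is a double-quoted string (may contain spaces), a lone ';', or a bare word.
_TOKEN = re.compile(r'"([^"]*)"|(;)|([^\s;"]+)')

SAMPLE_CONF = '''
: trust-anchor example.test. "257 3 8 PLACEHOLDERKEYDATA==" ;
browser zone-security-expectation org ignore example.test. validate ;
browser zone-security-expectation
    org validate
    example.test. validate
    ;
mta clock-skew
    . 0
    relay.example.test. -1
    ;
'''


def parse_dnsval_conf(text):
    """Return {(label, keyword): [(zone, additional_data), ...]}.
    Grammar: <label> <KEYWORD> <zone> <data> [<zone> <data> ...] ;
    A later fragment with the same label and keyword replaces an earlier one."""
    tokens = [("str", q) if q is not None else (";", ";") if s else ("word", w)
              for q, s, w in (m.groups() for m in _TOKEN.finditer(text))]
    policies, i = {}, 0
    while i < len(tokens):
        if i + 1 >= len(tokens) or tokens[i][0] != "word" or tokens[i + 1][0] != "word":
            raise ValueError("expected '<label> <KEYWORD>' at token %d" % i)
        label, keyword = tokens[i][1], tokens[i + 1][1]
        i, pairs = i + 2, []
        while i < len(tokens) and tokens[i][0] != ";":
            if i + 1 >= len(tokens) or tokens[i][0] != "word" or tokens[i + 1][0] == ";":
                raise ValueError("zone without additional-data in %s %s" % (label, keyword))
            pairs.append((tokens[i][1], tokens[i + 1][1]))
            i += 2
        if i >= len(tokens):
            raise ValueError("fragment %s %s not terminated by ';'" % (label, keyword))
        i += 1                                   # consume ';'
        policies[(label, keyword)] = pairs       # last definition wins
    return policies


def lint(policies):
    """Findings for unknown keywords, disabled checks and malformed trust anchors."""
    findings = []
    for (label, keyword), pairs in policies.items():
        if keyword not in KNOWN_KEYWORDS:
            findings.append("%s: unknown keyword %s" % (label, keyword))
            continue
        for zone, data in pairs:
            if WEAKENING.get(keyword) == data:
                findings.append("%s %s: %s %s disables a check" % (label, keyword, zone, data))
            # DNSKEY RDATA is 'flags protocol algorithm public-key'; protocol must be 3.
            if keyword == "trust-anchor" and (len(data.split()) < 4 or data.split()[1] != "3"):
                findings.append("%s trust-anchor: malformed DNSKEY RDATA for %s" % (label, zone))
    return findings


class PolicyContext:
    """Validator context for one label, plus dynamically added policies.
    ttl is in seconds and -1 keeps the entry indefinitely, as documented for
    val_add_valpolicy().  Assumption of this model only: an unexpired dynamic
    entry takes precedence over the matching line from the file."""
    def __init__(self, label, policies, clock=time.monotonic):
        self.label, self.static, self.clock = label, policies, clock
        self.dynamic = []                        # opaque handles, oldest first

    def add_valpolicy(self, keyword, zone, value, ttl):
        expires = None if ttl == -1 else self.clock() + ttl
        handle = {"keyword": keyword, "zone": zone, "value": value, "expires": expires}
        self.dynamic.append(handle)
        return handle                            # pass back to remove_valpolicy()

    def remove_valpolicy(self, handle):
        self.dynamic.remove(handle)

    def lookup(self, keyword, zone):
        """additional-data in effect for (keyword, zone), or None if unset."""
        now = self.clock()
        for h in reversed(self.dynamic):         # newest dynamic entry first
            if (h["keyword"], h["zone"]) == (keyword, zone) and \
                    (h["expires"] is None or h["expires"] > now):
                return h["value"]
        for z, data in self.static.get((self.label, keyword), []):
            if z == zone:
                return data
        return None
```

Running lint(parse_dnsval_conf(SAMPLE_CONF)) reports only the clock-skew -1 line for relay.example.test.; the "org ignore" entry is not reported because the later fragment for the same label and keyword replaced it, which is exactly the last-definition-wins behaviour worth checking when a file has been edited more than once. The PolicyContext clock is injectable so expiry can be exercised deterministically.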
Files
/etc/resolv.conf
/etc/root.hints
/etc/dnsval.conf
The libval(3) configuration files.
Copyright
Copyright 2004-2007 SPARTA, Inc. All rights reserved. See the COPYING file included with the dnssec-tools package for details.
See Also
libval(3)
http://dnssec-tools.sourceforge.net
