<?xml version="1.0" encoding="UTF-8"?>
<Configuration>

  <!-- HSM repositories: the PKCS#11 tokens that hold the signing keys. -->
  <RepositoryList>

    <Repository name="SoftHSM">
      <Module>/usr/lib64/pkcs11/libsofthsm2.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <!--
        The token user PIN is stored here in cleartext, so anyone who can
        read this file can log in to the token and use its private keys.
        Keep the file readable only by root and the ods group.
        1234 looks like a sample value: give the token a strong PIN and
        update it here to match.
        NOTE(review): OpenDNSSEC documents <PIN> as optional, with the PIN
        entered through "ods-hsmutil login" instead; confirm this for the
        installed version before removing the element.
      -->
      <PIN>1234</PIN>
      <!--
        SkipPublicKey is left disabled so that the public key is stored in
        the HSM too, which lets bind's dnssec-signzone use the token as well.
        <SkipPublicKey/>
      -->
    </Repository>

    <!--
      Disabled example of a second repository. Its <PIN> value is also
      cleartext, so the same file permission and strong PIN caveats apply
      if it is ever enabled.
      <Repository name="sca6000">
        <Module>/usr/lib64/opencryptoki/PKCS11_API.so</Module>
        <TokenLabel>Sun Metaslot</TokenLabel>
        <PIN>test:1234</PIN>
        <Capacity>255</Capacity>
        <RequireBackup/>
        <SkipPublicKey/>
      </Repository>
    -->

  </RepositoryList>

  <!-- Settings shared by the enforcer and the signer. -->
  <Common>
    <!--
      Daemon messages go to syslog facility local0. Make sure that facility
      is routed to a file or a log collector, otherwise key and signing
      events are not retained for later review.
    -->
    <Logging>
      <Syslog>
        <Facility>local0</Facility>
      </Syslog>
    </Logging>
    <!--
      The policy and zone list decide which zones are signed and how.
      NOTE(review): these files should be writable only by the
      administrator; confirm ownership and mode on the host.
    -->
    <PolicyFile>/etc/opendnssec/kasp.xml</PolicyFile>
    <ZoneListFile>/etc/opendnssec/zonelist.xml</ZoneListFile>
    <!--
      <ZoneFetchFile>/etc/opendnssec/zonefetch.xml</ZoneFetchFile>
    -->
  </Common>

  <!-- Key and signing policy enforcer daemon. -->
  <Enforcer>
    <!--
      The daemon runs as the unprivileged ods user and group. The datastore
      below and the token storage of the HSM module must therefore be
      accessible to ods, and should not be accessible to other accounts.
    -->
    <Privileges>
      <User>ods</User>
      <Group>ods</Group>
    </Privileges>
    <Datastore>
      <SQLite>/var/opendnssec/kasp.db</SQLite>
    </Datastore>
    <!-- ISO 8601 duration: 3600 seconds. -->
    <Interval>PT3600S</Interval>
    <!-- <ManualKeyGeneration/> -->
    <!-- <RolloverNotification>P14D</RolloverNotification> -->
    <!--
      The <DelegationSignerSubmitCommand> program receives all current
      DNSKEYs (as a RRset) on standard input.
      It is an external program started by the enforcer, so if it is
      enabled the binary and its directory should not be writable by ods
      or by any other unprivileged account.
    -->
    <!-- <DelegationSignerSubmitCommand>/usr/sbin/eppclient</DelegationSignerSubmitCommand> -->
  </Enforcer>

  <!-- Zone signer daemon. -->
  <Signer>
    <!-- Runs as the same unprivileged ods user and group as the enforcer. -->
    <Privileges>
      <User>ods</User>
      <Group>ods</Group>
    </Privileges>
    <!--
      NOTE(review): the working directory should be owned by ods and not
      writable by other accounts; confirm on the host.
    -->
    <WorkingDirectory>/var/opendnssec/tmp</WorkingDirectory>
    <WorkerThreads>4</WorkerThreads>
    <!--
      <SignerThreads>4</SignerThreads>
    -->
    <!--
      The <NotifyCommand> will expand the following variables:
        %zone      the name of the zone that was signed
        %zonefile  the filename of the signed zone
      The command is started by the signer, which runs as ods. The sudo
      variant below therefore needs a sudoers entry for ods; limit that
      entry to exactly this one command rather than granting general
      systemctl or root access.
    -->
    <!--
      <NotifyCommand>sudo systemctl reload nsd.service</NotifyCommand>
    -->
    <!--
      <NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
    -->
  </Signer>

</Configuration>