<?xml version="1.0" encoding="UTF-8"?>

<Configuration>
	<!--
		OpenDNSSEC configuration: the PKCS#11 repositories that hold keys,
		settings shared by both daemons, and the Enforcer and Signer
		sections. An HSM user PIN is stored below in cleartext, so this
		file should be readable only by root and the account named in the
		Privileges elements.
	-->

	<!-- PKCS#11 key stores available to the daemons. -->
	<RepositoryList>

		<Repository name="SoftHSM">
			<!-- PKCS#11 library loaded for this repository. -->
			<Module>/usr/lib64/softhsm/libsofthsm.so</Module>
			<!-- Label of the token to open through that library. -->
			<TokenLabel>OpenDNSSEC</TokenLabel>
			<!-- NOTE(review): the token PIN is kept in cleartext and 1234 is
			     a trivially guessable value. Anyone able to read this file
			     can log in to the token and use the keys held on it. Set a
			     strong PIN on the token, mirror it here, and keep this file
			     unreadable to other users. Some OpenDNSSEC releases treat
			     <PIN> as optional and take it from "ods-hsmutil login"
			     instead; confirm for the installed version. -->
			<PIN>1234</PIN>
<!--
			# Disabled so it stores the public key in the HSM too,
			# so bind's dnssec-signzone can be used as well
			<SkipPublicKey/>
-->
		</Repository>

<!--
		# Disabled example of a second repository that uses the
		# opencryptoki PKCS#11 module. The PIN below looks like a sample
		# value; replace it before enabling this block.
		<Repository name="sca6000">
			<Module>/usr/lib64/opencryptoki/PKCS11_API.so</Module>
			<TokenLabel>Sun Metaslot</TokenLabel>
			<PIN>test:1234</PIN>
			<Capacity>255</Capacity>
			<RequireBackup/>
			<SkipPublicKey/>
		</Repository>
-->

	</RepositoryList>

	<!-- Settings shared by the Enforcer and the Signer. -->
	<Common>
		<Logging>
			<!-- Log through syslog with facility local0. -->
			<Syslog><Facility>local0</Facility></Syslog>
		</Logging>
		
		<!-- Locations of the key and signing policy file and of the zone list. -->
		<PolicyFile>/etc/opendnssec/kasp.xml</PolicyFile>
		<ZoneListFile>/etc/opendnssec/zonelist.xml</ZoneListFile>

	<!--
		<ZoneFetchFile>/etc/opendnssec/zonefetch.xml</ZoneFetchFile>
	-->
	</Common>

	<Enforcer>
		<!-- Unprivileged account and group configured for the Enforcer. -->
		<Privileges>
			<User>ods</User>
			<Group>ods</Group>
		</Privileges>

		<!-- SQLite database file used as the Enforcer datastore. -->
		<Datastore><SQLite>/var/opendnssec/kasp.db</SQLite></Datastore>
		<!-- Duration value: PT3600S is 3600 seconds, i.e. one hour. -->
		<Interval>PT3600S</Interval>
		<!-- <ManualKeyGeneration/> -->
		<!-- <RolloverNotification>P14D</RolloverNotification> -->
		
		<!-- the <DelegationSignerSubmitCommand> will get all current
		     DNSKEYs (as a RRset) on standard input.
		     NOTE(review): if enabled, the program is started by the
		     Enforcer, so the binary and its directory should be writable
		     by root only.
		-->
		<!-- <DelegationSignerSubmitCommand>/usr/sbin/eppclient</DelegationSignerSubmitCommand> -->
	</Enforcer>

	<Signer>
		<!-- Unprivileged account and group configured for the Signer. -->
		<Privileges>
			<User>ods</User>
			<Group>ods</Group>
		</Privileges>

		<!-- Scratch directory for the Signer; presumably it must be
		     writable by the ods account and by no other unprivileged
		     user (verify the directory mode). -->
		<WorkingDirectory>/var/opendnssec/tmp</WorkingDirectory>
		<WorkerThreads>4</WorkerThreads>
<!--
		<SignerThreads>4</SignerThreads>
-->

		<!-- the <NotifyCommand> will expand the following variables:

		     %zone      the name of the zone that was signed
		     %zonefile  the filename of the signed zone

		     NOTE(review): the sudo form below needs a sudoers rule for
		     the ods account; limit that rule to this exact command so the
		     Signer account gains no other root access.
		<NotifyCommand>sudo systemctl reload nsd.service</NotifyCommand>
		-->
<!--
		<NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
-->
	</Signer>

</Configuration>