
NAME

       dnssec-tools.conf - Configuration file for the DNSSEC-Tools programs.

DESCRIPTION

       This file contains configuration information for the DNSSEC-Tools
       programs.  These configuration data are used if nothing else has been
       specified for a particular program.  The conf.pm module is used to
       parse this configuration file.

       The recognized configuration fields are described in the Configuration
       Records section below.  Some configuration entries are optional and a
       configuration file need not contain a complete list of entries.

       A line in the configuration file contains either a comment or a
       configuration entry.  Comment lines start with either a '#' character
       or a ';' character.  Comment lines and blank lines are ignored by the
       DNSSEC-Tools programs.

       Configuration entries are in a keyword/value format.  The keyword is a
       character string that contains no whitespace.  The value is a tokenized
       list of the remaining character groups, with each token separated by a
       single space.

       True/false flags must be given a 1 (true) or 0 (false) value.

Configuration Records

       The following records are recognized by the DNSSEC-Tools programs.  Not
       every DNSSEC-Tools program requires each of these records.

       admin-email
           The email address for the DNSSEC-Tools administrator.

       algorithm
           The default encryption algorithm to be passed to dnssec-keygen.

       archivedir
           The pathname to the archived-key directory.

       default_keyrec
           The default keyrec filename to be used by the keyrec.pm module.

       endtime
           The zone default expiration time to be passed to dnssec-signzone.

       entropy_msg
           A true/false flag indicating if the zonesigner command should
           display a message about entropy generation.  This is primarily
           dependent on the implementation of a system's random number
           generation.

       keyarch
           The path to the DNSSEC-Tools keyarch command.

       keygen
           The path to the dnssec-keygen command.

       keygen-opts
           Options to pass to the dnssec-keygen command.

       kskcount
           The default number of KSK keys that will be generated for each
           zone.

       ksklength
           The default KSK key length to be passed to dnssec-keygen.

       ksklife
           The default length of time between KSK roll-overs.  This is
           measured in seconds.

           This value is only used for key roll-over.  Keys do not have a
           life-time in any other sense.

       lifespan-max
           The maximum length of time a key should be in use before it is
           rolled over.  This is measured in seconds.

       lifespan-min
           The minimum length of time a key should be in use before it is
           rolled over.  This is measured in seconds.

       random
           The random device generator to be passed to dnssec-keygen.

       rndc
           The path to the rndc command.

       roll_loadzone
           A flag indicating if rollerd should have the DNS daemon reload
           zones.

       roll_logfile
           The log file used by rollerd.

       roll_loglevel
           The default logging level used by rollerd.  The valid levels are
           defined and described in rollmgr.pm.

       roll_sleeptime
           The number of seconds rollerd must wait at the end of each zone-
           checking cycle.

       roll_username
           The username that rollerd will be run by.  The name will be
           converted to its associated uid, and the effective uid of the
           rollerd process will be set to that uid.  This may be given as a
           user name or a uid.

       savekeys
           A true/false flag indicating if old keys should be moved to the
           archive directory.

       usegui
           Flag to allow/disallow usage of the GUI for specifying command
           options.

       zonecheck
           The path to the named-checkzone command.

       zonecheck-opts
           Options to pass to the named-checkzone command.

       zonesign
           The path to the dnssec-signzone command.

       zonesign-opts
           Options to pass to the dnssec-signzone command.

       zonesigner
           The path to the DNSSEC-Tools zonesigner command.

       zskcount
           The default number of ZSK keys that will be generated for each
           zone.

       zsklength
           The default ZSK key length to be passed to dnssec-keygen.

       zsklife
           The default length of time between ZSK roll-overs.  This is
           measured in seconds.

           This value is only used for key roll-over.  Keys do not have a
           life-time in any other sense.

Sample Times

       Several configuration fields measure various times.  This section is a
       convenient reference for several common times, as measured in seconds.

           3600        - hour
           86400       - day
           604800      - week
           2592000     - 30-day month
           15768000    - half-year
           31536000    - year

Example File

       The following is an example dnssec-tools.conf configuration file.

           #
           # Settings for DNSSEC-Tools administration.
           #
           admin-email     tewok@squirrelking.net

           #
           # Paths to required programs.  These may need adjusting for
           # individual hosts.
           #
           keygen          /usr/local/sbin/dnssec-keygen
           rndc            /usr/local/sbin/rndc
           zonecheck       /usr/local/sbin/named-checkzone
           zonecheck-opts  -k ignore
           zonesign        /usr/local/sbin/dnssec-signzone

           keyarch         /usr/bin/keyarch
           rollchk         /usr/bin/rollchk
           zonesigner      /usr/bin/zonesigner

           #
           # Settings for dnssec-keygen.
           #
           algorithm   rsasha1
           ksklength   2048
           zsklength   1024
           random      /dev/urandom

           #
           # Settings for dnssec-signzone.
           #
           endtime             +2592000        # RRSIGs good for 30 days.

           #
           # Life-times for keys.  These defaults indicate how long a key has
           # between roll-overs.  The values are measured in seconds.
           #
           ksklife         15768000            # Half-year.
           zsklife         604800              # One week.
           lifespan-max    94608000            # Two years.
           lifespan-min    3600                # One hour.

           #
           # Settings that will be noticed by zonesigner.
           #
           archivedir          /usr/local/etc/dnssec-tools/KEY-SAFE
           default_keyrec      default.krf
           entropy_msg         0
           savekeys            1
           zskcount            1

           #
           # Settings for rollover-manager.
           #
           roll_logfile    /usr/local/etc/dnssec-tools/log-rollerd
           roll_loglevel   info
           roll_sleeptime  60

           #
           # GUI-usage flag.
           #
           usegui              0
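       As an added example, not part of this man page or of the DNSSEC-Tools
       package, the following Python parser implements the line format
       described in DESCRIPTION and checks the flag and time fields of a file
       like the one above against the rules given in Configuration Records.
       Stripping a trailing '#' comment from a value line, and requiring
       ksklife and zsklife to fall between lifespan-min and lifespan-max, are
       assumptions made here and are not documented conf.pm behaviour.

```python
"""Parser and sanity checker for the dnssec-tools.conf keyword/value format."""

# Fields the man page defines as true/false flags: value must be 1 or 0.
FLAG_FIELDS = ("entropy_msg", "roll_loadzone", "savekeys", "usegui")
# Fields the man page defines as times measured in seconds.
TIME_FIELDS = ("ksklife", "zsklife", "lifespan-max", "lifespan-min", "roll_sleeptime")

# Constructed sample, a subset of the man page's example file.
SAMPLE_CONF = """\
# Settings for DNSSEC-Tools administration.
admin-email     tewok@squirrelking.net
; comment lines may also start with a semicolon
zonecheck-opts  -k ignore
endtime         +2592000        # RRSIGs good for 30 days.
ksklife         15768000        # Half-year.
zsklife         604800          # One week.
lifespan-max    94608000        # Two years.
lifespan-min    3600            # One hour.
entropy_msg     0
savekeys        1
usegui          0
"""

def parse_conf(text):
    """Return {keyword: [value tokens]} for a dnssec-tools.conf body."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # comment or blank line: ignored
            continue
        # Assumption: a trailing '#' comment on a value line is dropped,
        # as the man page's own example file relies on.
        tokens = line.split("#", 1)[0].split()
        conf[tokens[0]] = tokens[1:]         # keyword, then space-separated value tokens
    return conf

def validate(conf):
    """Return a list of problems: bad flags, non-numeric times, inconsistent lifespans."""
    problems, times = [], {}
    for key in FLAG_FIELDS:
        if key in conf and conf[key] not in (["0"], ["1"]):
            problems.append(f"{key}: flag must be 1 or 0, got {conf[key]}")
    for key in TIME_FIELDS:
        if key not in conf:
            continue
        if len(conf[key]) != 1 or not conf[key][0].isdigit():
            problems.append(f"{key}: expected a number of seconds, got {conf[key]}")
        else:
            times[key] = int(conf[key][0])
    lo, hi = times.get("lifespan-min"), times.get("lifespan-max")
    if lo is not None and hi is not None and lo > hi:
        problems.append("lifespan-min exceeds lifespan-max")
    for key in ("ksklife", "zsklife"):       # assumption: key lives must respect the lifespan bounds
        if key in times and lo is not None and times[key] < lo:
            problems.append(f"{key} is below lifespan-min")
        if key in times and hi is not None and times[key] > hi:
            problems.append(f"{key} is above lifespan-max")
    return problems
```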

COPYRIGHT

       Copyright 2005-2010 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@users.sourceforge.net

SEE ALSO

       dtinitconf(8), dtconfchk(8), keyarch(8), rollerd(8), zonesigner(8)

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::keyrec.pm(3)
       Net::DNS::SEC::Tools::rollmgr.pm(3)