.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is turned on, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .ie \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . nr % 0 . rr F .\} .el \{\ . de IX .. .\} .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . 
ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "DNSSEC-TOOLS.CONF 5" .TH DNSSEC-TOOLS.CONF 5 "2012-06-18" "perl v5.14.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" .Vb 1 \& dnssec\-tools.conf \- Configuration file for the DNSSEC\-Tools programs. .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" This file contains configuration information for the DNSSEC-Tools programs. These configuration data are used if nothing else has been specified for a particular program. 
The \fBconf.pm\fR module is used to parse this configuration file. .PP The recognized configuration fields are described in the Configuration Records section below. Some configuration entries are optional and a configuration file need not contain a complete list of entries. .PP A line in the configuration file contains either a comment or a configuration entry. Comment lines start with either a '#' character or a ';' character. Comment lines and blank lines are ignored by the DNSSEC-Tools programs. .PP Configuration entries are in a \fIkeyword/value\fR format. The keyword is a character string that contains no whitespace. The value is a tokenized list of the remaining character groups, with each token separated by a single space. .PP True/false flags must be given a \fB1\fR (true) or \fB0\fR (false) value. .SH "Configuration Records" .IX Header "Configuration Records" The following records are recognized by the DNSSEC-Tools programs. Not every DNSSEC-Tools program requires each of these records. .IP "admin-email" 4 .IX Item "admin-email" The email address for the DNSSEC-Tools administrator. .IP "algorithm" 4 .IX Item "algorithm" The default signing algorithm to be passed to \fBdnssec-keygen\fR. .IP "archivedir" 4 .IX Item "archivedir" The pathname to the archived-key directory. .IP "autosign" 4 .IX Item "autosign" A true/false flag indicating if \fBrollerd\fR should automatically sign zonefiles that have been modified more recently than their signed versions. .IP "default_keyrec" 4 .IX Item "default_keyrec" The default \fIkeyrec\fR filename to be used by the \fBkeyrec.pm\fR module. .IP "endtime" 4 .IX Item "endtime" The default signature expiration time to be passed to \fBdnssec-signzone\fR. .IP "entropy_msg" 4 .IX Item "entropy_msg" A true/false flag indicating if the \fBzonesigner\fR command should display a message about entropy generation. This is primarily dependent on the implementation of a system's random number generation. 
.IP "genkrf" 4 .IX Item "genkrf" The path to the DNSSEC-Tools \fBgenkrf\fR command. .IP "keyarch" 4 .IX Item "keyarch" The path to the DNSSEC-Tools \fBkeyarch\fR command. .IP "keygen" 4 .IX Item "keygen" The path to the \fBdnssec-keygen\fR command. .IP "keygen-opts" 4 .IX Item "keygen-opts" Options to pass to the \fBdnssec-keygen\fR command. .IP "kskcount" 4 .IX Item "kskcount" The default number of \s-1KSK\s0 keys that will be generated for each zone. .IP "ksklength" 4 .IX Item "ksklength" The default \s-1KSK\s0 key length to be passed to \fBdnssec-keygen\fR. .IP "ksklife" 4 .IX Item "ksklife" The default length of time between \s-1KSK\s0 roll-overs. This is measured in seconds. .Sp This value is \fBonly\fR used for key roll-over. Keys do not have a life-time in any other sense. .IP "lifespan-max" 4 .IX Item "lifespan-max" The maximum length of time a key should be in use before it is rolled over. This is measured in seconds. .IP "lifespan-min" 4 .IX Item "lifespan-min" The minimum length of time a key should be in use before it is rolled over. This is measured in seconds. .IP "log_tz" 4 .IX Item "log_tz" The timezone to be used in log messages. The value may be either 'gmt' (for Greenwich Mean Time) or 'local' (for the host's local time.) .IP "mailer-server" 4 .IX Item "mailer-server" The mail server that will be contacted by \fI\fIdt_adminmail()\fI\fR. This is passed to \fIMail::Send\fR. The default value is \fBlocalhost\fR. .IP "mailer-type" 4 .IX Item "mailer-type" The type of mailer that will be contacted by \fI\fIdt_adminmail()\fI\fR. This is passed to \fIMail::Mailer\fR (by way of \fIMail::Send\fR.) Any values recognized by \fIMail::Mailer\fR may be used here. The default value is \fBstmp\fR. .IP "prog\-ksk1 ... prog\-ksk7" 4 .IX Item "prog-ksk1 ... prog-ksk7" A bang-separated list commands to run when a zone enters a particular \s-1KSK\s0 rollover phase. The programs can replace default rollover actions or be executed in addition to the default actions. 
The \fIdefault\fR keyword must be included if the default action should be taken. Options and arguments may be passed to non-default commands. .Sp The default rollover action and requirements for user-written phase commands are described in the documentation for \fBrollerd\fR. .IP "prog-normal" 4 .IX Item "prog-normal" A bang-separated list of commands to run when a zone enters the normal, non-rollover phase. The programs can replace default actions or be executed in addition to the default actions. The \fIdefault\fR keyword must be included if the default action should be taken. Options and arguments may be passed to non-default commands. .Sp The default rollover action and requirements for user-written phase commands are described in the documentation for \fBrollerd\fR. .IP "prog\-zsk1 ... prog\-zsk7" 4 .IX Item "prog-zsk1 ... prog-zsk7" A bang-separated list of commands to run when a zone enters a particular \s-1ZSK\s0 rollover phase. The programs can replace default rollover actions or be executed in addition to the default actions. The \fIdefault\fR keyword must be included if the default action should be taken. Options and arguments may be passed to non-default commands. .Sp The default rollover action and requirements for user-written phase commands are described in the documentation for \fBrollerd\fR. .IP "random" 4 .IX Item "random" The random-number device to be passed to \fBdnssec-keygen\fR. .IP "rndc" 4 .IX Item "rndc" The path to the \fBrndc\fR command. .IP "roll_loadzone" 4 .IX Item "roll_loadzone" A true/false flag indicating if \fBrollerd\fR should have the \s-1DNS\s0 daemon reload zones. .IP "roll_logfile" 4 .IX Item "roll_logfile" The log file used by \fBrollerd\fR. .IP "roll_loglevel" 4 .IX Item "roll_loglevel" The default logging level used by \fBrollerd\fR. The valid levels are defined and described in \fIrollmgr.pm\fR. .IP "roll_phasemsg" 4 .IX Item "roll_phasemsg" The default length of phase-related log messages used by \fBrollerd\fR. 
The valid values are \*(L"long\*(R" and \*(L"short\*(R", with \*(L"long\*(R" being the default value. .Sp The long message length means that a phase description will be included with some log messages. For example, the long form of a message about \s-1ZSK\s0 rollover phase 3 will look like this: \*(L"\s-1ZSK\s0 phase 3 (Waiting for old zone data to expire from caches)\*(R". .Sp The short message length means that a phase description will not be included with some log messages. For example, the short form of a message about \s-1ZSK\s0 rollover phase 3 will look like this: \*(L"\s-1ZSK\s0 phase 3\*(R". .IP "roll_sleeptime" 4 .IX Item "roll_sleeptime" The number of seconds \fBrollerd\fR must wait at the end of each zone-checking cycle. .IP "roll_username" 4 .IX Item "roll_username" The user that \fBrollerd\fR will run as. The name will be converted to its associated uid, and the effective uid of the \fBrollerd\fR process will be set to that uid. This may be given as a user name or a uid. .IP "rollctl" 4 .IX Item "rollctl" The path to the DNSSEC-Tools \fBrollctl\fR command. .IP "savekeys" 4 .IX Item "savekeys" A true/false flag indicating if old keys should be moved to the archive directory. .IP "usegui" 4 .IX Item "usegui" Flag to allow/disallow usage of the \s-1GUI\s0 for specifying command options. .IP "zonecheck" 4 .IX Item "zonecheck" The path to the \fBnamed-checkzone\fR command. .IP "zonecheck-opts" 4 .IX Item "zonecheck-opts" Options to pass to the \fBnamed-checkzone\fR command. .IP "zone_errors" 4 .IX Item "zone_errors" The maximum number of consecutive errors a zone may have. When this is exceeded, \fBrollerd\fR will mark the zone as a \fIskip\fR zone. If this value is zero, or isn't included in the file, then error conditions will not affect a zone's \fIroll/skip\fR status. This may be overridden by the \fImaxerrors\fR field in a zone's entry in a \fIrollrec\fR file. .IP "zonesign" 4 .IX Item "zonesign" The path to the \fBdnssec-signzone\fR command. 
.IP "zonesign-opts" 4 .IX Item "zonesign-opts" Options to pass to the \fBdnssec-signzone\fR command. .IP "zonesigner" 4 .IX Item "zonesigner" The path to the DNSSEC-Tools \fBzonesigner\fR command. .IP "zskcount" 4 .IX Item "zskcount" The default number of \s-1ZSK\s0 keys that will be generated for each zone. .IP "zsklength" 4 .IX Item "zsklength" The default \s-1ZSK\s0 key length to be passed to \fBdnssec-keygen\fR. .IP "zsklife" 4 .IX Item "zsklife" The default length of time between \s-1ZSK\s0 roll-overs. This is measured in seconds. .Sp This value is \fBonly\fR used for key roll-over. Keys do not have a life-time in any other sense. .SH "Sample Times" .IX Header "Sample Times" Several configuration fields measure various times. This section is a convenient reference for several common times, as measured in seconds. .PP .Vb 6 \& 3600 \- hour \& 86400 \- day \& 604800 \- week \& 2592000 \- 30\-day month \& 15768000 \- half\-year \& 31536000 \- year .Ve .SH "Example File" .IX Header "Example File" The following is an example \fBdnssec\-tools.conf\fR configuration file. .PP .Vb 4 \& # \& # Settings for DNSSEC\-Tools administration. \& # \& admin\-email tewok@squirrelking.net \& \& # \& # Paths to required programs. These may need adjusting for \& # individual hosts. \& # \& keygen /usr/local/sbin/dnssec\-keygen \& rndc /usr/local/sbin/rndc \& zonecheck /usr/local/sbin/named\-checkzone \& zonecheck\-opts \-i local \-k ignore \& zonesign /usr/local/sbin/dnssec\-signzone \& \& genkrf /usr/bin/genkrf \& keyarch /usr/bin/keyarch \& rollchk /usr/bin/rollchk \& rollctl /usr/bin/rollctl \& zonesigner /usr/bin/zonesigner \& \& # \& # Special processing for a couple of zone phases. \& # \& prog\-ksk5 xfer\-ds\-epp !default ! adminmail mary bob \& prog\-ksk6 check\-for\-ds \& \& # \& # Settings for dnssec\-keygen. \& # \& algorithm rsasha1 \& ksklength 2048 \& zsklength 1024 \& random /dev/urandom \& \& # \& # Settings for dnssec\-signzone. 
\& # \& endtime +2592000 # RRSIGs good for 30 days. \& \& # \& # Life\-times for keys. These defaults indicate how long a key has \& # between roll\-overs. The values are measured in seconds. \& # \& ksklife 15768000 # Half\-year. \& zsklife 604800 # One week. \& lifespan\-max 94608000 # Two years. \& lifespan\-min 3600 # One hour. \& \& \& # \& # Settings that will be noticed by zonesigner. \& # \& archivedir /usr/local/etc/dnssec\-tools/KEY\-SAFE \& default_keyrec default.krf \& entropy_msg 0 \& savekeys 1 \& zskcount 1 \& \& # \& # Settings for rollover\-manager. \& # \& roll_logfile /usr/local/etc/dnssec\-tools/log\-rollerd \& roll_loglevel info \& roll_sleeptime 60 \& autosign 1 \& zone_errors 3 \& \& log_tz local \& \& # \& # GUI\-usage flag. \& # \& usegui 0 .Ve .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2005\-2012 \s-1SPARTA\s0, Inc. All rights reserved. See the \s-1COPYING\s0 file included with the DNSSEC-Tools package for details. .SH "AUTHOR" .IX Header "AUTHOR" Wayne Morrison, tewok@tislabs.com .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fB\f(BIdtinitconf\fB\|(8)\fR, \&\fB\f(BIdtconfchk\fB\|(8)\fR, \&\fB\f(BIkeyarch\fB\|(8)\fR, \&\fB\f(BIrollerd\fB\|(8)\fR, \&\fB\f(BIzonesigner\fB\|(8)\fR .PP \&\fB\f(BINet::DNS::SEC::Tools::conf.pm\fB\|(3)\fR, \&\fB\f(BINet::DNS::SEC::Tools::keyrec.pm\fB\|(3)\fR \&\fB\f(BINet::DNS::SEC::Tools::rollmgr.pm\fB\|(3)\fR