NAME
dnssec-tools.conf - Configuration file for the DNSSEC-Tools programs.
DESCRIPTION
This file contains configuration information for the DNSSEC-Tools programs.
These configuration data are used if nothing else has been specified for a
particular program. The conf.pm module is used to parse this configuration
file.
The recognized configuration fields are described in the Configuration Records
section below. Some configuration entries are optional and a configuration
file need not contain a complete list of entries.
A line in the configuration file contains either a comment or a configuration
entry. Comment lines start with either a '#' character or a ';' character.
Comment lines and blank lines are ignored by the DNSSEC-Tools programs.
Configuration entries are in a keyword/value format. The keyword is a
character string that contains no whitespace. The value is a tokenized list of
the remaining character groups, with each token separated by a single space.
True/false flags must be given a 1 (true) or 0 (false) value.
Configuration Records
The following records are recognized by the DNSSEC-Tools programs. Not every
DNSSEC-Tools program requires each of these records.
- admin-email
- The email address for the DNSSEC-Tools administrator.
- algorithm
- The default encryption algorithm to be passed to
dnssec-keygen.
- archivedir
- The pathname to the archived-key directory.
- autosign
- A true/false flag indicating if rollerd should
automatically sign zonefiles that have been modified more recently than
their signed versions.
- default_keyrec
- The default keyrec filename to be used by the
keyrec.pm module.
- endtime
- The zone default expiration time to be passed to
dnssec-signzone.
- entropy_msg
- A true/false flag indicating if the zonesigner
command should display a message about entropy generation. This is
primarily dependent on the implementation of a system's random number
generation.
- genkrf
- The path to the DNSSEC-Tools genkrf command.
- keyarch
- The path to the DNSSEC-Tools keyarch command.
- keygen
- The path to the dnssec-keygen command.
- keygen-opts
- Options to pass to the dnssec-keygen command.
- kskcount
- The default number of KSK keys that will be generated for
each zone.
- ksklength
- The default KSK key length to be passed to
dnssec-keygen.
- ksklife
- The default length of time between KSK roll-overs. This is
measured in seconds.
This value is only used for key roll-over. Keys do not have a
life-time in any other sense.
- lifespan-max
- The maximum length of time a key should be in use before it
is rolled over. This is measured in seconds.
- lifespan-min
- The minimum length of time a key should be in use before it
is rolled over. This is measured in seconds.
- log_tz
- The timezone to be used in log messages. The value may be
either 'gmt' (for Greenwich Mean Time) or 'local' (for the host's local
time).
- mailer-server
- The mail server that will be contacted by
dt_adminmail(). This is passed to Mail::Send.
The default value is localhost.
- mailer-type
- The type of mailer that will be contacted by
dt_adminmail(). This is passed to
Mail::Mailer (by way of Mail::Send). Any values recognized
by Mail::Mailer may be used here. The default value is
smtp.
- prog-ksk1 ... prog-ksk7
- A bang-separated list of commands to run when a zone enters a
particular KSK rollover phase. The programs can replace the default rollover
actions or be executed in addition to the default actions. The
default keyword must be included if the default action should be
taken. Options and arguments may be passed to non-default commands.
The default rollover action and requirements for user-written phase commands
are described in the documentation for rollerd.
- prog-normal
- A bang-separated list of commands to run when a zone enters
the normal, non-rollover phase. The programs can replace the default actions
or be executed in addition to the default actions. The default
keyword must be included if the default action should be taken. Options
and arguments may be passed to non-default commands.
The default rollover action and requirements for user-written phase commands
are described in the documentation for rollerd.
- prog-zsk1 ... prog-zsk7
- A bang-separated list of commands to run when a zone enters a
particular ZSK rollover phase. The programs can replace the default rollover
actions or be executed in addition to the default actions. The
default keyword must be included if the default action should be
taken. Options and arguments may be passed to non-default commands.
The default rollover action and requirements for user-written phase commands
are described in the documentation for rollerd.
- random
- The random device generator to be passed to
dnssec-keygen.
- rndc
- The path to the rndc command.
- roll_loadzone
- A flag indicating if rollerd should have the DNS
daemon reload zones.
- roll_logfile
- The log file used by rollerd.
- roll_loglevel
- The default logging level used by rollerd. The valid
levels are defined and described in rollmgr.pm.
- roll_phasemsg
- The default length of phase-related log messages used by
rollerd. The valid levels are "long" and
"short", with "long" being the default value.
The long message length means that a phase description will be included with
some log messages. For example, the long form of a message about ZSK
rollover phase 3 will look like this: "ZSK phase 3 (Waiting for old
zone data to expire from caches)".
The short message length means that a phase description will not be included
with some log messages. For example, the short form of a message about ZSK
rollover phase 3 will look like this: "ZSK phase 3".
- roll_sleeptime
- The number of seconds rollerd must wait at the end
of each zone-checking cycle.
- roll_username
- The username that rollerd will be run by. The name
will be converted to its associated uid, and the effective uid of the
rollerd process will be set to that uid. This may be given as a
user name or a uid.
- rollctl
- The path to the DNSSEC-Tools rollctl command.
- savekeys
- A true/false flag indicating if old keys should be moved to
the archive directory.
- usegui
- Flag to allow/disallow usage of the GUI for specifying
command options.
- zonecheck
- The path to the named-checkzone command.
- zonecheck-opts
- Options to pass to the named-checkzone command.
- zone_errors
- The maximum number of consecutive errors a zone may have.
When this is exceeded, rollerd will mark the zone as a skip
zone. If this value is zero, or isn't included in the file, then error
conditions will not affect a zone's roll/skip status. This may be
overridden by the maxerrors field in a zone's entry in a
rollrec file.
- zonesign
- The path to the dnssec-signzone command.
- zonesign-opts
- Options to pass to the dnssec-signzone command.
- zonesigner
- The path to the DNSSEC-Tools zonesigner
command.
- zskcount
- The default number of ZSK keys that will be generated for
each zone.
- zsklength
- The default ZSK key length to be passed to
dnssec-keygen.
- zsklife
- The default length of time between ZSK roll-overs. This is
measured in seconds.
This value is only used for key roll-over. Keys do not have a
life-time in any other sense.
Sample Times
Several configuration fields measure various times. This section is a convenient
reference for several common times, as measured in seconds.
3600 - hour
86400 - day
604800 - week
2592000 - 30-day month
15768000 - half-year
31536000 - year
Example File
The following is an example dnssec-tools.conf configuration file.
#
# Settings for DNSSEC-Tools administration.
#
admin-email tewok@squirrelking.net
#
# Paths to required programs. These may need adjusting for
# individual hosts.
#
keygen /usr/local/sbin/dnssec-keygen
rndc /usr/local/sbin/rndc
zonecheck /usr/local/sbin/named-checkzone
zonecheck-opts -i local -k ignore
zonesign /usr/local/sbin/dnssec-signzone
genkrf /usr/bin/genkrf
keyarch /usr/bin/keyarch
rollchk /usr/bin/rollchk
rollctl /usr/bin/rollctl
zonesigner /usr/bin/zonesigner
#
# Special processing for a couple of zone phases.
#
prog-ksk5 xfer-ds-epp !default ! adminmail mary bob
prog-ksk6 check-for-ds
#
# Settings for dnssec-keygen.
#
algorithm rsasha1
ksklength 2048
zsklength 1024
random /dev/urandom
#
# Settings for dnssec-signzone.
#
endtime +2592000 # RRSIGs good for 30 days.
#
# Life-times for keys. These defaults indicate how long a key has
# between roll-overs. The values are measured in seconds.
#
ksklife 15768000 # Half-year.
zsklife 604800 # One week.
lifespan-max 94608000 # Two years.
lifespan-min 3600 # One hour.
#
# Settings that will be noticed by zonesigner.
#
archivedir /usr/local/etc/dnssec-tools/KEY-SAFE
default_keyrec default.krf
entropy_msg 0
savekeys 1
zskcount 1
#
# Settings for rollover-manager.
#
roll_logfile /usr/local/etc/dnssec-tools/log-rollerd
roll_loglevel info
roll_sleeptime 60
autosign 1
zone_errors 3
log_tz local
#
# GUI-usage flag.
#
usegui 0
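As an added example (not the DNSSEC-Tools conf.pm module, whose parser this page only names), the following Python reads the keyword/value format described above, splits a prog-* value on its bangs, and checks a handful of documented constraints: true/false flags must be 1 or 0, key life-times should fall within lifespan-min and lifespan-max, and a prog-* list without the default keyword replaces the default rollover action. The sample configuration is constructed in the style of the example file, and stripping a trailing '#' comment from a value line (as on the example's endtime line) is this example's assumption.

```python
# Added example (not the DNSSEC-Tools conf.pm module): parse the keyword/value
# format described above and sanity-check some of the documented fields.
FLAG_FIELDS = {"autosign", "entropy_msg", "roll_loadzone", "savekeys", "usegui"}
LIFE_FIELDS = {"ksklife", "zsklife", "lifespan-min", "lifespan-max"}
SAMPLE_CONF = """\
; Constructed sample in the format of the example file above.
admin-email admin@example.com
prog-ksk5 xfer-ds-epp !default ! adminmail mary bob
prog-ksk6 check-for-ds
ksklife 15768000 # Half-year.
zsklife 3600 # One hour: shorter than lifespan-min below.
lifespan-max 94608000 # Two years.
lifespan-min 86400 # One day.
savekeys 1
usegui yes
"""

def parse_conf(text):
    """Return {keyword: [tokens]}: skip blank and '#'/';' comment lines, drop a
    trailing '#' comment (as on the example's endtime line), split on spaces."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] == ";":
            continue
        keyword, *tokens = line.split()
        conf[keyword] = tokens
    return conf

def prog_list(tokens):
    """Split a prog-* value on '!' into its commands; 'xfer-ds-epp !default !
    adminmail mary bob' -> ['xfer-ds-epp', 'default', 'adminmail mary bob']."""
    return [c.strip() for c in " ".join(tokens).split("!") if c.strip()]

def check_conf(conf):
    """Return findings: bad flag values, key life-times outside
    [lifespan-min, lifespan-max], and prog-* lists that omit 'default'."""
    findings = []
    for key in sorted(FLAG_FIELDS & conf.keys()):
        if conf[key] not in (["0"], ["1"]):
            findings.append(f"{key}: flag must be 1 or 0, got {conf[key]}")
    life = {k: int(conf[k][0]) for k in LIFE_FIELDS & conf.keys()}
    lo, hi = life.get("lifespan-min", 0), life.get("lifespan-max", float("inf"))
    for key in ("ksklife", "zsklife"):
        if key in life and not lo <= life[key] <= hi:
            findings.append(f"{key}: {life[key]} s is outside [{lo}, {hi}]")
    for key, tokens in sorted(conf.items()):  # no 'default' => default action replaced
        if key.startswith("prog-") and "default" not in prog_list(tokens):
            findings.append(f"{key}: replaces default action with {prog_list(tokens)}")
    return findings
```

Running check_conf(parse_conf(SAMPLE_CONF)) reports the non-numeric usegui flag, the zsklife value below lifespan-min, and prog-ksk6 as a phase whose default action is replaced.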
COPYRIGHT
Copyright 2005-2012 SPARTA, Inc. All rights reserved. See the COPYING file
included with the DNSSEC-Tools package for details.
AUTHOR
Wayne Morrison, tewok@tislabs.com
SEE ALSO
dtinitconf(8),
dtconfchk(8),
keyarch(8),
rollerd(8),
zonesigner(8)
Net::DNS::SEC::Tools::conf.pm(3),
Net::DNS::SEC::Tools::keyrec.pm(3),
Net::DNS::SEC::Tools::rollmgr.pm(3)