NAME
dtinitconf - Creates a DNSSEC-Tools configuration file
SYNOPSIS
dtinitconf [options]
DESCRIPTION
The dtinitconf program initializes the DNSSEC-Tools configuration file.
By default, the configuration file is created at its default location, though
the user may specify a different file to create. Existing files, whether the
default or one specified by the user, will not be overwritten unless the user
specifically directs it.
Each configuration field can be individually specified on the command line. The
user will also be prompted for the fields, with default values taken from the
DNSSEC-Tools defaults.pm module. If the -noprompt option is given, then a
default configuration file (modulo command-line arguments) will be created.
Configuration entries are created for several BIND programs. Several locations
on the system are searched to find the locations of these programs. First, the
directories in the PATH environment variable are checked; the names of any
directories that contain the BIND programs are saved. Next, several common
locations for BIND programs are checked; again, the names of directories that
contain the BIND programs are saved. After collecting these directories, the
user is presented with the list and may choose whichever set is desired. If no
directories are found that contain the BIND programs, the user is prompted for
the proper location.
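The search described above, written out as an added shell example that is not part of DNSSEC-Tools: PATH entries are checked first, then a list of common directories, and every directory that holds all of the BIND programs is reported once. The program names in BIND_PROGS and the directories in COMMON_BIND_DIRS are assumptions chosen for illustration, not values taken from dtinitconf.

```shell
#!/bin/sh
# Added example (not dtinitconf's own code): find directories that contain the
# BIND programs, in the order the dtinitconf manual page describes.
# The program list and the "common locations" below are assumptions.

BIND_PROGS="dnssec-keygen dnssec-signzone rndc named-checkzone"
COMMON_BIND_DIRS="/usr/sbin /usr/local/sbin /usr/bin /usr/local/bin /opt/bind/bin"

# dir_has_bind_progs DIR: succeed only if every BIND program is executable in DIR.
dir_has_bind_progs() {
    d=$1
    for p in $BIND_PROGS; do
        [ -x "$d/$p" ] || return 1
    done
    return 0
}

# find_bind_dirs: print each candidate directory (PATH entries first, then the
# common locations) that holds all of the BIND programs, one per line, with
# duplicates and non-existent directories skipped.
find_bind_dirs() {
    seen=""
    candidates=$(printf '%s\n' "$PATH" | tr ':' '\n'; printf '%s\n' $COMMON_BIND_DIRS)
    for d in $candidates; do
        [ -d "$d" ] || continue
        # skip a directory already examined (PATH often repeats entries)
        case ":$seen:" in *":$d:"*) continue ;; esac
        seen="$seen:$d"
        if dir_has_bind_progs "$d"; then
            printf '%s\n' "$d"
        fi
    done
    return 0
}
```

An empty result is the case in which dtinitconf falls back to prompting the user for the location; a caller of this function would do the same rather than silently writing an unverified path into the configuration file.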
If the configuration file's parent directory does not exist, then an attempt is
made to create the directory. The new directory's ownership will be set to root
for the owner and dnssec for the group, assuming the dnssec group exists.
Writability checks for the directory will not be performed if the -outfile
option is given.
OPTIONS
dtinitconf takes options that control the contents of the newly generated
DNSSEC-Tools configuration file. Each configuration file entry has a
corresponding command-line option. The options, described below, are ordered
in logical groups.
Key-related Options
These options deal with different aspects of creating and managing encryption
keys.
- -algorithm algorithm
- Selects the cryptographic algorithm. The value of algorithm
must be one that is recognized by the installed version of
dnssec-keygen.
- -kskcount KSK-count
- The default number of KSK keys that will be created for a
zone.
- -ksklength keylen
- The default KSK key length to be passed to
dnssec-keygen.
- -ksklife lifespan
- The default length of time between KSK rollovers. This is measured in
seconds. This value must be within the range of the minlife and maxlife
values.
This value is only used for key rollover. Keys do not have a lifetime in any
other sense.
- -maxlife maxlifespan
- The maximum length of time between key rollovers. This is measured in
seconds. The ksklife and zsklife values must not be greater than this value.
This value is only used for key rollover. Keys do not have a lifetime in any
other sense.
- -minlife minlifespan
- The minimum length of time between key rollovers. This is measured in
seconds. The ksklife and zsklife values must not be less than this value.
This value is only used for key rollover. Keys do not have a lifetime in any
other sense.
- -zskcount ZSK-count
- The default number of ZSK keys that will be created for a
zone.
- -zsklength keylen
- The default ZSK key length to be passed to
dnssec-keygen.
- -zsklife lifespan
- The default length of time between ZSK rollovers. This is measured in
seconds. This value must be within the range of the minlife and maxlife
values.
This value is only used for key rollover. Keys do not have a lifetime in any
other sense.
- -random randomdev
- The random device (the source of randomness for key generation) to be
passed to dnssec-keygen.
Zone-related Options
These options deal with different aspects of zone signing.
- -endtime endtime
- The zone default expiration time to be passed to
dnssec-signzone.
trustman-related Options
These options deal with different aspects of executing trustman.
- -genroothints roothints
- A new root.hints file will be created at the
specified location. dtinitconf requires that the file not already
exist.
The root.hints file is retrieved from
http://www.internic.net/zones/named.root. It is not considered a
fatal error if dtinitconf is unable to fetch the file. Rather, a
warning message will be given and creation of the configuration file will
continue.
- -ta-contact email
- The email address of the trustman
administrator.
- -ta-resolvconf resolvconffile
- The location of the resolv.conf file.
- -ta-smtpserver hostname
- The SMTP server for the trustman command.
- -ta-tmpdir directory
- The temporary directory for the trustman command.
BIND Options
These options deal specifically with functionality provided by BIND.
- -rndc rndc-path
- rndc is the path to BIND's rndc command.
DNSSEC-Tools Options
These options deal specifically with functionality provided by DNSSEC-Tools.
- -admin email-address
- admin is the email address of the DNSSEC-Tools
administrator. This is the default address used by the
dt_adminmail() routine.
- -archivedir directory
- directory is the archived-key directory. Old
encryption keys are moved to this directory, but only if they are to be
saved and not deleted.
- -autosign
- A flag indicating that rollerd should automatically
sign zonefiles that are found to be newer than their signed zonefile. If
-noautosign is specified, this will be set to false.
- -binddir directory
- directory is the directory holding the BIND
programs. If the reserved word "path" is specified, then
existence of the BIND programs is not verified when dtinitconf is
executed. Rather, the user's PATH directories will be searched for the
BIND programs when the DNSSEC-Tools are executed.
- -dtdir directory
- directory is the directory holding the DNSSEC-Tools
programs. If the reserved word "path" is specified, then
existence of the DNSSEC-Tools programs is not verified when
dtinitconf is executed. Rather, the user's PATH directories will be
searched for the DNSSEC-Tools programs when those tools are executed.
- -entropy_msg
- A flag indicating that zonesigner should display a
message about entropy generation. This is primarily dependent on the
implementation of a system's random number generation.
- -mailer-server host
- The mail server that will be contacted by dt_adminmail(). This is passed to
Mail::Send.
- -mailer-type mailtype
- The mail type that will be used by dt_adminmail(). This is passed to
Mail::Mailer (by way of Mail::Send). Any value recognized by Mail::Mailer may
be used here.
- -noentropy_msg
- A flag indicating that zonesigner should not display
a message about entropy generation. This is primarily dependent on the
implementation of a system's random number generation.
- -roll-loadzone
- -no-roll-loadzone
- Flags indicating whether or not rollerd should have
the DNS daemon load zones.
- -roll-logfile logfile
- logfile is the logfile for the rollerd
daemon.
- -roll-loglevel loglevel
- loglevel is the logging level for the rollerd
daemon.
- -roll-phasemsg length
- length is the default length of phase-related log
messages used by rollerd. The valid levels are "long" and
"short", with "long" being the default value.
The long message length means that a phase description will be included with
some log messages. For example, the long form of a message about ZSK
rollover phase 3 will look like this: "ZSK phase 3 (Waiting for old
zone data to expire from caches)".
The short message length means that a phase description will not be included
with some log messages. For example, the short form of a message about ZSK
rollover phase 3 will look like this: "ZSK phase 3".
- -roll-sleeptime sleep-time
- sleep-time is the sleep-time for the rollerd
daemon.
- -roll-username username
- username is the user for which the rollerd
daemon will be executed. If this is a username, it must correspond to a
valid uid; if it is a uid, it must correspond to a valid username.
- -roll-logtz logtz
- logtz is the timezone of the message timestamp for rollerd's logfile.
- -zoneerrs error-count
- error-count is the maximum error count for zones
used by the rollerd daemon.
- -savekeys
- A flag indicating that old keys should be moved to the
archive directory.
- -nosavekeys
- A flag indicating that old keys should not be moved to the
archive directory but will instead be left in place.
- -usegui
- A flag indicating that the GUI for specifying command
options may be used.
- -nousegui
- A flag indicating that the GUI for specifying command
options should not be used.
dtinitconf Options
These options deal specifically with dtinitconf.
- -outfile conffile
- The configuration file will be written to conffile.
If this is not given, then the default configuration file (as returned by
Net::DNS::SEC::Tools::conf::getconffile()) will be
used.
If conffile is given as -, then the new configuration file
will be written to the standard output.
conffile must be writable.
- -overwrite
- If -overwrite is specified, existing output files
may be overwritten. Without -overwrite, if the output file is found
to exist then dtinitconf will give an error message and exit.
- -noprompt
- If -noprompt is specified, the user will not be
prompted for any input. The configuration file will be created from
command-line options and DNSSEC-Tools defaults. Guesses will be made for
the BIND paths, based on the PATH environment variable.
WARNING: After using the -noprompt option, the configuration
file must be checked to ensure that the defaults are appropriate
and acceptable for the installation.
- -template
- If -template is specified, a default configuration
file is created. However, all entries are commented out.
The only command line options that may be used in conjunction with
-template are -outfile and -overwrite.
- -edit
- If -edit is specified, the output file will be
edited after it has been created. The EDITOR environment variable is
consulted for the editor to use. If the EDITOR environment variable isn't
defined, then the vi editor will be used.
- -verbose
- Provide verbose output.
- -Version
- Displays the version information for dtinitconf and
the DNSSEC-Tools package.
- -help
- Display a usage message and exit.
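Two of the rules above are easy to get wrong in an unattended install: the key lifetimes must satisfy minlife <= ksklife, zsklife <= maxlife, and an -outfile that already exists is refused unless -overwrite is given. The following added shell example (not dtinitconf's own code) enforces both before assembling a dtinitconf -noprompt command line; the function names, the argument order and the sample lifetimes are constructed for this example, and the script prints the command rather than executing it so the result can be reviewed first.

```shell
#!/bin/sh
# Added example (not part of DNSSEC-Tools): pre-flight checks for a
# non-interactive "dtinitconf -noprompt" run, following the rules stated in
# the manual page. Function names and sample values are constructed.

# check_lifetimes MINLIFE MAXLIFE KSKLIFE ZSKLIFE (all in seconds)
# Succeeds only if every value is a non-negative integer, minlife <= maxlife,
# and both ksklife and zsklife lie within [minlife, maxlife].
check_lifetimes() {
    minlife=$1 maxlife=$2 ksklife=$3 zsklife=$4
    for v in "$minlife" "$maxlife" "$ksklife" "$zsklife"; do
        case $v in
            ''|*[!0-9]*) echo "lifetime '$v' is not a non-negative integer" >&2; return 1 ;;
        esac
    done
    [ "$minlife" -le "$maxlife" ] || { echo "minlife ($minlife) exceeds maxlife ($maxlife)" >&2; return 1; }
    for life in "$ksklife" "$zsklife"; do
        if [ "$life" -lt "$minlife" ] || [ "$life" -gt "$maxlife" ]; then
            echo "lifetime $life is outside [$minlife, $maxlife]" >&2
            return 1
        fi
    done
    return 0
}

# check_outfile CONFFILE OVERWRITE(0|1)
# "-" means standard output and always passes; an existing file is refused
# unless overwrite is 1; the file (or, for a new file, its parent directory)
# must be writable.
check_outfile() {
    conffile=$1 overwrite=$2
    [ "$conffile" = "-" ] && return 0
    if [ -e "$conffile" ]; then
        [ "$overwrite" = 1 ] || { echo "$conffile exists; use -overwrite" >&2; return 1; }
        [ -w "$conffile" ] || { echo "$conffile is not writable" >&2; return 1; }
    else
        [ -w "$(dirname "$conffile")" ] || { echo "cannot create $conffile" >&2; return 1; }
    fi
    return 0
}

# build_dtinitconf_args CONFFILE OVERWRITE MINLIFE MAXLIFE KSKLIFE ZSKLIFE
# Runs both checks and prints the resulting dtinitconf command line, one
# argument per line, for review before it is executed.
build_dtinitconf_args() {
    conffile=$1 overwrite=$2 minlife=$3 maxlife=$4 ksklife=$5 zsklife=$6
    check_lifetimes "$minlife" "$maxlife" "$ksklife" "$zsklife" || return 1
    check_outfile "$conffile" "$overwrite" || return 1
    printf '%s\n' dtinitconf -noprompt -outfile "$conffile"
    [ "$overwrite" = 1 ] && printf '%s\n' -overwrite
    printf '%s\n' -minlife "$minlife" -maxlife "$maxlife" -ksklife "$ksklife" -zsklife "$zsklife"
}

# Constructed sample: one-day minimum, thirty-day maximum, weekly KSK and
# fortnightly ZSK rollover, written to a new file in the current directory.
build_dtinitconf_args ./dnssec-tools.conf 0 86400 2592000 604800 1209600
```

Because -noprompt fills every unspecified entry from the DNSSEC-Tools defaults, the generated file still needs the post-run review the manual page's WARNING calls for; the checks here only catch the argument combinations dtinitconf itself would reject.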
COPYRIGHT
Copyright 2006-2012 SPARTA, Inc. All rights reserved. See the COPYING file
included with the DNSSEC-Tools package for details.
AUTHOR
Wayne Morrison, tewok@tislabs.com
SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8),
named-checkzone(8),
keyarch(8),
rollchk(8),
rollerd(8),
zonesigner(8)
Net::DNS::SEC::Tools::conf.pm(3),
Net::DNS::SEC::Tools::defaults.pm(3),
Net::DNS::SEC::Tools::dnssectools.pm(3),
Net::DNS::SEC::Tools::tooloptions.pm(3),
QWizard.pm(3)
dnssec-tools.conf(5)