Linux Certif

Toute la documentation sur la certification Linux LPI

dtconfchk

NAME

dtconfchk - Check a DNSSEC-Tools configuration file for sanity.

SYNOPSIS

   dtconfchk [options] [config_file]
 
 

DESCRIPTION

dtconfchk checks a DNSSEC-Tools configuration file to determine if the entries are valid. If a configuration file isn't specified, the system configuration file will be verified.

Without any display options, dtconfchk displays error messages for problems found, followed by a summary line. Display options will increase or decrease the amount of detail about the configuration file's sanity. In all cases, the exit code is the count of errors found in the file.

The tests are divided into five groups: key-related checks, zone-related checks, path checks, rollover checks, and miscellaneous checks. The checks in each of these self-explanatory groups are described below.

The default_keyrec configuration entry is not checked. This entry specifies the default keyrec file name and isn't necessarily expected to exist in any particular place.

Key-related Checks

The following key-related checks are performed:

algorithm

Ensure the algorithm field is valid. The acceptable values may be found in the dnssec-keygen man page.

ksklength

Ensure the ksklength field is valid. The acceptable values may be found in the dnssec-keygen man page.

ksklife

Ensure the ksklife field is valid. The acceptable values may be found in the defaults.pm(3) man page.

zskcount

Ensure the zskcount field is valid. The ZSK count must be positive.

zsklength

Ensure the zsklength field is valid. The acceptable values may be found in the dnssec-keygen man page.

zsklife

Ensure the zsklife field is valid. The acceptable values may be found in the defaults.pm(3) man page.

random

Ensure the random field is valid. This file must be a character device file.

Zone-related Checks

The following zone-related checks are performed:

endtime

Ensure the endtime field is valid. This value is assumed to be in the ``+NNNNNN'' format. There is a lower limit of two hours. (This is an artificial limit under which it may not make sense to have an end-time.)

Path Checks

The following path checks are performed:

keygen

Ensure the keygen field is valid. If the filename starts with a '/', the file must be a regular executable file.

viewimage

Ensure the viewimage field is valid. If the filename starts with a '/', the file must be a regular executable file.

zonecheck

Ensure the zonecheck field is valid. If the filename starts with a '/', the file must be a regular executable file.

zonesign

Ensure the zonesign field is valid. If the filename starts with a '/', the file must be a regular executable file.

Rollover Daemon Checks

The following checks are performed for rollerd values:

roll_logfile

Ensure that the log file for the rollerd is valid. If the file exists, it must be a regular file.

roll_loglevel

Ensure that the logging level for the rollerd is reasonable. The log level must be one of the following text or numeric values:

     tmi        1       (Overly verbose informational messages.)
     info       3       (Informational messages.)
     phase      6       (Current state of zone.)
     err        7       (Error messages.)
     fatal      9       (Fatal errors.)
 
 

Specifying a particular log level will causes messages of a higher numeric value to also be displayed.

roll_sleeptime

Ensure that the rollerd's sleep-time is reasonable. rollerd's sleep-time must be at least one minute.

Miscellaneous Checks

The following miscellaneous checks are performed:

admin-email

Ensure that the admin-email field is defined and has a value. dtconfchk does not try to validate the email address itself.

archivedir

Ensure that the archivedir directory is actually a directory. This check is only performed if the savekeys flag is set on.

entropy_msg

Ensure that the entropy_msg flag is either 0 or 1.

savekeys

Ensure that the savekeys flag is either 0 or 1. If this flag is set to 1, then the archivedir field will also be checked.

usegui

Ensure that the usegui flag is either 0 or 1.

OPTIONS

-expert

This option will bypass the following checks:

     - KSK has a longer lifespan than the configuration
       file's default minimum lifespan
 
     - KSK has a shorter lifespan than the configuration
       file's default maximum lifespan
 
     - ZSKs have a longer lifespan than the configuration
       file's default minimum lifespan
 
     - ZSKs have a shorter lifespan than the configuration
       file's default maximum lifespan
 
 

-quiet

No output will be given. The number of errors will be used as the exit code.

-summary

A final summary of success or failure will be printed. The number of errors will be used as the exit code.

-verbose

Success or failure status of each check will be given. A + or - prefix will be given for each valid and invalid entry. The number of errors will be used as the exit code.

-help

Display a usage message.

COPYRIGHT

Copyright 2004-2007 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.

AUTHOR

Wayne Morrison, tewok@users.sourceforge.net

SEE ALSO

dtdefs(8), dtinitconf(8), rollerd(8), zonesigner(8)

Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3)

dnssec-tools.conf(5)