dnssec-tools.conf.5p
Language: en
Version: 2008-05-26 (debian - 07/07/09)
Section: 5 (File format)
NAME
dnssec-tools.conf - Configuration file for the DNSSEC-Tools programs.
DESCRIPTION
This file contains configuration information for the DNSSEC-Tools programs. These configuration data are used if nothing else has been specified for a particular program. The conf.pm module is used to parse this configuration file.
The recognized configuration fields are described in the Configuration Records section below. Some configuration entries are optional and a configuration file need not contain a complete list of entries.
A line in the configuration file contains either a comment or a configuration entry. Comment lines start with either a '#' character or a ';' character. Comment lines and blank lines are ignored by the DNSSEC-Tools programs.
Configuration entries are in a keyword/value format. The keyword is a character string that contains no whitespace. The value is a tokenized list of the remaining character groups, with each token separated by a single space.
True/false flags must be given a 1 (true) or 0 (false) value.
Configuration Records
The following records are recognized by the DNSSEC-Tools programs. Not every DNSSEC-Tools program requires each of these records.
- admin-email
- The email address for the DNSSEC-Tools administrator.
- algorithm
- The default cryptographic algorithm to be passed to dnssec-keygen.
- archivedir
- The pathname to the archived-key directory.
- default_keyrec
- The default keyrec filename to be used by the keyrec.pm module.
- endtime
- The zone default expiration time to be passed to dnssec-signzone.
- entropy_msg
- A true/false flag indicating if the zonesigner command should display a message about entropy generation. This is primarily dependent on the implementation of a system's random number generation.
- keyarch
- The path to the DNSSEC-Tools keyarch command.
- keygen
- The path to the dnssec-keygen command.
- keygen-opts
- Options to pass to the dnssec-keygen command.
- kskcount
- The default number of KSK keys that will be generated for each zone.
- ksklength
- The default KSK key length to be passed to dnssec-keygen.
- ksklife
- The default length of time between KSK roll-overs. This is measured in seconds.
This value is only used for key roll-over. Keys do not have a life-time in any other sense.
- lifespan-max
- The maximum length of time a key should be in use before it is rolled over. This is measured in seconds.
- lifespan-min
- The minimum length of time a key should be in use before it is rolled over. This is measured in seconds.
- random
- The random device generator to be passed to dnssec-keygen.
- roll_logfile
- The log file used by rollerd.
- roll_loglevel
- The default logging level used by rollerd. The valid levels are defined and described in rollmgr.pm.
- roll_sleeptime
- The number of seconds rollerd must wait at the end of each zone-checking cycle.
- savekeys
- A true/false flag indicating if old keys should be moved to the archive directory.
- usegui
- Flag to allow/disallow usage of the GUI for specifying command options.
- zonecheck
- The path to the named-checkzone command.
- zonecheck-opts
- Options to pass to the named-checkzone command.
- zonesign
- The path to the dnssec-signzone command.
- zonesign-opts
- Options to pass to the dnssec-signzone command.
- zonesigner
- The path to the DNSSEC-Tools zonesigner command.
- zskcount
- The default number of ZSK keys that will be generated for each zone.
- zsklength
- The default ZSK key length to be passed to dnssec-keygen.
- zsklife
- The default length of time between ZSK roll-overs. This is measured in seconds.
This value is only used for key roll-over. Keys do not have a life-time in any other sense.
Sample Times
Several configuration fields measure various times. This section is a convenient reference for several common times, as measured in seconds.
    3600     - hour
    86400    - day
    604800   - week
    2592000  - 30-day month
    15768000 - half-year
    31536000 - year
Example File
The following is an example dnssec-tools.conf configuration file.

    #
    # Settings for DNSSEC-Tools administration.
    #
    admin-email     tewok@squirrelking.net

    #
    # Paths to required programs.  These may need adjusting for
    # individual hosts.
    #
    keygen          /usr/local/sbin/dnssec-keygen
    rndc            /usr/local/sbin/rndc
    viewimage       /usr/X11R6/bin/xview
    zonecheck       /usr/local/sbin/named-checkzone
    zonecheck-opts  -k ignore
    zonesign        /usr/local/sbin/dnssec-signzone
    keyarch         /usr/bin/keyarch
    rollrec-chk     /usr/bin/rollrec-check
    zonesigner      /usr/bin/zonesigner

    #
    # Settings for dnssec-keygen.
    #
    algorithm       rsasha1
    ksklength       2048
    zsklength       1024
    random          /dev/urandom

    #
    # Settings for dnssec-signzone.
    #
    endtime         +2592000        # RRSIGs good for 30 days.

    #
    # Life-times for keys.  These defaults indicate how long a key has
    # between roll-overs.  The values are measured in seconds.
    #
    ksklife         15768000        # Half-year.
    zsklife         604800          # One week.
    lifespan-max    94608000        # Two years.
    lifespan-min    3600            # One hour.

    #
    # Settings that will be noticed by zonesigner.
    #
    archivedir      /usr/local/etc/dnssec-tools/KEY-SAFE
    default_keyrec  default.krf
    entropy_msg     0
    savekeys        1
    zskcount        1

    #
    # Settings for rollover-manager.
    #
    roll_logfile    /usr/local/etc/dnssec-tools/log-rollerd
    roll_loglevel   info
    roll_sleeptime  60

    #
    # GUI-usage flag.
    #
    usegui          0
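A lint pass over the rules this page states (comment and blank lines ignored, flags limited to 0 or 1, times given in seconds, roll-over lives kept between lifespan-min and lifespan-max), as an added example that is not part of DNSSEC-Tools. The names parse_conf, check_conf and the BAD sample are constructed here, and treating a trailing "# ..." as a comment is an assumption drawn from the example file above.

```python
import re

FLAGS = ("entropy_msg", "savekeys", "usegui")          # must be 0 or 1
SECONDS = ("ksklife", "zsklife", "lifespan-min", "lifespan-max", "roll_sleeptime")

def parse_conf(text):
    """Return {keyword: [tokens]} using the line rules from DESCRIPTION."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # comment and blank lines are ignored
        # Assumption: a trailing "# ..." is a comment, as in the example file.
        line = re.split(r"\s+#", line, maxsplit=1)[0]
        keyword, *tokens = line.split()
        conf[keyword] = tokens
    return conf

def check_conf(conf):
    """Return a list of problems; an empty list means the checks passed."""
    problems, secs = [], {}
    for key in FLAGS:
        if key in conf and conf[key] not in (["0"], ["1"]):
            problems.append(f"{key}: flag must be 0 or 1")
    for key in (k for k in SECONDS if k in conf):
        value = " ".join(conf[key])
        if value.isdecimal():
            secs[key] = int(value)
        else:
            problems.append(f"{key}: not a whole number of seconds")
    lo, hi = secs.get("lifespan-min"), secs.get("lifespan-max")
    if lo is not None and hi is not None and lo > hi:
        problems.append("lifespan-min: larger than lifespan-max")
    for key in ("ksklife", "zsklife"):
        if key in secs and lo is not None and secs[key] < lo:
            problems.append(f"{key}: shorter than lifespan-min")
        if key in secs and hi is not None and secs[key] > hi:
            problems.append(f"{key}: longer than lifespan-max")
    return problems

# Constructed input: settings that break the rules above.
BAD = """\
; constructed sample, not a real deployment
zsklife         1800            # 30 minutes
lifespan-min    3600
savekeys        yes
roll_sleeptime  60s
"""
print("\n".join(check_conf(parse_conf(BAD))))
```
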
COPYRIGHT
Copyright 2005-2008 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.
AUTHOR
Wayne Morrison, tewok@users.sourceforge.net
SEE ALSO
dtinitconf(8), dtconfchk(8), keyarch(8), rollerd(8), zonesigner(8)
Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::keyrec.pm(3), Net::DNS::SEC::Tools::rollmgr.pm(3)