dnssec-tools.conf.5p

Language: en

Version: 2008-05-26 (debian - 07/07/09)

Section: 5 (File format)

NAME

     dnssec-tools.conf - Configuration file for the DNSSEC-Tools programs.

DESCRIPTION

This file contains configuration information for the DNSSEC-Tools programs. These configuration data are used if nothing else has been specified for a particular program. The conf.pm module is used to parse this configuration file.

The recognized configuration fields are described in the Configuration Records section below. Some configuration entries are optional and a configuration file need not contain a complete list of entries.

A line in the configuration file contains either a comment or a configuration entry. Comment lines start with either a '#' character or a ';' character. Comment lines and blank lines are ignored by the DNSSEC-Tools programs.

Configuration entries are in a keyword/value format. The keyword is a character string that contains no whitespace. The value is a tokenized list of the remaining character groups, with each token separated by a single space.

True/false flags must be given a 1 (true) or 0 (false) value.

Configuration Records

The following records are recognized by the DNSSEC-Tools programs. Not every DNSSEC-Tools program requires each of these records.
admin-email
     The email address for the DNSSEC-Tools administrator.
algorithm
     The default key algorithm to be passed to dnssec-keygen.
archivedir
     The pathname to the archived-key directory.
default_keyrec
     The default keyrec filename to be used by the keyrec.pm module.
endtime
     The default signature expiration (end) time to be passed to dnssec-signzone.
entropy_msg
     A true/false flag indicating whether the zonesigner command should display a message about entropy generation. Whether this is needed depends primarily on the implementation of a system's random number generation.
keyarch
     The path to the DNSSEC-Tools keyarch command.
keygen
     The path to the dnssec-keygen command.
keygen-opts
     Options to pass to the dnssec-keygen command.
kskcount
     The default number of KSK keys that will be generated for each zone.
ksklength
     The default KSK key length to be passed to dnssec-keygen.
ksklife
     The default length of time between KSK roll-overs, measured in seconds.

     This value is only used for key roll-over. Keys do not have a life-time in any other sense.

lifespan-max
     The maximum length of time a key should be in use before it is rolled over, measured in seconds.
lifespan-min
     The minimum length of time a key should be in use before it is rolled over, measured in seconds.
random
     The random-device pathname to be passed to dnssec-keygen.
roll_logfile
     The log file used by rollerd.
roll_loglevel
     The default logging level used by rollerd. The valid levels are defined and described in rollmgr.pm.
roll_sleeptime
     The number of seconds rollerd waits at the end of each zone-checking cycle.
savekeys
     A true/false flag indicating whether old keys should be moved to the archive directory.
usegui
     A true/false flag indicating whether the GUI may be used for specifying command options.
zonecheck
     The path to the named-checkzone command.
zonecheck-opts
     Options to pass to the named-checkzone command.
zonesign
     The path to the dnssec-signzone command.
zonesign-opts
     Options to pass to the dnssec-signzone command.
zonesigner
     The path to the DNSSEC-Tools zonesigner command.
zskcount
     The default number of ZSK keys that will be generated for each zone.
zsklength
     The default ZSK key length to be passed to dnssec-keygen.
zsklife
     The default length of time between ZSK roll-overs, measured in seconds.

     This value is only used for key roll-over. Keys do not have a life-time in any other sense.
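As an added example (not code from the DNSSEC-Tools package or from this manual page), the parser below reads the keyword/value format described in DESCRIPTION and then runs the kind of sanity checks a dtconfchk-style pass could apply to the records above: true/false flags must be 1 or 0, time fields must be numbers of seconds, and ksklife/zsklife must fall between lifespan-min and lifespan-max. The stripping of trailing '#' comments (as used in the Example File) and the specific checks are assumptions of this example; the sample configuration is constructed.

```python
import re
# Constructed sample in the documented keyword/value format (not the page's example file).
SAMPLE_CONF = """\
# Settings for DNSSEC-Tools administration.
admin-email     hostmaster@example.net
; life-times for keys, in seconds
ksklife         15768000    # Half-year.
zsklife         604800      # One week.
lifespan-max    94608000
lifespan-min    3600
savekeys        1
usegui          0
zonecheck-opts  -k ignore
"""

FLAGS = {"entropy_msg", "savekeys", "usegui"}
SECONDS = {"endtime", "ksklife", "zsklife", "lifespan-max", "lifespan-min", "roll_sleeptime"}

def parse_conf(text):
    """Return {keyword: [value tokens]} using the rules from DESCRIPTION."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop '#' comments, trailing ones too (assumed, as in the example file)
        if not line or line[0] == ";":         # blank lines and ';' comment lines are ignored
            continue
        tokens = line.split()                  # keyword, then the space-separated value tokens
        entries[tokens[0]] = tokens[1:]
    return entries

def check_conf(entries):
    """Return the problems a dtconfchk-style sanity pass would report (hypothetical checks)."""
    problems = []
    for key in sorted(FLAGS & entries.keys()):
        if entries[key] not in (["0"], ["1"]):
            problems.append(f"{key}: true/false flag must be 1 or 0")
    secs = {}
    for key in sorted(SECONDS & entries.keys()):
        val = entries[key][0] if entries[key] else ""
        if re.fullmatch(r"\+?\d+", val):       # endtime may carry a leading '+' (see Example File)
            secs[key] = int(val.lstrip("+"))
        else:
            problems.append(f"{key}: expected a number of seconds")
    lo, hi = secs.get("lifespan-min"), secs.get("lifespan-max")
    for key in ("ksklife", "zsklife"):        # a key life must sit inside [lifespan-min, lifespan-max]
        if key in secs and (lo is not None and secs[key] < lo or hi is not None and secs[key] > hi):
            problems.append(f"{key}: outside the lifespan-min..lifespan-max range")
    return problems
```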

Sample Times

Several configuration fields measure various times. This section is a convenient reference for several common times, as measured in seconds.
     3600        - hour
     86400       - day
     604800      - week
     2592000     - 30-day month
     15768000    - half-year
     31536000    - year

Example File

The following is an example dnssec-tools.conf configuration file.
     #
     # Settings for DNSSEC-Tools administration.
     #
     admin-email     tewok@squirrelking.net
 
     #
     # Paths to required programs.  These may need adjusting for
     # individual hosts.
     #
     keygen          /usr/local/sbin/dnssec-keygen
     rndc            /usr/local/sbin/rndc
     viewimage       /usr/X11R6/bin/xview
     zonecheck       /usr/local/sbin/named-checkzone
     zonecheck-opts  -k ignore
     zonesign        /usr/local/sbin/dnssec-signzone
 
     keyarch         /usr/bin/keyarch
     rollrec-chk     /usr/bin/rollrec-check
     zonesigner      /usr/bin/zonesigner
 
     #
     # Settings for dnssec-keygen.
     #
     algorithm   rsasha1
     ksklength   2048
     zsklength   1024
     random      /dev/urandom
     
     #
     # Settings for dnssec-signzone.
     #
     endtime             +2592000        # RRSIGs good for 30 days.
 
     #
     # Life-times for keys.  These defaults indicate how long a key has
     # between roll-overs.  The values are measured in seconds.
     # 
     ksklife         15768000            # Half-year.
     zsklife         604800              # One week.
     lifespan-max    94608000            # Two years.
     lifespan-min    3600                # One hour.
 
     
     #
     # Settings that will be noticed by zonesigner.
     #
     archivedir          /usr/local/etc/dnssec-tools/KEY-SAFE
     default_keyrec      default.krf
     entropy_msg         0
     savekeys            1
     zskcount            1
 
     #
     # Settings for rollover-manager.
     #
     roll_logfile    /usr/local/etc/dnssec-tools/log-rollerd
     roll_loglevel   info
     roll_sleeptime  60
 
     #
     # GUI-usage flag.
     #
     usegui              0
 
 
Copyright 2005-2008 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.

AUTHOR

Wayne Morrison, tewok@users.sourceforge.net

SEE ALSO

dtinitconf(8), dtconfchk(8), keyarch(8), rollerd(8), zonesigner(8)

Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::keyrec.pm(3), Net::DNS::SEC::Tools::rollmgr.pm(3)