NAME
       dnssec-tools.conf - Configuration file for the DNSSEC-Tools programs.
DESCRIPTION
       This file contains configuration information for the DNSSEC-Tools programs. These configuration data are used if nothing else has been specified for a particular program. The conf.pm module is used to parse this configuration file.

       The recognized configuration fields are described in the CONFIGURATION RECORDS section below. Some configuration entries are optional, and a configuration file need not contain a complete list of entries.

       A line in the configuration file contains either a comment or a configuration entry. Comment lines start with either a '#' character or a ';' character. Comment lines and blank lines are ignored by the DNSSEC-Tools programs.

       Configuration entries are in a keyword/value format. The keyword is a character string that contains no whitespace. The value is a tokenized list of the remaining character groups, with each token separated by a single space. True/false flags must be given a 1 (true) or 0 (false) value.
CONFIGURATION RECORDS
       The following records are recognized by the DNSSEC-Tools programs. Not every DNSSEC-Tools program requires each of these records.

       admin-email
              The email address for the DNSSEC-Tools administrator.

       algorithm
              The default encryption algorithm to be passed to dnssec-keygen.

       archivedir
              The pathname to the archived-key directory.

       default_keyrec
              The default keyrec filename to be used by the keyrec.pm module.

       endtime
              The zone default expiration time to be passed to dnssec-signzone.

       entropy_msg
              A true/false flag indicating if the zonesigner command should display a message about entropy generation. This is primarily dependent on the implementation of a system's random number generation.

       keyarch
              The path to the DNSSEC-Tools keyarch command.

       keygen
              The path to the dnssec-keygen command.

       keygen-opts
              Options to pass to the dnssec-keygen command.

       kskcount
              The default number of KSK keys that will be generated for each zone.

       ksklength
              The default KSK key length to be passed to dnssec-keygen.

       ksklife
              The default length of time between KSK roll-overs. This is measured in seconds. This value is only used for key roll-over. Keys do not have a life-time in any other sense.

       lifespan-max
              The maximum length of time a key should be in use before it is rolled over. This is measured in seconds.

       lifespan-min
              The minimum length of time a key should be in use before it is rolled over. This is measured in seconds.

       log_tz
              The timezone to be used in log messages. The value may be either 'gmt' (for Greenwich Mean Time) or 'local' (for the host's local time).

       random
              The random device generator to be passed to dnssec-keygen.

       rndc
              The path to the rndc command.

       roll_loadzone
              A flag indicating if rollerd should have the DNS daemon reload zones.

       roll_logfile
              The log file used by rollerd.

       roll_loglevel
              The default logging level used by rollerd. The valid levels are defined and described in rollmgr.pm.

       roll_phasemsg
              The default length of phase-related log messages used by rollerd. The valid levels are "long" and "short", with "long" being the default value.

              The long message length means that a phase description will be included with some log messages. For example, the long form of a message about ZSK rollover phase 3 will look like this: "ZSK phase 3 (Waiting for old zone data to expire from caches)".

              The short message length means that a phase description will not be included with some log messages. For example, the short form of a message about ZSK rollover phase 3 will look like this: "ZSK phase 3".

       roll_sleeptime
              The number of seconds rollerd must wait at the end of each zone-checking cycle.

       roll_username
              The username that rollerd will be run by. The name will be converted to its associated uid, and the effective uid of the rollerd process will be set to that uid. This may be given as a user name or a uid.

       savekeys
              A true/false flag indicating if old keys should be moved to the archive directory.

       usegui
              Flag to allow/disallow usage of the GUI for specifying command options.

       zonecheck
              The path to the named-checkzone command.

       zonecheck-opts
              Options to pass to the named-checkzone command.

       zone_errors
              The maximum number of consecutive errors a zone may have. When this is exceeded, rollerd will mark the zone as a skip zone. If this value is zero, or isn't included in the file, then error conditions will not affect a zone's roll/skip status. This may be overridden by the maxerrors field in a zone's entry in a rollrec file.

       zonesign
              The path to the dnssec-signzone command.

       zonesign-opts
              Options to pass to the dnssec-signzone command.

       zonesigner
              The path to the DNSSEC-Tools zonesigner command.

       zskcount
              The default number of ZSK keys that will be generated for each zone.

       zsklength
              The default ZSK key length to be passed to dnssec-keygen.

       zsklife
              The default length of time between ZSK roll-overs. This is measured in seconds. This value is only used for key roll-over. Keys do not have a life-time in any other sense.
SAMPLE TIMES
       Several configuration fields measure various times. This section is a convenient reference for several common times, as measured in seconds.

           3600      - hour
           86400     - day
           604800    - week
           2592000   - 30-day month
           15768000  - half-year
           31536000  - year
EXAMPLE FILE
       The following is an example dnssec-tools.conf configuration file.

           #
           # Settings for DNSSEC-Tools administration.
           #
           admin-email     firstname.lastname@example.org

           #
           # Paths to required programs.  These may need adjusting for
           # individual hosts.
           #
           keygen          /usr/local/sbin/dnssec-keygen
           rndc            /usr/local/sbin/rndc
           zonecheck       /usr/local/sbin/named-checkzone
           zonecheck-opts  -k ignore
           zonesign        /usr/local/sbin/dnssec-signzone

           keyarch         /usr/bin/keyarch
           rollchk         /usr/bin/rollchk
           zonesigner      /usr/bin/zonesigner

           #
           # Settings for dnssec-keygen.
           #
           algorithm       rsasha1
           ksklength       2048
           zsklength       1024
           random          /dev/urandom

           #
           # Settings for dnssec-signzone.
           #
           endtime         +2592000        # RRSIGs good for 30 days.

           #
           # Life-times for keys.  These defaults indicate how long a key has
           # between roll-overs.  The values are measured in seconds.
           #
           ksklife         15768000        # Half-year.
           zsklife         604800          # One week.
           lifespan-max    94608000        # Two years.
           lifespan-min    3600            # One hour.

           #
           # Settings that will be noticed by zonesigner.
           #
           archivedir      /usr/local/etc/dnssec-tools/KEY-SAFE
           default_keyrec  default.krf
           entropy_msg     0
           savekeys        1
           zskcount        1

           #
           # Settings for rollover-manager.
           #
           roll_logfile    /usr/local/etc/dnssec-tools/log-rollerd
           roll_loglevel   info
           roll_sleeptime  60
           zone_errors     3
           log_tz          local

           #
           # GUI-usage flag.
           #
           usegui          0
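       The following is an added example, not part of this manual page or of the DNSSEC-Tools package: a small Python parser for the keyword/value format described in DESCRIPTION, followed by a consistency check in the spirit of dtconfchk(8) (not its actual logic) over the lifespan fields of the example file above. The sample text is constructed for the example, and the handling of a trailing '#' comment on a value line is inferred from the endtime line of the example file.

```python
# Constructed sample, modelled on the example file in the man page (not a real host's config).
SAMPLE_CONF = """\
# Settings for DNSSEC-Tools administration.
admin-email firstname.lastname@example.org
; Paths to required programs.
keygen /usr/local/sbin/dnssec-keygen
zonecheck-opts -k ignore
endtime +2592000 # RRSIGs good for 30 days.
ksklife 15768000 # Half-year.
zsklife 604800   # One week.
lifespan-max 94608000
lifespan-min 3600
entropy_msg 0
savekeys 1
usegui 0
"""

FLAG_FIELDS = {"entropy_msg", "savekeys", "usegui", "roll_loadzone"}
TIME_FIELDS = {"ksklife", "zsklife", "lifespan-max", "lifespan-min", "roll_sleeptime"}


def parse_conf(text):
    """Return {keyword: [value tokens]}; a later duplicate keyword overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop '#' comments (whole-line or trailing)
        if not line or line.startswith(";"):
            continue                           # blank line or ';' comment line: ignored
        keyword, *tokens = line.split()        # keyword, then the whitespace-separated tokens
        conf[keyword] = tokens
    return conf


def check_conf(conf):
    """Return a list of problems; an empty list means the checked fields are consistent."""
    problems = []
    for field in sorted(set(conf) & FLAG_FIELDS):
        if conf[field] not in (["0"], ["1"]):  # true/false flags must be exactly 1 or 0
            problems.append(f"{field}: flag must be 1 or 0, got {' '.join(conf[field])!r}")
    times = {}
    for field in sorted(set(conf) & TIME_FIELDS):
        if len(conf[field]) != 1 or not conf[field][0].isdigit():
            problems.append(f"{field}: expected a whole number of seconds, got {' '.join(conf[field])!r}")
        else:
            times[field] = int(conf[field][0])
    lo, hi = times.get("lifespan-min", 0), times.get("lifespan-max")
    for life in ("ksklife", "zsklife"):        # key lifetimes should sit inside lifespan-min..max
        if life in times and (times[life] < lo or (hi is not None and times[life] > hi)):
            problems.append(f"{life}={times[life]} is outside lifespan-min..lifespan-max ({lo}..{hi})")
    return problems
```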
COPYRIGHT
       Copyright 2005-2011 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.
AUTHOR
       Wayne Morrison, email@example.com
SEE ALSO
       dtinitconf(8), dtconfchk(8), keyarch(8), rollerd(8), zonesigner(8)

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::keyrec.pm(3)

                                                          DNSSEC-TOOLS.CONF(5)