Provided by:
dnssec-tools_1.4.1-2_all 
NAME
dnssec-tools.conf - Configuration file for the DNSSEC-Tools programs.
DESCRIPTION
This file contains configuration information for the DNSSEC-Tools
programs. These configuration data are used if nothing else has been
specified for a particular program. The conf.pm module is used to
parse this configuration file.
The recognized configuration fields are described in the Configuration
Records section below. Some configuration entries are optional and a
configuration file need not contain a complete list of entries.
A line in the configuration file contains either a comment or a
configuration entry. Comment lines start with either a '#' character
or a ';' character. Comment lines and blank lines are ignored by the
DNSSEC-Tools programs.
Configuration entries are in a keyword/value format. The keyword is a
character string that contains no whitespace. The value is a tokenized
list of the remaining character groups, with each token separated by a
single space.
True/false flags must be given a 1 (true) or 0 (false) value.
Configuration Records
The following records are recognized by the DNSSEC-Tools programs. Not
every DNSSEC-Tools program requires each of these records.
admin-email
The email address for the DNSSEC-Tools administrator.
algorithm
The default cryptographic algorithm to be passed to dnssec-keygen.
archivedir
The pathname to the archived-key directory.
default_keyrec
The default keyrec filename to be used by the keyrec.pm module.
endtime
The zone default expiration time to be passed to dnssec-signzone.
entropy_msg
A true/false flag indicating if the zonesigner command should
display a message about entropy generation. This is primarily
dependent on the implementation of a system’s random number
generation.
keyarch
The path to the DNSSEC-Tools keyarch command.
keygen
The path to the dnssec-keygen command.
keygen-opts
Options to pass to the dnssec-keygen command.
kskcount
The default number of KSK keys that will be generated for each
zone.
ksklength
The default KSK key length to be passed to dnssec-keygen.
ksklife
The default length of time between KSK roll-overs. This is
measured in seconds.
This value is only used for key roll-over. Keys do not have a
life-time in any other sense.
lifespan-max
The maximum length of time a key should be in use before it is
rolled over. This is measured in seconds.
lifespan-min
The minimum length of time a key should be in use before it is
rolled over. This is measured in seconds.
random
The random number generator device to be passed to dnssec-keygen.
roll_logfile
The log file used by rollerd.
roll_loglevel
The default logging level used by rollerd. The valid levels are
defined and described in rollmgr.pm.
roll_sleeptime
The number of seconds rollerd must wait at the end of each
zone-checking cycle.
savekeys
A true/false flag indicating if old keys should be moved to the
archive directory.
usegui
Flag to allow/disallow usage of the GUI for specifying command
options.
zonecheck
The path to the named-checkzone command.
zonecheck-opts
Options to pass to the named-checkzone command.
zonesign
The path to the dnssec-signzone command.
zonesign-opts
Options to pass to the dnssec-signzone command.
zonesigner
The path to the DNSSEC-Tools zonesigner command.
zskcount
The default number of ZSK keys that will be generated for each
zone.
zsklength
The default ZSK key length to be passed to dnssec-keygen.
zsklife
The default length of time between ZSK roll-overs. This is
measured in seconds.
This value is only used for key roll-over. Keys do not have a
life-time in any other sense.
Sample Times
Several configuration fields measure various times. This section is a
convenient reference for several common times, as measured in seconds.
3600 - hour
86400 - day
604800 - week
2592000 - 30-day month
15768000 - half-year
31536000 - year
Example File
The following is an example dnssec-tools.conf configuration file.
#
# Settings for DNSSEC-Tools administration.
#
admin-email tewok@squirrelking.net
#
# Paths to required programs. These may need adjusting for
# individual hosts.
#
keygen /usr/local/sbin/dnssec-keygen
rndc /usr/local/sbin/rndc
viewimage /usr/X11R6/bin/xview
zonecheck /usr/local/sbin/named-checkzone
zonecheck-opts -k ignore
zonesign /usr/local/sbin/dnssec-signzone
keyarch /usr/bin/keyarch
rollrec-chk /usr/bin/rollrec-check
zonesigner /usr/bin/zonesigner
#
# Settings for dnssec-keygen.
#
algorithm rsasha1
ksklength 2048
zsklength 1024
random /dev/urandom
#
# Settings for dnssec-signzone.
#
endtime +2592000 # RRSIGs good for 30 days.
#
# Life-times for keys. These defaults indicate how long a key has
# between roll-overs. The values are measured in seconds.
#
ksklife 15768000 # Half-year.
zsklife 604800 # One week.
lifespan-max 94608000 # Two years.
lifespan-min 3600 # One hour.
#
# Settings that will be noticed by zonesigner.
#
archivedir /usr/local/etc/dnssec-tools/KEY-SAFE
default_keyrec default.krf
entropy_msg 0
savekeys 1
zskcount 1
#
# Settings for rollover-manager.
#
roll_logfile /usr/local/etc/dnssec-tools/log-rollerd
roll_loglevel info
roll_sleeptime 60
#
# GUI-usage flag.
#
usegui 0
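The format rules and fields above, as an added example (not part of DNSSEC-Tools or its conf.pm module): a Python parser for the keyword/value format plus a small audit of flag values, key lifetimes and key strength. Treating trailing "# ..." text as a comment, the 2048-bit RSA minimum and the SHA-1 check are assumptions of this example, not rules stated on this page.

```python
import re
SAMPLE = """# Constructed sample in the page's format (not a real site's file).
algorithm rsasha1
zsklength 1024
ksklife 15768000   # Half-year.
zsklife 1800
lifespan-min 3600
zonecheck-opts -k   ignore
entropy_msg yes
"""
FLAGS = ("entropy_msg", "savekeys", "usegui")        # values must be 0 or 1
NUMERIC = ("ksklength", "zsklength", "ksklife", "zsklife", "lifespan-min", "lifespan-max")
MIN_RSA_BITS = 2048                                  # assumed local policy

def parse_conf(text):
    """Return {keyword: value}, value tokens joined by single spaces."""
    conf = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":              # blank or comment line
            continue
        # Assumption: trailing "# ..." text is a comment, as in the example file.
        line = re.split(r"\s+#", line, maxsplit=1)[0]
        keyword, *tokens = line.split()
        conf[keyword] = " ".join(tokens)
    return conf

def audit(conf):
    """Return findings for malformed values and weak or inconsistent settings."""
    out, nums = [], {}
    for key in FLAGS:
        if key in conf and conf[key] not in ("0", "1"):
            out.append(f"{key}: flag must be 0 or 1, got {conf[key]!r}")
    for key in NUMERIC:
        if key in conf and conf[key].isdigit():
            nums[key] = int(conf[key])
        elif key in conf:
            out.append(f"{key}: expected a whole number, got {conf[key]!r}")
    algo = conf.get("algorithm", "").lower()
    if "sha1" in algo:
        out.append(f"algorithm: {algo} relies on SHA-1")
    for key in ("ksklength", "zsklength"):
        if algo.startswith("rsa") and nums.get(key, MIN_RSA_BITS) < MIN_RSA_BITS:
            out.append(f"{key}: {nums[key]}-bit RSA is below {MIN_RSA_BITS}")
    lo, hi = nums.get("lifespan-min", 0), nums.get("lifespan-max", float("inf"))
    for key in ("ksklife", "zsklife"):
        if key in nums and not lo <= nums[key] <= hi:
            out.append(f"{key}: {nums[key]}s is outside lifespan-min..lifespan-max")
    return out

if __name__ == "__main__":
    print("\n".join(audit(parse_conf(SAMPLE))))
```

Under this example's assumed policy, the algorithm rsasha1 and zsklength 1024 values from the example file above are both reported.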
COPYRIGHT
Copyright 2005-2008 SPARTA, Inc. All rights reserved. See the COPYING
file included with the DNSSEC-Tools package for details.
AUTHOR
Wayne Morrison, tewok@users.sourceforge.net
SEE ALSO
dtinitconf(8), dtconfchk(8), keyarch(8), rollerd(8), zonesigner(8)
Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::keyrec.pm(3)
Net::DNS::SEC::Tools::rollmgr.pm(3)