Provided by: dnssec-tools_1.5-1_all

NAME

       dnssec-tools.conf - Configuration file for the DNSSEC-Tools programs.

DESCRIPTION

       This file contains configuration information for the DNSSEC-Tools
       programs.  These configuration data are used if nothing else has been
       specified for a particular program.  The conf.pm module is used to
       parse this configuration file.

       The recognized configuration fields are described in the Configuration
       Records section below.  Some configuration entries are optional and a
       configuration file need not contain a complete list of entries.

       A line in the configuration file contains either a comment or a
       configuration entry.  Comment lines start with either a '#' character
       or a ';' character.  Comment lines and blank lines are ignored by the
       DNSSEC-Tools programs.

       Configuration entries are in a keyword/value format.  The keyword is a
       character string that contains no whitespace.  The value is a tokenized
       list of the remaining character groups, with each token separated by a
       single space.

       True/false flags must be given a 1 (true) or 0 (false) value.

Configuration Records

       The following records are recognized by the DNSSEC-Tools programs.  Not
       every DNSSEC-Tools program requires each of these records.

       admin-email
           The email address for the DNSSEC-Tools administrator.

       algorithm
           The default cryptographic algorithm to be passed to dnssec-keygen.

       archivedir
           The pathname to the archived-key directory.

       default_keyrec
           The default keyrec filename to be used by the keyrec.pm module.

       endtime
           The zone default expiration time to be passed to dnssec-signzone.

       entropy_msg
           A true/false flag indicating if the zonesigner command should
           display a message about entropy generation.  This is primarily
           dependent on the implementation of a system’s random number
           generation.

       keyarch
           The path to the DNSSEC-Tools keyarch command.

       keygen
           The path to the dnssec-keygen command.

       keygen-opts
           Options to pass to the dnssec-keygen command.

       kskcount
           The default number of KSK keys that will be generated for each
           zone.

       ksklength
           The default KSK key length to be passed to dnssec-keygen.

       ksklife
           The default length of time between KSK roll-overs.  This is
           measured in seconds.

           This value is only used for key roll-over.  Keys do not have a
           life-time in any other sense.

       lifespan-max
           The maximum length of time a key should be in use before it is
           rolled over.  This is measured in seconds.

       lifespan-min
           The minimum length of time a key should be in use before it is
           rolled over.  This is measured in seconds.

       random
           The random number generator device to be passed to dnssec-keygen.

       roll_logfile
           The log file used by rollerd.

       roll_loglevel
           The default logging level used by rollerd.  The valid levels are
           defined and described in rollmgr.pm.

       roll_sleeptime
           The number of seconds rollerd must wait at the end of each zone-
           checking cycle.

       savekeys
           A true/false flag indicating if old keys should be moved to the
           archive directory.

       usegui
           Flag to allow/disallow usage of the GUI for specifying command
           options.

       zonecheck
           The path to the named-checkzone command.

       zonecheck-opts
           Options to pass to the named-checkzone command.

       zonesign
           The path to the dnssec-signzone command.

       zonesign-opts
           Options to pass to the dnssec-signzone command.

       zonesigner
           The path to the DNSSEC-Tools zonesigner command.

       zskcount
           The default number of ZSK keys that will be generated for each
           zone.

       zsklength
           The default ZSK key length to be passed to dnssec-keygen.

       zsklife
           The default length of time between ZSK roll-overs.  This is
           measured in seconds.

           This value is only used for key roll-over.  Keys do not have a
           life-time in any other sense.

Sample Times

       Several configuration fields measure various times.  This section is a
       convenient reference for several common times, as measured in seconds.

           3600        - hour
           86400       - day
           604800      - week
           2592000     - 30-day month
           15768000    - half-year
           31536000    - year

Example File

       The following is an example dnssec-tools.conf configuration file.

           #
           # Settings for DNSSEC-Tools administration.
           #
           admin-email     tewok@squirrelking.net

           #
           # Paths to required programs.  These may need adjusting for
           # individual hosts.
           #
           keygen          /usr/local/sbin/dnssec-keygen
           rndc            /usr/local/sbin/rndc
           viewimage       /usr/X11R6/bin/xview
           zonecheck       /usr/local/sbin/named-checkzone
           zonecheck-opts  -k ignore
           zonesign        /usr/local/sbin/dnssec-signzone

           keyarch         /usr/bin/keyarch
           rollrec-chk     /usr/bin/rollrec-check
           zonesigner      /usr/bin/zonesigner

           #
           # Settings for dnssec-keygen.
           #
           algorithm   rsasha1
           ksklength   2048
           zsklength   1024
           random      /dev/urandom

           #
           # Settings for dnssec-signzone.
           #
           endtime             +2592000        # RRSIGs good for 30 days.

           #
           # Life-times for keys.  These defaults indicate how long a key has
           # between roll-overs.  The values are measured in seconds.
           #
           ksklife         15768000            # Half-year.
           zsklife         604800              # One week.
           lifespan-max    94608000            # Two years.
           lifespan-min    3600                # One hour.

           #
           # Settings that will be noticed by zonesigner.
           #
           archivedir          /usr/local/etc/dnssec-tools/KEY-SAFE
           default_keyrec      default.krf
           entropy_msg         0
           savekeys            1
           zskcount            1

           #
           # Settings for rollover-manager.
           #
           roll_logfile    /usr/local/etc/dnssec-tools/log-rollerd
           roll_loglevel   info
           roll_sleeptime  60

           #
           # GUI-usage flag.
           #
           usegui              0
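
       The following checker is an added example, not code from DNSSEC-Tools
       (it is neither conf.pm nor dtconfchk).  It parses a file using the line
       rules above and reports values that break the documented field rules.
       Assumptions: trailing comments are stripped as the example file
       suggests, command paths should be absolute, and the 2048-bit RSA floor
       is a local policy choice.

```python
import re

FLAGS = ("entropy_msg", "savekeys")  # field groups come from Configuration Records
SECONDS = ("ksklife", "zsklife", "lifespan-max", "lifespan-min", "roll_sleeptime")
COMMANDS = ("keygen", "zonesign", "zonecheck", "keyarch", "zonesigner")
MIN_RSA_BITS = 2048  # assumption: local policy floor, not a DNSSEC-Tools default

SAMPLE = """\
# Constructed sample input, not taken from a real host.
; Both comment styles are accepted.
algorithm      rsasha1
keygen         dnssec-keygen
zonecheck-opts -k ignore
zsklength      1024
ksklife        15768000    # Half-year.
zsklife        1800
lifespan-max   94608000
lifespan-min   3600
savekeys       yes
"""

def parse_conf(text):
    """Return {keyword: [tokens]} using the line rules described above."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":       # blank and comment lines are ignored
            # Assumption: whitespace followed by '#' or ';' starts a trailing comment.
            keyword, *tokens = re.split(r"\s+[#;]", line, maxsplit=1)[0].split()
            conf[keyword] = tokens
    return conf

def audit(conf):
    """Return findings for values that break the documented rules or the floor."""
    val = lambda k: conf[k][0] if conf.get(k) else ""
    num = lambda k: int(val(k)) if re.fullmatch(r"[0-9]+", val(k)) else None
    out = [f"{k}: flag must be 1 or 0" for k in FLAGS
           if k in conf and val(k) not in ("0", "1")]
    out += [f"{k}: expected a positive number of seconds" for k in SECONDS
            if k in conf and not num(k)]
    lo, hi = num("lifespan-min"), num("lifespan-max")
    out += [f"{k}: outside lifespan-min..lifespan-max" for k in ("ksklife", "zsklife")
            if num(k) and ((lo and num(k) < lo) or (hi and num(k) > hi))]
    out += [f"{k}: command path is not absolute" for k in COMMANDS
            if k in conf and not val(k).startswith("/")]
    if val("algorithm").lower().startswith("rsa"):
        out += [f"{k}: {num(k)}-bit RSA key is below {MIN_RSA_BITS}" for k in
                ("ksklength", "zsklength") if num(k) and num(k) < MIN_RSA_BITS]
    return out
```

       Calling audit(parse_conf(SAMPLE)) returns one finding each for
       savekeys, zsklife, keygen and zsklength.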

COPYRIGHT

       Copyright 2005-2008 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@users.sourceforge.net

SEE ALSO

       dtinitconf(8), dtconfchk(8), keyarch(8), rollerd(8), zonesigner(8)

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::keyrec.pm(3),
       Net::DNS::SEC::Tools::rollmgr.pm(3)