Provided by: dnssec-tools_2.0-1_all bug

NAME

       dtinitconf - Creates a DNSSEC-Tools configuration file

SYNOPSIS

         dtinitconf [options]

DESCRIPTION

       The dtinitconf program initializes the DNSSEC-Tools configuration file.  By default, the
       actual configuration file will be created, though the created file can be specified by the
       user.  Existing files, whether the default or one specified by the user, will not be
       overwritten unless specifically directed by the user.

       Each configuration field can be individually specified on the command line.  The user will
       also be prompted for the fields, with default values taken from the DNSSEC-Tools
       defaults.pm module.  If the -noprompt option is given, then a default configuration file
       (modulo command-line arguments) will be created.

       Configuration entries are created for several BIND programs.  Several locations on the
       system are searched to find the locations of these programs.  First, the directories in
       the path environment variable are checked; the names of any directories that contain the
       BIND programs are saved.  Next, several common locations for BIND programs are checked;
       again, the names of directories that contain the BIND programs are saved.  After
       collecting these directories, the user is presented with this list and may choose to use
       whichever set is desired.  If no directories are found that contain the BIND programs, the
       user is prompted for the proper location.

       If the configuration file's parent directory does not exist, then an attempt is made to
       create the directory.  The new directory's ownership will be set to root for the owner and
       dnssec for the group, assuming the dnssec group exists.  Writability checks for the
       directory will not be performed if the -outfile option is given.

OPTIONS

       dtinitconf takes options that control the contents of the newly generated DNSSEC-Tools
       configuration file.  Each configuration file entry has a corresponding command-line
       option.  The options, described below, are ordered in logical groups.

   Key-related Options
       These options deal with different aspects of creating and managing encryption keys.

       -algorithm algorithm
           Selects the cryptographic algorithm. The value of algorithm must be one that is
           recognized by the installed version of dnssec-keygen.

       -kskcount KSK-count
           The default number of KSK keys that will be created for a zone.

       -ksklength keylen
           The default KSK key length to be passed to dnssec-keygen.

       -ksklife lifespan
           The default length of time between KSK rollovers.  This is measured in seconds.  This
           value must be within the range of the minlife and maxlife values.

           This value is only used for key rollover.  Keys do not have a life-time in any other
           sense.

       -maxlife maxlifespan
           The maximum length of time between key rollovers.  This is measured in seconds.  The
           ksklife and zsklife values must be not greater than this value.

           This value is only used for key rollover.  Keys do not have a life-time in any other
           sense.

       -minlife minlifespan
           The minimum length of time between key rollovers.  This is measured in seconds.  The
           ksklife and zsklife values must be not less than this value.

           This value is only used for key rollover.  Keys do not have a life-time in any other
           sense.

       -zskcount ZSK-count
           The default number of ZSK keys that will be created for a zone.

       -zsklength keylen
           The default ZSK key length to be passed to dnssec-keygen.

       -zsklife lifespan
           The default length of time between ZSK rollovers.  This is measured in seconds.  This
           value must be within the range of the minlife and maxlife values.

           This value is only used for key rollover.  Keys do not have a life-time in any other
           sense.

       -random randomdev
           The random device generator to be passed to dnssec-keygen.

   Zone-related Options
       These options deal with different aspects of zone signing.

       -endtime endtime
           The zone default expiration time to be passed to dnssec-signzone.

   trustman-related Options
       These options deal with different aspects of executing trustman.

       -genroothints roothints
           A new root.hints file will be created at the specified location.  dtinitconf requires
           that the file not already exist.

           The root.hints file is retrieved from http://www.internic.net/zones/named.root.  It is
           not considered a fatal error if dtinitconf is unable to fetch the file.  Rather, a
           warning message will be given and creation of the configuration file will continue.

       -ta-contact email
           The email address of the trustman administrator.

       -ta-resolvconf resolvconffile
           The location of the resolv.conf file.

       -ta-smtpserver hostname
           The SMTP server for the trustman command.

       -ta-tmpdir hostname
           The temporary directory for the trustman command.

   BIND Options
       These options deal specifically with functionality provided by BIND.

       -rndc rndc-path
           rndc is the path to BIND's rndc command.

   DNSSEC-Tools Options
       These options deal specifically with functionality provided by DNSSEC-Tools.

       -admin email-address
           admin is the email address of the DNSSEC-Tools administrator.  This is the default
           address used by the dt_adminmail() routine.

       -archivedir directory
           directory is the archived-key directory.  Old encryption keys are moved to this
           directory, but only if they are to be saved and not deleted.

       -autosign
           A flag indicating that rollerd should automatically sign zonefiles that are found to
           be newer than their signed zonefile.  If -noautosign is specified, this will be set to
           false.

       -binddir directory
           directory is the directory holding the BIND programs.  If the reserved word "path" is
           specified, then existence of the BIND programs is not verified when dtinitconf is
           executed.  Rather, the user's PATH directories will be searched for the BIND programs
           when the DNSSEC-Tools are executed.

       -dtdir directory
           directory is the directory holding the DNSSEC-Tools programs.  If the reserved word
           "path" is specified, then existence of the DNSSEC-Tools programs is not verified when
           dtinitconf is executed.  Rather, the user's PATH directories will be searched for the
           DNSSEC-Tools programs when those tools are executed.

       -entropy_msg
           A flag indicating that zonesigner should display a message about entropy generation.
           This is primarily dependent on the implementation of a system's random number
           generation.

       -mailer-server host
           The mail server that will be contacted by dt_adminmail().  This is passed to
           Mail::Send.

       -mailer-server mailtype
           The mail type that will be contacted by dt_adminmail().  This is passed to
           Mail::Mailer (by way of Mail::Send.)  Any values recognized by Mail::Mailer may be
           used here.

       -noentropy_msg
           A flag indicating that zonesigner should not display a message about entropy
           generation.  This is primarily dependent on the implementation of a system's random
           number generation.

       -roll-loadzone
       -no-roll-loadzone
           Flags indicating whether or not rollerd should have the DNS daemon load zones.

       -roll-logfile logfile
           logfile is the logfile for the rollerd daemon.

       -roll-loglevel loglevel
           loglevel is the logging level for the rollerd daemon.

       -roll-phasemsg length
           length is the default length of phase-related log messages used by rollerd.  The valid
           levels are "long" and "short", with "long" being the default value.

           The long message length means that a phase description will be included with some log
           messages.  For example, the long form of a message about ZSK rollover phase 3 will
           look like this:  "ZSK phase 3 (Waiting for old zone data to expire from caches)".

           The short message length means that a phase description will not be included with some
           log messages.  For example, the short form of a message about ZSK rollover phase 3
           will look like this:  "ZSK phase 3".

       -roll-sleeptime sleep-time
           sleep-time is the sleep-time for the rollerd daemon.

       -roll-username username
           username is the user for which the rollerd daemon will be executed.  If this is a
           username, it must correspond to a valid uid; if it is a uid, it must correspond to a
           valid username.

       -roll-logtz logtz
           loglevel is the timezone of the message timestamp for rollerd's logfile.

       -zoneerrs error-count
           error-count is the maximum error count for zones used by the rollerd daemon.

       -savekeys
           A flag indicating that old keys should be moved to the archive directory.

       -nosavekeys
           A flag indicating that old keys should not be moved to the archive directory but will
           instead be left in place.

       -usegui
           A flag indicating that the GUI for specifying command options may be used.

       -nousegui
           A flag indicating that the GUI for specifying command options should not be used.

       -zoneparser parser-module
           parser-module is the name of the Perl module that will be used to parse zone files.
           The default is specified in dnssec_tools_default().

   dtinitconf Options
       These options deal specifically with dtinitconf.

       -outfile conffile
           The configuration file will be written to conffile.  If this is not given, then the
           default configuration file (as returned by Net::DNS::SEC::Tools::conf::getconffile())
           will be used.

           If conffile is given as -, then the new configuration file will be written to the
           standard output.

           conffile must be writable.

       -overwrite
           If -overwrite is specified, existing output files may be overwritten.  Without
           -overwrite, if the output file is found to exist then dtinitconf will give an error
           message and exit.

       -noprompt
           If -noprompt is specified, the user will not be prompted for any input.  The
           configuration file will be created from command-line options and DNSSEC-Tools
           defaults.  Guesses will be made for the BIND paths, based on the PATH environment
           variable.

           WARNING:  After using the -noprompt option, the configuration file must be checked to
           ensure that the defaults are appropriate and acceptable for the installation.

       -template
           If -template is specified, a default configuration file is created.  However, all
           entries are commented out.

           The only command line options that may be used in conjunction with -template are
           -outfile and -overwrite.

       -edit
           If -edit is specified, the output file will be edited after it has been created.  The
           EDITOR environment variable is consulted for the editor to use.  If the EDITOR
           environment variable isn't defined, then the vi editor will be used.

       -verbose
           Provide verbose output.

       -Version
           Displays the version information for dtinitconf and the DNSSEC-Tools package.

       -help
           Display a usage message and exit.

COPYRIGHT

       Copyright 2006-2013 SPARTA, Inc.  All rights reserved.  See the COPYING file included with
       the DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@tislabs.com

SEE ALSO

       dnssec-keygen(8), dnssec-signzone(8), named-checkzone(8), keyarch(8), rollckk(8),
       rollerd(8), zonesigner(8)

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3),
       Net::DNS::SEC::Tools::dnssectools.pm(3), Net::DNS::SEC::Tools::tooloptions.pm(3),
       QWizard.pm(3)

       dnssec-tools.conf(5)