Provided by: dnssec-tools_2.2-2_all

NAME

       dnssec-tools.conf - Configuration file for the DNSSEC-Tools programs.

DESCRIPTION

       This file contains configuration information for the DNSSEC-Tools programs.  These
       configuration data are used if nothing else has been specified for a particular program.
       The conf.pm module is used to parse this configuration file.

       The recognized configuration fields are described in the Configuration Records section
       below.  Some configuration entries are optional and a configuration file need not contain
       a complete list of entries.

       A line in the configuration file contains either a comment or a configuration entry.
       Comment lines start with either a '#' character or a ';' character.  Comment lines and
       blank lines are ignored by the DNSSEC-Tools programs.

       Configuration entries are in a keyword/value format.  The keyword is a character string
       that contains no whitespace.  The value is a tokenized list of the remaining character
       groups, with each token separated by a single space.

       True/false flags must be given a 1 (true) or 0 (false) value.

Configuration Records

       The following records are recognized by the DNSSEC-Tools programs.  Not every DNSSEC-Tools
       program requires each of these records.

       admin-email
           The email address for the DNSSEC-Tools administrator.

       algorithm
           The default encryption algorithm to be passed to dnssec-keygen.

       archivedir
           The pathname to the archived-key directory.

       autosign
           A true/false flag indicating if rollerd should automatically sign zonefiles that have
           been modified more recently than their signed versions.

       default_keyrec
           The default keyrec filename to be used by the keyrec.pm module.

       endtime
           The zone default expiration time to be passed to dnssec-signzone.

       entropy_msg
           A true/false flag indicating if the zonesigner command should display a message about
           entropy generation.  This is primarily dependent on the implementation of a system's
           random number generation.

       genkrf
           The path to the DNSSEC-Tools genkrf command.

       keyarch
           The path to the DNSSEC-Tools keyarch command.

       keygen
           The path to the dnssec-keygen command.

       keygen-opts
           Options to pass to the dnssec-keygen command.

       kskcount
           The default number of KSK keys that will be generated for each zone.

       ksklength
           The default KSK key length to be passed to dnssec-keygen.

       ksklife
           The default length of time between KSK roll-overs.  This is measured in seconds.

           This value is only used for key roll-over.  Keys do not have a life-time in any other
           sense.

       lifespan-max
           The maximum length of time a key should be in use before it is rolled over.  This is
           measured in seconds.

       lifespan-min
           The minimum length of time a key should be in use before it is rolled over.  This is
           measured in seconds.

       log_tz
           The timezone to be used in log messages.  The value may be either 'gmt' (for Greenwich
           Mean Time) or 'local' (for the host's local time.)

       mailer-server
           The mail server that will be contacted by dt_adminmail().  This is passed to
           Mail::Send.  The default value is localhost.

       mailer-type
           The type of mailer that will be contacted by dt_adminmail().  This is passed to
           Mail::Mailer (by way of Mail::Send.)  Any values recognized by Mail::Mailer may be
           used here.  The default value is smtp.

       prog-ksk1 ... prog-ksk7
           A bang-separated list of commands to run when a zone enters a particular KSK
           rollover phase.  The programs can replace default rollover actions or be executed in
           addition to the default actions.  The default keyword must be included if the default
           action should be taken.  Options and arguments may be passed to non-default commands.

           The default rollover action and requirements for user-written phase commands are
           described in the documentation for rollerd.

       prog-normal
           A bang-separated list of commands to run when a zone enters the normal, non-rollover
           phase.  The programs can replace default actions or be executed in addition to the
           default actions.  The default keyword must be included if the default action should
           be taken.  Options and arguments may be passed to non-default commands.

           The default rollover action and requirements for user-written phase commands are
           described in the documentation for rollerd.

       prog-zsk1 ... prog-zsk7
           A bang-separated list of commands to run when a zone enters a particular ZSK
           rollover phase.  The programs can replace default rollover actions or be executed in
           addition to the default actions.  The default keyword must be included if the default
           action should be taken.  Options and arguments may be passed to non-default commands.

           The default rollover action and requirements for user-written phase commands are
           described in the documentation for rollerd.

       random
           The random device generator to be passed to dnssec-keygen.

       rndc
           The path to the rndc command.

       rndc-opts
           Options to pass to the rndc command.

       roll_loadzone
           A flag indicating if rollerd should have the DNS daemon reload zones.

       roll_logfile
           The log file used by rollerd.

       roll_loglevel
           The default logging level used by rollerd.  The valid levels are defined and described
           in rollmgr.pm.

       roll_phasemsg
           The default length of phase-related log messages used by rollerd.  The valid levels
           are "long" and "short", with "long" being the default value.

           The long message length means that a phase description will be included with some log
           messages.  For example, the long form of a message about ZSK rollover phase 3 will
           look like this:  "ZSK phase 3 (Waiting for old zone data to expire from caches)".

           The short message length means that a phase description will not be included with some
           log messages.  For example, the short form of a message about ZSK rollover phase 3
           will look like this:  "ZSK phase 3".

       roll_sleeptime
           The number of seconds rollerd must wait at the end of each zone-checking cycle.

       roll_username
           The username that rollerd will be run by.  The name will be converted to its
           associated uid, and the effective uid of the rollerd process will be set to that uid.
           This may be given as a user name or a uid.

       rollctl
           The path to the DNSSEC-Tools rollctl command.

       savekeys
           A true/false flag indicating if old keys should be moved to the archive directory.

       usegui
           Flag to allow/disallow usage of the GUI for specifying command options.

       zonecheck
           The path to the named-checkzone command.

       zonecheck-opts
           Options to pass to the named-checkzone command.

       zone_errors
           The maximum number of consecutive errors a zone may have.  When this is exceeded,
           rollerd will mark the zone as a skip zone.  If this value is zero, or isn't included
           in the file, then error conditions will not affect a zone's roll/skip status.  This
           may be overridden by the maxerrors field in a zone's entry in a rollrec file.

       zonefile-parser
           The name of the Perl module that will be used to parse zone files.  This should be set
           without the .pm suffix.  The default parser is Net::DNS::ZoneFile.pm.

           Older versions of Net::DNS::ZoneFile::Fast.pm may be used, but more recent versions
           have problems with DNSSEC records.

       zonesign
           The path to the dnssec-signzone command.

       zonesign-opts
           Options to pass to the dnssec-signzone command.

       zonesigner
           The path to the DNSSEC-Tools zonesigner command.

       zskcount
           The default number of ZSK keys that will be generated for each zone.

       zsklength
           The default ZSK key length to be passed to dnssec-keygen.

       zsklife
           The default length of time between ZSK roll-overs.  This is measured in seconds.

           This value is only used for key roll-over.  Keys do not have a life-time in any other
           sense.

Sample Times

       Several configuration fields measure various times.  This section is a convenient
       reference for several common times, as measured in seconds.

           3600        - hour
           86400       - day
           604800      - week
           2592000     - 30-day month
           15768000    - half-year
           31536000    - year

Example File

       The following is an example dnssec-tools.conf configuration file.

           #
           # Settings for DNSSEC-Tools administration.
           #
           admin-email     tewok@squirrelking.net

           #
           # Paths to required programs.  These may need adjusting for
           # individual hosts.
           #
           keygen          /usr/local/sbin/dnssec-keygen
           rndc            /usr/local/sbin/rndc
           rndc-opts       -p 2288
           zonecheck       /usr/local/sbin/named-checkzone
           zonecheck-opts  -i local -k ignore
           zonesign        /usr/local/sbin/dnssec-signzone

           genkrf          /usr/bin/genkrf
           keyarch         /usr/bin/keyarch
           rollchk         /usr/bin/rollchk
           rollctl         /usr/bin/rollctl
           zonesigner      /usr/bin/zonesigner

           #
           # The name of the Perl module that will be used to parse zone files.
           #
           zonefile-parser     Bobs::Wonderful::DNS::Zone-Parse-Thingum

           #
           # Special processing for a couple of zone phases.
           #
           prog-ksk5       xfer-ds-epp !default ! adminmail mary bob
           prog-ksk6       check-for-ds

           #
           # Settings for dnssec-keygen.
           #
           algorithm   rsasha1
           ksklength   2048
           zsklength   1024
           random      /dev/urandom

           #
           # Settings for dnssec-signzone.
           #
           endtime             +2592000        # RRSIGs good for 30 days.

           #
           # Life-times for keys.  These defaults indicate how long a key has
           # between roll-overs.  The values are measured in seconds.
           #
           ksklife         15768000            # Half-year.
           zsklife         604800              # One week.
           lifespan-max    94608000            # Two years.
           lifespan-min    3600                # One hour.

           #
           # Settings that will be noticed by zonesigner.
           #
           archivedir          /usr/local/etc/dnssec-tools/KEY-SAFE
           default_keyrec      default.krf
           entropy_msg         0
           savekeys            1
           zskcount            1

           #
           # Settings for rollover-manager.
           #
           roll_logfile    /usr/local/etc/dnssec-tools/log-rollerd
           roll_loglevel   info
           roll_sleeptime  60
           autosign        1
           zone_errors     3

           log_tz              local

           #
           # GUI-usage flag.
           #
           usegui              0
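
       The following is an added example, not part of DNSSEC-Tools or its conf.pm module.  It
       parses a file in the keyword/value format described above (comment lines beginning
       with '#' or ';', blank lines ignored, the value tokenized on whitespace), splits a
       prog-ksk/prog-zsk/prog-normal value into its bang-separated commands, and runs a few
       sanity checks over the parsed records before the file is handed to rollerd or
       zonesigner.  Two things are assumptions of this example rather than statements from
       the page: a trailing '#' comment on a value line is stripped (the example file above
       uses them), and the requirement that ksklife and zsklife fall between lifespan-min and
       lifespan-max is this example's policy, not a rule the DNSSEC-Tools programs enforce.
       The sample configuration embedded in the block is constructed from the example file.

```python
"""Parser and sanity checker for the dnssec-tools.conf keyword/value format.

Added example; not the DNSSEC-Tools conf.pm parser.  Assumptions beyond the man
page: trailing '#' comments on a value line are stripped, a repeated keyword
replaces the earlier entry, and the lifetime range check is our own policy.
"""

# True/false flags named in the Configuration Records section: must be 0 or 1.
FLAG_KEYS = ("autosign", "entropy_msg", "roll_loadzone", "savekeys", "usegui")
# Fields with a fixed set of accepted values, per the man page.
ENUM_KEYS = {"log_tz": {"gmt", "local"}, "roll_phasemsg": {"long", "short"}}
# Fields the man page says are measured in seconds.
SECONDS_KEYS = ("ksklife", "zsklife", "lifespan-max", "lifespan-min", "roll_sleeptime")


def parse_conf(text):
    """Return {keyword: [token, ...]} for a dnssec-tools.conf style document."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # comment or blank line: ignored
            continue
        line = line.split("#", 1)[0].rstrip()  # assumption: drop trailing comment
        parts = line.split()                 # keyword, then whitespace-separated tokens
        entries[parts[0]] = parts[1:]
    return entries


def parse_phase_commands(tokens):
    """Split a prog-* value into its bang-separated commands.

    Each command keeps its own options/arguments; the literal 'default' entry
    means the built-in rollerd action should run as well.
    """
    return [c.strip() for c in " ".join(tokens).split("!") if c.strip()]


def check_conf(entries):
    """Return a list of problem descriptions; an empty list means all checks passed."""
    problems = []
    for key in FLAG_KEYS:
        if key in entries and entries[key] not in (["0"], ["1"]):
            problems.append(f"{key}: flag must be 0 or 1, got {' '.join(entries[key])!r}")
    for key, allowed in ENUM_KEYS.items():
        val = entries.get(key)
        if val is not None and (len(val) != 1 or val[0] not in allowed):
            problems.append(f"{key}: expected one of {sorted(allowed)}, got {' '.join(val)!r}")
    secs = {}
    for key in SECONDS_KEYS:
        val = entries.get(key)
        if val is None:
            continue
        if len(val) != 1 or not val[0].isdigit():
            problems.append(f"{key}: expected a single non-negative integer (seconds)")
        else:
            secs[key] = int(val[0])
    # Example policy: key lifetimes must sit inside [lifespan-min, lifespan-max].
    lo, hi = secs.get("lifespan-min"), secs.get("lifespan-max")
    for key in ("ksklife", "zsklife"):
        if key in secs and lo is not None and secs[key] < lo:
            problems.append(f"{key}: {secs[key]}s is below lifespan-min ({lo}s)")
        if key in secs and hi is not None and secs[key] > hi:
            problems.append(f"{key}: {secs[key]}s exceeds lifespan-max ({hi}s)")
    return problems


# Constructed sample, based on the example file in the man page.
SAMPLE_CONF = """\
# Settings for DNSSEC-Tools administration.
admin-email     tewok@squirrelking.net
keygen          /usr/local/sbin/dnssec-keygen
rndc-opts       -p 2288
zonecheck-opts  -i local -k ignore
prog-ksk5       xfer-ds-epp !default ! adminmail mary bob
algorithm       rsasha1
ksklength       2048
endtime         +2592000        # RRSIGs good for 30 days.
ksklife         15768000        # Half-year.
zsklife         604800          # One week.
lifespan-max    94608000        # Two years.
lifespan-min    3600            # One hour.
; semicolon comment lines are ignored too
entropy_msg     0
savekeys        1
roll_loglevel   info
roll_sleeptime  60
autosign        1
zone_errors     3
log_tz          local
usegui          0
"""

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("prog-ksk5 commands:", parse_phase_commands(conf["prog-ksk5"]))
    for p in check_conf(conf) or ["no problems found"]:
        print(p)
```

       Running the block on the embedded sample reports no problems and shows prog-ksk5
       expanding to the three commands xfer-ds-epp, default and "adminmail mary bob".  Feeding
       it a file with, say, "autosign yes" or a zsklife shorter than lifespan-min produces one
       problem line per violation, which is the kind of check worth running before rollerd
       picks the file up.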

COPYRIGHT

       Copyright 2005-2013 SPARTA, Inc.  All rights reserved.  See the COPYING file included with
       the DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@tislabs.com

SEE ALSO

       dtinitconf(8), dtconfchk(8), keyarch(8), rollerd(8), zonesigner(8)

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::keyrec.pm(3)
       Net::DNS::SEC::Tools::rollmgr.pm(3)