xenial (1) dtconfchk.1p.gz

Provided by: dnssec-tools_2.2-2_all

NAME

       dtconfchk - Check a DNSSEC-Tools configuration file for sanity

SYNOPSIS

         dtconfchk [options] [config_file]

DESCRIPTION

       dtconfchk checks a DNSSEC-Tools configuration file to determine if the entries are valid.  If a
       configuration file isn't specified, the system configuration file will be verified.

       Without any display options, dtconfchk displays error messages for problems found, followed by a summary
       line.  Display options will increase or decrease the amount of detail about the configuration file's
       sanity.  In all cases, the exit code is the count of errors found in the file.

       The tests are divided into five groups:  key-related checks, zone-related checks, path checks, rollover
       checks, and miscellaneous checks.  The checks in each of these self-explanatory groups are described
       below.

       The default_keyrec configuration entry is not checked.  This entry specifies the default keyrec file name
       and isn't necessarily expected to exist in any particular place.

   Boolean Values
       The DNSSEC-Tools configuration file has a number of fields that are expected to hold boolean values.  The
       recognized values for booleans are as follows:

           true values  - 1, true,  t, yes, y
           false values - 0, false, f, no,  n

       Positive values greater than 1 are recognized as true values, but it probably would be best to use 1.

       Text values that aren't in the set above are not valid and will translate to false values.

   Key-related Checks
       The following key-related checks are performed:

       algorithm
               Ensure the algorithm field is valid.  The acceptable values may be found in the dnssec-keygen man
               page.

       ksklength
               Ensure the ksklength field is valid.  The acceptable values may be found in the dnssec-keygen man
               page.  This may also be specified as ksklen.

       ksklife Ensure the ksklife field is valid.  The acceptable values may be found in the defaults.pm man
               page.

       zskcount
               Ensure the zskcount field is valid.  The ZSK count must be positive.

       zsklength
               Ensure the zsklength field is valid.  The acceptable values may be found in the dnssec-keygen man
               page.  This may also be specified as zsklen.

       zsklife Ensure the zsklife field is valid.  The acceptable values may be found in the defaults.pm man
               page.

       random  Ensure the random field is valid.  This file must be a character device file.

   Zone-related Checks
       The following zone-related checks are performed:

       endtime Ensure the endtime field is valid.  This value is assumed to be in the "+NNNNNN" format.  There
               is a lower limit of two hours.  (This is an artificial limit under which it may not make sense to
               have an end-time.)

   Path Checks
       Path checks are performed for several DNSSEC-Tools commands, several BIND commands, and a few
       miscellaneous files.

       The following path checks are performed for DNSSEC-Tools commands:

       genkrf  Ensure the genkrf field is valid.  If the filename starts with a '/', the file must be a regular
               executable file.

       keyarch Ensure the keyarch field is valid.  If the filename starts with a '/', the file must be a regular
               executable file.

       rollchk Ensure the rollchk field is valid.  If the filename starts with a '/', the file must be a regular
               executable file.

       rollctl Ensure the rollctl field is valid.  If the filename starts with a '/', the file must be a regular
               executable file.

       zonesigner
               Ensure the zonesigner field is valid.  If the filename starts with a '/', the file must be a
               regular executable file.

       The following path checks are performed for BIND tools:

       keygen  Ensure the keygen field is valid.  If the filename starts with a '/', the file must be a regular
               executable file.

       rndc    Ensure the rndc field is valid.  If the filename starts with a '/', the file must be a regular
               executable file.

       zonecheck
               Ensure the zonecheck field is valid.  If the filename starts with a '/', the file must be a
               regular executable file.

       zonesign
               Ensure the zonesign field is valid.  If the filename starts with a '/', the file must be a
               regular executable file.

       The following path checks are performed for miscellaneous files and directories:

       random  Ensure the random field is valid.  The file must be a character device file.

       roll_logfile
               Ensure the roll_logfile field is a regular file.

       taresolvconf
               Ensure the taresolvconf field is a regular file.

       tatmpdir
               Ensure the tatmpdir field is a directory.

   Rollover Daemon Checks
       The following checks are performed for rollerd values:

       autosign
               Ensure that the autosign flag is a valid boolean.

       log_tz  Ensure the log_tz field is either 'gmt' or 'local'.

       prog_normal
       prog_ksk1 ... prog_ksk7
       prog_zsk1 ... prog_zsk4
               Ensure that the rollover phase commands are valid paths.  Each of these fields is a semicolon-
               separated command list.  The file checks are run on the commands to ensure the commands exist and
               are executable.  Options and arguments to the commands are ignored, as is the default keyword.

       roll_loadzone
               Ensure that the roll_loadzone flag is a valid boolean.

       roll_logfile
               Ensure that the log file for the rollerd is valid.  If the file exists, it must be a regular
               file.

       roll_loglevel
               Ensure that the logging level for the rollerd is reasonable.  The log level must be one of the
               following text or numeric values:

                   tmi        1       Overly verbose informational messages.
                   expire     3       A verbose countdown of zone expiration is given.
                   info       4       Informational messages.
                   phase      6       Current state of zone.
                   err        8       Error messages.
                   fatal      9       Fatal errors.

               Specifying a particular log level will cause messages of a higher numeric value to also be
               displayed.

       roll_sleeptime
               Ensure that the rollerd's sleep-time is reasonable.  rollerd's sleep-time must be at least one
               minute.

       roll_username
               Ensure that the username for rollerd is valid.  If it's a username, it must be translatable to a
               uid; if it's a uid, it must translate to a known username.

       zone_errors
               Ensure that the zone error count is numeric and 0 or greater.
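The prog_normal / prog_ksk* / prog_zsk* rule above (a semicolon-separated command list in which options, arguments and the default keyword are ignored, and every remaining command must exist and be executable), as an added Python example; this is not code from dtconfchk or the DNSSEC-Tools package. It creates two constructed sample files in a temporary directory, and assumes that a command without a leading '/' is resolved through PATH.

```python
import os
import shlex
import shutil
import tempfile

# Constructed sample files (not from the page): one executable, one plain file.
_demo_dir = tempfile.mkdtemp(prefix="dtconfchk-demo-")
EXEC_PATH = os.path.join(_demo_dir, "notify-ops")
PLAIN_PATH = os.path.join(_demo_dir, "notes.txt")
for _path, _mode in ((EXEC_PATH, 0o755), (PLAIN_PATH, 0o644)):
    with open(_path, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(_path, _mode)

def is_regular_executable(path):
    """The page's path rule: a regular file that is executable."""
    return os.path.isfile(path) and os.access(path, os.X_OK)

def check_phase_commands(value):
    """Validate one prog_* field: a semicolon-separated command list.

    Returns one error string per command that is missing or not executable.
    Options and arguments are dropped and the 'default' keyword is skipped,
    as the page describes.  Assumption: a command without a leading '/' is
    resolved through PATH (shutil.which), since the page only says that the
    commands must exist and be executable.
    """
    errors = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry or entry == "default":
            continue
        try:
            cmd = shlex.split(entry)[0]      # keep only the command word
        except ValueError:                   # e.g. an unterminated quote
            errors.append(f"{entry}: unparsable command")
            continue
        path = cmd if cmd.startswith("/") else shutil.which(cmd)
        if path is None or not is_regular_executable(path):
            errors.append(f"{cmd}: not a regular executable file")
    return errors
```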

   NSEC3 Checks
       The following checks are performed for NSEC3-related values:

       nsec3iter
               Ensure that the nsec3iter iteration count falls within the range used by dnssec-signzone.  The
               current values are from 1 - 65535.

       nsec3optout
               Ensure that the nsec3optout flag is a valid boolean.

       usensec3
               Ensure that the usensec3 flag is a valid boolean.

   Miscellaneous Checks
       The following miscellaneous checks are performed:

       admin-email
               Ensure that the admin-email field is defined and has a value.  dtconfchk does not try to validate
               the email address itself.

       archivedir
               Ensure that the archivedir directory is actually a directory.  This check is only performed if
               the savekeys flag is set on.

       entropy_msg
               Ensure that the entropy_msg flag is a valid boolean.

       savekeys
               Ensure that the savekeys flag is a valid boolean.  If this flag is set to 1, then the archivedir
               field will also be checked.

       usegui  Ensure that the usegui flag is a valid boolean.

       zonefile-parser
               Ensure that the zonefile-parser flag is a valid Perl module.  This is checked by using the Perl
               "require" facility to load the specified module.
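An added Python sketch, not dtconfchk's own code, that applies the Boolean Values rule and a subset of the rollerd, NSEC3 and miscellaneous checks described above to a constructed configuration fragment; the length of the returned error list is what dtconfchk uses as its exit code. It assumes the 'key value' line layout of dnssec-tools.conf and that roll_sleeptime is given in seconds.

```python
# Constructed dnssec-tools.conf-style fragment (not from the page) with deliberate mistakes.
SAMPLE_CONF = """\
roll_loadzone   maybe       # not a recognized boolean word
log_tz          local
roll_loglevel   phase
roll_sleeptime  30          # below the one-minute floor
nsec3iter       70000       # outside 1-65535
admin-email     hostmaster@example.com
zskcount        0           # the ZSK count must be positive
"""

BOOL_WORDS = {"1", "true", "t", "yes", "y", "0", "false", "f", "no", "n"}
BOOL_FIELDS = ("autosign", "roll_loadzone", "usensec3", "nsec3optout",
               "entropy_msg", "savekeys", "usegui")
LOG_LEVELS = {"tmi": 1, "expire": 3, "info": 4, "phase": 6, "err": 8, "fatal": 9}
# Numeric fields as (low, high, message).  Assumption: roll_sleeptime is in seconds.
RANGES = {"roll_sleeptime": (60, 10**9, "must be at least one minute"),
          "nsec3iter": (1, 65535, "must be within 1-65535"),
          "zskcount": (1, 10**9, "ZSK count must be positive")}

def parse_conf(text):
    """'key value' lines with '#' comments; assumes dnssec-tools.conf's layout."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = (line.split(None, 1) + [""])[:2]
            conf[key] = value
    return conf

def valid_bool(v):
    """Listed words are valid; an integer above 1 is accepted (as true) too."""
    return v.lower() in BOOL_WORDS or (v.isdigit() and int(v) > 1)

def check_conf(conf):
    """Subset of dtconfchk's checks; the length of the result is the exit code."""
    errs = [f"{f}: '{conf[f]}' is not a valid boolean"
            for f in BOOL_FIELDS if f in conf and not valid_bool(conf[f])]
    if conf.get("log_tz", "gmt") not in ("gmt", "local"):
        errs.append("log_tz: must be 'gmt' or 'local'")
    lvl = conf.get("roll_loglevel", "info")
    if lvl not in LOG_LEVELS and lvl not in map(str, LOG_LEVELS.values()):
        errs.append(f"roll_loglevel: unknown level '{lvl}'")
    for key, (lo, hi, msg) in RANGES.items():
        v = conf.get(key)
        if v is not None and not (v.isdigit() and lo <= int(v) <= hi):
            errs.append(f"{key}: {msg}")
    if not conf.get("admin-email"):
        errs.append("admin-email: must be defined and have a value")
    return errs
```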

OPTIONS

       -expert
           This option will bypass the following checks:

               - KSK has a longer lifespan than the configuration
                 file's default minimum lifespan

               - KSK has a shorter lifespan than the configuration
                 file's default maximum lifespan

               - ZSKs have a longer lifespan than the configuration
                 file's default minimum lifespan

               - ZSKs have a shorter lifespan than the configuration
                 file's default maximum lifespan

       -quiet
           No output will be given.  The number of errors will be used as the exit code.

       -summary
           A final summary of success or failure will be printed.  The number of errors will be used as the exit
           code.

       -verbose
           Success or failure status of each check will be given.  A + or - prefix will be given for each valid
           and invalid entry.  The number of errors will be used as the exit code.

       -Version
           Displays the version information for dtconfchk and the DNSSEC-Tools package.

       -help
           Display a usage message.

COPYRIGHT

       Copyright 2004-2014 SPARTA, Inc.  All rights reserved.  See the COPYING file included with the
       DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@tislabs.com

SEE ALSO

       dtdefs(8), dtinitconf(8), rollerd(8), zonesigner(8)

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3)

       dnssec-tools.conf(5)