NAME

    dnssec-tools.conf - Configuration file for the DNSSEC-Tools programs.


DESCRIPTION

This file contains configuration information for the DNSSEC-Tools programs. These configuration data are used if nothing else has been specified for a particular program. The conf.pm module is used to parse this configuration file.

The recognized configuration fields are described in the Configuration Records section below. Some configuration entries are optional and a configuration file need not contain a complete list of entries.

A line in the configuration file contains either a comment or a configuration entry. Comment lines start with either a '#' character or a ';' character. Comment lines and blank lines are ignored by the DNSSEC-Tools programs.

Configuration entries are in a keyword/value format. The keyword is a character string that contains no whitespace. The value is a tokenized list of the remaining character groups, with each token separated by a single space.

True/false flags must be given a 1 (true) or 0 (false) value.


Configuration Records

The following records are recognized by the DNSSEC-Tools programs. Not every DNSSEC-Tools program requires each of these records.

admin-email

The email address for the DNSSEC-Tools administrator.

algorithm

The default encryption algorithm to be passed to dnssec-keygen.

archivedir

The pathname to the archived-key directory.

default_keyrec

The default keyrec filename to be used by the keyrec.pm module.

endtime

The zone default expiration time to be passed to dnssec-signzone.

entropy_msg

A true/false flag indicating if the zonesigner command should display a message about entropy generation. This is primarily dependent on the implementation of a system's random number generation.

keyarch

The path to the DNSSEC-Tools keyarch command.

keygen

The path to the dnssec-keygen command.

keygen-opts

Options to pass to the dnssec-keygen command.

kskcount

The default number of KSK keys that will be generated for each zone.

ksklength

The default KSK key length to be passed to dnssec-keygen.

ksklife

The default length of time between KSK roll-overs. This is measured in seconds.

This value is only used for key roll-over. Keys do not have a life-time in any other sense.

lifespan-max

The maximum length of time a key should be in use before it is rolled over. This is measured in seconds.

lifespan-min

The minimum length of time a key should be in use before it is rolled over. This is measured in seconds.

random

The random-number device (for example, /dev/urandom) to be passed to dnssec-keygen.

roll_logfile

The log file used by rollerd.

roll_loglevel

The default logging level used by rollerd. The valid levels are defined and described in rollmgr.pm.

roll_sleeptime

The number of seconds rollerd must wait at the end of each zone-checking cycle.

savekeys

A true/false flag indicating if old keys should be moved to the archive directory.

usegui

A true/false flag indicating whether the GUI may be used for specifying command options.

zonecheck

The path to the named-checkzone command.

zonecheck-opts

Options to pass to the named-checkzone command.

zonesign

The path to the dnssec-signzone command.

zonesign-opts

Options to pass to the dnssec-signzone command.

zonesigner

The path to the DNSSEC-Tools zonesigner command.

zskcount

The default number of ZSK keys that will be generated for each zone.

zsklength

The default ZSK key length to be passed to dnssec-keygen.

zsklife

The default length of time between ZSK roll-overs. This is measured in seconds.

This value is only used for key roll-over. Keys do not have a life-time in any other sense.


Sample Times

Several configuration fields measure various times. This section is a convenient reference for several common times, as measured in seconds.

    3600        - hour
    86400       - day
    604800      - week
    2592000     - 30-day month
    15768000    - half-year
    31536000    - year


Example File

The following is an example dnssec-tools.conf configuration file.

    #
    # Settings for DNSSEC-Tools administration.
    #
    admin-email     tewok@squirrelking.net
    #
    # Paths to required programs.  These may need adjusting for
    # individual hosts.
    #
    keygen          /usr/local/sbin/dnssec-keygen
    rndc            /usr/local/sbin/rndc
    viewimage       /usr/X11R6/bin/xview
    zonecheck       /usr/local/sbin/named-checkzone
    zonecheck-opts  -k ignore
    zonesign        /usr/local/sbin/dnssec-signzone
    keyarch         /usr/bin/keyarch
    rollrec-chk     /usr/bin/rollrec-check
    zonesigner      /usr/bin/zonesigner
    #
    # Settings for dnssec-keygen.
    #
    algorithm   rsasha1
    ksklength   2048
    zsklength   1024
    random      /dev/urandom
    
    #
    # Settings for dnssec-signzone.
    #
    endtime             +2592000        # RRSIGs good for 30 days.
    #
    # Life-times for keys.  These defaults indicate how long a key has
    # between roll-overs.  The values are measured in seconds.
    # 
    ksklife         15768000            # Half-year.
    zsklife         604800              # One week.
    lifespan-max    94608000            # Two years.
    lifespan-min    3600                # One hour.
    
    #
    # Settings that will be noticed by zonesigner.
    #
    archivedir          /usr/local/etc/dnssec-tools/KEY-SAFE
    default_keyrec      default.krf
    entropy_msg         0
    savekeys            1
    zskcount            1
    #
    # Settings for rollover-manager.
    #
    roll_logfile    /usr/local/etc/dnssec-tools/log-rollerd
    roll_loglevel   info
    roll_sleeptime  60
    #
    # GUI-usage flag.
    #
    usegui              0


COPYRIGHT

Copyright 2005-2008 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.


AUTHOR

Wayne Morrison, tewok@users.sourceforge.net


SEE ALSO

dtinitconf(8), dtconfchk(8), keyarch(8), rollerd(8), zonesigner(8)

Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::keyrec.pm(3), Net::DNS::SEC::Tools::rollmgr.pm(3)