TRUSTMAN(1)           User Contributed Perl Documentation          TRUSTMAN(1)

NAME

       trustman - Manage keys used as trust anchors


SYNOPSIS

       trustman [options]


DESCRIPTION

       trustman manages keys used by DNSSEC as trust anchors in compliance
       with RFC5011.  It may be used as a daemon for ongoing key verification
       or manually for initialization and one-time key verification.

       By default, trustman runs as a daemon to ensure that keys stored
       locally in configuration files still match the same keys fetched from
       the zone where they are defined.  (named.conf and dnsval.conf are the
       usual configuration files.)  These checks can be run once manually (-S)
       and in the foreground (-f).

       For each key mismatch check, if key mismatches are detected then
       trustman performs the following operations:

           - sets an add hold-down timer for new keys;
           - sets a remove hold-down timer for missing keys;
           - removes revoked keys from the configuration file.

       On subsequent runs, the timers are checked.  If the timers have
       expired, keys are added or removed from the configuration file, as
       appropriate.

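       The hold-down logic described above, written out as an added
       illustration in Python; this is not trustman's own code.  It assumes a
       simplified anchor data file (a dict of pending add/remove timers), keys
       identified only by key tag, and a fetched-zone view of {keytag: revoked}.

```python
HOLD_TIME = 30 * 24 * 3600  # trustman's default hold-down timer: 30 days, in seconds


def check_anchors(configured, fetched, state, now, hold_time=HOLD_TIME, check_revoke=True):
    """Perform one trustman-style check and return the new set of trusted key tags.

    configured:   key tags currently in named.conf / dnsval.conf
    fetched:      {keytag: revoked_flag} as fetched from the zone (constructed input)
    state:        the persistent anchor data file, modelled here as
                  {"add": {tag: start_time}, "remove": {tag: start_time}}
    check_revoke: False mirrors -norevoke (the REVOKE bit is ignored)
    """
    configured = set(configured)
    # Revoked keys are removed from the configuration immediately; no timer applies.
    if check_revoke:
        for tag, revoked in fetched.items():
            if revoked:
                configured.discard(tag)
    live = {tag for tag, revoked in fetched.items() if not (revoked and check_revoke)}
    # New keys in the zone but not trusted locally: start the add hold-down timer.
    for tag in live - configured:
        state["add"].setdefault(tag, now)
    # Keys trusted locally but missing from the zone: start the remove hold-down timer.
    for tag in configured - live:
        state["remove"].setdefault(tag, now)
    # Assumption (RFC 5011 behaviour, not spelled out on this page): a pending
    # change is cancelled if the key's status flips before its timer expires.
    for tag in [t for t in state["add"] if t not in live]:
        del state["add"][tag]
    for tag in [t for t in state["remove"] if t in live]:
        del state["remove"][tag]
    # Apply whichever timers have expired on this run.
    for tag, started in list(state["add"].items()):
        if now - started >= hold_time:
            configured.add(tag)
            del state["add"][tag]
    for tag, started in list(state["remove"].items()):
        if now - started >= hold_time:
            configured.discard(tag)
            del state["remove"][tag]
    return configured
```

       Calling check_anchors once per -sleeptime interval with the same state
       dict reproduces the daemon's behaviour: a new key is trusted only after
       it has stayed in the zone for the full hold time.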

OPTIONS

       trustman takes a number of options, each of which is described in this
       section.  Each option name may be shortened to the minimum number of
       unique characters, but some options also have an alias (as noted.)  The
       single-letter form of each option is denoted in parentheses, e.g.:
       -anchor_data_file (-a).

       -anchor_data_file file (-a)
           A persistent data file for storing new keys waiting to be added.

       -config file (-c)
           Create a configuration file for trustman from the command line
           options given.  The existing DNSSEC-Tools configuration file is
           copied to the specified configuration file, and new configuration
           entries are appended corresponding to the command line options.
           trustman-specific entries already in the existing configuration
           file will be replaced with new entries from the command line.  This
           will allow fewer command line options to be specified in the
           future.

       -dtconfig config_file (-d)
           Name of an alternate DNSSEC-Tools configuration file to be
           processed.  If specified, this configuration file is used in place
           of the normal DNSSEC-Tools configuration file, not in addition to
           it.  Also, it will be handled prior to keyrec files, rollrec files,
           and command-line options.

       -dnsval_conf_file /path/to/dnsval.conf (-k)
           A dnsval.conf file to read and possibly update.

       -named_conf_file /path/to/named.conf (-n)
           A named.conf file to read and possibly update.

       -root_hints_file /path/to/root.hints (-o)
           A root.hints file to read.

       -tmp_dir directory (-T)
           Specifies where temporary files should be created.  This is used
           when creating new versions of the dnsval.conf and named.conf files
           before they are moved into place.  Most operating systems require
           the /tmp directory to be on the same partition as the dnsval.conf
           and named.conf files since renames across partitions will fail.

       -zone zone (-z)
           The zone to check.  Specifying this option supersedes the default
           configuration file.

       -mail_contact_addr email_address (-m)
           Mail address for the contact person to whom reports should be sent.

       -smtp_server smtpservername (-s)
           SMTP server that trustman should use to send reports by mail.

       -nomail
           Prevents mail from being sent, even if an SMTP server was specified
           in the configuration file.  This is useful for only sending
           notifications via stdout (-p) or syslog (-L).

       -no_error (-N)
           Send report even when there are no errors.

       -print (-p)
           Log messages to stdout.

       -hold_time seconds (-w)
           The value of the hold-down timer.  This is specified in seconds
           from the time that a new key is found.  Generally, the default and
           recommended value of 30 days should be used.

       -resolv_conf_file conffile (-r)
           A resolv.conf file to read.  /dev/null can be specified to force
           libval to recursively answer the query rather than asking other
           name servers.

       -single_run (-S)
           Run only once.

       -foreground (-f)
           Run in the foreground.  trustman will still run in a loop.  To run
           once, use the -S option instead.

       -syslog (-L)
           Log messages to syslog.

       -sleeptime seconds (-t)
           The number of seconds to sleep between checks.  Default is 3600
           (one hour.)

       -norevoke
           This option turns off checks for the REVOKE bit.

       -help (-h)
           Display a help message.

       -verbose (-v)
           Gives verbose output.

       -Version (-V)
           Displays the version information for trustman and the DNSSEC-Tools
           package.


CONFIGURATION

       In addition to the command line arguments, the dnssec-tools.conf file
       can be configured with the following tokens to remove the need to use
       some of the command-line options.  The command-line options always
       override the settings in the dnssec-tools.conf file.

       tasmtpserver servername
           This is equivalent to the -smtp_server flag for specifying where to
           send email notices through.

       tacontact contact_email
           This is equivalent to the -mail_contact_addr flag for specifying
           where to send email notices to.

       taanchorfile file
           This specifies the file where trustman state information is to be
           kept.  This is equivalent to the -anchor_data_file flag.

       taresolvconffile file
           This specifies the resolv.conf file to use.  This is equivalent to
           the -resolv_conf_file flag.

       tanamedconffile file
           This specifies the named.conf file to read and write.  This is
           equivalent to the -named_conf_file flag.

       tadnsvalconffile file
           This specifies the dnsval.conf file to read and write.  This is
           equivalent to the -dnsval_conf_file flag.

       taroothintsfile file
           This specifies the root.hints file to read.  This is equivalent to
           the -root_hints_file flag.

       tatmpdir directory
           This specifies where temporary files should be created.  This is
           used when creating new versions of the dnsval.conf and named.conf
           files before they're moved into place.  Most operating systems
           require the /tmp directory to be on the same partition as the
           dnsval.conf and named.conf files, since renames across partitions
           will fail.

COPYRIGHT

       Copyright 2006-2011 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the DNSSEC-Tools package for details.


Author

       Lindy Foster

       (Current contact for trustman is Wayne Morrison,
       tewok@users.sourceforge.net.)


SEE ALSO

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3),
       dnssec-tools.conf(5)


perl v5.12.4                      2011-10-12                       TRUSTMAN(1)