1DTINITCONF(1)         User Contributed Perl Documentation        DTINITCONF(1)
2
3
4

NAME

6       dtinitconf - Creates a DNSSEC-Tools configuration file
7

SYNOPSIS

9         dtinitconf [options]
10

DESCRIPTION

12       The dtinitconf program initializes the DNSSEC-Tools configuration file.
13       By default, the actual configuration file will be created, though the
14       created file can be specified by the user.  Existing files, whether the
15       default or one specified by the user, will not be overwritten unless
16       specifically directed by the user.
17
18       Each configuration field can be individually specified on the command
19       line.  The user will also be prompted for the fields, with default
20       values taken from the DNSSEC-Tools defaults.pm module.  If the
21       -noprompt option is given, then a default configuration file (modulo
22       command-line arguments) will be created.
23
24       Configuration entries are created for several BIND programs.  Several
25       locations on the system are searched to find the locations of these
26       programs.  First, the directories in the path environment variable are
27       checked; the names of any directories that contain the BIND programs
28       are saved.  Next, several common locations for BIND programs are
29       checked; again, the names of directories that contain the BIND programs
30       are saved.  After collecting these directories, the user is presented
31       with this list and may choose to use whichever set is desired.  If no
32       directories are found that contain the BIND programs, the user is
33       prompted for the proper location.
34
35       If the configuration file's parent directory does not exist, then an
36       attempt is made to create the directory.  The new directory's ownership
37       will be set to root for the owner and dnssec for the group, assuming
38       the dnssec group exists.  Writability checks for the directory will not
39       be performed if the -outfile option is given.
40

OPTIONS

42       dtinitconf takes options that control the contents of the newly
43       generated DNSSEC-Tools configuration file.  Each configuration file
44       entry has a corresponding command-line option.  The options, described
45       below, are ordered in logical groups.
46
47   Key-related Options
48       These options deal with different aspects of creating and managing
49       encryption keys.
50
51       -algorithm algorithm
52           Selects the cryptographic algorithm. The value of algorithm must be
53           one that is recognized by the installed version of dnssec-keygen.
54
55       -kskcount KSK-count
56           The default number of KSK keys that will be created for a zone.
57
58       -ksklength keylen
59           The default KSK key length to be passed to dnssec-keygen.
60
61       -ksklife lifespan
62           The default length of time between KSK rollovers.  This is measured
63           in seconds.  This value must be within the range of the minlife and
64           maxlife values.
65
66           This value is only used for key rollover.  Keys do not have a life-
67           time in any other sense.
68
69       -maxlife maxlifespan
70           The maximum length of time between key rollovers.  This is measured
71           in seconds.  The ksklife and zsklife values must be not greater
72           than this value.
73
74           This value is only used for key rollover.  Keys do not have a life-
75           time in any other sense.
76
77       -minlife minlifespan
78           The minimum length of time between key rollovers.  This is measured
79           in seconds.  The ksklife and zsklife values must be not less than
80           this value.
81
82           This value is only used for key rollover.  Keys do not have a life-
83           time in any other sense.
84
85       -zskcount ZSK-count
86           The default number of ZSK keys that will be created for a zone.
87
88       -zsklength keylen
89           The default ZSK key length to be passed to dnssec-keygen.
90
91       -zsklife lifespan
92           The default length of time between ZSK rollovers.  This is measured
93           in seconds.  This value must be within the range of the minlife and
94           maxlife values.
95
96           This value is only used for key rollover.  Keys do not have a life-
97           time in any other sense.
98
99       -random randomdev
100           The random device generator to be passed to dnssec-keygen.
101
102   Zone-related Options
103       These options deal with different aspects of zone signing.
104
105       -endtime endtime
106           The zone default expiration time to be passed to dnssec-signzone.
107
108   trustman-related Options
109       These options deal with different aspects of executing trustman.
110
111       -genroothints roothints
112           A new root.hints file will be created at the specified location.
113           dtinitconf requires that the file not already exist.
114
115           The root.hints file is retrieved from
116           http://www.internic.net/zones/named.root.  It is not considered a
117           fatal error if dtinitconf is unable to fetch the file.  Rather, a
118           warning message will be given and creation of the configuration
119           file will continue.
120
121       -ta-contact email
122           The email address of the trustman administrator.
123
124       -ta-resolvconf resolvconffile
125           The location of the resolv.conf file.
126
127       -ta-smtpserver hostname
128           The SMTP server for the trustman command.
129
130       -ta-tmpdir hostname
131           The temporary directory for the trustman command.
132
133   BIND Options
134       These options deal specifically with functionality provided by BIND.
135
136       -rndc rndc-path
137           rndc is the path to BIND's rndc command.
138
139   DNSSEC-Tools Options
140       These options deal specifically with functionality provided by DNSSEC-
141       Tools.
142
143       -admin email-address
144           admin is the email address of the DNSSEC-Tools administrator.  This
145           is the default address used by the dt_adminmail() routine.
146
147       -archivedir directory
148           directory is the archived-key directory.  Old encryption keys are
149           moved to this directory, but only if they are to be saved and not
150           deleted.
151
152       -autosign
153           A flag indicating that rollerd should automatically sign zonefiles
154           that are found to be newer than their signed zonefile.  If
155           -noautosign is specified, this will be set to false.
156
157       -binddir directory
158           directory is the directory holding the BIND programs.  If the
159           reserved word "path" is specified, then existence of the BIND
160           programs is not verified when dtinitconf is executed.  Rather, the
161           user's PATH directories will be searched for the BIND programs when
162           the DNSSEC-Tools are executed.
163
164       -dtdir directory
165           directory is the directory holding the DNSSEC-Tools programs.  If
166           the reserved word "path" is specified, then existence of the
167           DNSSEC-Tools programs is not verified when dtinitconf is executed.
168           Rather, the user's PATH directories will be searched for the
169           DNSSEC-Tools programs when those tools are executed.
170
171       -entropy_msg
172           A flag indicating that zonesigner should display a message about
173           entropy generation.  This is primarily dependent on the
174           implementation of a system's random number generation.
175
176       -mailer-server host
177           The mail server that will be contacted by dt_adminmail().  This is
178           passed to Mail::Send.
179
180       -mailer-server mailtype
181           The mail type that will be contacted by dt_adminmail().  This is
182           passed to Mail::Mailer (by way of Mail::Send.)  Any values
183           recognized by Mail::Mailer may be used here.
184
185       -noentropy_msg
186           A flag indicating that zonesigner should not display a message
187           about entropy generation.  This is primarily dependent on the
188           implementation of a system's random number generation.
189
190       -roll-loadzone
191       -no-roll-loadzone
192           Flags indicating whether or not rollerd should have the DNS daemon
193           load zones.
194
195       -roll-logfile logfile
196           logfile is the logfile for the rollerd daemon.
197
198       -roll-loglevel loglevel
199           loglevel is the logging level for the rollerd daemon.
200
201       -roll-phasemsg length
202           length is the default length of phase-related log messages used by
203           rollerd.  The valid levels are "long" and "short", with "long"
204           being the default value.
205
206           The long message length means that a phase description will be
207           included with some log messages.  For example, the long form of a
208           message about ZSK rollover phase 3 will look like this:  "ZSK phase
209           3 (Waiting for old zone data to expire from caches)".
210
211           The short message length means that a phase description will not be
212           included with some log messages.  For example, the short form of a
213           message about ZSK rollover phase 3 will look like this:  "ZSK phase
214           3".
215
216       -roll-sleeptime sleep-time
217           sleep-time is the sleep-time for the rollerd daemon.
218
219       -roll-username username
220           username is the user for which the rollerd daemon will be executed.
221           If this is a username, it must correspond to a valid uid; if it is
222           a uid, it must correspond to a valid username.
223
224       -roll-logtz logtz
225           loglevel is the timezone of the message timestamp for rollerd's
226           logfile.
227
228       -zoneerrs error-count
229           error-count is the maximum error count for zones used by the
230           rollerd daemon.
231
232       -savekeys
233           A flag indicating that old keys should be moved to the archive
234           directory.
235
236       -nosavekeys
237           A flag indicating that old keys should not be moved to the archive
238           directory but will instead be left in place.
239
240       -usegui
241           A flag indicating that the GUI for specifying command options may
242           be used.
243
244       -nousegui
245           A flag indicating that the GUI for specifying command options
246           should not be used.
247
248       -zoneparser parser-module
249           parser-module is the name of the Perl module that will be used to
250           parse zone files.  The default is specified in
251           dnssec_tools_default().
252
253   dtinitconf Options
254       These options deal specifically with dtinitconf.
255
256       -outfile conffile
257           The configuration file will be written to conffile.  If this is not
258           given, then the default configuration file (as returned by
259           Net::DNS::SEC::Tools::conf::getconffile()) will be used.
260
261           If conffile is given as -, then the new configuration file will be
262           written to the standard output.
263
264           conffile must be writable.
265
266       -overwrite
267           If -overwrite is specified, existing output files may be
268           overwritten.  Without -overwrite, if the output file is found to
269           exist then dtinitconf will give an error message and exit.
270
271       -noprompt
272           If -noprompt is specified, the user will not be prompted for any
273           input.  The configuration file will be created from command-line
274           options and DNSSEC-Tools defaults.  Guesses will be made for the
275           BIND paths, based on the PATH environment variable.
276
277           WARNING:  After using the -noprompt option, the configuration file
278           must be checked to ensure that the defaults are appropriate and
279           acceptable for the installation.
280
281       -template
282           If -template is specified, a default configuration file is created.
283           However, all entries are commented out.
284
285           The only command line options that may be used in conjunction with
286           -template are -outfile and -overwrite.
287
288       -edit
289           If -edit is specified, the output file will be edited after it has
290           been created.  The EDITOR environment variable is consulted for the
291           editor to use.  If the EDITOR environment variable isn't defined,
292           then the vi editor will be used.
293
294       -verbose
295           Provide verbose output.
296
297       -Version
298           Displays the version information for dtinitconf and the DNSSEC-
299           Tools package.
300
301       -help
302           Display a usage message and exit.
303
305       Copyright 2006-2014 SPARTA, Inc.  All rights reserved.  See the COPYING
306       file included with the DNSSEC-Tools package for details.
307

AUTHOR

309       Wayne Morrison, tewok@tislabs.com
310

SEE ALSO

312       dnssec-keygen(8), dnssec-signzone(8), named-checkzone(8), keyarch(8),
313       rollckk(8), rollerd(8), zonesigner(8)
314
315       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3),
316       Net::DNS::SEC::Tools::dnssectools.pm(3),
317       Net::DNS::SEC::Tools::tooloptions.pm(3), QWizard.pm(3)
318
319       dnssec-tools.conf(5)
320
321
322
323perl v5.30.0                      2019-07-24                     DTINITCONF(1)
Impressum