DTINITCONF(1) User Contributed Perl Documentation DTINITCONF(1)

NAME
dtinitconf - Creates a DNSSEC-Tools configuration file

SYNOPSIS
dtinitconf [options]

DESCRIPTION
The dtinitconf program initializes the DNSSEC-Tools configuration file.
By default the configuration file is written to its default location,
but the user may specify a different output file. Existing files, whether
the default or one specified by the user, will not be overwritten unless
the user specifically directs it.

Each configuration field can be individually specified on the command
line. The user will also be prompted for the fields, with default
values taken from the DNSSEC-Tools defaults.pm module. If the
-noprompt option is given, then a default configuration file (modulo
command-line arguments) will be created.

Configuration entries are created for several BIND programs. Several
locations on the system are searched to find these programs. First, the
directories in the PATH environment variable are checked; the names of
any directories that contain the BIND programs are saved. Next, several
common locations for BIND programs are checked; again, the names of
directories that contain the BIND programs are saved. After collecting
these directories, the user is presented with the list and may choose
whichever set is desired. If no directories containing the BIND
programs are found, the user is prompted for the proper location.

If the configuration file's parent directory does not exist, then an
attempt is made to create the directory. The new directory's owner
will be set to root and its group to dnssec, assuming the dnssec group
exists. Writability checks for the directory are not performed if the
-outfile option is given.

OPTIONS
dtinitconf takes options that control the contents of the newly
generated DNSSEC-Tools configuration file. Each configuration file
entry has a corresponding command-line option. The options, described
below, are ordered in logical groups.

Key-related Options
These options deal with different aspects of creating and managing
encryption keys.

-algorithm algorithm
Selects the cryptographic algorithm. The value of algorithm must be
one that is recognized by the installed version of dnssec-keygen.

-kskcount KSK-count
The default number of KSK keys that will be created for a zone.

-ksklength keylen
The default KSK key length to be passed to dnssec-keygen.

-ksklife lifespan
The default length of time between KSK rollovers. This is measured
in seconds. This value must be within the range of the minlife and
maxlife values.

This value is only used for key rollover. Keys do not have a
lifetime in any other sense.

-maxlife maxlifespan
The maximum length of time between key rollovers. This is measured
in seconds. The ksklife and zsklife values must not be greater
than this value.

This value is only used for key rollover. Keys do not have a
lifetime in any other sense.

-minlife minlifespan
The minimum length of time between key rollovers. This is measured
in seconds. The ksklife and zsklife values must not be less than
this value.

This value is only used for key rollover. Keys do not have a
lifetime in any other sense.

-zskcount ZSK-count
The default number of ZSK keys that will be created for a zone.

-zsklength keylen
The default ZSK key length to be passed to dnssec-keygen.

-zsklife lifespan
The default length of time between ZSK rollovers. This is measured
in seconds. This value must be within the range of the minlife and
maxlife values.

This value is only used for key rollover. Keys do not have a
lifetime in any other sense.

-random randomdev
The random device generator to be passed to dnssec-keygen.

Zone-related Options
These options deal with different aspects of zone signing.

-endtime endtime
The zone default expiration time to be passed to dnssec-signzone.

trustman-related Options
These options deal with different aspects of executing trustman.

-genroothints roothints
A new root.hints file will be created at the specified location.
dtinitconf requires that the file not already exist.

The root.hints file is retrieved from
http://www.internic.net/zones/named.root. It is not considered a
fatal error if dtinitconf is unable to fetch the file. Rather, a
warning message will be given and creation of the configuration
file will continue.

-ta-contact email
The email address of the trustman administrator.

-ta-resolvconf resolvconffile
The location of the resolv.conf file.

-ta-smtpserver hostname
The SMTP server for the trustman command.

-ta-tmpdir directory
The temporary directory for the trustman command.

BIND Options
These options deal specifically with functionality provided by BIND.

-rndc rndc-path
rndc-path is the path to BIND's rndc command.

DNSSEC-Tools Options
These options deal specifically with functionality provided by
DNSSEC-Tools.

-admin email-address
email-address is the email address of the DNSSEC-Tools administrator.
This is the default address used by the dt_adminmail() routine.

-archivedir directory
directory is the archived-key directory. Old encryption keys are
moved to this directory, but only if they are to be saved and not
deleted.

-autosign
A flag indicating that rollerd should automatically sign zonefiles
that are found to be newer than their signed zonefile. If
-noautosign is specified, this will be set to false.

-binddir directory
directory is the directory holding the BIND programs. If the
reserved word "path" is specified, then existence of the BIND
programs is not verified when dtinitconf is executed. Rather, the
user's PATH directories will be searched for the BIND programs when
the DNSSEC-Tools are executed.

-dtdir directory
directory is the directory holding the DNSSEC-Tools programs. If
the reserved word "path" is specified, then existence of the
DNSSEC-Tools programs is not verified when dtinitconf is executed.
Rather, the user's PATH directories will be searched for the
DNSSEC-Tools programs when those tools are executed.

-entropy_msg
A flag indicating that zonesigner should display a message about
entropy generation. This is primarily dependent on the
implementation of a system's random number generation.

-mailer-server host
The mail server that will be contacted by dt_adminmail(). This is
passed to Mail::Send.

-mailer-type mailtype
The mail type that will be used by dt_adminmail(). This is
passed to Mail::Mailer (by way of Mail::Send). Any values
recognized by Mail::Mailer may be used here.

-noentropy_msg
A flag indicating that zonesigner should not display a message
about entropy generation. This is primarily dependent on the
implementation of a system's random number generation.

-roll-loadzone
-no-roll-loadzone
Flags indicating whether or not rollerd should have the DNS daemon
load zones.

-roll-logfile logfile
logfile is the logfile for the rollerd daemon.

-roll-loglevel loglevel
loglevel is the logging level for the rollerd daemon.

-roll-phasemsg length
length is the default length of phase-related log messages used by
rollerd. The valid levels are "long" and "short", with "long"
being the default value.

The long message length means that a phase description will be
included with some log messages. For example, the long form of a
message about ZSK rollover phase 3 will look like this: "ZSK phase
3 (Waiting for old zone data to expire from caches)".

The short message length means that a phase description will not be
included with some log messages. For example, the short form of a
message about ZSK rollover phase 3 will look like this: "ZSK phase
3".

-roll-sleeptime sleep-time
sleep-time is the sleep-time for the rollerd daemon.

-roll-username username
username is the user for which the rollerd daemon will be executed.
If this is a username, it must correspond to a valid uid; if it is
a uid, it must correspond to a valid username.

-roll-logtz logtz
logtz is the timezone of the message timestamp for rollerd's
logfile.

-zoneerrs error-count
error-count is the maximum error count for zones used by the
rollerd daemon.

-savekeys
A flag indicating that old keys should be moved to the archive
directory.

-nosavekeys
A flag indicating that old keys should not be moved to the archive
directory but will instead be left in place.

-usegui
A flag indicating that the GUI for specifying command options may
be used.

-nousegui
A flag indicating that the GUI for specifying command options
should not be used.

-zoneparser parser-module
parser-module is the name of the Perl module that will be used to
parse zone files. The default is specified in
dnssec_tools_default().

dtinitconf Options
These options deal specifically with dtinitconf.

-outfile conffile
The configuration file will be written to conffile. If this is not
given, then the default configuration file (as returned by
Net::DNS::SEC::Tools::conf::getconffile()) will be used.

If conffile is given as -, then the new configuration file will be
written to the standard output.

conffile must be writable.

-overwrite
If -overwrite is specified, existing output files may be
overwritten. Without -overwrite, if the output file is found to
exist then dtinitconf will give an error message and exit.

-noprompt
If -noprompt is specified, the user will not be prompted for any
input. The configuration file will be created from command-line
options and DNSSEC-Tools defaults. Guesses will be made for the
BIND paths, based on the PATH environment variable.

WARNING: After using the -noprompt option, the configuration file
must be checked to ensure that the defaults are appropriate and
acceptable for the installation.

-template
If -template is specified, a default configuration file is created.
However, all entries are commented out.

The only command line options that may be used in conjunction with
-template are -outfile and -overwrite.

-edit
If -edit is specified, the output file will be edited after it has
been created. The EDITOR environment variable is consulted for the
editor to use. If the EDITOR environment variable isn't defined,
then the vi editor will be used.

-verbose
Provide verbose output.

-Version
Displays the version information for dtinitconf and the
DNSSEC-Tools package.

-help
Display a usage message and exit.

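
As an added example (not part of this man page or of the DNSSEC-Tools code), the following Python script performs the post -noprompt review described above: it parses a constructed dnssec-tools.conf and checks the constraints this page states, namely that ksklife and zsklife lie between the minimum and maximum lifespans, that roll-phasemsg is "long" or "short", and that saved keys have an archive directory. The configuration key names follow dnssec-tools.conf(5) conventions and are an assumption here, not taken from this page.

```python
"""Sanity-check a dnssec-tools.conf written by dtinitconf (added example)."""
import re
# Constructed sample (not from the page) of what `dtinitconf -noprompt -outfile -`
# might emit; key names follow dnssec-tools.conf(5) conventions as assumed here.
SAMPLE_CONF = """\
# DNSSEC-Tools configuration file (constructed sample)
algorithm      rsasha256
ksklength      2048
ksklife        31536000    # one year between KSK rollovers
zsklength      1024
zsklife        7776000     # 90 days between ZSK rollovers
lifespan-max   94608000
lifespan-min   3600
roll-phasemsg  long
savekeys       1
archivedir     /usr/local/etc/dnssec-tools/KEY-SAFE
"""

def parse_conf(text: str) -> dict:
    """Parse 'key value' lines; blank lines and '#' comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0]] = parts[1] if len(parts) > 1 else ""
    return conf

def check_conf(conf: dict) -> list:
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    def seconds(key):
        value = conf.get(key, "")
        if not value.isdigit():
            problems.append(f"{key}: missing or not a whole number of seconds")
            return None
        return int(value)
    lo, hi = seconds("lifespan-min"), seconds("lifespan-max")
    if lo is not None and hi is not None and lo > hi:
        problems.append("lifespan-min is greater than lifespan-max")
    for key in ("ksklife", "zsklife"):  # both must lie within [minlife, maxlife]
        life = seconds(key)
        if None not in (life, lo, hi) and not lo <= life <= hi:
            problems.append(f"{key}={life} is outside [{lo}, {hi}]")
    if conf.get("roll-phasemsg", "long") not in ("long", "short"):
        problems.append("roll-phasemsg must be 'long' or 'short'")
    if conf.get("savekeys") == "1" and not conf.get("archivedir"):
        problems.append("savekeys is set but archivedir is empty")
    return problems
```

Run it against the real output of dtinitconf -noprompt (or a file written with -outfile) before installing the file; a non-empty list is the signal that a default does not suit the installation.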
COPYRIGHT
Copyright 2006-2014 SPARTA, Inc. All rights reserved. See the COPYING
file included with the DNSSEC-Tools package for details.

AUTHOR
Wayne Morrison, tewok@tislabs.com

SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), named-checkzone(8), keyarch(8),
rollchk(8), rollerd(8), zonesigner(8)

Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3),
Net::DNS::SEC::Tools::dnssectools.pm(3),
Net::DNS::SEC::Tools::tooloptions.pm(3), QWizard.pm(3)

dnssec-tools.conf(5)

perl v5.36.0 2023-01-19 DTINITCONF(1)