DTCONFCHK(1)          User Contributed Perl Documentation         DTCONFCHK(1)

NAME

       dtconfchk - Check a DNSSEC-Tools configuration file for sanity

SYNOPSIS

         dtconfchk [options] [config_file]

DESCRIPTION

       dtconfchk checks a DNSSEC-Tools configuration file to determine if the
       entries are valid.  If a configuration file isn't specified, the system
       configuration file will be verified.

       Without any display options, dtconfchk displays error messages for
       problems found, followed by a summary line.  Display options will
       increase or decrease the amount of detail about the configuration
       file's sanity.  In all cases, the exit code is the count of errors
       found in the file.

       The tests are divided into five groups:  key-related checks, zone-
       related checks, path checks, rollover checks, and miscellaneous checks.
       The checks in each of these self-explanatory groups are described
       below.

       The default_keyrec configuration entry is not checked.  This entry
       specifies the default keyrec file name and isn't necessarily expected
       to exist in any particular place.

       Key-related Checks

       The following key-related checks are performed:

       algorithm
               Ensure the algorithm field is valid.  The acceptable values may
               be found in the dnssec-keygen man page.

       ksklength
               Ensure the ksklength field is valid.  The acceptable values may
               be found in the dnssec-keygen man page.

       ksklife Ensure the ksklife field is valid.  The acceptable values may
               be found in the defaults.pm man page.

       zskcount
               Ensure the zskcount field is valid.  The ZSK count must be
               positive.

       zsklength
               Ensure the zsklength field is valid.  The acceptable values may
               be found in the dnssec-keygen man page.

       zsklife Ensure the zsklife field is valid.  The acceptable values may
               be found in the defaults.pm man page.

       random  Ensure the random field is valid.  This file must be a
               character device file.

       Zone-related Checks

       The following zone-related checks are performed:

       endtime Ensure the endtime field is valid.  This value is assumed to be
               in the "+NNNNNN" format.  There is a lower limit of two hours.
               (This is an artificial limit under which it may not make sense
               to have an end-time.)

       Path Checks

       The following path checks are performed:

       keygen  Ensure the keygen field is valid.  If the filename starts with
               a '/', the file must be a regular executable file.

       viewimage
               Ensure the viewimage field is valid.  If the filename starts
               with a '/', the file must be a regular executable file.

       zonecheck
               Ensure the zonecheck field is valid.  If the filename starts
               with a '/', the file must be a regular executable file.

       zonesign
               Ensure the zonesign field is valid.  If the filename starts
               with a '/', the file must be a regular executable file.

       Rollover Daemon Checks

       The following checks are performed for rollerd values:

       roll_logfile
               Ensure that the log file for the rollerd is valid.  If the file
               exists, it must be a regular file.

       roll_loglevel
               Ensure that the logging level for the rollerd is reasonable.
               The log level must be one of the following text or numeric
               values:

                   tmi        1       Overly verbose informational messages.
                   expire     3       A verbose countdown of zone expiration is given.
                   info       4       Informational messages.
                   phase      6       Current state of zone.
                   err        8       Error messages.
                   fatal      9       Fatal errors.

               Specifying a particular log level will cause messages of a
               higher numeric value to also be displayed.

       roll_sleeptime
               Ensure that the rollerd's sleep-time is reasonable.  rollerd's
               sleep-time must be at least one minute.

       Miscellaneous Checks

       The following miscellaneous checks are performed:

       admin-email
               Ensure that the admin-email field is defined and has a value.
               dtconfchk does not try to validate the email address itself.

       archivedir
               Ensure that the archivedir directory is actually a directory.
               This check is only performed if the savekeys flag is set on.

       entropy_msg
               Ensure that the entropy_msg flag is either 0 or 1.

       savekeys
               Ensure that the savekeys flag is either 0 or 1.  If this flag
               is set to 1, then the archivedir field will also be checked.

       usegui  Ensure that the usegui flag is either 0 or 1.
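
       The following Python sketch is an added example, not part of dtconfchk
       or the DNSSEC-Tools distribution.  It re-implements several of the
       checks described above and returns a list of errors, the count of which
       corresponds to the exit code described earlier.  Assumptions: a
       "keyword value" file layout with # comments, endtime and roll_sleeptime
       given in seconds, and only entries present in the file being tested;
       parse_conf, check_conf and SAMPLE are hypothetical names.

```python
import os
import re
import stat

# Text names and numbers listed under roll_loglevel.
LOGLEVELS = {"tmi": 1, "expire": 3, "info": 4, "phase": 6, "err": 8, "fatal": 9}
# Constructed sample input, not a shipped dnssec-tools.conf.
SAMPLE = """admin-email hostmaster@example.com
endtime +3600
roll_loglevel debug
roll_sleeptime 30
savekeys 2
random /dev/null
"""

def parse_conf(text):
    """Assumed layout: 'keyword value' per line, '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def check_conf(conf):
    """Return a list of error strings; its length is the error count."""
    errors = []
    def bad(key, ok, why):  # assumption: only entries present are tested
        if key in conf and not ok(conf[key]):
            errors.append(f"{key}: {why}")
    bad("endtime", lambda v: re.fullmatch(r"\+\d+", v) and int(v) >= 7200,
        "not +NNNNNN or under two hours (seconds assumed)")
    bad("roll_loglevel", lambda v: v.lower() in LOGLEVELS
        or v in map(str, LOGLEVELS.values()), "not a listed level")
    bad("roll_sleeptime", lambda v: v.isdigit() and int(v) >= 60,
        "under one minute (seconds assumed)")
    for flag in ("entropy_msg", "savekeys", "usegui"):
        bad(flag, lambda v: v in ("0", "1"), "must be 0 or 1")
    if conf.get("savekeys") == "1" and not os.path.isdir(conf.get("archivedir", "")):
        errors.append("archivedir: not a directory")
    bad("random", lambda v: os.path.exists(v) and stat.S_ISCHR(os.stat(v).st_mode),
        "not a character device")
    for prog in ("keygen", "viewimage", "zonecheck", "zonesign"):
        bad(prog, lambda v: not v.startswith("/") or (os.path.isfile(v)
            and os.access(v, os.X_OK)), "not a regular executable file")
    if not conf.get("admin-email"):
        errors.append("admin-email: missing or empty")
    return errors

print("\n".join(check_conf(parse_conf(SAMPLE))))
```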

OPTIONS

       -expert
           This option will bypass the following checks:

               - KSK has a longer lifespan than the configuration
                 file's default minimum lifespan

               - KSK has a shorter lifespan than the configuration
                 file's default maximum lifespan

               - ZSKs have a longer lifespan than the configuration
                 file's default minimum lifespan

               - ZSKs have a shorter lifespan than the configuration
                 file's default maximum lifespan

       -quiet
           No output will be given.  The number of errors will be used as the
           exit code.

       -summary
           A final summary of success or failure will be printed.  The number
           of errors will be used as the exit code.

       -verbose
           Success or failure status of each check will be given.  A + or -
           prefix will be given for each valid and invalid entry.  The number
           of errors will be used as the exit code.

       -help
           Display a usage message.

COPYRIGHT

       Copyright 2004-2007 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@users.sourceforge.net

SEE ALSO

       dtdefs(8), dtinitconf(8), rollerd(8), zonesigner(8)

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3)

       dnssec-tools.conf(5)

perl v5.8.8                       2007-09-14                      DTCONFCHK(1)