DTCONFCHK(1)          User Contributed Perl Documentation         DTCONFCHK(1)

NAME
       dtconfchk - Check a DNSSEC-Tools configuration file for sanity

SYNOPSIS
       dtconfchk [options] [config_file]

DESCRIPTION
       dtconfchk checks a DNSSEC-Tools configuration file to determine if the
       entries are valid.  If a configuration file isn't specified, the system
       configuration file will be verified.

       Without any display options, dtconfchk displays error messages for
       problems found, followed by a summary line.  Display options will
       increase or decrease the amount of detail about the configuration
       file's sanity.  In all cases, the exit code is the count of errors
       found in the file.

       The tests are divided into five groups: key-related checks,
       zone-related checks, path checks, rollover checks, and miscellaneous
       checks.  The checks in each of these self-explanatory groups are
       described below.

       The default_keyrec configuration entry is not checked.  This entry
       specifies the default keyrec file name and isn't necessarily expected
       to exist in any particular place.

   Key-related Checks

       The following key-related checks are performed:

       algorithm
               Ensure the algorithm field is valid.  The acceptable values may
               be found in the dnssec-keygen man page.

       ksklength
               Ensure the ksklength field is valid.  The acceptable values may
               be found in the dnssec-keygen man page.

       ksklife Ensure the ksklife field is valid.  The acceptable values may
               be found in the defaults.pm man page.

       zskcount
               Ensure the zskcount field is valid.  The ZSK count must be
               positive.

       zsklength
               Ensure the zsklength field is valid.  The acceptable values may
               be found in the dnssec-keygen man page.

       zsklife Ensure the zsklife field is valid.  The acceptable values may
               be found in the defaults.pm man page.

       random  Ensure the random field is valid.  This file must be a
               character device file.

   Zone-related Checks

       The following zone-related checks are performed:

       endtime Ensure the endtime field is valid.  This value is assumed to be
               in the "+NNNNNN" format.  There is a lower limit of two hours.
               (This is an artificial limit under which it may not make sense
               to have an end-time.)

   Path Checks

       The following path checks are performed:

       keygen  Ensure the keygen field is valid.  If the filename starts with
               a '/', the file must be a regular executable file.

       viewimage
               Ensure the viewimage field is valid.  If the filename starts
               with a '/', the file must be a regular executable file.

       zonecheck
               Ensure the zonecheck field is valid.  If the filename starts
               with a '/', the file must be a regular executable file.

       zonesign
               Ensure the zonesign field is valid.  If the filename starts
               with a '/', the file must be a regular executable file.

   Rollover Daemon Checks

       The following checks are performed for rollerd values:

       roll_logfile
               Ensure that the log file for the rollerd is valid.  If the file
               exists, it must be a regular file.

       roll_loglevel
               Ensure that the logging level for the rollerd is reasonable.
               The log level must be one of the following text or numeric
               values:

                   tmi      1   Overly verbose informational messages.
                   expire   3   A verbose countdown of zone expiration is given.
                   info     4   Informational messages.
                   phase    6   Current state of zone.
                   err      8   Error messages.
                   fatal    9   Fatal errors.

               Specifying a particular log level will cause messages of a
               higher numeric value to also be displayed.

       roll_sleeptime
               Ensure that the rollerd's sleep-time is reasonable.  rollerd's
               sleep-time must be at least one minute.

   Miscellaneous Checks

       The following miscellaneous checks are performed:

       admin-email
               Ensure that the admin-email field is defined and has a value.
               dtconfchk does not try to validate the email address itself.

       archivedir
               Ensure that the archivedir directory is actually a directory.
               This check is only performed if the savekeys flag is set on.

       entropy_msg
               Ensure that the entropy_msg flag is either 0 or 1.

       savekeys
               Ensure that the savekeys flag is either 0 or 1.  If this flag
               is set to 1, then the archivedir field will also be checked.

       usegui  Ensure that the usegui flag is either 0 or 1.

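       Several of the checks described above, mirrored in POSIX sh as an
       added illustration; this is not dtconfchk's own code.  It assumes
       "keyword value" configuration lines and that endtime and
       roll_sleeptime are counted in seconds; the function names and the
       sample file are hypothetical, and treating a missing entry as an
       error is this example's choice.

```shell
# Added illustration, not dtconfchk's code. Assumes "keyword value" lines and
# that endtime and roll_sleeptime are counted in seconds.
conf_get() { awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"; }
is_uint()  { case $1 in ''|*[!0-9]*) return 1 ;; esac; }
bad()      { echo "- $1"; errs=$((errs + 1)); }

check_conf() {  # print one "- ..." line per problem; return the error count
    f=$1; errs=0
    v=$(conf_get "$f" endtime)              # "+NNNNNN", at least two hours
    case $v in
        +*) is_uint "${v#+}" && [ "${v#+}" -ge 7200 ] || bad "endtime $v" ;;
        *)  bad "endtime $v" ;;
    esac
    [ -c "$(conf_get "$f" random)" ] || bad "random is not a character device"
    for k in keygen viewimage zonecheck zonesign; do
        v=$(conf_get "$f" "$k")             # only absolute paths are tested
        case $v in /*) [ -f "$v" ] && [ -x "$v" ] || bad "$k $v" ;; esac
    done
    case $(conf_get "$f" roll_loglevel) in
        tmi|expire|info|phase|err|fatal|1|3|4|6|8|9) ;;
        *) bad "roll_loglevel" ;;
    esac
    v=$(conf_get "$f" roll_sleeptime)       # at least one minute
    is_uint "$v" && [ "$v" -ge 60 ] || bad "roll_sleeptime $v"
    for k in entropy_msg savekeys usegui; do
        case $(conf_get "$f" "$k") in 0|1) ;; *) bad "$k is not 0 or 1" ;; esac
    done
    if [ "$(conf_get "$f" savekeys)" = 1 ]; then    # archivedir needs savekeys
        [ -d "$(conf_get "$f" archivedir)" ] || bad "archivedir"
    fi
    return "$errs"
}

sample_conf() { cat <<'EOF'
endtime        +3600
random         /dev/urandom
zonesign       /nonexistent/zonesigner
roll_loglevel  debug
roll_sleeptime 30
entropy_msg    1
savekeys       1
usegui         yes
archivedir     /nonexistent/archive
EOF
}
conf=$(mktemp) && sample_conf > "$conf"     # constructed sample input
check_conf "$conf" || echo "errors: $?"
rm -f "$conf"
```
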
OPTIONS
       -expert
           This option will bypass the following checks:

               - KSK has a longer lifespan than the configuration
                 file's default minimum lifespan

               - KSK has a shorter lifespan than the configuration
                 file's default maximum lifespan

               - ZSKs have a longer lifespan than the configuration
                 file's default minimum lifespan

               - ZSKs have a shorter lifespan than the configuration
                 file's default maximum lifespan

       -quiet
           No output will be given.  The number of errors will be used as the
           exit code.

       -summary
           A final summary of success or failure will be printed.  The number
           of errors will be used as the exit code.

       -verbose
           Success or failure status of each check will be given.  A + or -
           prefix will be given for each valid and invalid entry.  The number
           of errors will be used as the exit code.

       -help
           Display a usage message.

COPYRIGHT
       Copyright 2004-2007 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the DNSSEC-Tools package for details.

AUTHOR
       Wayne Morrison, tewok@users.sourceforge.net

SEE ALSO
       dtdefs(8), dtinitconf(8), rollerd(8), zonesigner(8)

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3)

       dnssec-tools.conf(5)

perl v5.8.8                       2007-09-14                      DTCONFCHK(1)