DTINITCONF(1)         User Contributed Perl Documentation        DTINITCONF(1)

NAME
       dtinitconf - Creates a DNSSEC-Tools configuration file

SYNOPSIS
       dtinitconf [options]

DESCRIPTION
       The dtinitconf program initializes the DNSSEC-Tools configuration file.
       By default, the actual configuration file will be created, though the
       user may instead specify the file to create. Existing files, whether
       the default or one specified by the user, will not be overwritten
       unless the user specifically directs it.

       Each configuration field can be individually specified on the command
       line. The user will also be prompted for the fields, with default
       values taken from the DNSSEC-Tools defaults.pm module. If the
       -noprompt option is given, then a default configuration file (modulo
       command-line arguments) will be created.

       Configuration entries are created for several BIND programs. Several
       locations on the system are searched to find these programs. First,
       the directories in the PATH environment variable are checked, and the
       names of any directories that contain the BIND programs are saved.
       Next, several common locations for BIND programs are checked, and
       again the names of directories that contain the BIND programs are
       saved. After collecting these directories, the user is presented with
       the list and may choose whichever set is desired. If no directories
       are found that contain the BIND programs, the user is prompted for the
       proper location.
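
       As an added illustration (not dtinitconf's own code), the Python
       sketch below reproduces the BIND-program search just described and the
       "path" rule of the -binddir option. The COMMON_BIND_DIRS list and the
       stub-executable fixture are assumptions made for the example.

```python
import os
import tempfile

# BIND programs the generated configuration refers to (see SEE ALSO).
BIND_PROGRAMS = ("dnssec-keygen", "dnssec-signzone", "named-checkzone", "rndc")
# Common install locations tried after PATH; an assumption for this example,
# not the list dtinitconf itself uses.
COMMON_BIND_DIRS = ("/usr/sbin", "/usr/local/sbin", "/usr/local/bin")


def dir_has_programs(directory, programs=BIND_PROGRAMS):
    """True if every program is present in directory as an executable file."""
    paths = [os.path.join(directory, p) for p in programs]
    return all(os.path.isfile(p) and os.access(p, os.X_OK) for p in paths)


def find_bind_dirs(path_env, common_dirs=COMMON_BIND_DIRS, programs=BIND_PROGRAMS):
    """PATH directories first, then common locations; keep, in search order and
    without duplicates, every directory that holds all the BIND programs."""
    candidates = [d for d in path_env.split(os.pathsep) if d] + list(common_dirs)
    found = []
    for d in candidates:
        d = os.path.abspath(d)
        if d not in found and dir_has_programs(d, programs):
            found.append(d)
    return found        # empty list: dtinitconf would prompt for the location


def resolve_binddir(requested, path_env, common_dirs=COMMON_BIND_DIRS):
    """-binddir rules: the reserved word "path" defers verification to run time,
    an explicit directory must hold the programs now, else the search decides."""
    if requested == "path":
        return "path"
    if requested is not None:
        if not dir_has_programs(requested):
            raise ValueError("BIND programs not found in %s" % requested)
        return os.path.abspath(requested)
    dirs = find_bind_dirs(path_env, common_dirs)
    return dirs[0] if dirs else None     # None means 'ask the user'


def make_fake_bind_dir():
    """Constructed fixture: a temp directory holding stub executables with the
    BIND program names, so the search can be exercised offline."""
    d = tempfile.mkdtemp(prefix="fakebind-")
    for p in BIND_PROGRAMS:
        f = os.path.join(d, p)
        with open(f, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(f, 0o755)
    return d
```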

       If the configuration file's parent directory does not exist, then an
       attempt is made to create the directory. The new directory's ownership
       will be set to root for the owner and dnssec for the group, assuming
       the dnssec group exists. Writability checks for the directory will not
       be performed if the -outfile option is given.

OPTIONS
       dtinitconf takes options that control the contents of the newly
       generated DNSSEC-Tools configuration file. Each configuration file
       entry has a corresponding command-line option. The options, described
       below, are ordered in logical groups.

   Key-related Options
       These options deal with different aspects of creating and managing
       encryption keys.

       -algorithm algorithm
           Selects the cryptographic algorithm. The value of algorithm must be
           one that is recognized by the installed version of dnssec-keygen.

       -kskcount KSK-count
           The default number of KSK keys that will be created for a zone.

       -ksklength keylen
           The default KSK key length to be passed to dnssec-keygen.

       -ksklife lifespan
           The default length of time between KSK rollovers, measured in
           seconds. This value must be within the range of the minlife and
           maxlife values.

           This value is only used for key rollover. Keys do not have a
           lifetime in any other sense.

       -maxlife maxlifespan
           The maximum length of time between key rollovers, measured in
           seconds. The ksklife and zsklife values must not be greater than
           this value.

           This value is only used for key rollover. Keys do not have a
           lifetime in any other sense.

       -minlife minlifespan
           The minimum length of time between key rollovers, measured in
           seconds. The ksklife and zsklife values must not be less than this
           value.

           This value is only used for key rollover. Keys do not have a
           lifetime in any other sense.

       -zskcount ZSK-count
           The default number of ZSK keys that will be created for a zone.

       -zsklength keylen
           The default ZSK key length to be passed to dnssec-keygen.

       -zsklife lifespan
           The default length of time between ZSK rollovers, measured in
           seconds. This value must be within the range of the minlife and
           maxlife values.

           This value is only used for key rollover. Keys do not have a
           lifetime in any other sense.

       -random randomdev
           The random device (random number generator) to be passed to
           dnssec-keygen.

   Zone-related Options
       These options deal with different aspects of zone signing.

       -endtime endtime
           The zone default expiration time to be passed to dnssec-signzone.

   trustman-related Options
       These options deal with different aspects of executing trustman.

       -genroothints roothints
           A new root.hints file will be created at the specified location.
           dtinitconf requires that the file not already exist.

           The root.hints file is retrieved from
           http://www.internic.net/zones/named.root. It is not considered a
           fatal error if dtinitconf is unable to fetch the file. Rather, a
           warning message will be given and creation of the configuration
           file will continue.

       -ta-contact email
           The email address of the trustman administrator.

       -ta-resolvconf resolvconffile
           The location of the resolv.conf file.

       -ta-smtpserver hostname
           The SMTP server for the trustman command.

       -ta-tmpdir directory
           The temporary directory for the trustman command.

   BIND Options
       These options deal specifically with functionality provided by BIND.

       -rndc rndc-path
           rndc-path is the path to BIND's rndc command.

   DNSSEC-Tools Options
       These options deal specifically with functionality provided by
       DNSSEC-Tools.

       -admin email-address
           email-address is the email address of the DNSSEC-Tools
           administrator. This is the default address used by the
           dt_adminmail() routine.

       -archivedir directory
           directory is the archived-key directory. Old encryption keys are
           moved to this directory, but only if they are to be saved and not
           deleted.

       -binddir directory
           directory is the directory holding the BIND programs. If the
           reserved word "path" is specified, then the existence of the BIND
           programs is not verified when dtinitconf is executed. Rather, the
           user's PATH directories will be searched for the BIND programs when
           the DNSSEC-Tools are executed.

       -dtdir directory
           directory is the directory holding the DNSSEC-Tools programs. If
           the reserved word "path" is specified, then the existence of the
           DNSSEC-Tools programs is not verified when dtinitconf is executed.
           Rather, the user's PATH directories will be searched for the
           DNSSEC-Tools programs when those tools are executed.

       -entropy_msg
           A flag indicating that zonesigner should display a message about
           entropy generation. Whether this is needed depends primarily on
           the implementation of a system's random number generation.

       -mailer-server host
           The mail server that will be contacted by dt_adminmail(). This is
           passed to Mail::Send.

       -mailer-type mailtype
           The mail type that will be used by dt_adminmail(). This is passed
           to Mail::Mailer (by way of Mail::Send). Any value recognized by
           Mail::Mailer may be used here.

       -noentropy_msg
           A flag indicating that zonesigner should not display a message
           about entropy generation. Whether this is needed depends primarily
           on the implementation of a system's random number generation.

       -roll-loadzone
       -no-roll-loadzone
           Flags indicating whether or not rollerd should have the DNS daemon
           load zones.

       -roll-logfile logfile
           logfile is the logfile for the rollerd daemon.

       -roll-loglevel loglevel
           loglevel is the logging level for the rollerd daemon.

       -roll-phasemsg length
           length is the default length of phase-related log messages used by
           rollerd. The valid lengths are "long" and "short", with "long"
           being the default value.

           The long message length means that a phase description will be
           included with some log messages. For example, the long form of a
           message about ZSK rollover phase 3 will look like this: "ZSK phase
           3 (Waiting for old zone data to expire from caches)".

           The short message length means that a phase description will not be
           included with some log messages. For example, the short form of a
           message about ZSK rollover phase 3 will look like this: "ZSK phase
           3".

       -roll-sleeptime sleep-time
           sleep-time is the sleep time for the rollerd daemon.

       -roll-username username
           username is the user as which the rollerd daemon will be executed.
           If this is a username, it must correspond to a valid uid; if it is
           a uid, it must correspond to a valid username.

       -roll-logtz logtz
           logtz is the timezone of the message timestamps in rollerd's
           logfile.

       -zoneerrs error-count
           error-count is the maximum error count for zones used by the
           rollerd daemon.

       -savekeys
           A flag indicating that old keys should be moved to the archive
           directory.

       -nosavekeys
           A flag indicating that old keys should not be moved to the archive
           directory but will instead be left in place.

       -usegui
           A flag indicating that the GUI for specifying command options may
           be used.

       -nousegui
           A flag indicating that the GUI for specifying command options
           should not be used.

   dtinitconf Options
       These options deal specifically with dtinitconf.

       -outfile conffile
           The configuration file will be written to conffile. If this is not
           given, then the default configuration file (as returned by
           Net::DNS::SEC::Tools::conf::getconffile()) will be used.

           If conffile is given as -, then the new configuration file will be
           written to the standard output.

           conffile must be writable.

       -overwrite
           If -overwrite is specified, existing output files may be
           overwritten. Without -overwrite, if the output file is found to
           exist then dtinitconf will give an error message and exit.

       -noprompt
           If -noprompt is specified, the user will not be prompted for any
           input. The configuration file will be created from command-line
           options and DNSSEC-Tools defaults. Guesses will be made for the
           BIND paths, based on the PATH environment variable.

           WARNING: After using the -noprompt option, the configuration file
           must be checked to ensure that the defaults are appropriate and
           acceptable for the installation.

       -template
           If -template is specified, a default configuration file is created.
           However, all entries are commented out.

           The only command line options that may be used in conjunction with
           -template are -outfile and -overwrite.

       -edit
           If -edit is specified, the output file will be edited after it has
           been created. The EDITOR environment variable is consulted for the
           editor to use. If the EDITOR environment variable isn't defined,
           then the vi editor will be used.

       -verbose
           Provide verbose output.

       -Version
           Displays the version information for dtinitconf and the
           DNSSEC-Tools package.

       -help
           Display a usage message and exit.
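
       The lifetime constraints under Key-related Options and the -noprompt
       WARNING both amount to checking the generated file. The Python example
       below is added here (it is not part of dtinitconf or DNSSEC-Tools): it
       parses a constructed sample file and reports every constraint it finds
       violated. The "keyword value" file syntax and the keyword names, taken
       from the option names above, are assumptions; dnssec-tools.conf(5)
       documents the real keywords.

```python
# Constructed sample, not a real dnssec-tools.conf; keyword names are assumed
# to follow the dtinitconf(1) option names (see dnssec-tools.conf(5) for the real ones).
SAMPLE_CONF = """\
# dnssec-tools.conf written by dtinitconf -noprompt  (constructed sample)
kskcount     1
ksklength    2048
zskcount     1
zsklength    1024
minlife      3600        # one hour
maxlife      94608000    # three years
ksklife      31536000    # one year
zsklife      7776000     # ninety days
savekeys     1
archivedir   /usr/local/etc/dnssec-tools/KEY-SAVE
"""


def parse_conf(text):
    """Parse 'keyword value' lines; '#' starts a comment, blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return conf


def check_conf(conf):
    """Return the dtinitconf(1) constraints that conf violates (empty list = OK)."""
    problems = []

    def num(key):
        try:
            return int(conf[key])
        except (KeyError, ValueError):
            problems.append("%s is missing or not an integer" % key)
            return None

    minlife, maxlife = num("minlife"), num("maxlife")
    if minlife is not None and maxlife is not None and minlife > maxlife:
        problems.append("minlife %d exceeds maxlife %d" % (minlife, maxlife))
    for key in ("ksklife", "zsklife"):          # must lie within [minlife, maxlife]
        life = num(key)
        if life is not None and minlife is not None and life < minlife:
            problems.append("%s %d is below minlife %d" % (key, life, minlife))
        if life is not None and maxlife is not None and life > maxlife:
            problems.append("%s %d is above maxlife %d" % (key, life, maxlife))
    for key in ("kskcount", "zskcount"):        # at least one key of each kind
        count = num(key)
        if count is not None and count < 1:
            problems.append("%s must be at least 1, got %d" % (key, count))
    if conf.get("savekeys") == "1" and not conf.get("archivedir"):
        problems.append("savekeys is set but archivedir is empty")
    return problems
```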

COPYRIGHT
       Copyright 2006-2011 SPARTA, Inc. All rights reserved. See the COPYING
       file included with the DNSSEC-Tools package for details.

AUTHOR
       Wayne Morrison, tewok@users.sourceforge.net

SEE ALSO
       dnssec-keygen(8), dnssec-signzone(8), named-checkzone(8), keyarch(8),
       rollchk(8), rollerd(8), zonesigner(8)

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3),
       Net::DNS::SEC::Tools::dnssectools.pm(3),
       Net::DNS::SEC::Tools::tooloptions.pm(3), QWizard.pm(3)

       dnssec-tools.conf(5)

perl v5.12.4                      2011-10-12                     DTINITCONF(1)