DTCONFCHK(1)          User Contributed Perl Documentation         DTCONFCHK(1)

NAME

       dtconfchk - Check a DNSSEC-Tools configuration file for sanity

SYNOPSIS

         dtconfchk [options] [config_file]

DESCRIPTION

       dtconfchk checks a DNSSEC-Tools configuration file to determine if the
       entries are valid.  If a configuration file isn't specified, the system
       configuration file will be verified.

       Without any display options, dtconfchk displays error messages for
       problems found, followed by a summary line.  Display options will
       increase or decrease the amount of detail about the configuration
       file's sanity.  In all cases, the exit code is the count of errors
       found in the file.

       The tests are divided into five groups:  key-related checks,
       zone-related checks, path checks, rollover checks, and miscellaneous
       checks.  The checks in each of these self-explanatory groups are
       described below.

       The default_keyrec configuration entry is not checked.  This entry
       specifies the default keyrec file name and isn't necessarily expected
       to exist in any particular place.

   Boolean Values
       The DNSSEC-Tools configuration file has a number of fields that are
       expected to hold boolean values.  The recognized values for booleans
       are as follows:

           true values  - 1, true,  t, yes, y
           false values - 0, false, f, no,  n

       Positive values greater than 1 are recognized as true values, but it
       probably would be best to use 1.

       Text values that aren't in the set above are not valid and will
       translate to false values.

   Key-related Checks
       The following key-related checks are performed:

       algorithm
               Ensure the algorithm field is valid.  The acceptable values may
               be found in the dnssec-keygen man page.

       ksklength
               Ensure the ksklength field is valid.  The acceptable values may
               be found in the dnssec-keygen man page.  This may also be
               specified as ksklen.

       ksklife Ensure the ksklife field is valid.  The acceptable values may
               be found in the defaults.pm man page.

       zskcount
               Ensure the zskcount field is valid.  The ZSK count must be
               positive.

       zsklength
               Ensure the zsklength field is valid.  The acceptable values may
               be found in the dnssec-keygen man page.  This may also be
               specified as zsklen.

       zsklife Ensure the zsklife field is valid.  The acceptable values may
               be found in the defaults.pm man page.

       random  Ensure the random field is valid.  This file must be a
               character device file.

   Zone-related Checks
       The following zone-related checks are performed:

       endtime Ensure the endtime field is valid.  This value is assumed to be
               in the "+NNNNNN" format.  There is a lower limit of two hours.
               (This is an artificial limit under which it may not make sense
               to have an end-time.)

   Path Checks
       Path checks are performed for several DNSSEC-Tools commands, several
       BIND commands, and a few miscellaneous files.

       The following path checks are performed for DNSSEC-Tools commands:

       genkrf  Ensure the genkrf field is valid.  If the filename starts with
               a '/', the file must be a regular executable file.

       keyarch Ensure the keyarch field is valid.  If the filename starts with
               a '/', the file must be a regular executable file.

       rollchk Ensure the rollchk field is valid.  If the filename starts with
               a '/', the file must be a regular executable file.

       rollctl Ensure the rollctl field is valid.  If the filename starts with
               a '/', the file must be a regular executable file.

       zonesigner
               Ensure the zonesigner field is valid.  If the filename starts
               with a '/', the file must be a regular executable file.

       The following path checks are performed for BIND tools:

       keygen  Ensure the keygen field is valid.  If the filename starts with
               a '/', the file must be a regular executable file.

       rndc    Ensure the rndc field is valid.  If the filename starts with a
               '/', the file must be a regular executable file.

       zonecheck
               Ensure the zonecheck field is valid.  If the filename starts
               with a '/', the file must be a regular executable file.

       zonesign
               Ensure the zonesign field is valid.  If the filename starts
               with a '/', the file must be a regular executable file.

       The following path checks are performed for miscellaneous files and
       directories:

       random  Ensure the random field is valid.  The file must be a character
               device file.

       roll_logfile
               Ensure the roll_logfile field is a regular file.

       taresolvconf
               Ensure the taresolvconf field is a regular file.

       tatmpdir
               Ensure the tatmpdir field is a directory.

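       The path checks above, as an added Python example (not dtconfchk's
       own code).  Tool fields are only tested when the value starts with
       '/', so a bare command name is reported as 'unchecked'.  Accepting a
       roll_logfile that does not exist yet follows the rollerd description
       on this page; the result strings are this example's own.

```python
import os
import stat

# Added illustration, not dtconfchk's code.  Field names come from the page.
TOOLS = ("genkrf", "keyarch", "rollchk", "rollctl", "zonesigner",
         "keygen", "rndc", "zonecheck", "zonesign")
FILE_TYPES = {"random": stat.S_ISCHR, "roll_logfile": stat.S_ISREG,
              "taresolvconf": stat.S_ISREG, "tatmpdir": stat.S_ISDIR}

def check_path(field, path):
    """Return 'ok', 'fail' or 'unchecked' for one path-valued field."""
    if field in TOOLS and not path.startswith("/"):
        return "unchecked"            # bare name: no file test is applied
    try:
        mode = os.stat(path).st_mode  # follows symbolic links
    except OSError:
        # A log file that has not been created yet is acceptable.
        return "ok" if field == "roll_logfile" else "fail"
    if field in TOOLS:
        good = stat.S_ISREG(mode) and os.access(path, os.X_OK)
    else:
        good = FILE_TYPES[field](mode)
    return "ok" if good else "fail"

def check_paths(conf):
    """Map each known path field in conf (a dict) to its check result."""
    return {f: check_path(f, p) for f, p in conf.items()
            if f in TOOLS or f in FILE_TYPES}
```

       Fields reported as 'unchecked' are the ones to review by hand, since
       the file that ends up being executed is decided when the command is
       run rather than by this check.
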
   Rollover Daemon Checks
       The following checks are performed for rollerd values:

       roll_loadzone
               Ensure that the roll_loadzone flag is a valid boolean.

       roll_logfile
               Ensure that the log file for the rollerd is valid.  If the file
               exists, it must be a regular file.

       roll_loglevel
               Ensure that the logging level for the rollerd is reasonable.
               The log level must be one of the following text or numeric
               values:

                   tmi        1       Overly verbose informational messages.
                   expire     3       A verbose countdown of zone expiration is given.
                   info       4       Informational messages.
                   phase      6       Current state of zone.
                   err        8       Error messages.
                   fatal      9       Fatal errors.

               Specifying a particular log level will cause messages of a
               higher numeric value to also be displayed.

       roll_sleeptime
               Ensure that the rollerd's sleep-time is reasonable.  rollerd's
               sleep-time must be at least one minute.

       roll_username
               Ensure that the username for rollerd is valid.  If it's a
               username, it must be translatable to a uid; if it's a uid, it
               must translate to a known username.

       log_tz  Ensure the log_tz field is either 'gmt' or 'local'.

       zone_errors
               Ensure that the zone error count is numeric and 0 or greater.

   NSEC3 Checks
       The following checks are performed for NSEC3-related values:

       nsec3iter
               Ensure that the nsec3iter iteration count falls within the
               range used by dnssec-signzone.  The current values are from 1 -
               65535.

       nsec3optout
               Ensure that the nsec3optout flag is a valid boolean.

       usensec3
               Ensure that the usensec3 flag is a valid boolean.

   Miscellaneous Checks
       The following miscellaneous checks are performed:

       admin-email
               Ensure that the admin-email field is defined and has a value.
               dtconfchk does not try to validate the email address itself.

       archivedir
               Ensure that the archivedir directory is actually a directory.
               This check is only performed if the savekeys flag is set on.

       entropy_msg
               Ensure that the entropy_msg flag is a valid boolean.

       savekeys
               Ensure that the savekeys flag is a valid boolean.  If this flag
               is set to 1, then the archivedir field will also be checked.

       usegui  Ensure that the usegui flag is a valid boolean.

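       The boolean rule and several of the value checks above, as an added
       Python example; this is not dtconfchk's own code.  It shows how a
       mistyped boolean is flagged instead of silently reading as false.
       Assumptions: whitespace-separated "keyword value" lines, '#' and ';'
       comment markers, case-insensitive boolean words, and seconds as the
       unit for endtime and roll_sleeptime.  SAMPLE is constructed.

```python
import re
# Added illustration, not dtconfchk's code.  Assumptions: "keyword value" lines,
# '#'/';' comments, case-insensitive booleans, seconds for endtime/roll_sleeptime.
TRUE_WORDS, FALSE_WORDS = {"true", "t", "yes", "y"}, {"false", "f", "no", "n"}
LOG_LEVELS = {"tmi": 1, "expire": 3, "info": 4, "phase": 6, "err": 8, "fatal": 9}

def parse_boolean(text):
    """Return (valid, value); invalid text is flagged and reads as False."""
    word = text.strip().lower()
    if re.fullmatch(r"[0-9]+", word):
        return True, int(word) > 0          # 0 is false, 1 and above are true
    if word in TRUE_WORDS or word in FALSE_WORDS:
        return True, word in TRUE_WORDS
    return False, False                     # e.g. a typo such as "ture"

def in_range(text, low, high=float("inf")):
    """True if text is a decimal integer with low <= value <= high."""
    return bool(re.fullmatch(r"[0-9]+", text)) and low <= int(text) <= high

CHECKS = {
    "nsec3iter": lambda v: in_range(v, 1, 65535),
    "zone_errors": lambda v: in_range(v, 0),
    "roll_sleeptime": lambda v: in_range(v, 60),
    "endtime": lambda v: v.startswith("+") and in_range(v[1:], 2 * 3600),
    "log_tz": lambda v: v in ("gmt", "local"),
    "roll_loglevel": lambda v: v in LOG_LEVELS or v in map(str, LOG_LEVELS.values()),
}
BOOLEANS = "roll_loadzone nsec3optout usensec3 entropy_msg savekeys usegui"
CHECKS.update({f: lambda v: parse_boolean(v)[0] for f in BOOLEANS.split()})

def check_config(text):
    """Return the sorted names of failing fields; the count mirrors the exit code."""
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and parts[0][0] not in "#;":
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    errors = [k for k, v in conf.items() if k in CHECKS and not CHECKS[k](v)]
    if not conf.get("admin-email"):
        errors.append("admin-email")        # must be defined and non-empty
    return sorted(errors)

SAMPLE = """# constructed sample
admin-email hostmaster@example.com
usensec3 ture
savekeys 2
nsec3iter 0
endtime +3600
log_tz utc
"""
```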

OPTIONS

       -expert
           This option will bypass the following checks:

               - KSK has a longer lifespan than the configuration
                 file's default minimum lifespan

               - KSK has a shorter lifespan than the configuration
                 file's default maximum lifespan

               - ZSKs have a longer lifespan than the configuration
                 file's default minimum lifespan

               - ZSKs have a shorter lifespan than the configuration
                 file's default maximum lifespan

       -quiet
           No output will be given.  The number of errors will be used as the
           exit code.

       -summary
           A final summary of success or failure will be printed.  The number
           of errors will be used as the exit code.

       -verbose
           Success or failure status of each check will be given.  A + or -
           prefix will be given for each valid and invalid entry.  The number
           of errors will be used as the exit code.

       -Version
           Displays the version information for dtconfchk and the DNSSEC-Tools
           package.

       -help
           Display a usage message.

COPYRIGHT

       Copyright 2004-2011 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@users.sourceforge.net

SEE ALSO

       dtdefs(8), dtinitconf(8), rollerd(8), zonesigner(8)

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3)

       dnssec-tools.conf(5)

perl v5.12.4                      2011-10-12                      DTCONFCHK(1)