DTCONFCHK(1)          User Contributed Perl Documentation         DTCONFCHK(1)



NAME

       dtconfchk - Check a DNSSEC-Tools configuration file for sanity


SYNOPSIS

         dtconfchk [options] [config_file]


DESCRIPTION

       dtconfchk checks a DNSSEC-Tools configuration file to determine if the
       entries are valid.  If a configuration file isn't specified, the system
       configuration file will be verified.

       Without any display options, dtconfchk displays error messages for
       problems found, followed by a summary line.  Display options will
       increase or decrease the amount of detail about the configuration
       file's sanity.  In all cases, the exit code is the count of errors
       found in the file, so a zero exit status means no errors were found.

       The tests are divided into groups:  key-related checks, zone-related
       checks, path checks, rollover daemon checks, NSEC3 checks, and
       miscellaneous checks.  The checks in each of these groups are
       described below.

       The default_keyrec configuration entry is not checked.  This entry
       specifies the default keyrec file name and isn't necessarily expected
       to exist in any particular place.

   Boolean Values
       The DNSSEC-Tools configuration file has a number of fields that are
       expected to hold boolean values.  The recognized values for booleans
       are as follows:

           true values  - 1, true,  t, yes, y
           false values - 0, false, f, no,  n

       Positive values greater than 1 are recognized as true values, but it
       probably would be best to use 1.

       Text values that aren't in the set above are not valid and will
       translate to false values, so a misspelled true value silently turns
       the option off; dtconfchk reports such values as errors.

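       The boolean rules above, applied to the boolean fields named later in
       this page, as an added example written for this page (it is not
       dtconfchk's or DNSSEC-Tools' own code).  It assumes the configuration
       file is laid out as whitespace-separated "key value" lines with '#'
       starting a comment, that matching of the listed words is exact, and
       the sample configuration is constructed.

```python
# Recognized boolean spellings, exactly as the man page lists them.
TRUE_VALUES = {"1", "true", "t", "yes", "y"}
FALSE_VALUES = {"0", "false", "f", "no", "n"}

# Configuration fields this man page says must hold booleans.
BOOLEAN_FIELDS = ("autosign", "roll_loadzone", "nsec3optout", "usensec3",
                  "entropy_msg", "savekeys", "usegui")


def parse_bool(value):
    """Return (is_valid, truth) under the documented rules: the listed words
    are valid; a positive integer above 1 is valid and true; anything else
    is invalid and is read as false.  Matching is exact (assumption: the
    tools do not fold case)."""
    v = value.strip()
    if v in TRUE_VALUES:
        return True, True
    if v in FALSE_VALUES:
        return True, False
    if v.isdigit() and int(v) > 1:
        return True, True
    return False, False


def parse_conf(text):
    """Parse 'key value' lines separated by whitespace, with '#' starting a
    comment (the assumed layout of dnssec-tools.conf).  Later keys win."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_booleans(conf):
    """Return 'field value' entries for boolean fields whose value is not a
    recognized boolean; the tools would silently treat these as false."""
    return [f"{field} {conf[field]!r}" for field in BOOLEAN_FIELDS
            if field in conf and not parse_bool(conf[field])[0]]


# Constructed sample configuration, not a real dnssec-tools.conf.
SAMPLE_CONF = """\
autosign      1
roll_loadzone yes
savekeys      yse     # typo: reads as false, so keys would not be archived
usensec3      true
entropy_msg   2       # >1 is accepted as true, though 1 is preferred
usegui        off     # not a recognized spelling
"""

if __name__ == "__main__":
    for problem in check_booleans(parse_conf(SAMPLE_CONF)):
        print("invalid boolean:", problem)
```

       Run on the sample, the check flags savekeys and usegui; the savekeys
       case is the one worth noticing, since a silently false value means
       keys are not archived even though the operator intended otherwise.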
44
   Key-related Checks
       The following key-related checks are performed:

       algorithm
               Ensure the algorithm field is valid.  The acceptable values may
               be found in the dnssec-keygen man page.

       ksklength
               Ensure the ksklength field is valid.  The acceptable values may
               be found in the dnssec-keygen man page.  This may also be
               specified as ksklen.

       ksklife Ensure the ksklife field is valid.  The acceptable values may
               be found in the defaults.pm man page.

       zskcount
               Ensure the zskcount field is valid.  The ZSK count must be
               positive.

       zsklength
               Ensure the zsklength field is valid.  The acceptable values may
               be found in the dnssec-keygen man page.  This may also be
               specified as zsklen.

       zsklife Ensure the zsklife field is valid.  The acceptable values may
               be found in the defaults.pm man page.

       random  Ensure the random field is valid.  This file must be a
               character device file.

   Zone-related Checks
       The following zone-related checks are performed:

       endtime Ensure the endtime field is valid.  This value is assumed to be
               in the "+NNNNNN" format, an offset in seconds from signing
               time as accepted by dnssec-signzone.  There is a lower limit
               of two hours.  (This is an artificial limit under which it
               may not make sense to have an end-time.)

   Path Checks
       Path checks are performed for several DNSSEC-Tools commands, several
       BIND commands, and a few miscellaneous files.

       The following path checks are performed for DNSSEC-Tools commands:

       genkrf  Ensure the genkrf field is valid.  If the filename starts with
               a '/', the file must be a regular executable file.

       keyarch Ensure the keyarch field is valid.  If the filename starts with
               a '/', the file must be a regular executable file.

       rollchk Ensure the rollchk field is valid.  If the filename starts with
               a '/', the file must be a regular executable file.

       rollctl Ensure the rollctl field is valid.  If the filename starts with
               a '/', the file must be a regular executable file.

       zonesigner
               Ensure the zonesigner field is valid.  If the filename starts
               with a '/', the file must be a regular executable file.

       The following path checks are performed for BIND tools:

       keygen  Ensure the keygen field is valid.  If the filename starts with
               a '/', the file must be a regular executable file.

       rndc    Ensure the rndc field is valid.  If the filename starts with a
               '/', the file must be a regular executable file.

       zonecheck
               Ensure the zonecheck field is valid.  If the filename starts
               with a '/', the file must be a regular executable file.

       zonesign
               Ensure the zonesign field is valid.  If the filename starts
               with a '/', the file must be a regular executable file.

       The following path checks are performed for miscellaneous files and
       directories:

       random  Ensure the random field is valid.  The file must be a character
               device file.

       roll_logfile
               Ensure the roll_logfile field is a regular file.

       taresolvconf
               Ensure the taresolvconf field is a regular file.

       tatmpdir
               Ensure the tatmpdir field is a directory.

   Rollover Daemon Checks
       The following checks are performed for rollerd values:

       autosign
               Ensure that the autosign flag is a valid boolean.

       log_tz  Ensure the log_tz field is either 'gmt' or 'local'.

       prog_normal
       prog_ksk1 ... prog_ksk7
       prog_zsk1 ... prog_zsk4
               Ensure that the rollover phase commands are valid paths.  Each
               of these fields is a semicolon-separated command list.  The
               file checks are run on the commands to ensure the commands
               exist and are executable.  Options and arguments to the
               commands are ignored, as is the default keyword.

       roll_loadzone
               Ensure that the roll_loadzone flag is a valid boolean.

       roll_logfile
               Ensure that the log file for the rollerd is valid.  If the file
               exists, it must be a regular file.

       roll_loglevel
               Ensure that the logging level for the rollerd is reasonable.
               The log level must be one of the following text or numeric
               values:

                   tmi        1       Overly verbose informational messages.
                   expire     3       A verbose countdown of zone expiration is given.
                   info       4       Informational messages.
                   phase      6       Current state of zone.
                   err        8       Error messages.
                   fatal      9       Fatal errors.

               Specifying a particular log level causes messages of a higher
               numeric value to also be displayed.

       roll_sleeptime
               Ensure that the rollerd's sleep-time is reasonable.  rollerd's
               sleep-time must be at least one minute.

       roll_username
               Ensure that the username for rollerd is valid.  If it's a
               username, it must be translatable to a uid; if it's a uid, it
               must translate to a known username.

       zone_errors
               Ensure that the zone error count is numeric and 0 or greater.

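       The rollover daemon rules above, together with the endtime rule from
       the zone-related checks and the file check used by the path checks,
       as an added example written for this page (not dtconfchk's own code).
       Assumptions: only the six documented log levels are accepted, only
       command names starting with '/' are file-checked (as for the other
       path checks), and the values fed in are constructed.

```python
import os
import pwd
import re
import stat

# rollerd log levels as listed in the man page: name -> numeric value.
LOG_LEVELS = {"tmi": 1, "expire": 3, "info": 4, "phase": 6, "err": 8, "fatal": 9}
MIN_SLEEPTIME = 60            # rollerd's sleep-time must be at least one minute
MIN_ENDTIME = 2 * 60 * 60     # dtconfchk's lower limit on endtime, in seconds


def check_loglevel(value):
    """Return the numeric log level for a documented text or numeric level,
    or None if the value is not one of them.  Assumption: only the six
    documented levels are accepted."""
    v = value.strip()
    if v in LOG_LEVELS:
        return LOG_LEVELS[v]
    if v.isdigit() and int(v) in LOG_LEVELS.values():
        return int(v)
    return None


def check_sleeptime(value):
    """roll_sleeptime must be a whole number of seconds, one minute or more."""
    v = value.strip()
    return v.isdigit() and int(v) >= MIN_SLEEPTIME


def check_endtime(value):
    """endtime must be in the '+NNNNNN' form and be at least two hours."""
    m = re.fullmatch(r"\+(\d+)", value.strip())
    return m is not None and int(m.group(1)) >= MIN_ENDTIME


def check_log_tz(value):
    """log_tz must be exactly 'gmt' or 'local'."""
    return value.strip() in ("gmt", "local")


def is_regular_executable(path):
    """The file check applied to command paths: a regular file that the
    caller may execute."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and os.access(path, os.X_OK)


def bad_prog_commands(value):
    """Apply the prog_* rule: split the field on ';', keep only the command
    word of each entry (options and arguments are ignored), skip the
    'default' keyword, and return the commands that fail the file check.
    Assumption: as with the other path checks, only names starting with
    '/' are checked."""
    bad = []
    for entry in value.split(";"):
        words = entry.split()
        if not words or words[0] == "default":
            continue
        cmd = words[0]
        if cmd.startswith("/") and not is_regular_executable(cmd):
            bad.append(cmd)
    return bad


def check_username(value):
    """roll_username: a name must translate to a uid and a numeric uid to a
    known name."""
    v = value.strip()
    try:
        if v.isdigit():
            pwd.getpwuid(int(v))
        else:
            pwd.getpwnam(v)
    except KeyError:
        return False
    return True


if __name__ == "__main__":
    # Constructed values, not taken from a real configuration file.
    print(check_loglevel("phase"), check_loglevel("debug"))
    print(check_endtime("+604800"), check_endtime("+3600"))
    print(bad_prog_commands("default ; /bin/sh -c true ; /nonexistent/zonesigner -v"))
```

       The prog_* parsing is the part most worth checking by hand: because
       only the first word of each semicolon-separated entry is examined, a
       wrong option or argument to a phase command passes dtconfchk and only
       fails when rollerd actually reaches that phase.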
   NSEC3 Checks
       The following checks are performed for NSEC3-related values:

       nsec3iter
               Ensure that the nsec3iter iteration count falls within the
               range used by dnssec-signzone.  The current values are from 1 -
               65535.

       nsec3optout
               Ensure that the nsec3optout flag is a valid boolean.

       usensec3
               Ensure that the usensec3 flag is a valid boolean.

   Miscellaneous Checks
       The following miscellaneous checks are performed:

       admin-email
               Ensure that the admin-email field is defined and has a value.
               dtconfchk does not try to validate the email address itself.

       archivedir
               Ensure that the archivedir directory is actually a directory.
               This check is only performed if the savekeys flag is set on.

       entropy_msg
               Ensure that the entropy_msg flag is a valid boolean.

       savekeys
               Ensure that the savekeys flag is a valid boolean.  If this flag
               is set to 1, then the archivedir field will also be checked.

       usegui  Ensure that the usegui flag is a valid boolean.

       zonefile-parser
               Ensure that the zonefile-parser flag is a valid Perl module.
               This is checked by using the Perl "require" facility to load
               the specified module.


OPTIONS

       -expert
           This option will bypass the following checks:

               - KSK has a longer lifespan than the configuration
                 file's default minimum lifespan

               - KSK has a shorter lifespan than the configuration
                 file's default maximum lifespan

               - ZSKs have a longer lifespan than the configuration
                 file's default minimum lifespan

               - ZSKs have a shorter lifespan than the configuration
                 file's default maximum lifespan

       -quiet
           No output will be given.  The number of errors will be used as the
           exit code.

       -summary
           A final summary of success or failure will be printed.  The number
           of errors will be used as the exit code.

       -verbose
           Success or failure status of each check will be given.  A + or -
           prefix will be given for each valid and invalid entry.  The number
           of errors will be used as the exit code.

       -Version
           Displays the version information for dtconfchk and the DNSSEC-Tools
           package.

       -help
           Display a usage message.

COPYRIGHT

       Copyright 2004-2014 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the DNSSEC-Tools package for details.


AUTHOR

       Wayne Morrison, tewok@tislabs.com


SEE ALSO

       dtdefs(8), dtinitconf(8), rollerd(8), zonesigner(8)

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3)

       dnssec-tools.conf(5)



perl v5.36.0                      2022-07-21                      DTCONFCHK(1)