TRUSTMAN(1)           User Contributed Perl Documentation          TRUSTMAN(1)


NAME

       trustman - Manage keys used as trust anchors


SYNOPSIS

       trustman [options]


DESCRIPTION

       trustman manages keys used by DNSSEC as trust anchors in compliance
       with RFC5011.  It may be used as a daemon for ongoing key verification
       or manually for initialization and one-time key verification.

       By default, trustman runs as a daemon to ensure that keys stored
       locally in configuration files still match the same keys fetched from
       the zone where they are defined.  In addition, these checks can be run
       once manually (-S) and in the foreground (-f).

       Whenever a check detects key mismatches, trustman performs the
       following operations:

           - sets an add hold-down timer for new keys;
           - sets a remove hold-down timer for missing keys;
           - removes revoked keys from the configuration file.

       On subsequent runs, the timers are checked.  If the timers have
       expired, keys are added to or removed from the configuration file, as
       appropriate.
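
       As an added illustration (not code from trustman or DNSSEC-Tools, which
       are written in Perl), the following Python sketch models the hold-down
       logic described above: one check starts timers for new and missing
       keys and drops revoked keys at once, and a later run applies the timers
       that have expired.  The key tags, the persisted state layout and the
       timer-cancellation rule are constructed for this example.

```python
HOLD_TIME = 30 * 24 * 3600  # default hold-down timer (30 days), as -hold_time

def reconcile(local, fetched, state, now, hold_time=HOLD_TIME):
    """One mismatch check between locally configured trust anchors and the
    keys fetched from the zone.
    local:   set of key tags currently in the configuration file
    fetched: {tag: revoked} for the keys found in the zone
    state:   persisted timers {"add": {tag: t_seen}, "remove": {tag: t_gone}}
    Returns (new local set, new state, list of (action, tag))."""
    local = set(local)
    actions = []
    # Revoked keys are removed from the configuration immediately.
    for tag, revoked in fetched.items():
        if revoked and tag in local:
            local.discard(tag)
            actions.append(("revoked", tag))
    # New keys in the zone start an add hold-down timer; keys missing from
    # the zone start a remove hold-down timer.  A timer whose condition no
    # longer holds is dropped (RFC 5011 behaviour, assumed for this sketch).
    new = {t for t, revoked in fetched.items() if not revoked and t not in local}
    missing = {t for t in local if t not in fetched}
    add = {t: state.get("add", {}).get(t, now) for t in new}
    remove = {t: state.get("remove", {}).get(t, now) for t in missing}
    # On subsequent runs, expired timers become configuration changes.
    for tag in [t for t, t0 in add.items() if now - t0 >= hold_time]:
        local.add(tag)
        del add[tag]
        actions.append(("added", tag))
    for tag in [t for t, t0 in remove.items() if now - t0 >= hold_time]:
        local.discard(tag)
        del remove[tag]
        actions.append(("removed", tag))
    return local, {"add": add, "remove": remove}, actions

if __name__ == "__main__":
    # Constructed sample: tag 1111 is configured and in the zone, 2222 is new
    # in the zone, 3333 is configured but no longer published.
    local = {1111, 3333}
    zone = {1111: False, 2222: False}
    local, state, acts = reconcile(local, zone, {}, now=0)
    print(acts, state)          # [] {'add': {2222: 0}, 'remove': {3333: 0}}
    local, state, acts = reconcile(local, zone, state, now=HOLD_TIME)
    print(acts, sorted(local))  # [('added', 2222), ('removed', 3333)] [1111, 2222]
```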

       named.conf and dnsval.conf are the usual configuration files.  These
       files must be specified in the DNSSEC-Tools configuration file or in
       command line options.


OPTIONS

       trustman takes a number of options, each of which is described in this
       section.  Each option name may be shortened to the minimum number of
       unique characters, but some options also have an alias (as noted.)  The
       single-letter form of each option is denoted in parentheses, e.g.:
       -anchor_data_file (-a).

       -anchor_data_file file (-a)
           A persistent data file for storing new keys waiting to be added.

       -config file (-c)
           Create a configuration file for trustman from the command line
           options given.  The existing DNSSEC-Tools configuration file is
           copied to the specified configuration file, and new configuration
           entries are appended corresponding to the command line options.
           trustman-specific entries already in the existing configuration
           file will be replaced with new entries from the command line.  This
           will allow fewer command line options to be specified in the
           future.

       -dnsval_conf_file /path/to/dnsval.conf (-k)
           A dnsval.conf file to read, and possibly be updated.

       -dtconfig config_file (-d)
           Name of an alternate DNSSEC-Tools configuration file to be
           processed.  If specified, this configuration file is used in place
           of the normal DNSSEC-Tools configuration file, not in addition to
           it.  Also, it will be handled prior to keyrec files, rollrec files,
           and command-line options.

       -foreground (-f)
           Run in the foreground.  trustman will still run in a loop.  To run
           once, use the -single_run option instead.

       -hold_time seconds (-w)
           The value of the hold-down timer.  This is the number of seconds
           from the time that a new key is found.  Generally, the default and
           recommended value of 30 days should be used.

       -mail_contact_addr email_address (-m)
           Mail address for the contact person to whom reports should be sent.

       -monitor (-M)
           Indicates that trustman was run from a monitoring system, and a
           summary of events will be printed.  Specifying this option
           automatically turns on the -single_run option and turns off the
           -verbose option.

           This was developed for use with the Nagios monitoring system, but
           it can be adapted for other monitors.

       -named_conf_file /path/to/named.conf (-n)
           A named.conf file to read, and possibly update.

       -nomail
           Prevents mail from being sent, even if an SMTP server was specified
           in the configuration file.  This is useful for only sending
           notifications via stdout (-p) or syslog (-L).

       -norevoke
           This option turns off checks for the REVOKE bit.

       -no_error (-N)
           Send report even when there are no errors.

       -print (-p)
           Log messages to stdout.

       -resolv_conf_file conffile (-r)
           A resolv.conf file to read.  /dev/null can be specified to force
           libval to recursively answer the query rather than asking other
           name servers.

       -root_hints_file /path/to/root.hints (-o)
           A root.hints file to read.

       -single_run (-S)
           Do not loop, but run only once.

       -sleeptime seconds (-t)
           The number of seconds to sleep between checks.  Default is 3600
           (one hour.)

       -smtp_server smtpservername (-s)
           The SMTP server that trustman should use to send reports by mail.

       -syslog (-L)
           Log messages to syslog.

       -tmp_dir directory (-T)
           Specifies where temporary files should be created.  This is used
           when creating new versions of the dnsval.conf and named.conf files
           before they are moved into place.

           Files created in this directory will be renamed to their final
           location.  You should ensure that this directory, the final
           dnsval.conf location, and the final named.conf location are on the
           same disk partition.  Most operating systems will only rename files
           within a partition and will give an error if told to rename a file
           from one partition to another.

       -zone zone (-z)
           The zone to check.  Specifying this option supersedes the default
           configuration file.

       -help (-h)
           Display a help message.

       -verbose (-v)
           Gives verbose output.

       -Version (-V)
           Displays the version information for trustman and the DNSSEC-Tools
           package.


CONFIGURATION

       In addition to the command line arguments, the dnssec-tools.conf file
       can be configured with the following values to remove the need to use
       some of the command-line options.  The command-line options always
       override the settings in the dnssec-tools.conf file.

       taanchorfile file
           This specifies the file where trustman state information will be
           kept.  This is equivalent to the -anchor_data_file flag.

       tacontact contact_email
           This is equivalent to the -mail_contact_addr flag for specifying to
           whom email notices will be sent.

       tadnsvalconffile file
           This specifies the dnsval.conf file to read and write.  This is
           equivalent to the -dnsval_conf_file flag.

       tanamedconffile file
           This specifies the named.conf file to read and write.  This is
           equivalent to the -named_conf_file flag.

       taresolvconffile file
           This specifies the resolv.conf file to use.  This is equivalent to
           the -resolv_conf_file flag.

       taroothintsfile file
           This specifies the root.hints file to read.  This is equivalent to
           the -root_hints_file flag.

       tasmtpserver servername
           This is equivalent to the -smtp_server flag for specifying the SMTP
           server to which email notices will be sent.

       tatmpdir directory
           This specifies where temporary files should be created.  This is
           used when creating new versions of the dnsval.conf and named.conf
           files before they're moved into place.

           See the note about renaming in the description of the -tmp_dir
           option.


EXIT CODES

       trustman may exit for the following reasons:

           0 - Successful execution.  In daemon mode, this may just mean
               that the daemon was successfully started.  The daemon itself
               may exit with some other error.

           1 - Invalid options were specified.

           2 - No new-key file was specified.

           3 - Unable to open the new-key file.

           4 - Unable to determine a set of zones to check.

           5 - Some form of file-management error was encountered.

COPYRIGHT

       Copyright 2006-2014 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the DNSSEC-Tools package for details.


Author

       Lindy Foster

       (Current contact for trustman is Wayne Morrison, tewok@tislabs.com.)


SEE ALSO

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3),

       dnssec-tools.conf(5)



perl v5.36.0                      2022-07-21                       TRUSTMAN(1)