1DTCONFCHK(1) User Contributed Perl Documentation DTCONFCHK(1)
2
6 dtconfchk - Check a DNSSEC-Tools configuration file for sanity
7
9 dtconfchk [options] [config_file]
10
12 dtconfchk checks a DNSSEC-Tools configuration file to determine if the
13 entries are valid. If a configuration file isn't specified, the system
14 configuration file will be verified.
15 Without any display options, dtconfchk displays error messages for
17 problems found, followed by a summary line. Display options will
18 increase or decrease the amount of detail about the configuration
19 file's sanity. In all cases, the exit code is the count of errors
20 found in the file.
21 The tests are divided into five groups: key-related checks, zone-
23 related checks, path checks, rollover checks, and miscellaneous checks.
24 The checks in each of these self-explanatory groups are described
25 below.
26 The default_keyrec configuration entry is not checked. This entry
28 specifies the default keyrec file name and isn't necessarily expected
29 to exist in any particular place.
30 Boolean Values
32 The DNSSEC-Tools configuration file has a number of fields that are
33 expected to hold boolean values. The recognized values for booleans
34 are as follows:
35 true values - 1, true, t, yes, y
37 false values - 0, false, f, no, n
38 Positive values greater than 1 are recognized as true values, but it
40 probably would be best to use 1.
41 Text values that aren't in the set above are not valid and will
43 translate to false values.
44 Key-related Checks
46 The following key-related checks are performed:
47 algorithm
49 Ensure the algorithm field is valid. The acceptable values may
50 be found in the dnssec-keygen man page.
51 ksklength
53 Ensure the ksklength field is valid. The acceptable values may
54 be found in the dnssec-keygen man page. This may also be
55 specified as ksklen.
56 ksklife Ensure the ksklife field is valid. The acceptable values may
58 be found in the defaults.pm man page.
59 zskcount
61 Ensure the zskcount field is valid. The ZSK count must be
62 positive.
63 zsklength
65 Ensure the zsklength field is valid. The acceptable values may
66 be found in the dnssec-keygen man page. This may also be
67 specified as zsklen.
68 zsklife Ensure the zsklife field is valid. The acceptable values may
70 be found in the defaults.pm man page.
71 random Ensure the random field is valid. This file must be a
73 character device file.
74 Zone-related Checks
76 The following zone-related checks are performed:
77 endtime Ensure the endtime field is valid. This value is assumed to be
79 in the "+NNNNNN" format. There is a lower limit of two hours.
80 (This is an artificial limit under which it may not make sense
81 to have an end-time.)
82 Path Checks
84 Path checks are performed for several DNSSEC-Tools commands, several
85 BIND commands, and a few miscellaneous files.
86 The following path checks are performed for DNSSEC-Tools commands:
88 genkrf Ensure the genkrf field is valid. If the filename starts with
90 a '/', the file must be a regular executable file.
91 keyarch Ensure the keyarch field is valid. If the filename starts with
93 a '/', the file must be a regular executable file.
94 rollchk Ensure the rollchk field is valid. If the filename starts with
96 a '/', the file must be a regular executable file.
97 rollctl Ensure the rollctl field is valid. If the filename starts with
99 a '/', the file must be a regular executable file.
100 zonesigner
102 Ensure the zonesigner field is valid. If the filename starts
103 with a '/', the file must be a regular executable file.
104 The following path checks are performed for BIND tools:
106 keygen Ensure the keygen field is valid. If the filename starts with
108 a '/', the file must be a regular executable file.
109 rndc Ensure the rndc field is valid. If the filename starts with a
111 '/', the file must be a regular executable file.
112 zonecheck
114 Ensure the zonecheck field is valid. If the filename starts
115 with a '/', the file must be a regular executable file.
116 zonesign
118 Ensure the zonesign field is valid. If the filename starts
119 with a '/', the file must be a regular executable file.
120 The following path checks are performed for miscellaneous files and
122 directories:
123 random Ensure the random field is valid. The file must be a character
125 device file.
126 roll_logfile
128 Ensure the roll_logfile field is a regular file.
129 taresolvconf
131 Ensure the taresolvconf field is a regular file.
132 tatmpdir
134 Ensure the tatmpdir field is a directory.
135 Rollover Daemon Checks
137 The following checks are performed for rollerd values:
138 autosign
140 Ensure that the autosign flag is a valid boolean.
141 log_tz Ensure the log_tz field is either 'gmt' or 'local'.
143 prog_normal
145 prog_ksk1 ... prog_ksk7
146 prog_zsk1 ... prog_zsk4
147 Ensure that the rollover phase commands are valid paths. Each
148 of these fields is a semicolon-separated command list. The
149 file checks are run on the commands to ensure the commands
150 exist and are executable. Options and arguments to the
151 commands are ignored, as is the default keyword.
152 roll_loadzone
154 Ensure that the roll_loadzone flag is a valid boolean.
155 roll_logfile
157 Ensure that the log file for the rollerd is valid. If the file
158 exists, it must be a regular file.
159 roll_loglevel
161 Ensure that the logging level for the rollerd is reasonable.
162 The log level must be one of the following text or numeric
163 values:
164 tmi 1 Overly verbose informational messages.
166 expire 3 A verbose countdown of zone expiration is given.
167 info 4 Informational messages.
168 phase 6 Current state of zone.
169 err 8 Error messages.
170 fatal 9 Fatal errors.
171 Specifying a particular log level will causes messages of a
173 higher numeric value to also be displayed.
174 roll_sleeptime
176 Ensure that the rollerd's sleep-time is reasonable. rollerd's
177 sleep-time must be at least one minute.
178 roll_username
180 Ensure that the username for rollerd is valid. If it's a
181 username, it must be translatable to a uid; if it's a uid, it
182 must translate to a known username.
183 zone_errors
185 Ensure that the zone error count is numeric and 0 or greater.
186 NSEC3 Checks
188 The following checks are performed for NSEC3-related values:
189 nsec3iter
191 Ensure that the nsec3iter iteration count falls within the
192 range used by dnssec-signzone. The current values are from 1 -
193 65535.
194 nsec3optout
196 Ensure that the nsec3optout flag is a valid boolean.
197 usensec3
199 Ensure that the usensec3 flag is a valid boolean.
200 Miscellaneous Checks
202 The following miscellaneous checks are performed:
203 admin-email
205 Ensure that the admin-email field is defined and has a value.
206 dtconfchk does not try to validate the email address itself.
207 archivedir
209 Ensure that the archivedir directory is actually a directory.
210 This check is only performed if the savekeys flag is set on.
211 entropy_msg
213 Ensure that the entropy_msg flag is a valid boolean.
214 savekeys
216 Ensure that the savekeys flag is a valid boolean. If this flag
217 is set to 1, then the archivedir field will also be checked.
218 usegui Ensure that the usegui flag is a valid boolean.
220 zonefile-parser
222 Ensure that the zonefile-parser flag is a valid Perl module.
223 This is checked by using the Perl "require" facility to load
224 the specified module.
225
227 -expert
228 This option will bypass the following checks:
229 - KSK has a longer lifespan than the configuration
231 file's default minimum lifespan
232 - KSK has a shorter lifespan than the configuration
234 file's default maximum lifespan
235 - ZSKs have a longer lifespan than the configuration
237 file's default minimum lifespan
238 - ZSKs have a shorter lifespan than the configuration
240 file's default maximum lifespan
241 -quiet
243 No output will be given. The number of errors will be used as the
244 exit code.
245 -summary
247 A final summary of success or failure will be printed. The number
248 of errors will be used as the exit code.
249 -verbose
251 Success or failure status of each check will be given. A + or -
252 prefix will be given for each valid and invalid entry. The number
253 of errors will be used as the exit code.
254 -Version
256 Displays the version information for dtconfchk and the DNSSEC-Tools
257 package.
258 -help
260 Display a usage message.
261
263 Copyright 2004-2014 SPARTA, Inc. All rights reserved. See the COPYING
264 file included with the DNSSEC-Tools package for details.
265
267 Wayne Morrison, tewok@tislabs.com
268
270 dtdefs(8), dtinitconf(8), rollerd(8), zonesigner(8)
271 Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3)
273 dnssec-tools.conf(5)
275perl v5.38.0 2023-07-19 DTCONFCHK(1)