NAME¶
dtconfchk - Check a DNSSEC-Tools configuration file for sanity
SYNOPSIS¶
dtconfchk [options] [config_file]
DESCRIPTION¶
dtconfchk checks a DNSSEC-Tools configuration file to determine if the
entries are valid. If a configuration file isn't specified, the system
configuration file will be verified.
Without any display options,
dtconfchk displays error messages for
problems found, followed by a summary line. Display options will increase or
decrease the amount of detail about the configuration file's sanity. In all
cases, the exit code is the count of errors found in the file.
The tests are divided into five groups: key-related checks, zone-related checks,
path checks, rollover checks, and miscellaneous checks. The checks in each of
these self-explanatory groups are described below.
The
default_keyrec configuration entry is not checked. This entry
specifies the default
keyrec file name and isn't necessarily expected
to exist in any particular place.
Boolean Values¶
The DNSSEC-Tools configuration file has a number of fields that are expected to
hold boolean values. The recognized values for booleans are as follows:
true values - 1, true, t, yes, y
false values - 0, false, f, no, n
Positive values greater than 1 are recognized as true values, but it probably
would be best to use 1.
Text values that aren't in the set above are not valid and will translate to
false values.
The following key-related checks are performed:
- algorithm
- Ensure the algorithm field is valid. The acceptable
values may be found in the dnssec-keygen man page.
- ksklength
- Ensure the ksklength field is valid. The acceptable
values may be found in the dnssec-keygen man page. This may also be
specified as ksklen.
- ksklife
- Ensure the ksklife field is valid. The acceptable
values may be found in the defaults.pm man page.
- zskcount
- Ensure the zskcount field is valid. The ZSK count
must be positive.
- zsklength
- Ensure the zsklength field is valid. The acceptable
values may be found in the dnssec-keygen man page. This may also be
specified as zsklen.
- zsklife
- Ensure the zsklife field is valid. The acceptable
values may be found in the defaults.pm man page.
- random
- Ensure the random field is valid. This file must be
a character device file.
The following zone-related checks are performed:
- endtime
- Ensure the endtime field is valid. This value is
assumed to be in the "+NNNNNN" format. There is a lower limit of
two hours. (This is an artificial limit under which it may not make
sense to have an end-time.)
Path Checks¶
Path checks are performed for several DNSSEC-Tools commands, several BIND
commands, and a few miscellaneous files.
The following path checks are performed for DNSSEC-Tools commands:
- genkrf
- Ensure the genkrf field is valid. If the filename
starts with a '/', the file must be a regular executable file.
- keyarch
- Ensure the keyarch field is valid. If the filename
starts with a '/', the file must be a regular executable file.
- rollchk
- Ensure the rollchk field is valid. If the filename
starts with a '/', the file must be a regular executable file.
- rollctl
- Ensure the rollctl field is valid. If the filename
starts with a '/', the file must be a regular executable file.
- zonesigner
- Ensure the zonesigner field is valid. If the
filename starts with a '/', the file must be a regular executable
file.
The following path checks are performed for BIND tools:
- keygen
- Ensure the keygen field is valid. If the filename
starts with a '/', the file must be a regular executable file.
- rndc
- Ensure the rndc field is valid. If the filename
starts with a '/', the file must be a regular executable file.
- zonecheck
- Ensure the zonecheck field is valid. If the filename
starts with a '/', the file must be a regular executable file.
- zonesign
- Ensure the zonesign field is valid. If the filename
starts with a '/', the file must be a regular executable file.
The following path checks are performed for miscellaneous files and directories:
- random
- Ensure the random field is valid. The file must be a
character device file.
- roll_logfile
- Ensure the roll_logfile field is a regular
file.
- taresolvconf
- Ensure the taresolvconf field is a regular
file.
- tatmpdir
- Ensure the tatmpdir field is a directory.
Rollover Daemon Checks¶
The following checks are performed for
rollerd values:
- autosign
- Ensure that the autosign flag is a valid
boolean.
- log_tz
- Ensure the log_tz field is either 'gmt' or
'local'.
- prog_normal
- prog_ksk1 ... prog_ksk7
- prog_zsk1 ... prog_zsk4
- Ensure that the rollover phase commands are valid paths.
Each of these fields is a semicolon-separated command list. The file
checks are run on the commands to ensure the commands exist and are
executable. Options and arguments to the commands are ignored, as is the
default keyword.
- roll_loadzone
- Ensure that the roll_loadzone flag is a valid
boolean.
- roll_logfile
- Ensure that the log file for the rollerd is valid.
If the file exists, it must be a regular file.
- roll_loglevel
- Ensure that the logging level for the rollerd is
reasonable. The log level must be one of the following text or numeric
values:
tmi 1 Overly verbose informational messages.
expire 3 A verbose countdown of zone expiration is given.
info 4 Informational messages.
phase 6 Current state of zone.
err 8 Error messages.
fatal 9 Fatal errors.
Specifying a particular log level will causes messages of a higher numeric
value to also be displayed.
- roll_sleeptime
- Ensure that the rollerd's sleep-time is reasonable.
rollerd's sleep-time must be at least one minute.
- roll_username
- Ensure that the username for rollerd is valid. If
it's a username, it must be translatable to a uid; if it's a uid, it must
translate to a known username.
- zone_errors
- Ensure that the zone error count is numeric and 0 or
greater.
NSEC3 Checks¶
The following checks are performed for NSEC3-related values:
- nsec3iter
- Ensure that the nsec3iter iteration count falls
within the range used by dnssec-signzone. The current values are
from 1 - 65535.
- nsec3optout
- Ensure that the nsec3optout flag is a valid
boolean.
- usensec3
- Ensure that the usensec3 flag is a valid
boolean.
Miscellaneous Checks¶
The following miscellaneous checks are performed:
- admin-email
- Ensure that the admin-email field is defined and has
a value. dtconfchk does not try to validate the email address
itself.
- archivedir
- Ensure that the archivedir directory is actually a
directory. This check is only performed if the savekeys flag is set
on.
- entropy_msg
- Ensure that the entropy_msg flag is a valid
boolean.
- savekeys
- Ensure that the savekeys flag is a valid boolean. If
this flag is set to 1, then the archivedir field will also be
checked.
- usegui
- Ensure that the usegui flag is a valid boolean.
OPTIONS¶
- -expert
- This option will bypass the following checks:
- KSK has a longer lifespan than the configuration
file's default minimum lifespan
- KSK has a shorter lifespan than the configuration
file's default maximum lifespan
- ZSKs have a longer lifespan than the configuration
file's default minimum lifespan
- ZSKs have a shorter lifespan than the configuration
file's default maximum lifespan
- -quiet
- No output will be given. The number of errors will be used
as the exit code.
- -summary
- A final summary of success or failure will be printed. The
number of errors will be used as the exit code.
- -verbose
- Success or failure status of each check will be given. A
+ or - prefix will be given for each valid and invalid
entry. The number of errors will be used as the exit code.
- -Version
- Displays the version information for dtconfchk and
the DNSSEC-Tools package.
- -help
- Display a usage message.
COPYRIGHT¶
Copyright 2004-2012 SPARTA, Inc. All rights reserved. See the COPYING file
included with the DNSSEC-Tools package for details.
AUTHOR¶
Wayne Morrison, tewok@tislabs.com
SEE ALSO¶
dtdefs(8),
dtinitconf(8),
rollerd(8),
zonesigner(8)
Net::DNS::SEC::Tools::conf.pm(3),
Net::DNS::SEC::Tools::defaults.pm (3)
dnssec-tools.conf(5)