.\" -*- mode: troff; coding: utf-8 -*-
.\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "DTCONFCHK 1"
.TH DTCONFCHK 1 2023-07-29 "perl v5.38.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH NAME
dtconfchk \- Check a DNSSEC\-Tools configuration file for sanity
.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\&    dtconfchk [options] [config_file]
.Ve
.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBdtconfchk\fR checks a DNSSEC-Tools configuration file to determine if the
entries are valid.  If a configuration file isn't specified, the system
configuration file will be verified.
.PP
Without any display options, \fBdtconfchk\fR displays error messages for
problems found, followed by a summary line.
Display options will increase or decrease the amount of detail about the
configuration file's sanity.  In all cases, the exit code is the count of
errors found in the file.
.PP
The tests are divided into five groups: key-related checks, zone-related
checks, path checks, rollover checks, and miscellaneous checks.  The checks
in each of these self-explanatory groups are described below.
.PP
The \fIdefault_keyrec\fR configuration entry is not checked.  This entry
specifies the default \fIkeyrec\fR file name and isn't necessarily expected
to exist in any particular place.
.SS "Boolean Values"
.IX Subsection "Boolean Values"
The DNSSEC-Tools configuration file has a number of fields that are expected
to hold boolean values.  The recognized values for booleans are as follows:
.PP
.Vb 2
\&    true values  \- 1, true, t, yes, y
\&    false values \- 0, false, f, no, n
.Ve
.PP
Positive values greater than 1 are recognized as true values, but it
probably would be best to use 1.
.PP
Text values that aren't in the set above are not valid and will translate
to false values.
.SS "Key-related Checks"
.IX Subsection "Key-related Checks"
The following key-related checks are performed:
.IP \fIalgorithm\fR 8
.IX Item "algorithm"
Ensure the \fIalgorithm\fR field is valid.  The acceptable values may be
found in the \fBdnssec-keygen\fR man page.
.IP \fIksklength\fR 8
.IX Item "ksklength"
Ensure the \fIksklength\fR field is valid.  The acceptable values may be
found in the \fBdnssec-keygen\fR man page.  This may also be specified as
\&\fIksklen\fR.
.IP \fIksklife\fR 8
.IX Item "ksklife"
Ensure the \fIksklife\fR field is valid.  The acceptable values may be
found in the \fBdefaults.pm\fR man page.
.IP \fIzskcount\fR 8
.IX Item "zskcount"
Ensure the \fIzskcount\fR field is valid.  The ZSK count must be positive.
.IP \fIzsklength\fR 8
.IX Item "zsklength"
Ensure the \fIzsklength\fR field is valid.  The acceptable values may be
found in the \fBdnssec-keygen\fR man page.
This may also be specified as \fIzsklen\fR.
.IP \fIzsklife\fR 8
.IX Item "zsklife"
Ensure the \fIzsklife\fR field is valid.  The acceptable values may be
found in the \fBdefaults.pm\fR man page.
.IP \fIrandom\fR 8
.IX Item "random"
Ensure the \fIrandom\fR field is valid.  This file must be a character
device file.
.SS "Zone-related Checks"
.IX Subsection "Zone-related Checks"
The following zone-related checks are performed:
.IP \fIendtime\fR 8
.IX Item "endtime"
Ensure the \fIendtime\fR field is valid.  This value is assumed to be in
the "+NNNNNN" format.  There is a lower limit of two hours.  (This is an
artificial limit under which it \fImay\fR not make sense to have an
end-time.)
.SS "Path Checks"
.IX Subsection "Path Checks"
Path checks are performed for several DNSSEC-Tools commands, several BIND
commands, and a few miscellaneous files.
.PP
The following path checks are performed for DNSSEC-Tools commands:
.IP \fIgenkrf\fR 8
.IX Item "genkrf"
Ensure the \fIgenkrf\fR field is valid.  If the filename starts with a '/',
the file must be a regular executable file.
.IP \fIkeyarch\fR 8
.IX Item "keyarch"
Ensure the \fIkeyarch\fR field is valid.  If the filename starts with a '/',
the file must be a regular executable file.
.IP \fIrollchk\fR 8
.IX Item "rollchk"
Ensure the \fIrollchk\fR field is valid.  If the filename starts with a '/',
the file must be a regular executable file.
.IP \fIrollctl\fR 8
.IX Item "rollctl"
Ensure the \fIrollctl\fR field is valid.  If the filename starts with a '/',
the file must be a regular executable file.
.IP \fIzonesigner\fR 8
.IX Item "zonesigner"
Ensure the \fIzonesigner\fR field is valid.  If the filename starts with a
'/', the file must be a regular executable file.
.PP
The following path checks are performed for BIND tools:
.IP \fIkeygen\fR 8
.IX Item "keygen"
Ensure the \fIkeygen\fR field is valid.  If the filename starts with a '/',
the file must be a regular executable file.
.IP \fIrndc\fR 8
.IX Item "rndc"
Ensure the \fIrndc\fR field is valid.  If the filename starts with a '/',
the file must be a regular executable file.
.IP \fIzonecheck\fR 8
.IX Item "zonecheck"
Ensure the \fIzonecheck\fR field is valid.  If the filename starts with a
'/', the file must be a regular executable file.
.IP \fIzonesign\fR 8
.IX Item "zonesign"
Ensure the \fIzonesign\fR field is valid.  If the filename starts with a
'/', the file must be a regular executable file.
.PP
The following path checks are performed for miscellaneous files and
directories:
.IP \fIrandom\fR 8
.IX Item "random"
Ensure the \fIrandom\fR field is valid.  The file must be a character
device file.
.IP \fIroll_logfile\fR 8
.IX Item "roll_logfile"
Ensure the \fIroll_logfile\fR field is a regular file.
.IP \fItaresolvconf\fR 8
.IX Item "taresolvconf"
Ensure the \fItaresolvconf\fR field is a regular file.
.IP \fItatmpdir\fR 8
.IX Item "tatmpdir"
Ensure the \fItatmpdir\fR field is a directory.
.SS "Rollover Daemon Checks"
.IX Subsection "Rollover Daemon Checks"
The following checks are performed for \fBrollerd\fR values:
.IP \fIautosign\fR 8
.IX Item "autosign"
Ensure that the \fIautosign\fR flag is a valid boolean.
.IP \fIlog_tz\fR 8
.IX Item "log_tz"
Ensure the \fIlog_tz\fR field is either 'gmt' or 'local'.
.IP \fIprog_normal\fR 8
.IX Item "prog_normal"
.PD 0
.IP "\fIprog_ksk1\fR ... \fIprog_ksk7\fR" 8
.IX Item "prog_ksk1 ... prog_ksk7"
.IP "\fIprog_zsk1\fR ... \fIprog_zsk4\fR" 8
.IX Item "prog_zsk1 ... prog_zsk4"
.PD
Ensure that the rollover phase commands are valid paths.  Each of these
fields is a semicolon-separated command list.  The file checks are run on
the commands to ensure the commands exist and are executable.  Options and
arguments to the commands are ignored, as is the \fIdefault\fR keyword.
.IP \fIroll_loadzone\fR 8
.IX Item "roll_loadzone"
Ensure that the \fIroll_loadzone\fR flag is a valid boolean.
.IP \fIroll_logfile\fR 8
.IX Item "roll_logfile"
Ensure that the log file for the \fBrollerd\fR is valid.  If the file
exists, it must be a regular file.
.IP \fIroll_loglevel\fR 8
.IX Item "roll_loglevel"
Ensure that the logging level for the \fBrollerd\fR is reasonable.  The log
level must be one of the following text or numeric values:
.Sp
.Vb 6
\&    tmi      1   Overly verbose informational messages.
\&    expire   3   A verbose countdown of zone expiration is given.
\&    info     4   Informational messages.
\&    phase    6   Current state of zone.
\&    err      8   Error messages.
\&    fatal    9   Fatal errors.
.Ve
.Sp
Specifying a particular log level will cause messages of a higher numeric
value to also be displayed.
.IP \fIroll_sleeptime\fR 8
.IX Item "roll_sleeptime"
Ensure that the \fBrollerd\fR's sleep-time is reasonable.
\&\fBrollerd\fR's sleep-time must be at least one minute.
.IP \fIroll_username\fR 8
.IX Item "roll_username"
Ensure that the username for \fBrollerd\fR is valid.  If it's a username,
it must be translatable to a uid; if it's a uid, it must translate to a
known username.
.IP \fIzone_errors\fR 8
.IX Item "zone_errors"
Ensure that the zone error count is numeric and 0 or greater.
.SS "NSEC3 Checks"
.IX Subsection "NSEC3 Checks"
The following checks are performed for NSEC3\-related values:
.IP \fInsec3iter\fR 8
.IX Item "nsec3iter"
Ensure that the \fInsec3iter\fR iteration count falls within the range used by
\&\fBdnssec-signzone\fR.  The current values are from 1 \- 65535.
.IP \fInsec3optout\fR 8
.IX Item "nsec3optout"
Ensure that the \fInsec3optout\fR flag is a valid boolean.
.IP \fIusensec3\fR 8
.IX Item "usensec3"
Ensure that the \fIusensec3\fR flag is a valid boolean.
.SS "Miscellaneous Checks"
.IX Subsection "Miscellaneous Checks"
The following miscellaneous checks are performed:
.IP \fIadmin-email\fR 8
.IX Item "admin-email"
Ensure that the \fIadmin-email\fR field is defined and has a value.
\&\fBdtconfchk\fR does not try to validate the email address itself.
.IP \fIarchivedir\fR 8
.IX Item "archivedir"
Ensure that the \fIarchivedir\fR directory is actually a directory.  This
check is only performed if the \fIsavekeys\fR flag is set on.
.IP \fIentropy_msg\fR 8
.IX Item "entropy_msg"
Ensure that the \fIentropy_msg\fR flag is a valid boolean.
.IP \fIsavekeys\fR 8
.IX Item "savekeys"
Ensure that the \fIsavekeys\fR flag is a valid boolean.  If this flag is set
to 1, then the \fIarchivedir\fR field will also be checked.
.IP \fIusegui\fR 8
.IX Item "usegui"
Ensure that the \fIusegui\fR flag is a valid boolean.
.IP \fIzonefile-parser\fR 8
.IX Item "zonefile-parser"
Ensure that the \fIzonefile-parser\fR flag is a valid Perl module.  This is
checked by using the Perl "require" facility to load the specified module.
.SH OPTIONS
.IX Header "OPTIONS"
.IP \fB\-expert\fR 4
.IX Item "-expert"
This option will bypass the following checks:
.Sp
.Vb 2
\&    \- KSK has a longer lifespan than the configuration
\&      file\*(Aqs default minimum lifespan
\&
\&    \- KSK has a shorter lifespan than the configuration
\&      file\*(Aqs default maximum lifespan
\&
\&    \- ZSKs have a longer lifespan than the configuration
\&      file\*(Aqs default minimum lifespan
\&
\&    \- ZSKs have a shorter lifespan than the configuration
\&      file\*(Aqs default maximum lifespan
.Ve
.IP \fB\-quiet\fR 4
.IX Item "-quiet"
No output will be given.  The number of errors will be used as the exit
code.
.IP \fB\-summary\fR 4
.IX Item "-summary"
A final summary of success or failure will be printed.  The number of
errors will be used as the exit code.
.IP \fB\-verbose\fR 4
.IX Item "-verbose"
Success or failure status of each check will be given.  A \fB+\fR or
\&\fB\-\fR prefix will be given for each valid and invalid entry.  The number
of errors will be used as the exit code.
.IP \fB\-Version\fR 4
.IX Item "-Version"
Displays the version information for \fBdtconfchk\fR and the DNSSEC-Tools
package.
.IP \fB\-help\fR 4
.IX Item "-help"
Display a usage message.
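.PP
The boolean rules, the value-range checks (endtime, log_tz, roll_loglevel, roll_sleeptime, nsec3iter, zone_errors) and the errors-as-exit-code convention described above, as a small checker added here for illustration (Python, not DNSSEC-Tools' own Perl code); it assumes a 'keyword value' line format with '#' comments, reads roll_sleeptime as seconds, and runs on a constructed sample rather than a real configuration file.

```python
# Added example modelled on the dtconfchk rules above; not DNSSEC-Tools code.
# Assumes 'keyword value' lines with '#' comments and roll_sleeptime in seconds.
import re
TRUE_WORDS = {"1", "true", "t", "yes", "y"}
FALSE_WORDS = {"0", "false", "f", "no", "n"}
LOG_LEVELS = {"tmi": 1, "expire": 3, "info": 4, "phase": 6, "err": 8, "fatal": 9}
BOOL_FLAGS = ("autosign", "roll_loadzone", "nsec3optout", "usensec3",
              "entropy_msg", "savekeys", "usegui")

def parse_bool(text):
    """(is_valid, value): 1/true/t/yes/y or an integer > 1 is true,
    0/false/f/no/n is false, anything else is invalid and reads as false."""
    t = text.strip().lower()
    if t in TRUE_WORDS or (t.isdigit() and int(t) > 1):
        return True, True
    return (True, False) if t in FALSE_WORDS else (False, False)

def check_endtime(text):
    """'+NNNNNN' seconds; the page's lower limit is two hours."""
    m = re.fullmatch(r"\+(\d+)", text.strip())
    return bool(m) and int(m.group(1)) >= 7200

def check_loglevel(text):
    t = text.strip().lower()
    return t in LOG_LEVELS or (t.isdigit() and int(t) in LOG_LEVELS.values())

CHECKS = {                                  # field -> predicate on its value
    "endtime": check_endtime,
    "log_tz": lambda v: v in ("gmt", "local"),
    "roll_loglevel": check_loglevel,
    "roll_sleeptime": lambda v: v.isdigit() and int(v) >= 60,   # one minute
    "nsec3iter": lambda v: v.isdigit() and 1 <= int(v) <= 65535,
    "zone_errors": lambda v: v.isdigit(),   # numeric and 0 or greater
}
CHECKS.update({f: (lambda v: parse_bool(v)[0]) for f in BOOL_FLAGS})

def check_config(lines):
    """Return (error_count, report); the count is the exit code, the report uses -verbose's +/- prefixes."""
    conf = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    results = [(k, bool(CHECKS[k](v))) for k, v in conf.items() if k in CHECKS]
    report = ["%s %s" % ("+" if ok else "-", k) for k, ok in results]
    return sum(not ok for _, ok in results), report
SAMPLE = ["# constructed sample, not a real dnssec-tools.conf", "autosign yes",
          "usensec3 maybe", "endtime +3600", "log_tz gmt", "nsec3iter 70000"]
```

Keys the checker does not know (the path and Perl-module checks above, for instance) are skipped, so the error count only reflects the value rules implemented here.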
.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2004\-2014 SPARTA, Inc.  All rights reserved.
See the COPYING file included with the DNSSEC-Tools package for details.
.SH AUTHOR
.IX Header "AUTHOR"
Wayne Morrison, tewok@tislabs.com
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBdtdefs\|(8)\fR,
\&\fBdtinitconf\|(8)\fR,
\&\fBrollerd\|(8)\fR,
\&\fBzonesigner\|(8)\fR
.PP
\&\fBNet::DNS::SEC::Tools::conf.pm\|(3)\fR,
\&\fBNet::DNS::SEC::Tools::defaults.pm\|(3)\fR
.PP
\&\fBdnssec\-tools.conf\|(5)\fR