1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
#
# DNSSEC-Tools Configuration
#
#
# Settings for DNSSEC-Tools administration.
#
admin-email root@localhost
#
# Paths to needed programs. These may need adjusting for individual hosts.
#
keyarch /usr/sbin/keyarch
rollchk /usr/sbin/rollchk
zonesigner /usr/sbin/zonesigner
keygen /usr/sbin/dnssec-keygen
rndc /usr/sbin/rndc
zonecheck /usr/sbin/named-checkzone
zonesign /usr/sbin/dnssec-signzone
#
# Key-related values.
#
algorithm rsasha256
ksklength 2048
zsklength 1024
random /dev/urandom
#
# NSEC3 functionality
#
usensec3 no
nsec3iter 100
nsec3salt random:64
nsec3optout no
#
# Settings for dnssec-signzone.
#
endtime +2592000 # RRSIGs good for thirty days.
#
# Life-times for keys. These defaults indicate how long a key has
# between rollovers. The values are measured in seconds.
#
# Sample values:
# 3600 hour
# 86400 day
# 604800 week
# 2592000 30-day month
# 15768000 half-year
# 31536000 year
#
lifespan-max 94608000
lifespan-min 3600
ksklife 15768000
zsklife 604800
#
# Settings for zonesigner.
#
archivedir /var/lib/dnssec-tools/archive
entropy_msg 1
savekeys 1
kskcount 1
zskcount 1
#
# Settings for rollerd.
#
roll_loadzone 1
roll_logfile /var/log/dnssec-tools/rollerd.log
roll_loglevel phase
roll_phasemsg long
roll_sleeptime 3600
zone_errors 5
log_tz gmt
#
# Settings for trustman
#
tacontact
tasmtpserver localhost
taresolvconf localhost
tatmpdir /var/run/dnssec-tools/trustman
#
# GUI-usage flag.
#
usegui 0
|
