Trustman is a tool that checks for changes in Trust Anchors (TAs) and notifies the administrator. It can check the TAs in BIND's named.conf file and in DNSSEC-Tools' dnsval.conf. dnsval.conf is the configuration file for the DNSSEC-Tools validation libraries and is usually found at /usr/local/etc/dnssec-tools/dnsval.conf or /etc/dnssec-tools/dnsval.conf. For trustman to verify the keys it manages, the libval and libsres libraries (which come with the DNSSEC-Tools package) must be installed.
An administrator can load the TAs to be managed into the dnsval.conf and/or named.conf files and have trustman run as a daemon that routinely checks the configured zones for TA changes. When run, trustman notifies the administrator of any differences between the local configuration files and the TAs published for one or more zones. Trustman can also be configured to add newly found TAs to these files. By default trustman runs in daemon mode and can be configured to send e-mail to an administrator when it notices any change in the Trust Anchors. It can also be run as a command-line utility with verbose output, so operators can examine in detail the steps it takes to analyze newly found keys.
This tool was designed so that the operator of a validating recursive server is automatically notified of any changes in the TAs used by that server.
Getting started with trustman
To get started with trustman, run the following steps (after you have configured dnssec-tools.conf so that it at least contains valid tasmtpserver and tacontact settings).
- Given a dnsval.conf file configured with the Trust Anchors (TAs) you wish to keep track of, you can run trustman to check on them. This example shows a new key being detected for the dnssec-tools.org zone. If trustman is run again later (once the 86400-second hold-down has passed), or is left running in the background, it will eventually add this new key to /etc/dnssec-tools/dnsval.conf.
    > trustman -f -S -k /etc/dnssec-tools/dnsval.conf -a /etc/dnssec-tools/trustman.storage
    reading and parsing trust keys from /usr/local/etc/dnssec-tools/dnsval.conf
    Reading and parsing trust keys from /etc/dnssec-tools/dnsval.conf
    Found a key for dnssec-tools.org
    Checking zone keys for validity
    Checking the live "dnssec-tools.org" key
    dnssec-tools.org ... refresh_secs=43200, refresh_time=1209637099
    adding holddown for new key in dnssec-tools.org (1209680299 seconds from now)
    sending mail to email@example.com
    Writing new keys to /etc/dnssec-tools/trustman.storage
    checking new keys for timing
    hold down timer for dnssec-tools.org still in the future (86400 seconds)
- The '-f' flag runs trustman in the foreground and the '-S' flag makes it run once and then quit. By default trustman runs in daemon mode: it stays in the background and notifies an administrator via e-mail when it discovers an action it will eventually take or is taking.
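The output above shows the two things trustman does with a key it has not seen before: it starts a hold-down timer rather than trusting the key immediately, and it only reports (or later adds) the key after the timer has expired. The following is an added illustration of that logic, not trustman's own code. It constructs the stored anchors and the "live" DNSKEY RRset in memory, takes the result of RRset validation as a flag (trustman gets it from libval), computes key tags per RFC 4034 Appendix B to identify keys, and uses an assumed 30-day hold-down length; the zone name, key material and the AnchorStore/check_zone names are all hypothetical.

```python
"""Model of the trust-anchor hold-down check that trustman's output illustrates.
Added example, not trustman's code: the stored anchors, the live DNSKEY RRset and
the validation result are all constructed here, and the hold-down length is an
assumption (trustman takes its timers from its own configuration)."""
import struct
import time
from dataclasses import dataclass, field

HOLDDOWN_SECS = 30 * 24 * 3600  # assumed add hold-down; not a value from trustman's config


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass
class AnchorStore:
    """Stand-in for trustman's storage file: accepted anchors plus keys still in hold-down."""
    trusted: dict = field(default_factory=dict)  # zone -> {keytag: rdata}
    pending: dict = field(default_factory=dict)  # zone -> {keytag: first-seen epoch seconds}


def check_zone(store, zone, live_rrset, now, validated=True, holddown=HOLDDOWN_SECS):
    """Compare the stored anchors for `zone` with the live DNSKEY RRset.

    Returns a list of (event, keytag) tuples: what an operator would be told.
    """
    if not validated:
        # A DNSKEY RRset that did not validate under the current anchors must not
        # start or advance a hold-down: otherwise anyone able to spoof the RRset
        # could plant a key and simply wait the timer out.
        return [("unvalidated", None)]
    events = []
    live = {keytag(r): r for r in live_rrset}
    trusted = store.trusted.setdefault(zone, {})
    pending = store.pending.setdefault(zone, {})
    for tag, rdata in live.items():
        if tag in trusted:
            continue
        if tag not in pending:
            pending[tag] = now               # first sighting: start the timer
            events.append(("holddown_started", tag))
        elif now - pending[tag] >= holddown:
            trusted[tag] = rdata             # seen continuously for the full hold-down
            del pending[tag]
            events.append(("added", tag))
        else:
            events.append(("holddown_pending", tag))
    for tag in list(pending):
        if tag not in live:
            del pending[tag]                 # key vanished before the timer ran out
            events.append(("holddown_cancelled", tag))
    for tag in trusted:
        if tag not in live:
            events.append(("missing", tag))  # report only; never drop an anchor silently
    return events


if __name__ == "__main__":
    zone = "dnssec-tools.org"
    # Constructed key material; real DNSKEY public keys are far longer.
    current = dnskey_rdata(257, 3, 8, b"constructed-current-ksk")
    rollover = dnskey_rdata(257, 3, 8, b"constructed-next-ksk")
    store = AnchorStore(trusted={zone: {keytag(current): current}})
    t0 = int(time.time())
    for label, t in (("first run", t0), ("next day", t0 + 86400),
                     ("after hold-down", t0 + HOLDDOWN_SECS)):
        print(label, check_zone(store, zone, [current, rollover], t))
    print("unvalidated RRset:", check_zone(store, zone, [current], t0, validated=False))
```

Run three times with the same two keys and the new key moves from holddown_started through holddown_pending to added; a key that disappears before the timer expires has its hold-down cancelled, and a trusted key missing from the live set is reported rather than removed, which matches the notify-first behaviour described for trustman above.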
Running trustman as a daemon
For daemon mode, add the following to the dnssec-tools.conf file, usually located at /usr/local/etc/dnssec-tools/dnssec-tools.conf:
    tacontact         firstname.lastname@example.org
    tasmtpserver      localhost
    tasleeptime       3600
    taanchorfile      /usr/local/etc/dnssec-tools/trustman.anchorfile
    tadnsvalconffile  /usr/local/etc/dnssec-tools/dnsval.conf
| Setting | Meaning |
| --- | --- |
| tacontact | Address to send e-mail notifications to |
| tasmtpserver | Host name of the outgoing mail server to use |
| tasleeptime | Time in seconds between checks for TA changes (in daemon mode) |
| taanchorfile | File in which trustman stores the TAs it downloads, for comparisons and updates |
| tadnsvalconffile | Location of the dnsval.conf file |