Template:Trustman ShortTorial

From DNSSEC-Tools


DNSSEC-Tools Component
This describes trustman, which is in the Recursive Server Tools category within the DNSSEC-Tools Components framework of tools.
Tool Name: trustman
Tool Type: Recursive Server Tools
Manual: Manual
Example: Example
CLI: Help
Tutorial: Tutorial
How To: How To
Download: trustman

Trustman is a tool that checks for changes in Trust Anchors (TAs) and notifies the administrator of them. It can check the TAs in BIND's named.conf file and in DNSSEC-Tools' dnsval.conf. dnsval.conf is the configuration file for the DNSSEC-Tools validation libraries and is usually found in /usr/local/etc/dnssec-tools/dnsval.conf or /etc/dnssec-tools/dnsval.conf. For trustman to verify the keys it manages, the libval and libsres libraries (which come with the DNSSEC-Tools package) need to be installed.

An administrator can load the TAs to be managed into the dnsval.conf and/or named.conf files and have trustman run as a daemon that routinely checks the configured zones for TA changes. When trustman runs, it notifies the administrator of any differences between the local configuration files and the TAs published for one or more zones. Trustman can also be configured to add newly found TAs to these files. By default trustman runs in daemon mode and can be configured to send e-mail to an administrator when it notices any change in the Trust Anchors. It can also be run as a command-line utility with verbose output, so operators can examine in detail the steps it takes to analyze newly found keys.

This tool was designed so that the operator of a validating recursive server is automatically notified of any change in the TAs used by an administered server.

Getting started with trustman

To get started with trustman, run the following steps (after you've configured dnssec-tools.conf so that it at least contains valid tasmtpserver and tacontact settings).

  • Given a dnsval.conf file that has been configured with the Trust Anchors (TAs) you wish to keep track of, you can run trustman to check on them. This example shows a new key being detected for the dnssec-tools.org zone. If trustman is run again in the future (86400 seconds later) or runs continuously in the background, it will eventually add this new key to /etc/dnssec-tools/dnsval.conf.

> trustman -f -S -k /etc/dnssec-tools/dnsval.conf -a /etc/dnssec-tools/trustman.storage
reading and parsing trust keys from /usr/local/etc/dnssec-tools/dnsval.conf
Reading and parsing trust keys from /etc/dnssec-tools/dnsval.conf
 Found a key for dnssec-tools.org
Checking zone keys for validity
 Checking the live "dnssec-tools.org" key
  dnssec-tools.org ...  refresh_secs=43200, refresh_time=1209637099
  adding holddown for new key in dnssec-tools.org (1209680299 seconds from now)
sending mail to root@hardakers.net
Writing new keys to /etc/dnssec-tools/trustman.storage
checking new keys for timing
 hold down timer for dnssec-tools.org still in the future (86400 seconds)

  • The '-f' flag runs trustman in the foreground and the '-S' flag forces it to run once and then quit. By default, trustman runs in daemon mode: it runs in the background and notifies an administrator via e-mail when it discovers an action it will eventually take or is taking.
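The run above shows the three things trustman does on each pass: compare the configured anchors with the live set, start a hold-down timer for a key it has not seen before, and only treat the key as addable once that timer has expired, mailing the contact along the way. The following is an added illustration of that logic written for this page; it is not trustman's own code, does not read dnsval.conf or trustman.storage (their formats are not reproduced here), and the TrustAnchor records, key strings, timestamps and the JSON storage layout are all constructed for the example. The 30-day hold-down is the RFC 5011 add hold-down, not the 86400 seconds shown in the output above.

```python
"""Constructed model of a trustman-style trust-anchor check (example code,
not part of DNSSEC-Tools): diff configured vs. live anchors, run a hold-down
timer for new keys, and compose (but not send) the notification e-mail."""
import json
from dataclasses import dataclass
from email.message import EmailMessage


@dataclass(frozen=True)
class TrustAnchor:
    zone: str
    keytag: int
    algorithm: int
    public_key: str  # base64 DNSKEY material; placeholders only in this example


def diff_anchors(configured, live):
    """Return (new, missing): anchors published for the zone but not yet
    configured locally, and configured anchors that are no longer published."""
    configured, live = set(configured), set(live)
    by_tag = lambda k: k.keytag
    return sorted(live - configured, key=by_tag), sorted(configured - live, key=by_tag)


def evaluate(configured, live, storage, now, holddown_secs):
    """One check pass. `storage` maps "zone/keytag" -> time the new key was
    first seen (assumed stand-in for trustman.storage) and is updated in place.
    Returns a list of (zone, keytag, action) tuples for the operator."""
    actions = []
    new_keys, missing_keys = diff_anchors(configured, live)
    for key in new_keys:
        sid = f"{key.zone}/{key.keytag}"
        first_seen = storage.setdefault(sid, now)  # start hold-down on first sight
        remaining = first_seen + holddown_secs - now
        if remaining > 0:
            actions.append((key.zone, key.keytag, f"holddown {remaining}s remaining"))
        else:
            actions.append((key.zone, key.keytag, "holddown expired: add key"))
    for key in missing_keys:
        # A configured anchor vanishing from the live set is something to
        # review, never something to act on automatically.
        actions.append((key.zone, key.keytag, "configured key no longer published: review"))
    # Drop hold-down entries for keys that are no longer "new".
    still_new = {f"{k.zone}/{k.keytag}" for k in new_keys}
    for sid in list(storage):
        if sid not in still_new:
            del storage[sid]
    return actions


def save_storage(storage, path):
    """Persist hold-down state as JSON (constructed format, not trustman's)."""
    with open(path, "w") as fh:
        json.dump(storage, fh)


def load_storage(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


def build_notice(contact, actions):
    """Compose the notification e-mail; handing it to smtplib is the caller's job."""
    msg = EmailMessage()
    msg["To"] = contact
    msg["From"] = contact
    msg["Subject"] = f"trust anchor changes detected ({len(actions)})"
    msg.set_content("\n".join(f"{z} keytag {t}: {a}" for z, t, a in actions))
    return msg


# Constructed sample data: one configured KSK for dnssec-tools.org, and a live
# set in which a second KSK has been published. Key strings are placeholders.
CONFIGURED = [TrustAnchor("dnssec-tools.org", 21823, 5, "AQO...placeholder-key-1")]
LIVE = CONFIGURED + [TrustAnchor("dnssec-tools.org", 30129, 5, "AQO...placeholder-key-2")]
HOLDDOWN = 30 * 86400  # RFC 5011 add hold-down (30 days)


def demo():
    """Two passes: first sight starts the timer, a pass after expiry reports the key as addable."""
    storage = {}
    t0 = 1_700_000_000  # constructed epoch timestamp
    first = evaluate(CONFIGURED, LIVE, storage, t0, HOLDDOWN)
    second = evaluate(CONFIGURED, LIVE, storage, t0 + HOLDDOWN + 1, HOLDDOWN)
    return first, second, storage


if __name__ == "__main__":
    first, second, storage = demo()
    print(build_notice("admin@example.com", first + second))
```

The point worth taking from the model is the asymmetry: a newly published key is queued behind a timer before it is ever trusted, while a configured key disappearing from the live set is only reported, because removing an anchor on the strength of one failed lookup is exactly what an attacker or a transient resolution fault would want.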

Running trustman as a daemon

For daemon mode, add the following to the dnssec-tools.conf file, usually located in /usr/local/etc/dnssec-tools/dnssec-tools.conf:

tacontact        admin@example.com
tasmtpserver     localhost
tasleeptime      3600
taanchorfile     /usr/local/etc/dnssec-tools/trustman.anchorfile
tadnsvalconffile /usr/local/etc/dnssec-tools/dnsval.conf
tacontact        Address to send notification e-mail to
tasmtpserver     Host name of the outgoing mail server to use
tasleeptime      Time in seconds between checks for TA changes (in daemon mode)
taanchorfile     File in which trustman stores the TAs it downloads, for comparisons/updates
tadnsvalconffile Location of the dnsval.conf file