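# autotrust configuration (RFC 5011 style automated trust-anchor maintenance).
#
# Security notes for operators:
#  - autotrust WRITES the trust anchor files named below and your resolver
#    READS them as its DNSSEC root of trust. Whoever can write those files,
#    or this configuration file, controls which keys the resolver trusts.
#    Keep this file, the working directory, the state file and the
#    trusted-keys file writable only by the account autotrust runs as.
#  - resolver-reload runs a command; that is another reason this file must
#    not be writable by untrusted users.

# include another config file, so you can split up configuration settings.
# for example, you can store your dynamic trust anchor configuration in
# a file called keys.conf.
# include: "keys.conf"

# program configuration
config:
  # directory to change to for performing autotrust.
  # by default, autotrust stores its files in the current directory.
  working-dir: "/var/lib/autotrust"

  # where to find the root hints.
  # by default, autotrust uses the built-in root hints from libunbound.
  # root-hints: "/etc/named.root"

  # where to log messages. the default is the path compiled in at build
  # time (shown as @logfile@ in the upstream template).
  # if no log-file is given, stderr is used.
  log-file: "/var/log/autotrust.log"

  # whether to use syslog as the logging device. off by default.
  # if set to "yes", the log-file option is ignored.
  # use-syslog: "no"

  # where to store the pid. the default is the path compiled in at build
  # time (shown as @pidfile@ in the upstream template).
  # the pidfile is only used if autotrust runs as a daemon.
  pid-file: "/var/run/autotrust.pid"

  # where to store trust anchor state. the default is the path compiled in
  # at build time (shown as @statefile@ in the upstream template).
  # this file records which keys are pending, valid, missing or removed;
  # treat it as part of the trust store and protect it accordingly.
  state-file: "/var/lib/autotrust/autotrust.state"

  # where to find the trust anchors (these can be used for Unbound).
  # trust-anchor-file: "trust-anchor.file"

  # where to find the trust anchors (these can be used for BIND9 and
  # Unbound). you can also point this at your BIND configuration file,
  # though it is recommended to put solely the trusted-keys clause in this
  # file and include it from your actual BIND configuration file.
  # only one trusted-keys-file setting is active here; the commented lines
  # below are alternative locations, not additional files.
  trusted-keys-file: "/etc/pki/dnssec-keys/named.dnssec.keys"
  #trusted-keys-file: "/etc/pki/dnssec-keys/production/*.conf"
  #trusted-keys-file: "/etc/pki/dnssec-keys/production/reverse/*.conf"

  # what resolv.conf file to use.
  # by default, autotrust does not use configured nameservers but resolves
  # the answers itself. providing your resolver configuration makes the
  # program run much faster. note that the listed nameservers are then
  # on the path used to fetch key material; DNSSEC validation of that
  # material is what protects you, not the transport.
  # resolv-conf: "/etc/resolv.conf"

  # by default, autotrust uses both IPv4 and IPv6. setting one of these
  # options to "no" disables that protocol version.
  # do-ip4: "yes"
  # do-ip6: "yes"

  # how long a new key must be continuously observed before it is added
  # as a trust anchor (add hold-down time).
  # by default, the add hold-down time is 30 days.
  # STRONGLY RECOMMENDED VALUE: 30 days or higher. lowering it shortens the
  # window in which a compromise of the signing key must be noticed before
  # an attacker-introduced key becomes trusted.
  # add-holddown: 2592000 # 30 days

  # how long a key must be continuously marked for removal before it is
  # deleted as a trust anchor (del hold-down time).
  # by default, the del hold-down time is 30 days.
  # STRONGLY RECOMMENDED VALUE: 30 days or higher
  # del-holddown: 2592000 # 30 days

  # how many times a pending trust anchor must be seen before it is added
  # to the valid trust anchor set. by default, 2 times.
  # STRONGLY RECOMMENDED VALUE: 2 or higher
  # pending-count: 2

  # keep trust anchors in the START state in the state information file.
  # by default, trust anchors in the START state are not stored.
  # keep-start: "no"

  # keep trust anchors in the REMOVED state in the state information file.
  # by default, trust anchors in the REMOVED state are not stored.
  # keep-removed: "no"

  # Fedora/EPEL: nameservers are restarted via the autostart.cron job
  # instead of via resolver-pidfile/resolver-reload.

  # the pidfile that stores the process id of your resolver.
  # by default, autotrust does not know about your resolver and will not
  # signal resolvers. you may configure multiple resolver pidfiles.
  # resolver-pidfile: "/var/run/unbound/unbound.pid"
  # resolver-pidfile: "/var/run/named/named.pid"

  # you may also specify the reload command to be executed after the
  # trust anchor files change. this command is run by autotrust, so only
  # set it from a configuration file that untrusted users cannot modify.
  # resolver-reload: "unbound-control reload"
  # resolver-reload: "rndc reload"

  # if you use Unbound, you can specify the Unbound configuration here so
  # that autotrust uses the same configuration. this option was built in
  # for debugging purposes (to configure stub zones) and is considered
  # experimental.
  # NOTE(review): this experimental option is enabled here; autotrust will
  # read the named file. comment it out unless the stub zone configuration
  # is actually needed.
  unbound-conf: "/etc/unbound/unbound.conf"

  # specify after how long a missing trust anchor may no longer be used as
  # a valid trust anchor. if keep-missing is 0, missing keys are never
  # removed (unless revoked), which is the default.
  # STRONGLY RECOMMENDED VALUE: 0, or 1 year or higher
  # keep-missing: 31536000 # 1 year

  # log when keys go missing, regardless of the configured verbosity level.
  # on by default.
  # alert-missing: "yes"

  # run autotrust as a daemon. by default "no".
  # daemonize: "no"

  # if you have a superior trust point configured, the subordinate trust
  # anchors will be removed 180 days after the superior trust point was
  # introduced. by default this option is disabled; you may enable it by
  # setting 'superior-trust' to "yes".
  # THIS OPTION IS NOT IMPLEMENTED YET
  # superior-trust: "no"

  # set the level of verbosity. the default is 1. the higher this number,
  # the more log messages you will get. set verbosity to 0 to get only
  # error and warning messages.
  # verbosity: 1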