<!-- Creator : groff version 1.20.1 -->
<!-- CreationDate: Sat Aug 28 01:15:12 2010 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<meta name="generator" content="groff -Thtml, see www.gnu.org">
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<meta name="Content-Style" content="text/css">
<style type="text/css">
       p       { margin-top: 0; margin-bottom: 0; vertical-align: top }
       pre     { margin-top: 0; margin-bottom: 0; vertical-align: top }
       table   { margin-top: 0; margin-bottom: 0; vertical-align: top }
       h1      { text-align: center }
</style>
<title>zkt-keyman</title>
<h1 align="center">zkt-keyman</h1>
<a href="#NAME">NAME</a><br>
<a href="#SYNOPSYS">SYNOPSIS</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#GENERAL OPTIONS">GENERAL OPTIONS</a><br>
<a href="#COMMAND OPTIONS">COMMAND OPTIONS</a><br>
<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
<a href="#FILES">FILES</a><br>
<a href="#BUGS">BUGS</a><br>
<a href="#AUTHORS">AUTHORS</a><br>
<a href="#COPYRIGHT">COPYRIGHT</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>
<h2>NAME
<a name="NAME"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">zkt-keyman - A DNSSEC key management tool</p>
<h2>SYNOPSIS
<a name="SYNOPSYS"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman -C</b> &lt;<i>zone</i>&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-krpz</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>]<br>
<b>zkt-keyman --create=</b>&lt;<i>zone</i>&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-krpz</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p>

<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman -</b>{<b>P</b>|<b>A</b>|<b>D</b>|<b>R</b>} &lt;<i>keyid</i>&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>]<br>
<b>zkt-keyman --published=</b>&lt;<i>keyid</i>&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>]<br>
<b>zkt-keyman --active=</b>&lt;<i>keyid</i>&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>]<br>
<b>zkt-keyman --depreciate=</b>&lt;<i>keyid</i>&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>]<br>
<b>zkt-keyman --rename=</b>&lt;<i>keyid</i>&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p>

<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman --destroy=</b>&lt;<i>keyid</i>&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p>

<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman -9 | --ksk-rollover</b><br>
<b>zkt-keyman -1 | --ksk-roll-phase1</b> <i>do.ma.in.</i> [<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>]<br>
<b>zkt-keyman -2 | --ksk-roll-phase2</b> <i>do.ma.in.</i> [<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>]<br>
<b>zkt-keyman -3 | --ksk-roll-phase3</b> <i>do.ma.in.</i> [<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>]<br>
<b>zkt-keyman -0 | --ksk-roll-stat</b> <i>do.ma.in.</i> [<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>]</p>
<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">The <i>zkt-keyman</i> command is a wrapper around <i>dnssec-keygen(8)</i> to assist in DNSSEC zone key</p>

<p style="margin-left:11%; margin-top: 1em">The command is used for DNS key management: it creates zone keys and changes the status of existing ones.</p>
<h2>GENERAL OPTIONS
<a name="GENERAL OPTIONS"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em"><b>-V</b> <i>view</i><b>, --view=</b><i>view</i></p>

<p style="margin-left:22%;">Try to read the default configuration from a file named <i>dnssec-&lt;view&gt;.conf</i>. Instead of specifying the -V or --view option every time, it is also possible to create a hard or symbolic link to the executable to give it an additional name such as <i>zkt-keyman-&lt;view&gt;</i>.</p>
<p style="margin-left:11%;"><b>-c</b> <i>file</i><b>, --config=</b><i>file</i></p>

<p style="margin-left:22%;">Read default values from the specified config file. Otherwise the default config file is read, or the built-in defaults are used.</p>
<p style="margin-left:11%;"><b>-O</b> <i>optstr</i><b>, --config-option=</b><i>optstr</i></p>

<p style="margin-left:22%;">Set any config file option from the command line. Several config file options can be given in one argument string, delimited by semicolons (or newlines).</p>
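<p style="margin-left:22%; margin-top: 1em">The following is an added example in Python, not code from the zkt-keyman page or project. It shows how the two ways of naming a view (the <b>-V</b> option, or a link named <i>zkt-keyman-&lt;view&gt;</i> inspected through argv[0]) resolve, which configuration files are then consulted according to the FILES section, and how an <b>-O</b> string is split at semicolons or newlines. The relative order of the view file and the local ./dnssec.conf, and the "Name: value" shape of each option, are assumptions made here; the option names used in the usage line are placeholders.</p>

```python
"""Added example (not zkt-keyman code): view selection from -V or from the
name the binary was invoked under, the config files consulted, and the
splitting of -O option strings."""
import os

DEFAULT_CONF = "/var/named/dnssec.conf"   # built-in default (FILES section)
LINK_PREFIX = "zkt-keyman-"               # zkt-keyman-<view> link convention


def select_view(argv0, explicit_view=None):
    """-V/--view wins; otherwise a link named zkt-keyman-<view> names the view."""
    if explicit_view:
        return explicit_view
    name = os.path.basename(argv0)
    if name.startswith(LINK_PREFIX) and len(name) > len(LINK_PREFIX):
        return name[len(LINK_PREFIX):]
    return None


def config_candidates(view=None, config_file=None, create_mode=False, environ=None):
    """Config files to try, most specific first.

    -c names the one file to read. Otherwise the global file comes from
    ZKT_CONFFILE (default /var/named/dnssec.conf), a view gets its own
    dnssec-<view>.conf next to it, and ./dnssec.conf is only read in -C mode.
    Assumption: the view file is consulted before the global one and after
    the local one; the page does not state this order."""
    env = os.environ if environ is None else environ
    if config_file:
        return [config_file]
    global_conf = env.get("ZKT_CONFFILE", DEFAULT_CONF)
    conf_dir = os.path.dirname(global_conf) or "."
    candidates = []
    if create_mode:
        candidates.append("./dnssec.conf")
    if view:
        candidates.append(os.path.join(conf_dir, "dnssec-%s.conf" % view))
    candidates.append(global_conf)
    return candidates


def parse_config_options(optstr):
    """Split one -O argument into (name, value) pairs.

    Options are delimited by ';' or newline (as the page says); the
    'Name: value' form of each option is an assumption made here."""
    pairs = []
    for chunk in optstr.replace("\n", ";").split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, value = chunk.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed config option: %r" % chunk)
        pairs.append((name.strip(), value.strip()))
    return pairs


if __name__ == "__main__":
    import sys
    view = select_view(sys.argv[0])
    print("view:", view)
    print("config files:", config_candidates(view, create_mode=True))
    # placeholder option names, not necessarily real dnssec.conf keywords
    print(parse_config_options("Recursive: True; Zonedir: /var/named"))
```

Running the block under a link named zkt-keyman-intern yields view "intern" and puts /var/named/dnssec-intern.conf into the candidate list; an -O string with a bare word and no colon is rejected rather than silently dropped.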
<p style="margin-left:11%;"><b>-d</b>, <b>--directory</b></p>

<p style="margin-left:22%;">Skip directory arguments. This is useful in combination with wildcard arguments, to prevent zkt-keyman from listing all keys found in subdirectories. For example "zkt-keyman -d *" prints a list of only those keys found in the current directory. It may be easier to use "zkt-keyman ." instead (without -r set). The option works similarly to the <b>-d</b> option of</p>
<p style="margin-left:11%;"><b>-k</b>, <b>--ksk</b></p>

<p style="margin-left:22%;">Select key signing keys only (default depends on command mode).</p>

<p style="margin-left:11%;"><b>-z</b>, <b>--zsk</b></p>

<p style="margin-left:22%;">Select zone signing keys only (default depends on command mode).</p>
<p style="margin-left:11%;"><b>-r</b>, <b>--recursive</b></p>

<p style="margin-left:22%;">Recursive mode (default is
Also settable in the dnssec.conf file (Parameter:</p>
<p style="margin-left:11%;"><b>-F</b>, <b>--setlifetime</b></p>

<p style="margin-left:22%;">Set the key lifetime of all selected keys. Use the options -k, -z, -l or the file and dir arguments to select the keys.</p>
<h2>COMMAND OPTIONS
<a name="COMMAND OPTIONS"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em"><b>-h</b>, <b>--help</b></p>

<p style="margin-left:22%;">Print out the online help.</p>
<p style="margin-left:11%;"><b>-C</b> <i>zone</i><b>, --create=</b><i>zone</i></p>

<p style="margin-left:22%;">Create a new zone signing key for the given zone. Add option <b>-k</b> to create a key signing key instead. The key algorithm and key length are taken from the built-in default values or from the parameter settings in the <i>dnssec.conf</i> file.<br>
The key file is created in the current directory if the <b>-p</b> option is specified.</p>
<p style="margin-left:11%;"><b>-R</b> <i>keyid</i><b>, --revoke=</b><i>keyid</i></p>

<p style="margin-left:22%;">Revoke the key signing key with the given keyid. A revoked key has bit 8 (the REVOKE bit, value 128) of the DNSKEY flags field set (see RFC 5011). The keyid is the numeric keytag with an optionally added zone name separated by a colon. Note that the keytag is computed over the DNSKEY RDATA including the flags field (RFC 4034, Appendix B), so a revoked key has a different keytag from the one it was created with.</p>
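<p style="margin-left:22%; margin-top: 1em">The following is an added example in Python, not code from the zkt-keyman page or project. It parses a keyid of the form <i>keytag</i>[:<i>zone</i>] as used by the status and revoke options, sets the RFC 5011 REVOKE bit in a DNSKEY flags word, and recomputes the RFC 4034 keytag to show that revocation changes it. The DNSKEY record is constructed for the example; its public key field is a short placeholder, not a real key.</p>

```python
"""Added example (not zkt-keyman code): keyid parsing, the RFC 5011 REVOKE
bit, and the RFC 4034 Appendix B key tag computed over DNSKEY RDATA."""

REVOKE_BIT = 0x0080   # bit 8 of the 16-bit DNSKEY flags field (RFC 5011)
KSK_FLAGS = 0x0101    # ZONE (bit 7) + SEP (bit 15) = 257, the usual KSK flags


def parse_keyid(keyid):
    """Split 'keytag' or 'keytag:zone' into (tag, zone_or_None).

    The tag must be an unsigned 16-bit number; a zone name after the colon
    is returned verbatim."""
    tag_s, sep, zone = keyid.partition(":")
    if not tag_s.isdigit():
        raise ValueError("keytag must be numeric: %r" % keyid)
    tag = int(tag_s)
    if tag > 0xFFFF:
        raise ValueError("keytag out of range: %d" % tag)
    return tag, (zone if sep else None)


def keytag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over flags|protocol|algorithm|pubkey."""
    rdata = bytes([flags >> 8, flags & 0xFF, protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b   # even index: high byte
    ac += (ac >> 16) & 0xFFFF                 # fold the carry back in
    return ac & 0xFFFF


def revoke(flags):
    """Flags after revocation: REVOKE bit set, all other bits unchanged."""
    return flags | REVOKE_BIT


def is_revoked(flags):
    return bool(flags & REVOKE_BIT)


# Constructed sample DNSKEY: flags 257, protocol 3, algorithm 8 (RSASHA256)
# and a 6-byte stand-in for the public key field.
SAMPLE_PUBKEY = bytes([0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD])
SAMPLE_TAG = keytag(KSK_FLAGS, 3, 8, SAMPLE_PUBKEY)
REVOKED_TAG = keytag(revoke(KSK_FLAGS), 3, 8, SAMPLE_PUBKEY)

if __name__ == "__main__":
    print("keyid 12345:example.net. ->", parse_keyid("12345:example.net."))
    print("flags before/after revoke:", KSK_FLAGS, revoke(KSK_FLAGS))
    print("keytag before/after revoke:", SAMPLE_TAG, REVOKED_TAG)
```

Because the flags word is the first 16-bit term of the key tag sum, setting the REVOKE bit always moves the tag: the sample key changes from tag 45784 to 45912, so a keyid recorded before revocation no longer names the key.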
<p style="margin-left:11%;"><b>--rename=</b><i>keyid</i></p>

<p style="margin-left:22%;">Rename the key files of the key with the given keyid (look for key file names starting with a lower-case 'k'). The keyid is the numeric keytag with an optionally added zone name separated by a colon.</p>
<p style="margin-left:11%;"><b>--destroy=</b><i>keyid</i></p>

<p style="margin-left:22%;">Delete the key with the given keyid. The keyid is the numeric keytag with an optionally added zone name separated by a colon. Beware that this deletes both the private and the public key file, so the key is unrecoverably lost.</p>
<p style="margin-left:11%;"><b>-P|A|D</b> <i>keyid</i>, <b>--published=</b><i>keyid</i>, <b>--active=</b><i>keyid</i>, <b>--depreciated=</b><i>keyid</i></p>

<p style="margin-left:22%;">Change the status of the given DNSSEC key to published (<b>-P</b>), active (<b>-A</b>) or depreciated (<b>-D</b>). The <i>keyid</i> is the numeric keytag with an optionally added zone name separated by a colon. Setting the status to "published" or "depreciated" changes the suffix of the private key file to ".published" or ".depreciated" respectively. Without a ".private" file the key is not picked up by <i>dnssec-signzone(8)</i> as a signing key. The time of the status change is stored in the 'mtime' field of the corresponding ".key" file. Activating the key with <b>-A</b> restores the original timestamp and file name (".private").</p>
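<p style="margin-left:22%; margin-top: 1em">The following is an added example in Python, not code from the zkt-keyman page or project. It re-implements the file naming convention described above on a scratch directory: a key's private half is renamed to ".published" or ".depreciated", the change time is written into the ".key" file's mtime, and activation renames it back, so one can check which keys a signer that only looks for ".private" files would still use. The key name, timestamps and file contents are constructed; taking the restored ".key" timestamp from the private file's own mtime is an assumption made here.</p>

```python
"""Added example (not zkt-keyman code): the key-status file convention behind
-P/-A/-D, re-implemented on a scratch directory so it can be run anywhere."""
import os
import shutil
import tempfile

# Suffix of the private-key file in each status. Only ".private" is what
# dnssec-signzone(8) looks for, which is why the other two disable signing.
STATUS_SUFFIX = {
    "published": ".published",
    "active": ".private",
    "depreciated": ".depreciated",
}


def key_base(zone, alg, tag):
    """BIND-style key file stem, e.g. Kexample.net.+008+45784."""
    return "K%s+%03d+%05d" % (zone, alg, tag)


def make_key(directory, base, when):
    """Write a constructed .key/.private pair (placeholders, not real keys)."""
    for suffix in (".key", ".private"):
        path = os.path.join(directory, base + suffix)
        with open(path, "w") as fh:
            fh.write("; constructed placeholder for %s%s\n" % (base, suffix))
        os.utime(path, (when, when))


def current_status(directory, base):
    """Derive the status from which private-key file suffix exists."""
    for status, suffix in STATUS_SUFFIX.items():
        if os.path.exists(os.path.join(directory, base + suffix)):
            return status
    raise FileNotFoundError("no private key file for " + base)


def set_status(directory, base, new_status, now):
    """Rename the private key file and record the change in the .key mtime.

    Assumption (not stated on the page): on activation the original
    timestamp is taken from the private key file, whose mtime a rename
    does not touch."""
    old = os.path.join(directory, base + STATUS_SUFFIX[current_status(directory, base)])
    new = os.path.join(directory, base + STATUS_SUFFIX[new_status])
    os.rename(old, new)
    keyfile = os.path.join(directory, base + ".key")
    stamp = os.stat(new).st_mtime if new_status == "active" else now
    os.utime(keyfile, (stamp, stamp))


def signing_keys(directory):
    """Key stems a signer would use: those that still have a .private file."""
    return sorted(name[:-len(".private")] for name in os.listdir(directory)
                  if name.startswith("K") and name.endswith(".private"))


def demo(now=1700000000):
    """Walk one key through published -> active -> depreciated.

    Returns (status, usable_for_signing, key_file_mtime) per step."""
    workdir = tempfile.mkdtemp(prefix="zkt-example-")
    try:
        base = key_base("example.net.", 8, 45784)
        make_key(workdir, base, now - 86400)     # created "yesterday"
        trace = []
        for status in ("published", "active", "depreciated"):
            set_status(workdir, base, status, now)
            mtime = int(os.stat(os.path.join(workdir, base + ".key")).st_mtime)
            trace.append((status, base in signing_keys(workdir), mtime))
        return trace
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for step in demo():
        print("%-12s usable=%-5s key mtime=%d" % step)
```

The trace shows the key usable only in the "active" step, the ".key" mtime set to the change time on publish and depreciate, and the creation-time stamp coming back on activation.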
<p style="margin-left:11%;"><b>--ksk-roll-phase[123]</b> <i>do.ma.in.</i></p>

<p style="margin-left:22%;">Initiate a key signing key rollover of the specified domain. This feature is currently experimental and is mainly intended for use in a hierarchical environment. Use --ksk-rollover for a somewhat more detailed description.</p>
<h2>SAMPLE USAGE
<a name="SAMPLE USAGE"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman -C example.net -k -r ./zonedir</b></p>

<p style="margin-left:22%;">Create a new key signing key for the zone "example.net". Store the key in the same directory below "zonedir" where the other "example.net" keys live.</p>
<p style="margin-left:11%;"><b>zkt-keyman -D 12345</b></p>

<p style="margin-left:22%;">Depreciate the key with tag "12345" found below the current directory.</p>
<p style="margin-left:11%;"><b>zkt-keyman --view intern -C example.net</b></p>

<p style="margin-left:22%;">Create a new zone key for the internal zone example.net.</p>
<p style="margin-left:11%;"><b>zkt-keyman-intern</b></p>

<p style="margin-left:22%;">Same as above. The binary <i>zkt-keyman</i> has an additional link named <i>zkt-keyman-intern</i>, and <i>zkt-keyman</i> examines argv[0] to find the view whose zones it proceeds to</p>
<h2>ENVIRONMENT VARIABLES
<a name="ENVIRONMENT VARIABLES"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p>

<p style="margin-left:22%;">Specifies the name of the default global configuration file.</p>
<h2>FILES
<a name="FILES"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em"><i>/var/named/dnssec.conf</i></p>

<p style="margin-left:22%;">Built-in default global configuration file. The name of the default global config file is settable via the environment variable ZKT_CONFFILE.</p>

<p style="margin-left:11%;"><i>/var/named/dnssec-&lt;view&gt;.conf</i></p>

<p style="margin-left:22%;">View-specific global configuration file.</p>
<p style="margin-left:11%;"><i>./dnssec.conf</i></p>

<p style="margin-left:22%;">Local configuration file (only used in <b>-C</b> mode).</p>
<h2>AUTHORS
<a name="AUTHORS"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">Holger Zuleger</p>
<h2>COPYRIGHT
<a name="COPYRIGHT"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">Copyright (c) 2005 - 2008 by Holger Zuleger. Licensed under the BSD License. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.</p>
<h2>SEE ALSO
<a name="SEE ALSO"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8), zkt-ls(8), zkt-signer(8)<br>
RFC 4641 "DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman<br>
DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC<br>
(http://www.nlnetlabs.nl/dnssec_howto/)</p>