1 <!-- Creator : groff version 1.20.1 -->
2 <!-- CreationDate: Tue Aug 4 21:33:40 2009 -->
3 <!DOCTYPE html PUBLIC
"-//W3C//DTD HTML 4.01 Transitional//EN"
4 "http://www.w3.org/TR/html4/loose.dtd">
7 <meta name=
"generator" content=
"groff -Thtml, see www.gnu.org">
8 <meta http-equiv=
"Content-Type" content=
"text/html; charset=US-ASCII">
9 <meta name=
"Content-Style" content=
"text/css">
10 <style type=
"text/css">
11 p
{ margin-top: 0; margin-bottom: 0; vertical-align: top
}
12 pre
{ margin-top: 0; margin-bottom: 0; vertical-align: top
}
13 table
{ margin-top: 0; margin-bottom: 0; vertical-align: top
}
14 h1
{ text-align: center
}
16 <title>dnssec-zkt
</title>
21 <h1 align=
"center">dnssec-zkt
</h1>
23 <a href=
"#NAME">NAME
</a><br>
24 <a href=
"#SYNOPSYS">SYNOPSYS
</a><br>
25 <a href=
"#DESCRIPTION">DESCRIPTION
</a><br>
26 <a href=
"#GENERAL OPTIONS">GENERAL OPTIONS
</a><br>
27 <a href=
"#COMMAND OPTIONS">COMMAND OPTIONS
</a><br>
28 <a href=
"#SAMPLE USAGE">SAMPLE USAGE
</a><br>
29 <a href=
"#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES
</a><br>
30 <a href=
"#FILES">FILES
</a><br>
31 <a href=
"#BUGS">BUGS
</a><br>
32 <a href=
"#AUTHORS">AUTHORS
</a><br>
33 <a href=
"#COPYRIGHT">COPYRIGHT
</a><br>
34 <a href=
"#SEE ALSO">SEE ALSO
</a><br>
44 <p style=
"margin-left:11%; margin-top: 1em">dnssec-zkt
45 — Secure DNS zone key tool
</p>
48 <a name=
"SYNOPSYS"></a>
53 <p style=
"margin-left:11%; margin-top: 1em"><b>dnssec-zkt
</b>
54 [
<b>−V|--view
</b> <i>view
</i>] [
<b>−c
</b>
55 <i>file
</i>] [
<b>−l
</b> <i>list
</i>]
56 [
<b>−adefhkLrptz
</b>] [{
<i>keyfile
</i>|
<i>dir
</i>}
59 <p style=
"margin-left:11%; margin-top: 1em"><b>dnssec-zkt
60 −C
</b><label
> [
<b>−V|--view
</b>
61 <i>view
</i>] [
<b>−c
</b> <i>file
</i>]
62 [
<b>−krpz
</b>] [{
<i>keyfile
</i>|
<i>dir
</i>}
64 dnssec-zkt
−−create=
</b><label
>
65 [
<b>−V|--view
</b> <i>view
</i>] [
<b>−c
</b>
66 <i>file
</i>] [
<b>−krpz
</b>]
67 [{
<i>keyfile
</i>|
<i>dir
</i>}
<i>...
</i>]
</p>
69 <p style=
"margin-left:11%; margin-top: 1em"><b>dnssec-zkt
70 −</b>{
<b>P
</b>|
<b>A
</b>|
<b>D
</b>|
<b>R
</b>}
<b><keytag
></b>
71 [
<b>−V|--view
</b> <i>view
</i>] [
<b>−c
</b>
72 <i>file
</i>] [
<b>−r
</b>] [{
<i>keyfile
</i>|
<i>dir
</i>}
74 dnssec-zkt
−−published=
</b><keytag
>
75 [
<b>−V|--view
</b> <i>view
</i>] [
<b>−c
</b>
76 <i>file
</i>] [
<b>−r
</b>] [{
<i>keyfile
</i>|
<i>dir
</i>}
78 dnssec-zkt
−−active=
</b><keytag
>
79 [
<b>−V|--view
</b> <i>view
</i>] [
<b>−c
</b>
80 <i>file
</i>] [
<b>−r
</b>] [{
<i>keyfile
</i>|
<i>dir
</i>}
82 dnssec-zkt
−−depreciate=
</b><keytag
>
83 [
<b>−V|--view
</b> <i>view
</i>] [
<b>−c
</b>
84 <i>file
</i>] [
<b>−r
</b>] [{
<i>keyfile
</i>|
<i>dir
</i>}
86 dnssec-zkt
−−rename=
</b><keytag
>
87 [
<b>−V|--view
</b> <i>view
</i>] [
<b>−c
</b>
88 <i>file
</i>] [
<b>−r
</b>] [{
<i>keyfile
</i>|
<i>dir
</i>}
91 <p style=
"margin-left:11%; margin-top: 1em"><b>dnssec-zkt
92 −−destroy=
</b><keytag
>
93 [
<b>−V|--view
</b> <i>view
</i>] [
<b>−c
</b>
94 <i>file
</i>] [
<b>−r
</b>] [{
<i>keyfile
</i>|
<i>dir
</i>}
97 <p style=
"margin-left:11%; margin-top: 1em"><b>dnssec-zkt
98 −T
</b> [
<b>−V|--view
</b> <i>view
</i>]
99 [
<b>−c
</b> <i>file
</i>] [
<b>−l
</b> <i>list
</i>]
100 [
<b>−hr
</b>] [{
<i>keyfile
</i>|
<i>dir
</i>}
<i>...
</i>]
102 dnssec-zkt
−−list-trustedkeys
</b>
103 [
<b>−V|--view
</b> <i>view
</i>] [
<b>−c
</b>
104 <i>file
</i>] [
<b>−l
</b> <i>list
</i>]
105 [
<b>−hr
</b>] [{
<i>keyfile
</i>|
<i>dir
</i>}
108 <p style=
"margin-left:11%; margin-top: 1em"><b>dnssec-zkt
109 −K
</b> [
<b>−V|--view
</b> <i>view
</i>]
110 [
<b>−c
</b> <i>file
</i>] [
<b>−l
</b> <i>list
</i>]
111 [
<b>−hkzr
</b>] [{
<i>keyfile
</i>|
<i>dir
</i>}
113 dnssec-zkt
−−list-dnskeys
</b>
114 [
<b>−V|--view
</b> <i>view
</i>] [
<b>−c
</b>
115 <i>file
</i>] [
<b>−l
</b> <i>list
</i>]
116 [
<b>−hkzr
</b>] [{
<i>keyfile
</i>|
<i>dir
</i>}
119 <p style=
"margin-left:11%; margin-top: 1em"><b>dnssec-zkt
120 −Z
</b> [
<b>−V|--view
</b> <i>view
</i>]
121 [
<b>−c
</b> <i>file
</i>]
<b><br>
122 dnssec-zkt
−−zone-config
</b>
123 [
<b>−V|--view
</b> <i>view
</i>] [
<b>−c
</b>
126 <p style=
"margin-left:11%; margin-top: 1em"><b>dnssec-zkt
127 −9 |
−−ksk-rollover
<br>
128 dnssec-zkt
−1 |
−−ksk-roll-phase1
</b>
129 <i>do.ma.in.
</i> [
<b>−V|--view
</b> <i>view
</i>]
130 [
<b>−c
</b> <i>file
</i>]
<b><br>
131 dnssec-zkt
−2 |
−−ksk-roll-phase2
</b>
132 <i>do.ma.in.
</i> [
<b>−V|--view
</b> <i>view
</i>]
133 [
<b>−c
</b> <i>file
</i>]
<b><br>
134 dnssec-zkt
−3 |
−−ksk-roll-phase3
</b>
135 <i>do.ma.in.
</i> [
<b>−V|--view
</b> <i>view
</i>]
136 [
<b>−c
</b> <i>file
</i>]
<b><br>
137 dnssec-zkt
−0 |
−−ksk-roll-stat
</b>
138 <i>do.ma.in.
</i> [
<b>−V|--view
</b> <i>view
</i>]
139 [
<b>−c
</b> <i>file
</i>]
</p>
142 <a name=
"DESCRIPTION"></a>
146 <p style=
"margin-left:11%; margin-top: 1em">The
147 <i>dnssec-zkt
</i> command is a wrapper around
148 <i>dnssec-keygen(
8)
</i> to assist in dnssec zone key
151 <p style=
"margin-left:11%; margin-top: 1em">In the common
152 usage the command prints out information about all dnssec
153 (zone) keys found in the given (or predefined default)
154 directory. It is also possible to specify keyfiles (K*.key)
155 as arguments. With option
<b>−r
</b> subdirectories
156 will be searched recursively, and all dnssec keys found will
157 be listed sorted by domain name, key type and generation
158 time. In that mode the use of the
<b>−p
</b> option may
159 be helpful to find the location of the keyfile in the
162 <p style=
"margin-left:11%; margin-top: 1em">Other forms of
163 the command print out keys in a format suitable for a
164 trusted-key section or as a DNSKEY resource record.
</p>
166 <p style=
"margin-left:11%; margin-top: 1em">The command is
167 also useful in dns key management. It offers monitoring of
168 key lifetime and modification of key status.
</p>
171 <a name=
"GENERAL OPTIONS"></a>
176 <p style=
"margin-left:11%; margin-top: 1em"><b>−V
</b>
177 <i>view
</i><b>,
−−view=
</b><i>view
</i></p>
179 <p style=
"margin-left:22%;">Try to read the default
180 configuration out of a file named
181 <i>dnssec-
<view
>.conf .
</i> Instead of specifying the
182 −V or --view option every time, it is also possible to
183 create a hard or softlink to the executable file to give it
184 an additional name like
<i>dnssec-zkt-
<view
> .
</i></p>
186 <p style=
"margin-left:11%;"><b>−c
</b> <i>file
</i><b>,
187 −−config=
</b><i>file
</i></p>
189 <p style=
"margin-left:22%;">Read default values from the
190 specified config file. Otherwise the default config file is
191 read or build in defaults will be used.
</p>
193 <p style=
"margin-left:11%;"><b>−O
</b>
195 −−config-option=
</b><i>optstr
</i></p>
197 <p style=
"margin-left:22%;">Set any config file option via
198 the commandline. Several config file options could be
199 specified at the argument string but have to be delimited by
200 semicolon (or newline).
</p>
202 <p style=
"margin-left:11%;"><b>−l
</b> <i>list
</i></p>
204 <p style=
"margin-left:22%;">Print out information solely
205 about domains given in the comma or space separated list.
206 Take care of, that every domain name has a trailing dot.
</p>
208 <p style=
"margin-left:11%;"><b>−d
</b>,
209 <b>−−directory
</b></p>
211 <p style=
"margin-left:22%;">Skip directory arguments. This
212 will be useful in combination with wildcard arguments to
213 prevent dnsssec-zkt to list all keys found in
214 subdirectories. For example
"dnssec-zkt -d *
" will
215 print out a list of all keys only found in the current
216 directory. Maybe it is easier to use
"dnssec-zkt
217 .
" instead (without -r set). The option works similar
218 to the
−d option of
<i>ls(
1)
</i>.
</p>
220 <p style=
"margin-left:11%;"><b>−L
</b>,
221 <b>−−left-justify
</b></p>
223 <p style=
"margin-left:22%;">Print out the domain name left
226 <p style=
"margin-left:11%;"><b>−k
</b>,
227 <b>−−ksk
</b></p>
229 <p style=
"margin-left:22%;">Select and print key signing
230 keys only (default depends on command mode).
</p>
232 <p style=
"margin-left:11%;"><b>−z
</b>,
233 <b>−−zsk
</b></p>
235 <p style=
"margin-left:22%;">Select and print zone signing
236 keys only (default depends on command mode).
</p>
238 <p style=
"margin-left:11%;"><b>−r
</b>,
239 <b>−−recursive
</b></p>
241 <p style=
"margin-left:22%;">Recursive mode (default is
243 Also settable in the dnssec.conf file (Parameter:
246 <p style=
"margin-left:11%;"><b>−p
</b>,
247 <b>−−path
</b></p>
249 <p style=
"margin-left:22%;">Print pathname in listing mode.
250 In -C mode, don
’t create the new key in the same
251 directory as (already existing) keys with the same
254 <p style=
"margin-left:11%;"><b>−a
</b>,
255 <b>−−age
</b></p>
257 <p style=
"margin-left:22%;">Print age of key in weeks,
258 days, hours, minutes and seconds (default is off).
<br>
259 Also settable in the dnssec.conf file (Parameter:
262 <p style=
"margin-left:11%;"><b>−f
</b>,
263 <b>−−lifetime
</b></p>
265 <p style=
"margin-left:22%;">Print the key lifetime.
</p>
267 <p style=
"margin-left:11%;"><b>−F
</b>,
268 <b>−−setlifetime
</b></p>
270 <p style=
"margin-left:22%;">Set the key lifetime of all the
271 selected keys. Use option -k, -z, -l or the file and dir
272 argument for key selection.
</p>
274 <p style=
"margin-left:11%;"><b>−e
</b>,
275 <b>−−exptime
</b></p>
277 <p style=
"margin-left:22%;">Print the key expiration
280 <p style=
"margin-left:11%;"><b>−t
</b>,
281 <b>−−time
</b></p>
283 <p style=
"margin-left:22%;">Print the key generation time
284 (default is on).
<br>
285 Also settable in the dnssec.conf file (Parameter:
288 <table width=
"100%" border=
"0" rules=
"none" frame=
"void"
289 cellspacing=
"0" cellpadding=
"0">
290 <tr valign=
"top" align=
"left">
291 <td width=
"11%"></td>
295 <p><b>−h
</b></p></td>
300 <p>No header or trusted-key section header and trailer in
301 -T mode
</p></td></tr>
305 <a name=
"COMMAND OPTIONS"></a>
310 <p style=
"margin-left:11%; margin-top: 1em"><b>−H
</b>,
311 <b>−−help
</b></p>
313 <p style=
"margin-left:22%;">Print out the online help.
</p>
315 <p style=
"margin-left:11%;"><b>−T
</b>,
316 <b>−−list-trustedkeys
</b></p>
318 <p style=
"margin-left:22%;">List all key signing keys as a
319 <i>named.conf
</i> trusted-key section. Use
<b>−h
</b>
320 to supress the section header/trailer.
</p>
322 <p style=
"margin-left:11%;"><b>−K
</b>,
323 <b>−−list-dnskeys
</b></p>
325 <p style=
"margin-left:22%;">List the public part of all the
326 keys in DNSKEY resource record format. Use
<b>−h
</b>
327 to suppress comment lines.
</p>
329 <p style=
"margin-left:11%;"><b>−C
</b> <i>zone
</i><b>,
330 −−create=
</b><i>zone
</i></p>
332 <p style=
"margin-left:22%;">Create a new zone signing key
333 for the given zone. Add option
<b>−k
</b> to create a
334 key signing key. The key algorithm and key length will be
335 examined from built-in default values or from the parameter
336 settings in the
<i>dnssec.conf
</i> file.
<br>
337 The keyfile will be created in the current directory if the
338 <b>−p
</b> option is specified.
</p>
340 <p style=
"margin-left:11%;"><b>−R
</b>
341 <i>keyid
</i><b>,
−−revoke=
</b><i>keyid
</i></p>
343 <p style=
"margin-left:22%;">Revoke the key signing key with
344 the given keyid. A revoked key has bit
8 in the flags filed
345 set (see RFC5011). The keyid is the numeric keytag with an
346 optionally added zone name separated by a colon.
</p>
349 <p style=
"margin-left:11%;"><b>−−rename=
"</b><i>keyid
</i></p>
351 <p style=
"margin-left:22%;">Rename the key files of the key
352 with the given keyid (Look at key file names starting with
353 an lower
’k
’). The keyid is the numeric keytag
354 with an optionally added zone name separated by a colon.
</p>
357 <p style=
"margin-left:11%;"><b>−−destroy=
</b><i>keyid
</i></p>
359 <p style=
"margin-left:22%;">Deletes the key with the given
360 keyid. The keyid is the numeric keytag with an optionally
361 added zone name separated by a colon. Beware that this
362 deletes both private and public keyfiles, thus the key is
363 unrecoverable lost.
</p>
365 <p style=
"margin-left:11%;"><b>−P|A|D
</b>
366 <i>keyid,
</i> <b>−−published=
</b><i>keyid,
</i>
367 <b>−−active=
</b><i>keyid,
</i>
368 <b>−−depreciated=
</b><i>keyid
</i></p>
370 <p style=
"margin-left:22%;">Change the status of the given
371 dnssec key to published (
<b>−P
</b>), active
372 (
<b>−A
</b>) or depreciated (
<b>−D
</b>). The
373 <i>keyid
</i> is the numeric keytag with an optionally added
374 zone name separated by a colon. Setting the status to
375 "published
" or
"depreciate
" will change
376 the filename of the private key file to
377 ".published
" or
".depreciated
"
378 respectivly. This prevents the usage of the key as a signing
379 key by the use of
<i>dnssec-signzone(
8)
</i>. The time of
380 status change will be stored in the
’mtime
’
381 field of the corresponding
".key
" file. Key
382 activation via option
<b>−A
</b> will restore the
383 original timestamp and file name (
".private
").
</p>
385 <p style=
"margin-left:11%;"><b>−Z
</b>,
386 <b>−−zone-config
</b></p>
388 <p style=
"margin-left:22%;">Write all config parameters to
389 stdout. The output is suitable as a template for the
390 <i>dnssec.conf
</i> file, so the easiest way to create a
391 <i>dnssec.conf
</i> file is to redirect the standard output
392 of the above command. Pay attention not to overwrite an
396 <p style=
"margin-left:11%;"><b>−−ksk-roll-phase[
123]
</b>
399 <p style=
"margin-left:22%;">Initiate a key signing key
400 rollover of the specified domain. This feature is currently
401 in experimental status and is mainly for the use in an
402 hierachical environment. Use --ksk-rollover for a little
403 more detailed description.
</p>
406 <a name=
"SAMPLE USAGE"></a>
410 <p style=
"margin-left:11%; margin-top: 1em"><b>dnssec-zkt
413 <p style=
"margin-left:22%;">Print out a list of all zone
414 keys found below the current directory.
</p>
416 <p style=
"margin-left:11%;"><b>dnssec-zkt
−Z
−c
419 <p style=
"margin-left:22%;">Print out the compiled in
420 default parameters.
</p>
422 <p style=
"margin-left:11%;"><b>dnssec-zkt
−C
423 example.net
−k
−r ./zonedir
</b></p>
425 <p style=
"margin-left:22%;">Create a new key signing key
426 for the zone
"example.net
". Store the key in the
427 same directory below
"zonedir
" where the other
428 "example.net
" keys live.
</p>
430 <p style=
"margin-left:11%;"><b>dnssec-zkt
−T
431 ./zonedir/example.net
</b></p>
433 <p style=
"margin-left:22%;">Print out a trusted-key section
434 containing the key signing keys of
435 "example.net
".
</p>
437 <p style=
"margin-left:11%;"><b>dnssec-zkt
−D
123245
440 <p style=
"margin-left:22%;">Depreciate the key with tag
441 "12345" below the current directory,
</p>
443 <p style=
"margin-left:11%;"><b>dnssec-zkt --view
446 <p style=
"margin-left:22%;">Print out a list of all zone
447 keys found below the directory where all the zones of view
448 intern live. There should be a seperate dnssec config file
449 <i>dnssec-intern.conf
</i> with a directory option to take
452 <p style=
"margin-left:11%;"><b>dnssec-zkt-intern
</b></p>
454 <p style=
"margin-left:22%;">Same as above. The binary file
455 <i>dnssec-zkt
</i> has another link, named
456 <i>dnssec-zkt-intern
</i> made, and
<i>dnssec-zkt
</i>
457 examines argv[
0] to find a view whose zones it proceeds to
460 <h2>ENVIRONMENT VARIABLES
461 <a name=
"ENVIRONMENT VARIABLES"></a>
466 <p style=
"margin-left:11%; margin-top: 1em">ZKT_CONFFILE
</p>
468 <p style=
"margin-left:22%;">Specifies the name of the
469 default global configuration files.
</p>
477 <p style=
"margin-left:11%; margin-top: 1em"><i>/var/named/dnssec.conf
</i></p>
479 <p style=
"margin-left:22%;">Built-in default global
480 configuration file. The name of the default global config
481 file is settable via the environment variable
485 <p style=
"margin-left:11%;"><i>/var/named/dnssec-
<view
>.conf
</i></p>
487 <p style=
"margin-left:22%;">View specific global
488 configuration file.
</p>
490 <p style=
"margin-left:11%;"><i>./dnssec.conf
</i></p>
492 <p style=
"margin-left:22%;">Local configuration file (only
493 used in
<b>−C
</b> mode).
</p>
500 <p style=
"margin-left:11%; margin-top: 1em">Some of the
501 general options will not be meaningful in all of the command
503 The option
<b>−l
</b> and the ksk rollover options
504 insist on domain names ending with a dot.
</p>
507 <a name=
"AUTHORS"></a>
511 <p style=
"margin-left:11%; margin-top: 1em">Holger Zuleger,
515 <a name=
"COPYRIGHT"></a>
519 <p style=
"margin-left:11%; margin-top: 1em">Copyright (c)
520 2005 − 2008 by Holger Zuleger. Licensed under the BSD
521 Licences. There is NO warranty; not even for MERCHANTABILITY
522 or FITNESS FOR A PARTICULAR PURPOSE.
</p>
525 <a name=
"SEE ALSO"></a>
530 <p style=
"margin-left:11%; margin-top: 1em">dnssec-keygen(
8),
531 dnssec-signzone(
8), rndc(
8), named.conf(
5),
532 dnssec-signer(
8),
<br>
533 RFC4641
"DNSSEC Operational Practices
" by Miek
534 Gieben and Olaf Kolkman,
<br>
535 DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
<br>
536 (http://www.nlnetlabs.nl/dnssec_howto/)
</p>
