193 lines
6.5 KiB
Plaintext
193 lines
6.5 KiB
Plaintext
.\" Man page generated from reStructuredText.
|
|
.
|
|
.TH "DNSSEC-COVERAGE" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
|
|
.SH NAME
|
|
dnssec-coverage \- checks future DNSKEY coverage for a zone
|
|
.
|
|
.nr rst2man-indent-level 0
|
|
.
|
|
.de1 rstReportMargin
|
|
\\$1 \\n[an-margin]
|
|
level \\n[rst2man-indent-level]
|
|
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
-
|
|
\\n[rst2man-indent0]
|
|
\\n[rst2man-indent1]
|
|
\\n[rst2man-indent2]
|
|
..
|
|
.de1 INDENT
|
|
.\" .rstReportMargin pre:
|
|
. RS \\$1
|
|
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
|
. nr rst2man-indent-level +1
|
|
.\" .rstReportMargin post:
|
|
..
|
|
.de UNINDENT
|
|
. RE
|
|
.\" indent \\n[an-margin]
|
|
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.nr rst2man-indent-level -1
|
|
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
|
..
|
|
.SH SYNOPSIS
|
|
.sp
|
|
\fBdnssec\-coverage\fP [\fB\-K\fP\fIdirectory\fP] [\fB\-l\fP\fIlength\fP]
|
|
[\fB\-f\fP\fIfile\fP] [\fB\-d\fP\fIDNSKEY TTL\fP] [\fB\-m\fP\fImax TTL\fP]
|
|
[\fB\-r\fP\fIinterval\fP] [\fB\-c\fP\fIcompilezone path\fP] [\fB\-k\fP] [\fB\-z\fP]
|
|
[zone...]
|
|
.SH DESCRIPTION
|
|
.sp
|
|
\fBdnssec\-coverage\fP verifies that the DNSSEC keys for a given zone or a
|
|
set of zones have timing metadata set properly to ensure no future
|
|
lapses in DNSSEC coverage.
|
|
.sp
|
|
If \fBzone\fP is specified, then keys found in the key repository matching
|
|
that zone are scanned, and an ordered list is generated of the events
|
|
scheduled for that key (i.e., publication, activation, inactivation,
|
|
deletion). The list of events is walked in order of occurrence. Warnings
|
|
are generated if any event is scheduled which could cause the zone to
|
|
enter a state in which validation failures might occur: for example, if
|
|
the number of published or active keys for a given algorithm drops to
|
|
zero, or if a key is deleted from the zone too soon after a new key is
|
|
rolled, and cached data signed by the prior key has not had time to
|
|
expire from resolver caches.
|
|
.sp
|
|
If \fBzone\fP is not specified, then all keys in the key repository will
|
|
be scanned, and all zones for which there are keys will be analyzed.
|
|
(Note: This method of reporting is only accurate if all the zones that
|
|
have keys in a given repository share the same TTL parameters.)
|
|
.SH OPTIONS
|
|
.sp
|
|
\fB\-K\fP \fIdirectory\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
Sets the directory in which keys can be found. Defaults to the
|
|
current working directory.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
\fB\-f\fP \fIfile\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
If a \fBfile\fP is specified, then the zone is read from that file; the
|
|
largest TTL and the DNSKEY TTL are determined directly from the zone
|
|
data, and the \fB\-m\fP and \fB\-d\fP options do not need to be specified
|
|
on the command line.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
\fB\-l\fP \fIduration\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
The length of time to check for DNSSEC coverage. Key events scheduled
|
|
further into the future than \fBduration\fP will be ignored, and
|
|
assumed to be correct.
|
|
.sp
|
|
The value of \fBduration\fP can be set in seconds, or in larger units
|
|
of time by adding a suffix: mi for minutes, h for hours, d for days,
|
|
w for weeks, mo for months, y for years.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
\fB\-m\fP \fImaximum TTL\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
Sets the value to be used as the maximum TTL for the zone or zones
|
|
being analyzed when determining whether there is a possibility of
|
|
validation failure. When a zone\-signing key is deactivated, there
|
|
must be enough time for the record in the zone with the longest TTL
|
|
to have expired from resolver caches before that key can be purged
|
|
from the DNSKEY RRset. If that condition does not apply, a warning
|
|
will be generated.
|
|
.sp
|
|
The length of the TTL can be set in seconds, or in larger units of
|
|
time by adding a suffix: mi for minutes, h for hours, d for days, w
|
|
for weeks, mo for months, y for years.
|
|
.sp
|
|
This option is not necessary if the \fB\-f\fP has been used to specify a
|
|
zone file. If \fB\-f\fP has been specified, this option may still be
|
|
used; it will override the value found in the file.
|
|
.sp
|
|
If this option is not used and the maximum TTL cannot be retrieved
|
|
from a zone file, a warning is generated and a default value of 1
|
|
week is used.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
\fB\-d\fP \fIDNSKEY TTL\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
Sets the value to be used as the DNSKEY TTL for the zone or zones
|
|
being analyzed when determining whether there is a possibility of
|
|
validation failure. When a key is rolled (that is, replaced with a
|
|
new key), there must be enough time for the old DNSKEY RRset to have
|
|
expired from resolver caches before the new key is activated and
|
|
begins generating signatures. If that condition does not apply, a
|
|
warning will be generated.
|
|
.sp
|
|
The length of the TTL can be set in seconds, or in larger units of
|
|
time by adding a suffix: mi for minutes, h for hours, d for days, w
|
|
for weeks, mo for months, y for years.
|
|
.sp
|
|
This option is not necessary if \fB\-f\fP has been used to specify a
|
|
zone file from which the TTL of the DNSKEY RRset can be read, or if a
|
|
default key TTL was set using ith the \fB\-L\fP to \fBdnssec\-keygen\fP\&. If
|
|
either of those is true, this option may still be used; it will
|
|
override the values found in the zone file or the key file.
|
|
.sp
|
|
If this option is not used and the key TTL cannot be retrieved from
|
|
the zone file or the key file, then a warning is generated and a
|
|
default value of 1 day is used.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
\fB\-r\fP \fIresign interval\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
Sets the value to be used as the resign interval for the zone or
|
|
zones being analyzed when determining whether there is a possibility
|
|
of validation failure. This value defaults to 22.5 days, which is
|
|
also the default in \fBnamed\fP\&. However, if it has been changed by the
|
|
\fBsig\-validity\-interval\fP option in named.conf, then it should also
|
|
be changed here.
|
|
.sp
|
|
The length of the interval can be set in seconds, or in larger units
|
|
of time by adding a suffix: mi for minutes, h for hours, d for days,
|
|
w for weeks, mo for months, y for years.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
\fB\-k\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
Only check KSK coverage; ignore ZSK events. Cannot be used with
|
|
\fB\-z\fP\&.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
\fB\-z\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
Only check ZSK coverage; ignore KSK events. Cannot be used with
|
|
\fB\-k\fP\&.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
\fB\-c\fP \fIcompilezone path\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
Specifies a path to a \fBnamed\-compilezone\fP binary. Used for testing.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.SH SEE ALSO
|
|
.sp
|
|
\fBdnssec\-checkds\fP(8), \fBdnssec\-dsfromkey\fP(8),
|
|
\fBdnssec\-keygen\fP(8), \fBdnssec\-signzone\fP(8)
|
|
.SH AUTHOR
|
|
Internet Systems Consortium
|
|
.SH COPYRIGHT
|
|
2020, Internet Systems Consortium
|
|
.\" Generated by docutils manpage writer.
|
|
.
|