Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   29550 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

DNSSEC-COVERAGE(8)		     BIND9		    DNSSEC-COVERAGE(8)

NAME
       dnssec-coverage - checks future DNSKEY coverage for a zone

SYNOPSIS
       dnssec-coverage [-K directory] [-f file] [-d DNSKEY TTL] [-m max TTL]
		       [-r interval] [-c compilezone path] [zone]

DESCRIPTION
       dnssec-coverage verifies that the DNSSEC keys for a given zone or a set
       of zones have timing metadata set properly to ensure no future lapses
       in DNSSEC coverage.

       If zone is specified, then keys found in the key repository matching
       that zone are scanned, and an ordered list is generated of the events
       scheduled for that key (i.e., publication, activation, inactivation,
       deletion). The list of events is walked in order of occurrence.
       Warnings are generated if any event is scheduled which could cause the
       zone to enter a state in which validation failures might occur: for
       example, if the number of published or active keys for a given
       algorithm drops to zero, or if a key is deleted from the zone too soon
       after a new key is rolled, and cached data signed by the prior key has
       not had time to expire from resolver caches.

       If zone is not specified, then all keys in the key repository will be
       scanned, and all zones for which there are keys will be analyzed.
       (Note: This method of reporting is only accurate if all the zones that
       have keys in a given repository share the same TTL parameters.)

OPTIONS
       -f file
	   If a file is specified, then the zone is read from that file; the
	   largest TTL and the DNSKEY TTL are determined directly from the
	   zone data, and the -m and -d options do not need to be specified on
	   the command line.

       -K directory
	   Sets the directory in which keys can be found. Defaults to the
	   current working directory.

       -m maximum TTL
	   Sets the value to be used as the maximum TTL for the zone or zones
	   being analyzed when determining whether there is a possibility of
	   validation failure. When a zone-signing key is deactivated, there
	   must be enough time for the record in the zone with the longest TTL
	   to have expired from resolver caches before that key can be purged
	   from the DNSKEY RRset. If that condition does not apply, a warning
	   will be generated.

	   The length of the TTL can be set in seconds, or in larger units of
	   time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for
	   days, 'w' for weeks, 'mo' for months, 'y' for years.

	   This option is mandatory unless the -f has been used to specify a
	   zone file. (If -f has been specified, this option may still be
	   used; it will overrde the value found in the file.)

       -d DNSKEY TTL
	   Sets the value to be used as the DNSKEY TTL for the zone or zones
	   being analyzed when determining whether there is a possibility of
	   validation failure. When a key is rolled (that is, replaced with a
	   new key), there must be enough time for the old DNSKEY RRset to
	   have expired from resolver caches before the new key is activated
	   and begins generating signatures. If that condition does not apply,
	   a warning will be generated.

	   The length of the TTL can be set in seconds, or in larger units of
	   time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for
	   days, 'w' for weeks, 'mo' for months, 'y' for years.

	   This option is mandatory unless the -f has been used to specify a
	   zone file, or a default key TTL was set with the -L to
	   dnssec-keygen. (If either of those is true, this option may still
	   be used; it will overrde the value found in the zone or key file.)

       -r resign interval
	   Sets the value to be used as the resign interval for the zone or
	   zones being analyzed when determining whether there is a
	   possibility of validation failure. This value defaults to 22.5
	   days, which is also the default in named. However, if it has been
	   changed by the sig-validity-interval option in named.conf, then it
	   should also be changed here.

	   The length of the interval can be set in seconds, or in larger
	   units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
	   'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.

       -c compilezone path
	   Specifies a path to a named-compilezone binary. Used for testing.

SEE ALSO
       dnssec-checkds(8), dnssec-dsfromkey(8), dnssec-keygen(8),
       dnssec-signzone(8)

AUTHOR
       Internet Systems Consortium

COPYRIGHT
       Copyright © 2013 Internet Systems Consortium, Inc. ("ISC")

BIND9				April 16, 2012		    DNSSEC-COVERAGE(8)

Vote for polarhome