dnssec-zkt man page on DragonFly

dnssec-zkt(8)							 dnssec-zkt(8)

NAME
       dnssec-zkt — Secure DNS zone key tool

SYNOPSIS
       dnssec-zkt [-V|--view view] [-c file] [-l list] [-adefhkLrptz]
       [{keyfile|dir} ...]

       dnssec-zkt -C<label> [-V|--view view] [-c file] [-krpz] [{keyfile|dir}
       ...]
       dnssec-zkt --create=<label> [-V|--view view] [-c file] [-krpz]
       [{keyfile|dir} ...]

       dnssec-zkt -{P|A|D|R}<keytag> [-V|--view view] [-c file] [-r]
       [{keyfile|dir} ...]
       dnssec-zkt --published=<keytag> [-V|--view view] [-c file] [-r]
       [{keyfile|dir} ...]
       dnssec-zkt --active=<keytag> [-V|--view view] [-c file] [-r]
       [{keyfile|dir} ...]
       dnssec-zkt --depreciate=<keytag> [-V|--view view] [-c file] [-r]
       [{keyfile|dir} ...]
       dnssec-zkt --rename=<keytag> [-V|--view view] [-c file] [-r]
       [{keyfile|dir} ...]

       dnssec-zkt --destroy=<keytag> [-V|--view view] [-c file] [-r]
       [{keyfile|dir} ...]

       dnssec-zkt -T [-V|--view view] [-c file] [-l list] [-hr] [{keyfile|dir}
       ...]
       dnssec-zkt --list-trustedkeys [-V|--view view] [-c file] [-l list]
       [-hr] [{keyfile|dir} ...]

       dnssec-zkt -K [-V|--view view] [-c file] [-l list] [-hkzr]
       [{keyfile|dir} ...]
       dnssec-zkt --list-dnskeys [-V|--view view] [-c file] [-l list] [-hkzr]
       [{keyfile|dir} ...]

       dnssec-zkt -Z [-V|--view view] [-c file]
       dnssec-zkt --zone-config [-V|--view view] [-c file]

       dnssec-zkt -9 | --ksk-rollover
       dnssec-zkt -1 | --ksk-roll-phase1 do.ma.in.  [-V|--view view] [-c file]
       dnssec-zkt -2 | --ksk-roll-phase2 do.ma.in.  [-V|--view view] [-c file]
       dnssec-zkt -3 | --ksk-roll-phase3 do.ma.in.  [-V|--view view] [-c file]
       dnssec-zkt -0 | --ksk-roll-stat do.ma.in.  [-V|--view view] [-c file]

DESCRIPTION
       The dnssec-zkt command is a wrapper around dnssec-keygen(8)  to	assist
       in dnssec zone key management.

       In the common usage the command prints out information about all dnssec
       (zone) keys found in the given (or predefined default)  directory.   It
       is  also	 possible  to  specify	keyfiles  (K*.key) as arguments.  With
       option -r subdirectories will be searched recursively, and  all	dnssec
       keys  found  will  be  listed  sorted  by  domain  name,	 key  type and
       generation time.	 In that mode the use of the -p option may be  helpful
       to find the location of the keyfile in the directory tree.

       Other  forms  of	 the command print out keys in a format suitable for a
       trusted-key section or as a DNSKEY resource record.

       The command is also useful in dns key management.  It offers monitoring
       of key lifetime and modification of key status.

GENERAL OPTIONS
       -V view, --view=view
	      Try  to  read  the  default  configuration  out  of a file named
	      dnssec-<view>.conf .  Instead of specifying  the	-V  or	--view
	      option  every  time,  it	is  also  possible to create a hard or
	      softlink to the executable file to give it  an  additional  name
	      like dnssec-zkt-<view> .

       -c file, --config=file
	      Read default values from the specified config file.  Otherwise
	      the default config file is read or built-in defaults will be
	      used.

       -O optstr, --config-option=optstr
	      Set any config file option via the command line.  Several config
	      file options can be specified in the argument string, but they
	      have to be delimited by a semicolon (or newline).

       -l list
	      Print out information solely about domains given in the comma or
	      space separated list.  Make sure that every domain name has a
	      trailing dot.

       -d, --directory
	      Skip directory arguments.  This is useful in combination with
	      wildcard arguments to prevent dnssec-zkt from listing all keys
	      found in subdirectories.  For example "dnssec-zkt -d *" will
	      print out a list of all keys found only in the current
	      directory.  It may be easier to use "dnssec-zkt ." instead
	      (without -r set).  The option works similarly to the -d option
	      of ls(1).

       -L, --left-justify
	      Print out the domain name left justified.

       -k, --ksk
	      Select  and  print  key  signing	keys  only (default depends on
	      command mode).

       -z, --zsk
	      Select and print zone signing  keys  only	 (default  depends  on
	      command mode).

       -r, --recursive
	      Recursive mode (default is off).
	      Also settable in the dnssec.conf file (Parameter: Recursive).

       -p, --path
	      Print  pathname  in  listing mode.  In -C mode, don't create the
	      new key in the same directory as (already	 existing)  keys  with
	      the same label.

       -a, --age
	      Print  age  of  key  in  weeks, days, hours, minutes and seconds
	      (default is off).
	      Also settable in the dnssec.conf file (Parameter: PrintAge).

       -f, --lifetime
	      Print the key lifetime.

       -F, --setlifetime
	      Set the key lifetime of all the selected keys.  Use  option  -k,
	      -z, -l or the file and dir argument for key selection.

       -e, --exptime
	      Print the key expiration time.

       -t, --time
	      Print the key generation time (default is on).
	      Also settable in the dnssec.conf file (Parameter: PrintTime).

       -h     No header or trusted-key section header and trailer in -T mode

COMMAND OPTIONS
       -H, --help
	      Print out the online help.

       -T, --list-trustedkeys
	      List  all	 key signing keys as a named.conf trusted-key section.
	      Use -h to suppress the section header/trailer.

       -K, --list-dnskeys
	      List the public part of all the keys in DNSKEY  resource	record
	      format.  Use -h to suppress comment lines.

       -C zone,	 --create=zone
	      Create a new zone signing key for the given zone.  Add option -k
	      to create a key signing key.  The key algorithm and key length
	      will be taken from built-in default values or from the
	      parameter settings in the dnssec.conf file.
	      The keyfile will be created in the current directory if  the  -p
	      option is specified.

       -R keyid, --revoke=keyid
	      Revoke  the key signing key with the given keyid.	 A revoked key
	      has bit 8 in the flags field set (see RFC5011).  The keyid is
	      the  numeric keytag with an optionally added zone name separated
	      by a colon.

       --rename=keyid
	      Rename the key files of the key with the given keyid (look at
	      key file names starting with a lowercase 'k').  The keyid is the
	      numeric keytag with an optionally added zone name separated by a
	      colon.

       --destroy=keyid
	      Deletes  the key with the given keyid.  The keyid is the numeric
	      keytag with an optionally added zone name separated by a	colon.
	      Beware that this deletes both private and public keyfiles, thus
	      the key is unrecoverably lost.

       -P|A|D keyid, --published=keyid, --active=keyid, --depreciated=keyid
	      Change the status of the given dnssec  key  to  published	 (-P),
	      active  (-A)  or	depreciated  (-D).   The  keyid is the numeric
	      keytag with an optionally added zone name separated by a	colon.
	      Setting  the  status  to "published" or "depreciate" will change
	      the  filename  of	 the  private  key  file  to  ".published"  or
	      ".depreciated" respectively.  This prevents the usage of the key
	      as a signing key by the use of dnssec-signzone(8).  The time  of
	      status  change  will  be	stored	in  the	 'mtime'  field of the
	      corresponding ".key" file.  Key activation via  option  -A  will
	      restore the original timestamp and file name (".private").

       -Z, --zone-config
	      Write  all  config parameters to stdout.	The output is suitable
	      as a template for the dnssec.conf file, so the  easiest  way  to
	      create  a dnssec.conf file is to redirect the standard output of
	      the above command.  Pay attention not to overwrite  an  existing
	      file.

       --ksk-roll-phase[123] do.ma.in.
	      Initiate a key signing key rollover of the specified domain.
	      This feature is currently in experimental status and is mainly
	      for use in a hierarchical environment.  Use --ksk-rollover
	      for a slightly more detailed description.
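
       The -R option above sets the RFC 5011 REVOKE bit, which changes the
       DNSKEY RDATA and therefore the key tag that is used as keyid.  The
       following Python sketch is an added example, not part of ZKT or of
       this man page; it computes the key tag as specified in RFC 4034
       Appendix B before and after revocation.  The sample record is
       constructed, and parse_dnskey is a hypothetical helper that assumes
       a single-line DNSKEY record.

```python
import base64
import struct

REVOKE = 0x0080  # bit 8 of the 16-bit DNSKEY flags field, MSB is bit 0 (RFC 5011)

# Constructed sample, not a real key: a KSK (flags 257) with 64 dummy key bytes.
SAMPLE = "example.net. 3600 IN DNSKEY 257 3 8 " + base64.b64encode(
    bytes(range(1, 65))).decode()


def parse_dnskey(line):
    """Split a single-line DNSKEY record into (flags, protocol, algorithm, key)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    return flags, protocol, algorithm, base64.b64decode("".join(fields[i + 4:]))


def key_tag(flags, protocol, algorithm, key):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (not algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low byte.
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def tags_before_and_after_revoke(line):
    """Return (current keytag, keytag once the REVOKE bit is set)."""
    flags, protocol, algorithm, key = parse_dnskey(line)
    return (key_tag(flags, protocol, algorithm, key),
            key_tag(flags | REVOKE, protocol, algorithm, key))


if __name__ == "__main__":
    before, after = tags_before_and_after_revoke(SAMPLE)
    print(f"keytag {before} becomes {after} after revocation")
```

       Because the REVOKE bit sits in the low byte of the flags field, the
       tag of a revoked key is normally 128 higher than before, so the old
       keyid no longer matches the published DNSKEY record.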

SAMPLE USAGE
       dnssec-zkt -r .
	      Print out a list of  all	zone  keys  found  below  the  current
	      directory.

       dnssec-zkt -Z -c ""
	      Print out the compiled in default parameters.

       dnssec-zkt -C example.net -k -r ./zonedir
	      Create  a new key signing key for the zone "example.net".	 Store
	      the key in the same directory below "zonedir"  where  the	 other
	      "example.net" keys live.

       dnssec-zkt -T ./zonedir/example.net
	      Print  out a trusted-key section containing the key signing keys
	      of "example.net".

       dnssec-zkt -D 12345 -r .
	      Depreciate the key with tag "12345" below the current directory.

       dnssec-zkt --view intern
	      Print out a list of all zone keys found below the directory
	      where all the zones of view intern live.  There should be a
	      separate dnssec config file dnssec-intern.conf with a directory
	      option for this to take effect.

       dnssec-zkt-intern
	      Same as above.  A second link named dnssec-zkt-intern has been
	      made to the binary file dnssec-zkt, and dnssec-zkt examines
	      argv[0] to find the view whose zones it should process.

ENVIRONMENT VARIABLES
       ZKT_CONFFILE
	      Specifies the name of the default global configuration files.

FILES
       /etc/namedb/dnssec.conf
	      Built-in	default	 global	 configuration	file.  The name of the
	      default global config  file  is  settable	 via  the  environment
	      variable ZKT_CONFFILE.

       /etc/namedb/dnssec-<view>.conf
	      View specific global configuration file.

       ./dnssec.conf
	      Local configuration file (only used in -C mode).

BUGS
       Some  of	 the  general  options	will  not  be meaningful in all of the
       command modes.
       The option -l and the ksk  rollover  options  insist  on	 domain	 names
       ending with a dot.

AUTHORS
       Holger Zuleger, Mans Nilsson

COPYRIGHT
       Copyright  (c)  2005  - 2008 by Holger Zuleger.	Licensed under the BSD
       Licences. There is NO warranty; not even for MERCHANTABILITY or FITNESS
       FOR A PARTICULAR PURPOSE.

SEE ALSO
       dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5),
       dnssec-signer(8),
       RFC4641 "DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
       DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
       (http://www.nlnetlabs.nl/dnssec_howto/)

ZKT 0.99b			August 1, 2009			 dnssec-zkt(8)