summaryrefslogtreecommitdiffstats
path: root/doc/man/dnssec-coverage.8in
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 07:24:22 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 07:24:22 +0000
commit45d6379135504814ab723b57f0eb8be23393a51d (patch)
treed4f2ec4acca824a8446387a758b0ce4238a4dffa /doc/man/dnssec-coverage.8in
parentInitial commit. (diff)
downloadbind9-45d6379135504814ab723b57f0eb8be23393a51d.tar.xz
bind9-45d6379135504814ab723b57f0eb8be23393a51d.zip
Adding upstream version 1:9.16.44.upstream/1%9.16.44upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/man/dnssec-coverage.8in')
-rw-r--r--doc/man/dnssec-coverage.8in192
1 files changed, 192 insertions, 0 deletions
diff --git a/doc/man/dnssec-coverage.8in b/doc/man/dnssec-coverage.8in
new file mode 100644
index 0000000..1dde5bc
--- /dev/null
+++ b/doc/man/dnssec-coverage.8in
@@ -0,0 +1,192 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSSEC-COVERAGE" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnssec-coverage \- checks future DNSKEY coverage for a zone
+.SH SYNOPSIS
+.sp
+\fBdnssec\-coverage\fP [\fB\-K\fP\fIdirectory\fP] [\fB\-l\fP\fIlength\fP]
+[\fB\-f\fP\fIfile\fP] [\fB\-d\fP\fIDNSKEY TTL\fP] [\fB\-m\fP\fImax TTL\fP]
+[\fB\-r\fP\fIinterval\fP] [\fB\-c\fP\fIcompilezone path\fP] [\fB\-k\fP] [\fB\-z\fP]
+[zone...]
+.SH DESCRIPTION
+.sp
+\fBdnssec\-coverage\fP verifies that the DNSSEC keys for a given zone or a
+set of zones have timing metadata set properly to ensure no future
+lapses in DNSSEC coverage.
+.sp
+If \fBzone\fP is specified, then keys found in the key repository matching
+that zone are scanned, and an ordered list is generated of the events
+scheduled for that key (i.e., publication, activation, inactivation,
+deletion). The list of events is walked in order of occurrence. Warnings
+are generated if any event is scheduled which could cause the zone to
+enter a state in which validation failures might occur: for example, if
+the number of published or active keys for a given algorithm drops to
+zero, or if a key is deleted from the zone too soon after a new key is
+rolled, and cached data signed by the prior key has not had time to
+expire from resolver caches.
+.sp
+If \fBzone\fP is not specified, then all keys in the key repository will
+be scanned, and all zones for which there are keys will be analyzed.
+(Note: This method of reporting is only accurate if all the zones that
+have keys in a given repository share the same TTL parameters.)
+.SH OPTIONS
+.sp
+\fB\-K\fP \fIdirectory\fP
+.INDENT 0.0
+.INDENT 3.5
+Sets the directory in which keys can be found. Defaults to the
+current working directory.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-f\fP \fIfile\fP
+.INDENT 0.0
+.INDENT 3.5
+If a \fBfile\fP is specified, then the zone is read from that file; the
+largest TTL and the DNSKEY TTL are determined directly from the zone
+data, and the \fB\-m\fP and \fB\-d\fP options do not need to be specified
+on the command line.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-l\fP \fIduration\fP
+.INDENT 0.0
+.INDENT 3.5
+The length of time to check for DNSSEC coverage. Key events scheduled
+further into the future than \fBduration\fP will be ignored, and
+assumed to be correct.
+.sp
+The value of \fBduration\fP can be set in seconds, or in larger units
+of time by adding a suffix: mi for minutes, h for hours, d for days,
+w for weeks, mo for months, y for years.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-m\fP \fImaximum TTL\fP
+.INDENT 0.0
+.INDENT 3.5
+Sets the value to be used as the maximum TTL for the zone or zones
+being analyzed when determining whether there is a possibility of
+validation failure. When a zone\-signing key is deactivated, there
+must be enough time for the record in the zone with the longest TTL
+to have expired from resolver caches before that key can be purged
+from the DNSKEY RRset. If that condition does not apply, a warning
+will be generated.
+.sp
+The length of the TTL can be set in seconds, or in larger units of
+time by adding a suffix: mi for minutes, h for hours, d for days, w
+for weeks, mo for months, y for years.
+.sp
+This option is not necessary if the \fB\-f\fP has been used to specify a
+zone file. If \fB\-f\fP has been specified, this option may still be
+used; it will override the value found in the file.
+.sp
+If this option is not used and the maximum TTL cannot be retrieved
+from a zone file, a warning is generated and a default value of 1
+week is used.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-d\fP \fIDNSKEY TTL\fP
+.INDENT 0.0
+.INDENT 3.5
+Sets the value to be used as the DNSKEY TTL for the zone or zones
+being analyzed when determining whether there is a possibility of
+validation failure. When a key is rolled (that is, replaced with a
+new key), there must be enough time for the old DNSKEY RRset to have
+expired from resolver caches before the new key is activated and
+begins generating signatures. If that condition does not apply, a
+warning will be generated.
+.sp
+The length of the TTL can be set in seconds, or in larger units of
+time by adding a suffix: mi for minutes, h for hours, d for days, w
+for weeks, mo for months, y for years.
+.sp
+This option is not necessary if \fB\-f\fP has been used to specify a
+zone file from which the TTL of the DNSKEY RRset can be read, or if a
+default key TTL was set using ith the \fB\-L\fP to \fBdnssec\-keygen\fP\&. If
+either of those is true, this option may still be used; it will
+override the values found in the zone file or the key file.
+.sp
+If this option is not used and the key TTL cannot be retrieved from
+the zone file or the key file, then a warning is generated and a
+default value of 1 day is used.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-r\fP \fIresign interval\fP
+.INDENT 0.0
+.INDENT 3.5
+Sets the value to be used as the resign interval for the zone or
+zones being analyzed when determining whether there is a possibility
+of validation failure. This value defaults to 22.5 days, which is
+also the default in \fBnamed\fP\&. However, if it has been changed by the
+\fBsig\-validity\-interval\fP option in named.conf, then it should also
+be changed here.
+.sp
+The length of the interval can be set in seconds, or in larger units
+of time by adding a suffix: mi for minutes, h for hours, d for days,
+w for weeks, mo for months, y for years.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-k\fP
+.INDENT 0.0
+.INDENT 3.5
+Only check KSK coverage; ignore ZSK events. Cannot be used with
+\fB\-z\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-z\fP
+.INDENT 0.0
+.INDENT 3.5
+Only check ZSK coverage; ignore KSK events. Cannot be used with
+\fB\-k\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+\fB\-c\fP \fIcompilezone path\fP
+.INDENT 0.0
+.INDENT 3.5
+Specifies a path to a \fBnamed\-compilezone\fP binary. Used for testing.
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBdnssec\-checkds\fP(8), \fBdnssec\-dsfromkey\fP(8),
+\fBdnssec\-keygen\fP(8), \fBdnssec\-signzone\fP(8)
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.