diff options
Diffstat (limited to 'doc/man/dnssec-coverage.8in')
| -rw-r--r-- | doc/man/dnssec-coverage.8in | 192 |
1 files changed, 192 insertions, 0 deletions
diff --git a/doc/man/dnssec-coverage.8in b/doc/man/dnssec-coverage.8in new file mode 100644 index 0000000..1dde5bc --- /dev/null +++ b/doc/man/dnssec-coverage.8in @@ -0,0 +1,192 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "DNSSEC-COVERAGE" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9" +.SH NAME +dnssec-coverage \- checks future DNSKEY coverage for a zone +.SH SYNOPSIS +.sp +\fBdnssec\-coverage\fP [\fB\-K\fP\fIdirectory\fP] [\fB\-l\fP\fIlength\fP] +[\fB\-f\fP\fIfile\fP] [\fB\-d\fP\fIDNSKEY TTL\fP] [\fB\-m\fP\fImax TTL\fP] +[\fB\-r\fP\fIinterval\fP] [\fB\-c\fP\fIcompilezone path\fP] [\fB\-k\fP] [\fB\-z\fP] +[zone...] +.SH DESCRIPTION +.sp +\fBdnssec\-coverage\fP verifies that the DNSSEC keys for a given zone or a +set of zones have timing metadata set properly to ensure no future +lapses in DNSSEC coverage. +.sp +If \fBzone\fP is specified, then keys found in the key repository matching +that zone are scanned, and an ordered list is generated of the events +scheduled for that key (i.e., publication, activation, inactivation, +deletion). The list of events is walked in order of occurrence. Warnings +are generated if any event is scheduled which could cause the zone to +enter a state in which validation failures might occur: for example, if +the number of published or active keys for a given algorithm drops to +zero, or if a key is deleted from the zone too soon after a new key is +rolled, and cached data signed by the prior key has not had time to +expire from resolver caches. +.sp +If \fBzone\fP is not specified, then all keys in the key repository will +be scanned, and all zones for which there are keys will be analyzed. +(Note: This method of reporting is only accurate if all the zones that +have keys in a given repository share the same TTL parameters.) +.SH OPTIONS +.sp +\fB\-K\fP \fIdirectory\fP +.INDENT 0.0 +.INDENT 3.5 +Sets the directory in which keys can be found. Defaults to the +current working directory. +.UNINDENT +.UNINDENT +.sp +\fB\-f\fP \fIfile\fP +.INDENT 0.0 +.INDENT 3.5 +If a \fBfile\fP is specified, then the zone is read from that file; the +largest TTL and the DNSKEY TTL are determined directly from the zone +data, and the \fB\-m\fP and \fB\-d\fP options do not need to be specified +on the command line. +.UNINDENT +.UNINDENT +.sp +\fB\-l\fP \fIduration\fP +.INDENT 0.0 +.INDENT 3.5 +The length of time to check for DNSSEC coverage. Key events scheduled +further into the future than \fBduration\fP will be ignored, and +assumed to be correct. +.sp +The value of \fBduration\fP can be set in seconds, or in larger units +of time by adding a suffix: mi for minutes, h for hours, d for days, +w for weeks, mo for months, y for years. +.UNINDENT +.UNINDENT +.sp +\fB\-m\fP \fImaximum TTL\fP +.INDENT 0.0 +.INDENT 3.5 +Sets the value to be used as the maximum TTL for the zone or zones +being analyzed when determining whether there is a possibility of +validation failure. When a zone\-signing key is deactivated, there +must be enough time for the record in the zone with the longest TTL +to have expired from resolver caches before that key can be purged +from the DNSKEY RRset. If that condition does not apply, a warning +will be generated. +.sp +The length of the TTL can be set in seconds, or in larger units of +time by adding a suffix: mi for minutes, h for hours, d for days, w +for weeks, mo for months, y for years. +.sp +This option is not necessary if the \fB\-f\fP has been used to specify a +zone file. If \fB\-f\fP has been specified, this option may still be +used; it will override the value found in the file. +.sp +If this option is not used and the maximum TTL cannot be retrieved +from a zone file, a warning is generated and a default value of 1 +week is used. +.UNINDENT +.UNINDENT +.sp +\fB\-d\fP \fIDNSKEY TTL\fP +.INDENT 0.0 +.INDENT 3.5 +Sets the value to be used as the DNSKEY TTL for the zone or zones +being analyzed when determining whether there is a possibility of +validation failure. When a key is rolled (that is, replaced with a +new key), there must be enough time for the old DNSKEY RRset to have +expired from resolver caches before the new key is activated and +begins generating signatures. If that condition does not apply, a +warning will be generated. +.sp +The length of the TTL can be set in seconds, or in larger units of +time by adding a suffix: mi for minutes, h for hours, d for days, w +for weeks, mo for months, y for years. +.sp +This option is not necessary if \fB\-f\fP has been used to specify a +zone file from which the TTL of the DNSKEY RRset can be read, or if a +default key TTL was set using ith the \fB\-L\fP to \fBdnssec\-keygen\fP\&. If +either of those is true, this option may still be used; it will +override the values found in the zone file or the key file. +.sp +If this option is not used and the key TTL cannot be retrieved from +the zone file or the key file, then a warning is generated and a +default value of 1 day is used. +.UNINDENT +.UNINDENT +.sp +\fB\-r\fP \fIresign interval\fP +.INDENT 0.0 +.INDENT 3.5 +Sets the value to be used as the resign interval for the zone or +zones being analyzed when determining whether there is a possibility +of validation failure. This value defaults to 22.5 days, which is +also the default in \fBnamed\fP\&. However, if it has been changed by the +\fBsig\-validity\-interval\fP option in named.conf, then it should also +be changed here. +.sp +The length of the interval can be set in seconds, or in larger units +of time by adding a suffix: mi for minutes, h for hours, d for days, +w for weeks, mo for months, y for years. +.UNINDENT +.UNINDENT +.sp +\fB\-k\fP +.INDENT 0.0 +.INDENT 3.5 +Only check KSK coverage; ignore ZSK events. Cannot be used with +\fB\-z\fP\&. +.UNINDENT +.UNINDENT +.sp +\fB\-z\fP +.INDENT 0.0 +.INDENT 3.5 +Only check ZSK coverage; ignore KSK events. Cannot be used with +\fB\-k\fP\&. +.UNINDENT +.UNINDENT +.sp +\fB\-c\fP \fIcompilezone path\fP +.INDENT 0.0 +.INDENT 3.5 +Specifies a path to a \fBnamed\-compilezone\fP binary. Used for testing. +.UNINDENT +.UNINDENT +.SH SEE ALSO +.sp +\fBdnssec\-checkds\fP(8), \fBdnssec\-dsfromkey\fP(8), +\fBdnssec\-keygen\fP(8), \fBdnssec\-signzone\fP(8) +.SH AUTHOR +Internet Systems Consortium +.SH COPYRIGHT +2023, Internet Systems Consortium +.\" Generated by docutils manpage writer. +. |