summaryrefslogtreecommitdiffstats
path: root/doc/man/keymgr.8
diff options
context:
space:
mode:
Diffstat (limited to 'doc/man/keymgr.8')
-rw-r--r--doc/man/keymgr.8390
1 files changed, 390 insertions, 0 deletions
diff --git a/doc/man/keymgr.8 b/doc/man/keymgr.8
new file mode 100644
index 0000000..a963df3
--- /dev/null
+++ b/doc/man/keymgr.8
@@ -0,0 +1,390 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "KEYMGR" "8" "2024-09-02" "3.4.0" "Knot DNS"
+.SH NAME
+keymgr \- Knot DNS key management utility
+.SH SYNOPSIS
+.sp
+\fBkeymgr\fP [\fIconfig_option\fP] [\fIoptions\fP] \fIzone_name\fP \fIcommand\fP
+.sp
+\fBkeymgr\fP [\fIconfig_option\fP] [\fIoptions\fP] \fIkeystore_id\fP \fIcommand\fP
+.sp
+\fBkeymgr\fP [\fIconfig_option\fP] [\-j] \fB\-l\fP
+.sp
+\fBkeymgr\fP \fB\-t\fP \fIparameter\fP\&...
+.SH DESCRIPTION
+.sp
+The \fBkeymgr\fP utility serves for manual key management in Knot DNS server.
+.sp
+Functions for DNSSEC keys and KASP (Key And Signature Policy)
+management are provided.
+.sp
+The DNSSEC and KASP configuration is stored in a so called KASP database.
+The database is backed by LMDB.
+.SS Parameters
+.INDENT 0.0
+.TP
+.B \fIzone_name\fP
+Name of the zone the command is executed for.
+.UNINDENT
+.SS Config options
+.INDENT 0.0
+.TP
+\fB\-c\fP, \fB\-\-config\fP \fIfile\fP
+Use a textual configuration file (default is \fB/usr/local/etc/knot/knot.conf\fP).
+.TP
+\fB\-C\fP, \fB\-\-confdb\fP \fIdirectory\fP
+Use a binary configuration database directory (default is \fB/usr/local/var/lib/knot/confdb\fP).
+The default configuration database, if exists, has a preference to the default
+configuration file.
+.TP
+\fB\-D\fP, \fB\-\-dir\fP \fIpath\fP
+Use specified KASP database path and default configuration.
+.UNINDENT
+.SS Options
+.INDENT 0.0
+.TP
+\fB\-t\fP, \fB\-\-tsig\fP \fItsig_name\fP [\fItsig_algorithm\fP [\fItsig_bits\fP]]
+Generates a TSIG key for the given name. Optionally the key algorithm can
+be specified by its \fI\%name\fP (default: hmac\-sha256) and
+a bit length of the key (default: optimal length given by algorithm).
+The generated TSIG key is only displayed on \fIstdout\fP:
+the command does not create a file, nor include the key in a keystore.
+.TP
+\fB\-e\fP, \fB\-\-extended\fP
+Extended output (listing of keys with full description).
+.TP
+\fB\-j\fP, \fB\-\-json\fP
+Print the zones or keys in JSON format.
+.TP
+\fB\-l\fP, \fB\-\-list\fP
+Print the list of zones that have at least one key stored in the configured KASP
+database.
+.TP
+\fB\-x\fP, \fB\-\-mono\fP
+Don\(aqt generate colorized output.
+.TP
+\fB\-X\fP, \fB\-\-color\fP
+Force colorized output in the normal mode.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Print the program version. The option \fB\-VV\fP makes the program
+print the compile time configuration summary.
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Keymgr runs with the same user privileges as configured for \fI\%knotd\fP\&.
+For example, if keymgr is run as \fBroot\fP, but the configured \fI\%user\fP
+is \fBknot\fP, it won\(aqt be able to read files (PEM files, KASP database, ...) readable
+only by \fBroot\fP\&.
+.UNINDENT
+.UNINDENT
+.SS Commands
+.INDENT 0.0
+.TP
+\fBlist\fP [\fItimestamp_format\fP]
+Prints the list of key IDs and parameters of keys belonging to the zone.
+.TP
+\fBgenerate\fP [\fIarguments\fP\&...]
+Generates new DNSSEC key and stores it in KASP database. Prints the key ID.
+This action takes some number of arguments (see below). Values for unspecified arguments are taken
+from corresponding policy (if \fI\-c\fP or \fI\-C\fP options used) or from Knot policy defaults.
+.TP
+\fBimport\-bind\fP \fIBIND_key_file\fP
+Imports a BIND\-style key into KASP database (converting it to PEM format).
+Takes one argument: path to BIND key file (private or public, but both MUST exist).
+.TP
+\fBimport\-pub\fP \fIBIND_pubkey_file\fP
+Imports a public key into KASP database. This key won\(aqt be rolled over nor used for signing.
+Takes one argument: path to BIND public key file.
+.TP
+\fBimport\-pem\fP \fIPEM_file\fP [\fIarguments\fP\&...]
+Imports a DNSSEC key from PEM file. The key parameters (same as for the generate action) need to be
+specified (mainly algorithm, timers...) because they are not contained in the PEM format.
+.TP
+\fBimport\-pkcs11\fP \fIkey_id\fP [\fIarguments\fP\&...]
+Imports a DNSSEC key from PKCS #11 storage. The key parameters (same as for the generate action) need to be
+specified (mainly algorithm, timers...) because they are not available. In fact, no key
+data is imported, only KASP database metadata is created.
+.TP
+\fBnsec3\-salt\fP [\fInew_salt\fP]
+Prints the current NSEC3 salt used for signing. If \fInew_salt\fP is specified, the salt is overwritten.
+The salt is printed and expected in hexadecimal, or dash if empty.
+.TP
+\fBlocal\-serial\fP [\fInew_serial\fP]
+Print SOA serial stored in KASP database when using on\-secondary DNSSEC signing.
+If \fInew_serial\fP is specified, the serial is overwritten. After updating the serial, expire the zone
+(\fBzone\-purge +expire +zonefile +journal\fP) if the server is running, or remove corresponding zone file
+and journal contents if the server is stopped.
+.TP
+\fBmaster\-serial\fP [\fInew_serial\fP]
+Print SOA serial of the remote master stored in KASP database when using on\-secondary DNSSEC signing.
+If \fInew_serial\fP is specified, the serial is overwritten (not recommended).
+.TP
+\fBset\fP \fIkey_spec\fP [\fIarguments\fP\&...]
+Changes a timing argument (or ksk/zsk) of an existing key to a new value. \fIKey_spec\fP is either the
+key tag or a prefix of the key ID, with an optional \fI[id=|keytag=]\fP prefix; \fIarguments\fP
+are like for \fBgenerate\fP, but just the related ones.
+.TP
+\fBds\fP [\fIkey_spec\fP]
+Generate DS record (all digest algorithms together) for specified key. \fIKey_spec\fP
+is like for \fBset\fP, if unspecified, all KSKs are used.
+.TP
+\fBdnskey\fP [\fIkey_spec\fP]
+Generate DNSKEY record for specified key. \fIKey_spec\fP
+is like for \fBds\fP, if unspecified, all KSKs are used.
+.TP
+\fBdelete\fP \fIkey_spec\fP
+Remove the specified key from zone. If the key was not shared, it is also deleted from keystore.
+.TP
+\fBshare\fP \fIkey_ID\fP \fIzone_from\fP
+Import a key (specified by full key ID) from another zone as shared. After this, the key is
+owned by both zones equally.
+.UNINDENT
+.SS Keystore commands
+.INDENT 0.0
+.TP
+\fBkeystore\-test\fP
+Conduct some tests on the specified keystore. For each algorithm, key generation,
+import, removal, and use (signing and verification) are tested.
+Use a configured \fIkeystore_id\fP or \fB\-\fP for the default.
+.TP
+\fBkeystore\-bench\fP [\fInum_threads\fP]
+Conduct a signing benchmark on the specified keystore.
+Random blocks of data are signed by the selected number of threads
+(default is 1) in a loop, and the average number of signing operations per
+second for each algorithm is returned.
+Use a configured \fIkeystore_id\fP or \fB\-\fP for the default.
+.UNINDENT
+.SS Commands related to Offline KSK feature
+.INDENT 0.0
+.TP
+\fBpregenerate\fP [\fItimestamp\-from\fP] \fItimestamp\-to\fP
+Pre\-generate ZSKs for use with offline KSK, for the specified period starting from now or specified time.
+This function also applies to non\-offline KSK keys.
+.TP
+\fBshow\-offline\fP [\fItimestamp\-from\fP] [\fItimestamp\-to\fP]
+Print pre\-generated offline key\-related records for specified time interval. If \fItimestamp_to\fP
+is omitted, it will be to infinity. If \fItimestamp\-from\fP is omitted, it will start from the
+beginning.
+.TP
+\fBdel\-offline\fP \fItimestamp\-from\fP \fItimestamp\-to\fP
+Delete pre\-generated offline key\-related records in specified time interval.
+.TP
+\fBdel\-all\-old\fP
+Delete old keys that are in state \(aqremoved\(aq. This function also applies to
+non\-offline KSK keys.
+.TP
+\fBgenerate\-ksr\fP [\fItimestamp\-from\fP] \fItimestamp\-to\fP
+Print to stdout KeySigningRequest based on pre\-generated ZSKs for specified time period.
+If \fItimestamp\-from\fP is omitted, timestamp of the last offline records set is used
+or now if no records available.
+.TP
+\fBsign\-ksr\fP \fIksr_file\fP
+Read KeySigningRequest from a text file, sign it using local keyset and print SignedKeyResponse to stdout.
+.TP
+\fBvalidate\-skr\fP \fIskr_file\fP
+Read SignedKeyResponse from a text file and validate the RRSIGs in it if not corrupt.
+.TP
+\fBimport\-skr\fP \fIskr_file\fP
+Read SignedKeyResponse from a text file and import the signatures for later use in zone. If some
+signatures have already been imported, they will be deleted for the period from beginning of the SKR
+to infinity.
+.UNINDENT
+.SS Generate arguments
+.sp
+Arguments are separated by space, each of them is in format \(aqname=value\(aq.
+.INDENT 0.0
+.TP
+\fBalgorithm\fP
+Either an algorithm number (e.g. 14) or \fI\%algorithm name\fP
+without dashes (e.g. ECDSAP384SHA384).
+.TP
+\fBsize\fP
+Key length in bits.
+.TP
+\fBksk\fP
+If set to \fByes\fP, the key will be used for signing DNSKEY rrset. The generated key will also
+have the Secure Entry Point flag set to 1.
+.TP
+\fBzsk\fP
+If set to \fByes\fP, the key will be used for signing zone (except DNSKEY rrset). This flag can
+be set concurrently with the \fBksk\fP flag.
+.TP
+\fBsep\fP
+Overrides the standard setting of the Secure Entry Point flag.
+.UNINDENT
+.sp
+The following arguments are timestamps of key lifetime (see \fI\%DNSSEC key states\fP):
+.INDENT 0.0
+.TP
+\fBpre_active\fP
+Key started to be used for signing, not published (only for algorithm rollover).
+.TP
+\fBpublish\fP
+Key published.
+.TP
+\fBready\fP
+Key is waiting for submission (only for KSK).
+.TP
+\fBactive\fP
+Key used for signing.
+.TP
+\fBretire_active\fP
+Key still used for signing, but another key is active (only for KSK or algorithm rollover).
+.TP
+\fBretire\fP
+Key still published, but no longer used for signing.
+.TP
+\fBpost_active\fP
+Key no longer published, but still used for signing (only for algorithm rollover).
+.TP
+\fBrevoke\fP
+Key revoked according to \fI\%RFC 5011\fP trust anchor roll\-over.
+.TP
+\fBremove\fP
+Key deleted.
+.UNINDENT
+.SS Timestamps
+.INDENT 0.0
+.TP
+.B 0
+Zero timestamp means infinite future.
+.TP
+.B \fIUNIX_time\fP
+Positive number of seconds since 1970 UTC.
+.TP
+.B \fIYYYYMMDDHHMMSS\fP
+Date and time in this format without any punctuation.
+.TP
+.B \fIrelative_timestamp\fP
+A sign character (\fB+\fP, \fB\-\fP), a number, and an optional time unit
+(\fBy\fP, \fBmo\fP, \fBd\fP, \fBh\fP, \fBmi\fP, \fBs\fP). The default unit is one second.
+E.g. +1mi, \-2mo.
+.UNINDENT
+.SS Output timestamp formats
+.INDENT 0.0
+.TP
+.B (none)
+The timestamps are printed as UNIX timestamp.
+.TP
+\fBhuman\fP
+The timestamps are printed relatively to now using time units (e.g. \-2y5mo, +1h13s).
+.TP
+\fBiso\fP
+The timestamps are printed in the ISO8601 format (e.g. 2016\-12\-31T23:59:00).
+.UNINDENT
+.SH EXIT VALUES
+.sp
+Exit status of 0 means successful operation. Any other exit status indicates
+an error.
+.SH EXAMPLES
+.INDENT 0.0
+.IP 1. 3
+Generate new TSIG key:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ keymgr \-t my_name hmac\-sha384
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 2. 3
+Generate new DNSSEC key:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ keymgr example.com. generate algorithm=ECDSAP256SHA256 size=256 \e
+ ksk=true created=1488034625 publish=20170223205611 retire=+10mo remove=+1y
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 3. 3
+Import a DNSSEC key from BIND:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ keymgr example.com. import\-bind ~/bind/Kharbinge4d5.+007+63089.key
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 4. 3
+Configure key timing:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ keymgr example.com. set 4208 active=+2mi retire=+4mi remove=+5mi
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP 5. 3
+Share a KSK from another zone:
+.INDENT 3.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ keymgr example.com. share e687cf927029e9db7184d2ece6d663f5d1e5b0e9 another\-zone.com.
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fI\%RFC 6781\fP \- DNSSEC Operational Practices.
+\fI\%RFC 7583\fP \- DNSSEC Key Rollover Timing Considerations.
+.sp
+\fBknot.conf(5)\fP,
+\fBknotc(8)\fP,
+\fBknotd(8)\fP\&.
+.SH AUTHOR
+CZ.NIC Labs <https://www.knot-dns.cz>
+.SH COPYRIGHT
+Copyright 2010–2024, CZ.NIC, z.s.p.o.
+.\" Generated by docutils manpage writer.
+.