<!--
 - Copyright (C) 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->

<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keymgr">
  <info>
    <date>2016-06-03</date>
  </info>
  <refentryinfo>
    <corpname>ISC</corpname>
    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
  </refentryinfo>

  <refmeta>
    <refentrytitle><application>dnssec-keymgr</application></refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo>BIND9</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname><application>dnssec-keymgr</application></refname>
    <refpurpose>Ensures correct DNSKEY coverage for a zone based on a defined policy</refpurpose>
  </refnamediv>

  <docinfo>
    <copyright>
      <year>2016</year>
      <year>2017</year>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
  </docinfo>

  <refsynopsisdiv>
    <cmdsynopsis sepchar=" ">
      <command>dnssec-keymgr</command>
      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">file</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-f</option></arg>
      <arg choice="opt" rep="norepeat"><option>-k</option></arg>
      <arg choice="opt" rep="norepeat"><option>-q</option></arg>
      <arg choice="opt" rep="norepeat"><option>-v</option></arg>
      <arg choice="opt" rep="norepeat"><option>-z</option></arg>
      <arg choice="opt" rep="norepeat"><option>-g <replaceable class="parameter">path</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">path</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">path</replaceable></option></arg>
      <arg choice="opt" rep="repeat">zone</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsection><info><title>DESCRIPTION</title></info>
    <para>
      <command>dnssec-keymgr</command> is a high-level Python wrapper
      that facilitates the key rollover process for zones handled by
      BIND. It uses the BIND commands for manipulating DNSSEC key
      metadata: <command>dnssec-keygen</command> and
      <command>dnssec-settime</command>.
    </para>
    <para>
      DNSSEC policy can be read from a configuration file (default
      <filename>/etc/dnssec-policy.conf</filename>), from which the key
      parameters, publication and rollover schedule, and desired
      coverage duration for any given zone can be determined. This
      file may be used to define individual DNSSEC policies on a
      per-zone basis, or to set a default policy used for all zones.
    </para>
    <para>
      When <command>dnssec-keymgr</command> runs, it examines the DNSSEC
      keys for one or more zones, comparing their timing metadata against
      the policies for those zones. If key settings do not conform to the
      DNSSEC policy (for example, because the policy has been changed),
      they are automatically corrected.
    </para>
    <para>
      A zone policy can specify a duration for which key correctness is
      to be ensured (<option>coverage</option>). It can also specify a
      rollover period (<option>roll-period</option>). If the policy
      indicates that a key should roll over before the coverage period
      ends, then a successor key is automatically created and added to
      the end of the key series.
    </para>
    <para>
      If zones are specified on the command line,
      <command>dnssec-keymgr</command> will examine only those zones.
      If a specified zone does not already have keys in place, then
      keys will be generated for it according to policy.
    </para>
    <para>
      If zones are <emphasis>not</emphasis> specified on the command
      line, then <command>dnssec-keymgr</command> will search the
      key directory (either the current working directory or the directory
      set by the <option>-K</option> option), and check the keys for
      all the zones represented in the directory.
    </para>
    <para>
      It is expected that this tool will be run automatically and
      unattended (for example, by <command>cron</command>).
    </para>
  </refsection>
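  <refsection><info><title>EXAMPLE: KEY SERIES CHECK</title></info>
    <para>
      The following Python model illustrates the check described above. It is an
      example added to this page, not <command>dnssec-keymgr</command>'s own code:
      it applies <option>coverage</option>, <option>roll-period</option>,
      <option>pre-publish</option>, <option>post-publish</option> and the
      <option>-f</option> override to the four timing fields that
      <command>dnssec-settime</command> records (Publish, Activate, Inactive,
      Delete). The class and function names, the key names and all dates and
      durations are constructed for the example, and the rule it uses (create a
      successor whenever the last key's inactive time falls inside the coverage
      window, with the successor published <option>pre-publish</option> before it
      activates and its predecessor deleted <option>post-publish</option> after
      going inactive) is the model's reading of the text, not the tool's exact
      algorithm.
    </para>

```python
"""Model of the key-series check the DESCRIPTION above outlines.  Constructed
for this page, not ISC's dnssec-keymgr code: it applies coverage, roll-period,
pre-publish, post-publish and the -f override to the timing fields that
dnssec-settime records (Publish, Activate, Inactive, Delete)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Key:
    name: str
    publish: datetime
    activate: datetime
    inactive: Optional[datetime] = None   # None: no inactivation scheduled
    delete: Optional[datetime] = None     # None: no deletion scheduled


@dataclass
class RollPolicy:
    coverage: timedelta                # how far ahead correctness is ensured
    roll_period: Optional[timedelta]   # None: this key type never rolls
    pre_publish: timedelta             # publish this long before activation
    post_publish: timedelta            # delete this long after inactivation


Correction = Tuple[str, str, datetime]   # (key name, field, corrected value)


def conform(key: Key, policy: RollPolicy, now: datetime,
            force: bool = False) -> List[Correction]:
    """Corrections an existing key needs so its metadata matches the policy.
    Past events are left alone unless force (the -f option) is set: rewriting
    the history of a key already in the zone can strand validators' caches."""
    if policy.roll_period is None:
        return []                          # nothing to schedule for this type
    wanted_inactive = key.activate + policy.roll_period
    wanted = [("inactive", wanted_inactive),
              ("delete", wanted_inactive + policy.post_publish)]
    fixes = []
    for field_name, value in wanted:
        current = getattr(key, field_name)
        if current == value:
            continue
        if current is not None and now > current and not force:
            continue                       # already in the past: -f only
        fixes.append((key.name, field_name, value))
    return fixes


def plan_series(keys: List[Key], policy: RollPolicy, now: datetime,
                force: bool = False) -> Tuple[List[Correction], List[Key]]:
    """Corrections for existing keys plus the successors that must be generated
    so that some key is active at every point up to now + coverage."""
    if policy.roll_period is None:
        return [], []                      # e.g. KSKs: no rollover by default
    series = sorted(keys, key=lambda k: k.activate)
    corrections: List[Correction] = []
    for k in series:
        corrections.extend(conform(k, policy, now, force))
    successors: List[Key] = []
    if series:
        boundary = series[-1].activate + policy.roll_period   # last key goes inactive
    else:                                  # zone without keys: start one now
        first = Key("new1", publish=now, activate=now, inactive=now + policy.roll_period)
        first.delete = first.inactive + policy.post_publish
        successors.append(first)
        boundary = first.inactive
    horizon = now + policy.coverage
    while horizon > boundary:              # a gap inside the coverage window
        succ = Key(f"new{len(successors) + 1}", publish=boundary - policy.pre_publish,
                   activate=boundary, inactive=boundary + policy.roll_period)
        succ.delete = succ.inactive + policy.post_publish
        successors.append(succ)
        boundary = succ.inactive
    return corrections, successors


# Constructed sample data: a 6-month coverage / 1-year roll-period ZSK policy,
# one live ZSK that was never given inactive/delete times, and one stale ZSK
# whose inactive/delete times are already in the past.
NOW = datetime(2016, 5, 1)
ZSK_POLICY = RollPolicy(coverage=timedelta(days=182), roll_period=timedelta(days=365),
                        pre_publish=timedelta(days=30), post_publish=timedelta(days=30))
KSK_POLICY = RollPolicy(coverage=timedelta(days=182), roll_period=None,
                        pre_publish=timedelta(days=30), post_publish=timedelta(days=30))
EXISTING = [Key("zsk1", publish=datetime(2015, 6, 1), activate=datetime(2015, 7, 1))]
STALE = Key("zsk0", publish=datetime(2015, 6, 1), activate=datetime(2015, 7, 1),
            inactive=datetime(2016, 3, 1), delete=datetime(2016, 4, 1))


def demo(force: bool = False) -> Tuple[List[Correction], List[Key]]:
    return plan_series(EXISTING, ZSK_POLICY, NOW, force)
```

    <para>
      With the sample data, <userinput>demo()</userinput> returns two corrections
      for <userinput>zsk1</userinput> (an inactive date of 2016-06-30, one
      roll-period after activation, and a delete date 30 days later) and one
      successor, <userinput>new1</userinput>, published 2016-05-31 and active from
      2016-06-30 to 2017-06-30, which carries the zone past the 2016-10-30 coverage
      horizon. <userinput>conform(STALE, ZSK_POLICY, NOW)</userinput> returns
      nothing because both of that key's events have already passed;
      <userinput>force=True</userinput> rewrites them, as <option>-f</option> would,
      and the KSK policy with no roll-period yields no corrections and no
      successors at all.
    </para>
  </refsection>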

  <refsection><info><title>OPTIONS</title></info>
    <variablelist>
      <varlistentry>
        <term>-c <replaceable class="parameter">file</replaceable></term>
        <listitem>
          <para>
            If <option>-c</option> is specified, then the DNSSEC
            policy is read from <option>file</option>. (If not
            specified, then the policy is read from
            <filename>/etc/dnssec-policy.conf</filename>; if that file
            doesn't exist, a built-in global default policy is used.)
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-f</term>
        <listitem>
          <para>
            Force: allow updating of key events even if they are
            already in the past. This is not recommended for use with
            zones in which keys have already been published. However,
            if a set of keys has been generated all of which have
            publication and activation dates in the past, but the
            keys have not yet been published in a zone, then this
            option can be used to clean them up and turn them into a
            proper series of keys with appropriate rollover intervals.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-g <replaceable class="parameter">keygen-path</replaceable></term>
        <listitem>
          <para>
            Specifies a path to a <command>dnssec-keygen</command> binary.
            Used for testing.
            See also the <option>-s</option> option.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-h</term>
        <listitem>
          <para>
            Print the <command>dnssec-keymgr</command> help summary
            and exit.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-K <replaceable class="parameter">directory</replaceable></term>
        <listitem>
          <para>
            Sets the directory in which keys can be found. Defaults to the
            current working directory.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-k</term>
        <listitem>
          <para>
            Only apply policies to KSK keys.
            See also the <option>-z</option> option.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-q</term>
        <listitem>
          <para>
            Quiet: suppress printing of the <command>dnssec-keygen</command>
            and <command>dnssec-settime</command> commands.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-r <replaceable class="parameter">randomdev</replaceable></term>
        <listitem>
          <para>
            Specifies a path to a file containing random data.
            This is passed to the <command>dnssec-keygen</command> binary
            using its <option>-r</option> option.
<!-- TODO: what to do about "-r keyboard"? -->
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-s <replaceable class="parameter">settime-path</replaceable></term>
        <listitem>
          <para>
            Specifies a path to a <command>dnssec-settime</command> binary.
            Used for testing.
            See also the <option>-g</option> option.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-v</term>
        <listitem>
          <para>
            Print the <command>dnssec-keymgr</command> version and exit.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-z</term>
        <listitem>
          <para>
            Only apply policies to ZSK keys.
            See also the <option>-k</option> option.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsection>

  <refsection><info><title>POLICY CONFIGURATION</title></info>
    <para>
      The <filename>dnssec-policy.conf</filename> file can specify three kinds
      of policies:
    </para>
    <itemizedlist>
      <listitem>
        <para>
          <emphasis>Policy classes</emphasis>
          (<option>policy <replaceable>name</replaceable> { ... };</option>)
          can be inherited by zone policies or other policy classes; these
          can be used to create sets of different security profiles. For
          example, a policy class <userinput>normal</userinput> might specify
          1024-bit key sizes, but a class <userinput>extra</userinput> might
          specify 2048 bits instead; <userinput>extra</userinput> would be
          used for zones that had unusually high security needs.
        </para>
      </listitem>
      <listitem>
        <para>
          <emphasis>Algorithm policies</emphasis>
          (<option>algorithm-policy <replaceable>algorithm</replaceable> { ... };</option>)
          override default per-algorithm settings. For example, by default,
          RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
          can be modified using <command>algorithm-policy</command>, and the
          new key sizes would then be used for any key of type RSASHA256.
        </para>
      </listitem>
      <listitem>
        <para>
          <emphasis>Zone policies</emphasis>
          (<option>zone <replaceable>name</replaceable> { ... };</option>)
          set policy for a single zone by name. A zone policy can inherit
          a policy class by including a <option>policy</option> option.
          Zone names beginning with digits (i.e., 0-9) must be quoted.
        </para>
      </listitem>
    </itemizedlist>
    <para>
      Options that can be specified in policies:
    </para>
    <variablelist>
      <varlistentry>
        <term><command>algorithm</command></term>
        <listitem>
          <para>
            The key algorithm. If no policy is defined, the default is
            RSASHA256.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><command>coverage</command></term>
        <listitem>
          <para>
            The length of time to ensure that keys will be correct; no action
            will be taken to create new keys to be activated after this time.
            This can be represented as a number of seconds, or as a duration using
            human-readable units (examples: "1y" or "6 months").
            A default value for this option can be set in algorithm policies
            as well as in policy classes or zone policies.
            If no policy is configured, the default is six months.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><command>directory</command></term>
        <listitem>
          <para>
            Specifies the directory in which keys should be stored.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><command>key-size</command></term>
        <listitem>
          <para>
            Specifies the number of bits to use in creating keys.
            Takes two arguments: keytype (either "zsk" or "ksk") and size.
            A default value for this option can be set in algorithm policies
            as well as in policy classes or zone policies. If no policy is
            configured, the default is 1024 bits for DSA keys and 2048 for
            RSA.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><command>keyttl</command></term>
        <listitem>
          <para>
            The key TTL. If no policy is defined, the default is one hour.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><command>post-publish</command></term>
        <listitem>
          <para>
            How long after inactivation a key should be deleted from the zone.
            Note: If <option>roll-period</option> is not set, this value is
            ignored. Takes two arguments: keytype (either "zsk" or "ksk") and a
            duration. A default value for this option can be set in algorithm
            policies as well as in policy classes or zone policies. The default
            is one month.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><command>pre-publish</command></term>
        <listitem>
          <para>
            How long before activation a key should be published. Note: If
            <option>roll-period</option> is not set, this value is ignored.
            Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
            A default value for this option can be set in algorithm policies
            as well as in policy classes or zone policies. The default is
            one month.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><command>roll-period</command></term>
        <listitem>
          <para>
            How frequently keys should be rolled over.
            Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
            A default value for this option can be set in algorithm policies
            as well as in policy classes or zone policies. If no policy is
            configured, the default is one year for ZSKs. KSKs do not
            roll over by default.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><command>standby</command></term>
        <listitem>
          <para>
            Not yet implemented.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsection>
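  <refsection><info><title>EXAMPLE: RESOLVING A ZONE'S POLICY</title></info>
    <para>
      The following Python parser and resolver is an example added to this page;
      it is not the <filename>isc.policy</filename> module that
      <command>dnssec-keymgr</command> itself uses. It reads a policy file in the
      layout described above and computes the effective settings for a zone. The
      block grammar (<option>kind name { option args; };</option>), the two-argument
      form of <option>key-size</option>, <option>pre-publish</option>,
      <option>post-publish</option> and <option>roll-period</option>, the built-in
      defaults and the RSA/DSA key sizes follow this section. The following are
      assumptions of the example: the precedence order (built-in defaults, then the
      <option>algorithm-policy</option> for the zone's algorithm, then policy
      classes from base to derived, then the zone block), the rule that a zone
      block without a <option>policy</option> option inherits a class named
      <userinput>default</userinput>, the <userinput>#</userinput> comment syntax,
      and the sizes of the "month" (30 days) and "year" (365 days) units. The
      configuration in <userinput>SAMPLE_CONF</userinput> is constructed for the
      example.
    </para>

```python
"""Parser and resolver for a policy file in the layout this section describes.
Constructed for this page, not ISC's isc.policy module: the precedence order,
the 'default' class rule and the duration unit sizes are assumptions."""
import re

MONTH, YEAR = 30 * 86400, 365 * 86400          # assumed sizes of "month" and "year"
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400,
         "mo": MONTH, "month": MONTH, "y": YEAR, "year": YEAR}
KEYED = {"key-size", "pre-publish", "post-publish", "roll-period"}   # keytype first
DURATION = {"coverage", "keyttl", "pre-publish", "post-publish", "roll-period"}

def parse_duration(text: str) -> int:
    """'1y', '6 months' or plain seconds ('3600') -> seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]*)\s*", text.lower())
    if not m:
        raise ValueError(f"bad duration {text!r}")
    unit = m.group(2)
    if len(unit) > 1 and unit.endswith("s"):   # "months" -> "month"
        unit = unit[:-1]
    return int(m.group(1)) * UNITS[unit]

def parse_policy_file(text: str) -> dict:
    """'kind name { option args; ... };' -> {kind: {name: {option: [[args], ...]}}}."""
    text = re.sub(r"#[^\n]*", "", text)         # '#' to end of line is a comment
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)
    blocks = {"policy": {}, "algorithm-policy": {}, "zone": {}}
    i = 0
    while len(tokens) > i:
        kind, name = tokens[i], tokens[i + 1].strip('"')   # names may be quoted
        if kind not in blocks or tokens[i + 2] != "{":
            raise ValueError(f"expected a policy, algorithm-policy or zone block at token {i}")
        settings = {}
        i += 3
        while tokens[i] != "}":
            end = tokens.index(";", i)           # ValueError if a ';' is missing
            settings.setdefault(tokens[i], []).append([a.strip('"') for a in tokens[i + 1:end]])
            i = end + 1
        blocks[kind][name] = settings
        i += 2 if tokens[i + 1:i + 2] == [";"] else 1   # past "}" and an optional ";"
    return blocks

def apply(settings: dict, eff: dict) -> None:
    """Overlay one block's statements on the effective settings."""
    for option, occurrences in settings.items():
        for args in occurrences:
            if option == "policy":               # inheritance, resolved by chain()
                continue
            if option in KEYED:                  # e.g. "key-size zsk 2048"
                value = " ".join(args[1:])
                eff[option][args[0].lower()] = (parse_duration(value) if option in DURATION
                                                else int(value))
            elif option in DURATION:
                eff[option] = parse_duration(" ".join(args))
            else:                                # algorithm, directory, standby
                eff[option] = args[0].upper() if option == "algorithm" else " ".join(args)

def chain(blocks: dict, zone: str) -> list:
    """Blocks in application order: base class first, the zone block last.
    Assumed: a zone block without a 'policy' option inherits the class 'default'."""
    order = [blocks["zone"].get(zone, {})]
    if "policy" not in order[0] and "default" in blocks["policy"]:
        order.insert(0, blocks["policy"]["default"])
    seen = set()
    while "policy" in order[0]:
        parent = order[0]["policy"][-1][0]
        if parent in seen:                       # a loop would hang an unattended run
            raise ValueError(f"inheritance loop at policy {parent!r}")
        seen.add(parent)
        order.insert(0, blocks["policy"][parent])
    return order

def resolve(blocks: dict, zone: str) -> dict:
    """Effective settings for one zone.  Assumed precedence, lowest first: the
    defaults this section states, algorithm-policy, classes base to derived, zone."""
    order = chain(blocks, zone)
    eff = {"algorithm": "RSASHA256", "coverage": 6 * MONTH, "keyttl": 3600, "key-size": {},
           "pre-publish": {"ksk": MONTH, "zsk": MONTH}, "post-publish": {"ksk": MONTH, "zsk": MONTH},
           "roll-period": {"ksk": None, "zsk": YEAR}}   # KSKs do not roll by default
    algs = [s["algorithm"][-1][0].upper() for s in order if "algorithm" in s]
    eff["algorithm"] = algs[-1] if algs else eff["algorithm"]   # picks the algorithm-policy
    by_alg = {n.upper(): s for n, s in blocks["algorithm-policy"].items()}
    apply(by_alg.get(eff["algorithm"], {}), eff)
    for settings in order:
        apply(settings, eff)
    alg = eff["algorithm"]                       # page: 2048 bits for RSA, 1024 for DSA
    bits = 2048 if "RSA" in alg else 1024 if alg in ("DSA", "NSEC3DSA") else None
    for keytype in ("ksk", "zsk"):
        eff["key-size"].setdefault(keytype, bits)
    return eff

SAMPLE_CONF = """\
# constructed sample in the layout this section describes
algorithm-policy RSASHA256 { key-size ksk 2048; key-size zsk 1024; };
policy normal { algorithm RSASHA256; coverage 6 months;
                roll-period zsk 1y; pre-publish zsk 30d; post-publish zsk 30d; };
policy extra { policy normal; key-size zsk 2048; coverage 1y; };   # hardened profile
zone example.com { policy normal; };
zone "1example.org" { policy extra; keyttl 2h; };   # leading digit: must be quoted
"""
BLOCKS = parse_policy_file(SAMPLE_CONF)
```

    <para>
      With the sample file, <userinput>resolve(BLOCKS, "example.com")</userinput>
      yields the 1024-bit ZSK size from the <option>algorithm-policy</option> block,
      a six-month coverage and a one-year ZSK roll-period from the
      <userinput>normal</userinput> class, and the built-in one-hour key TTL;
      <userinput>resolve(BLOCKS, "1example.org")</userinput> inherits
      <userinput>normal</userinput> through <userinput>extra</userinput>, which
      raises the ZSK size to 2048 bits and the coverage to one year, and the zone
      block itself sets a two-hour TTL. A zone with no block of its own still
      receives the <option>algorithm-policy</option> overrides for the default
      algorithm, and a cycle among <option>policy</option> references is reported
      rather than looped over.
    </para>
  </refsection>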

  <refsection><info><title>REMAINING WORK</title></info>
    <itemizedlist>
      <listitem>
        <para>
          Enable scheduling of KSK rollovers using the <option>-P sync</option>
          and <option>-D sync</option> options to
          <command>dnssec-keygen</command> and
          <command>dnssec-settime</command>. Check the parent zone
          (as in <command>dnssec-checkds</command>) to determine when it's
          safe for the key to roll.
        </para>
      </listitem>
      <listitem>
        <para>
          Allow configuration of standby keys and use of the REVOKE bit,
          for keys that use RFC 5011 semantics.
        </para>
      </listitem>
    </itemizedlist>
  </refsection>

  <refsection><info><title>SEE ALSO</title></info>
    <para>
      <citerefentry>
        <refentrytitle>dnssec-coverage</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>dnssec-settime</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>dnssec-checkds</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>
    </para>
  </refsection>

</refentry>