dnssec-keymgr.html revision 46bb3884a0738664862e3a36b7848aa374aebd45
273e660f5f11ea8a59377520134c8b4be87fedbccilix<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
273e660f5f11ea8a59377520134c8b4be87fedbccilix - Copyright (C) 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
273e660f5f11ea8a59377520134c8b4be87fedbccilix - This Source Code Form is subject to the terms of the Mozilla Public
273e660f5f11ea8a59377520134c8b4be87fedbccilix - License, v. 2.0. If a copy of the MPL was not distributed with this
273e660f5f11ea8a59377520134c8b4be87fedbccilix - file, You can obtain one at http://mozilla.org/MPL/2.0/.
5c45bb188ab729e501e48732842cb9de6a9813beAlex Valavanis<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
eb4caa8f4cdc2955b58dcd2de06fe770533414c8Jon A. Cruz<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
273e660f5f11ea8a59377520134c8b4be87fedbccilix<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
273e660f5f11ea8a59377520134c8b4be87fedbccilix<a name="man.dnssec-keymgr"></a><div class="titlepage"></div>
273e660f5f11ea8a59377520134c8b4be87fedbccilix — Ensures correct DNSKEY coverage for a zone based on a defined policy
fc336487182165df2bbcbe52800aa3d2e292b7c7Liam P. White [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
312bccd9de1cbb6c10da3e96d6e709fb19519288Liam P. White [<code class="option">-c <em class="replaceable"><code>file</code></em></code>]
273e660f5f11ea8a59377520134c8b4be87fedbccilix [<code class="option">-g <em class="replaceable"><code>path</code></em></code>]
273e660f5f11ea8a59377520134c8b4be87fedbccilix [<code class="option">-r <em class="replaceable"><code>path</code></em></code>]
273e660f5f11ea8a59377520134c8b4be87fedbccilix [<code class="option">-s <em class="replaceable"><code>path</code></em></code>]
273e660f5f11ea8a59377520134c8b4be87fedbccilix <span class="command"><strong>dnssec-keymgr</strong></span> is a high level Python wrapper
85bc45682f5dd745ceb7f01b0d47efd35853844fcilix to facilitate the key rollover process for zones handled by
85bc45682f5dd745ceb7f01b0d47efd35853844fcilix BIND. It uses the BIND commands for manipulating DNSSEC key
5cd969f185e1a05f873e023378d0831e71441da6joncruz metadata: <span class="command"><strong>dnssec-keygen</strong></span> and
85bc45682f5dd745ceb7f01b0d47efd35853844fcilix <span class="command"><strong>dnssec-settime</strong></span>.
85bc45682f5dd745ceb7f01b0d47efd35853844fcilix DNSSEC policy can be read from a configuration file (default
85bc45682f5dd745ceb7f01b0d47efd35853844fcilix <code class="filename">/etc/dnssec-policy.conf</code>), from which the key
85bc45682f5dd745ceb7f01b0d47efd35853844fcilix parameters, publication and rollover schedule, and desired
85bc45682f5dd745ceb7f01b0d47efd35853844fcilix coverage duration for any given zone can be determined. This
85bc45682f5dd745ceb7f01b0d47efd35853844fcilix file may be used to define individual DNSSEC policies on a
71aad46792b4f0eac60baac9bbeb5366e6a21e9fDiederik van Lierop per-zone basis, or to set a default policy used for all zones.
71aad46792b4f0eac60baac9bbeb5366e6a21e9fDiederik van Lierop When <span class="command"><strong>dnssec-keymgr</strong></span> runs, it examines the DNSSEC
85bc45682f5dd745ceb7f01b0d47efd35853844fcilix keys for one or more zones, comparing their timing metadata against
85bc45682f5dd745ceb7f01b0d47efd35853844fcilix the policies for those zones. If key settings do not conform to the
273e660f5f11ea8a59377520134c8b4be87fedbccilix DNSSEC policy (for example, because the policy has been changed),
273e660f5f11ea8a59377520134c8b4be87fedbccilix they are automatically corrected.
273e660f5f11ea8a59377520134c8b4be87fedbccilix A zone policy can specify a duration for which we want to
71aad46792b4f0eac60baac9bbeb5366e6a21e9fDiederik van Lierop ensure the key correctness (<code class="option">coverage</code>). It can
273e660f5f11ea8a59377520134c8b4be87fedbccilix also specify a rollover period (<code class="option">roll-period</code>).
273e660f5f11ea8a59377520134c8b4be87fedbccilix If policy indicates that a key should roll over before the
273e660f5f11ea8a59377520134c8b4be87fedbccilix coverage period ends, then a successor key will automatically be
273e660f5f11ea8a59377520134c8b4be87fedbccilix created and added to the end of the key series.
273e660f5f11ea8a59377520134c8b4be87fedbccilix If zones are specified on the command line,
273e660f5f11ea8a59377520134c8b4be87fedbccilix <span class="command"><strong>dnssec-keymgr</strong></span> will examine only those zones.
273e660f5f11ea8a59377520134c8b4be87fedbccilix If a specified zone does not already have keys in place, then
273e660f5f11ea8a59377520134c8b4be87fedbccilix keys will be generated for it according to policy.
5e910edf3969fcedbc5d170ceddfe15796a1e285Liam P. White If zones are <span class="emphasis"><em>not</em></span> specified on the command
273e660f5f11ea8a59377520134c8b4be87fedbccilix line, then <span class="command"><strong>dnssec-keymgr</strong></span> will search the
273e660f5f11ea8a59377520134c8b4be87fedbccilix key directory (either the current working directory or the directory
273e660f5f11ea8a59377520134c8b4be87fedbccilix set by the <code class="option">-K</code> option), and check the keys for
5cf332777b4c27336d64c273ac63bce3ee27a53dAlex Valavanis all the zones represented in the directory.
273e660f5f11ea8a59377520134c8b4be87fedbccilix It is expected that this tool will be run automatically and
273e660f5f11ea8a59377520134c8b4be87fedbccilix unattended (for example, by <span class="command"><strong>cron</strong></span>).
273e660f5f11ea8a59377520134c8b4be87fedbccilix<dt><span class="term">-c <em class="replaceable"><code>file</code></em></span></dt>
273e660f5f11ea8a59377520134c8b4be87fedbccilix If <code class="option">-c</code> is specified, then the DNSSEC
273e660f5f11ea8a59377520134c8b4be87fedbccilix policy is read from <code class="option">file</code>. (If not
4ea30e1bba14987abced98e7bf194b69153e9e21cilix specified, then the policy is read from
273e660f5f11ea8a59377520134c8b4be87fedbccilix <code class="filename">/etc/dnssec-policy.conf</code>; if that file
273e660f5f11ea8a59377520134c8b4be87fedbccilix doesn't exist, a built-in global default policy is used.)
273e660f5f11ea8a59377520134c8b4be87fedbccilix Force: allow updating of key events even if they are
273e660f5f11ea8a59377520134c8b4be87fedbccilix already in the past. This is not recommended for use with
273e660f5f11ea8a59377520134c8b4be87fedbccilix zones in which keys have already been published. However,
273e660f5f11ea8a59377520134c8b4be87fedbccilix if a set of keys has been generated all of which have
273e660f5f11ea8a59377520134c8b4be87fedbccilix publication and activation dates in the past, but the
273e660f5f11ea8a59377520134c8b4be87fedbccilix keys have not been published in a zone as yet, then this
273e660f5f11ea8a59377520134c8b4be87fedbccilix option can be used to clean them up and turn them into a
273e660f5f11ea8a59377520134c8b4be87fedbccilix proper series of keys with appropriate rollover intervals.
273e660f5f11ea8a59377520134c8b4be87fedbccilix<dt><span class="term">-g <em class="replaceable"><code>keygen-path</code></em></span></dt>
(<code class="option">algorithm-policy <em class="replaceable"><code>algorithm</code></em> { ... };</code> )
Zone names beginning with digits (i.e., 0-9) must be quoted.