man.dnssec-coverage.html revision c313914d0e66b20969215e519bbf2ab4ecf39512
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-coverage</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-checkds.html" title="dnssec-checkds">
<link rel="next" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-coverage</span></th></tr>
<tr>
<td width="20%" align="left"><a accesskey="p" href="man.dnssec-checkds.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a></td>
</tr>
</table>
<a name="man.dnssec-coverage"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
      <span class="application">dnssec-coverage</span>
       — checks future DNSKEY coverage for a zone
    </p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
      <code class="command">dnssec-coverage</code>
       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
       [<code class="option">-l <em class="replaceable"><code>length</code></em></code>]
       [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
       [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>]
       [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>]
       [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>]
       [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>]
    </p></div>
</div>
<div class="refsection">
<a name="id-1.14.8.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-coverage</strong></span>
      verifies that the DNSSEC keys for a given zone or a set of zones
      have timing metadata set properly to ensure no future lapses in DNSSEC
      coverage.
    </p>
<p>
      If <code class="option">zone</code> is specified, then keys found in
      the key repository matching that zone are scanned, and an ordered
      list is generated of the events scheduled for those keys (i.e.,
      publication, activation, inactivation, deletion). The list of
      events is walked in order of occurrence. Warnings are generated
      if any event is scheduled which could cause the zone to enter a
      state in which validation failures might occur: for example, if
      the number of published or active keys for a given algorithm drops
      to zero, or if a key is deleted from the zone too soon after a new
      key is rolled, so that cached data signed by the prior key has not had
      time to expire from resolver caches.
    </p>
<p>
      If <code class="option">zone</code> is not specified, then all keys in the
      key repository will be scanned, and all zones for which there are
      keys will be analyzed. (Note: This method of reporting is only
      accurate if all the zones that have keys in a given repository
      share the same TTL parameters.)
    </p>
</div>
<div class="refsection">
<h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
          Sets the directory in which keys can be found. Defaults to the
          current working directory.
        </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd><p>
          If a <code class="option">file</code> is specified, then the zone is
          read from that file; the largest TTL and the DNSKEY TTL are
          determined directly from the zone data, and the
          <code class="option">-m</code> and <code class="option">-d</code> options do
          not need to be specified on the command line.
        </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>
<dd>
<p>
          The length of time to check for DNSSEC coverage. Key events
          scheduled further into the future than <code class="option">duration</code>
          will be ignored, and assumed to be correct.
        </p>
<p>
          The value of <code class="option">duration</code> can be set in seconds,
          or in larger units of time by adding a suffix: 'mi' for minutes,
          'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
          'y' for years.
        </p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
<dd>
<p>
          Sets the value to be used as the maximum TTL for the zone or
          zones being analyzed when determining whether there is a
          possibility of validation failure. When a zone-signing key is
          deactivated, there must be enough time for the record in the
          zone with the longest TTL to have expired from resolver caches
          before that key can be purged from the DNSKEY RRset. If that
          condition does not apply, a warning will be generated.
        </p>
<p>
          The length of the TTL can be set in seconds, or in larger units
          of time by adding a suffix: 'mi' for minutes, 'h' for hours,
          'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
        </p>
<p>
          This option is not necessary if the <code class="option">-f</code> option has
          been used to specify a zone file. If <code class="option">-f</code> has
          been specified, this option may still be used; it will override
          the value found in the file.
        </p>
<p>
          If this option is not used and the maximum TTL cannot be retrieved
          from a zone file, a warning is generated and a default value of
          1 week is used.
        </p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
<dd>
<p>
          Sets the value to be used as the DNSKEY TTL for the zone or
          zones being analyzed when determining whether there is a
          possibility of validation failure. When a key is rolled (that
          is, replaced with a new key), there must be enough time for the
          old DNSKEY RRset to have expired from resolver caches before
          the new key is activated and begins generating signatures. If
          that condition does not apply, a warning will be generated.
        </p>
<p>
          The length of the TTL can be set in seconds, or in larger units
          of time by adding a suffix: 'mi' for minutes, 'h' for hours,
          'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
        </p>
<p>
          This option is not necessary if <code class="option">-f</code> has
          been used to specify a zone file from which the TTL
          of the DNSKEY RRset can be read, or if a default key TTL was
          set with the <code class="option">-L</code> option to
          <span class="command"><strong>dnssec-keygen</strong></span>. If either of those is true,
          this option may still be used; it will override the values
          found in the zone file or the key file.
        </p>
<p>
          If this option is not used and the key TTL cannot be retrieved
          from the zone file or the key file, then a warning is generated
          and a default value of 1 day is used.
        </p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>
<dd>
<p>
          Sets the value to be used as the resign interval for the zone
          or zones being analyzed when determining whether there is a
          possibility of validation failure. This value defaults to
          22.5 days, which is also the default in
          <span class="command"><strong>named</strong></span>. However, if it has been changed
          by the <code class="option">sig-validity-interval</code> option in
          <code class="filename">named.conf</code>, then it should also be
          changed here.
        </p>
<p>
          The length of the interval can be set in seconds, or in larger
          units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
          'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
        </p>
</dd>
</dl></div>
</div>
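<p>The ordered event walk from the DESCRIPTION and the two timing windows behind the <code class="option">-d</code> and <code class="option">-m</code> checks, as an added Python example that is not code from <span class="command"><strong>dnssec-coverage</strong></span> or the BIND sources. It uses constructed key timing metadata, treats every key of an algorithm alike (no KSK/ZSK distinction), and assumes the <code class="option">-r</code> resign interval is added to the post-deactivation window; the tool's own rules are more detailed.</p>

```python
from dataclasses import dataclass
from typing import Optional

DAY = 86400
DEFAULT_MAX_TTL, DEFAULT_DNSKEY_TTL, DEFAULT_RESIGN = 7 * DAY, DAY, int(22.5 * DAY)  # -m, -d, -r defaults

@dataclass
class Key:
    name: str                      # constructed label in dnssec-keygen style
    alg: int                       # DNSKEY algorithm number
    publish: int                   # timing metadata as seconds relative to "now"
    activate: int
    inactive: Optional[int] = None
    delete: Optional[int] = None

def coverage_warnings(keys, now=0, duration=365 * DAY, max_ttl=DEFAULT_MAX_TTL,
                      dnskey_ttl=DEFAULT_DNSKEY_TTL, resign=DEFAULT_RESIGN):
    """Return warnings for key events scheduled no later than now + duration (-l)."""
    horizon, warnings, events = now + duration, [], []
    for k in keys:
        # -d rule: the old DNSKEY RRset must have expired from caches before the
        # new key starts signing, so publish must lead activate by the DNSKEY TTL.
        if k.activate <= horizon and k.activate - k.publish < dnskey_ttl:
            warnings.append(f"{k.name}: activated {k.activate - k.publish}s after "
                            f"publication, less than DNSKEY TTL {dnskey_ttl}s")
        # -m rule: a deactivated key stays published until the longest-TTL record it
        # signed has left caches. Assumption: the -r interval is added on top of that.
        if (k.inactive is not None and k.delete is not None and k.delete <= horizon
                and k.delete - k.inactive < max_ttl + resign):
            warnings.append(f"{k.name}: deleted {k.delete - k.inactive}s after deactivation, "
                            f"less than max TTL + resign interval {max_ttl + resign}s")
        # prio 0 (increments) sorts before prio 1 (decrements) at equal timestamps.
        for when, prio, kind in ((k.publish, 0, "publish"), (k.activate, 0, "activate"),
                                 (k.inactive, 1, "inactive"), (k.delete, 1, "delete")):
            if when is not None and when <= horizon:
                events.append((when, prio, kind, k.alg))
    published, active = {}, {}
    for when, prio, kind, alg in sorted(events):   # the ordered event walk
        counts = published if kind in ("publish", "delete") else active
        counts[alg] = counts.get(alg, 0) + (1 if prio == 0 else -1)
        if counts[alg] == 0:
            state = "published" if counts is published else "active"
            warnings.append(f"algorithm {alg}: no {state} keys from t={when}s")
    return warnings

# Constructed rollover: ZSK 11111 hands over to ZSK 22222 with three timing mistakes.
SAMPLE_KEYS = [
    Key("Kexample.com.+013+11111", 13, publish=0, activate=DAY, inactive=60 * DAY, delete=70 * DAY),
    Key("Kexample.com.+013+22222", 13, publish=60 * DAY + 43200, activate=61 * DAY),
]
```

Running <code>coverage_warnings(SAMPLE_KEYS)</code> reports the early deletion of 11111, the half-day pre-publication of 22222, and a one-day gap with no active key for algorithm 13; the same keys with <code>duration=30 * DAY</code> produce no warnings because every problematic event lies beyond the checked window.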
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.3 (Extended Support Version)</p>