man.dnssec-coverage.html revision 0eea9763d88e3edf9b6de585f7cfbb08de977124
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw - Copyright (C) 2000-2003 Internet Software Consortium.
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw - Permission to use, copy, modify, and/or distribute this software for any
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw - purpose with or without fee is hereby granted, provided that the above
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw - copyright notice and this permission notice appear in all copies.
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw - PERFORMANCE OF THIS SOFTWARE.
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw<!-- $Id$ -->
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
0dcc71495bad040a0c83830efc85acf8d897350dnw<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw<link rel="prev" href="man.dnssec-checkds.html" title="dnssec-checkds">
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw<link rel="next" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
c8e261054d98729a8718903716b9b8a512d8b693jp<tr><th colspan="3" align="center"><span class="application">dnssec-coverage</span></th></tr>
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw<a accesskey="p" href="man.dnssec-checkds.html">Prev</a>�</td>
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>
c8e261054d98729a8718903716b9b8a512d8b693jp<a name="man.dnssec-coverage"></a><div class="titlepage"></div>
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw<p><span class="application">dnssec-coverage</span> — checks future DNSKEY coverage for a zone</p>
c8e261054d98729a8718903716b9b8a512d8b693jp<div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>length</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [<code class="option">-k</code>] [<code class="option">-z</code>] [zone]</p></div>
c8e261054d98729a8718903716b9b8a512d8b693jp<p><span><strong class="command">dnssec-coverage</strong></span>
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen verifies that the DNSSEC keys for a given zone or a set of zones
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen have timing metadata set properly to ensure no future lapses in DNSSEC
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen If <code class="option">zone</code> is specified, then keys found in
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen the key repository matching that zone are scanned, and an ordered
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen list is generated of the events scheduled for that key (i.e.,
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen publication, activation, inactivation, deletion). The list of
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw events is walked in order of occurrence. Warnings are generated
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw if any event is scheduled which could cause the zone to enter a
c8e261054d98729a8718903716b9b8a512d8b693jp state in which validation failures might occur: for example, if
c8e261054d98729a8718903716b9b8a512d8b693jp the number of published or active keys for a given algorithm drops
c8e261054d98729a8718903716b9b8a512d8b693jp to zero, or if a key is deleted from the zone too soon after a new
c8e261054d98729a8718903716b9b8a512d8b693jp key is rolled, and cached data signed by the prior key has not had
c8e261054d98729a8718903716b9b8a512d8b693jp time to expire from resolver caches.
c8e261054d98729a8718903716b9b8a512d8b693jp If <code class="option">zone</code> is not specified, then all keys in the
c8e261054d98729a8718903716b9b8a512d8b693jp key repository will be scanned, and all zones for which there are
c8e261054d98729a8718903716b9b8a512d8b693jp keys will be analyzed. (Note: This method of reporting is only
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen accurate if all the zones that have keys in a given repository
c8e261054d98729a8718903716b9b8a512d8b693jp share the same TTL parameters.)
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen Sets the directory in which keys can be found. Defaults to the
c8e261054d98729a8718903716b9b8a512d8b693jp current working directory.
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen If a <code class="option">file</code> is specified, then the zone is
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen read from that file; the largest TTL and the DNSKEY TTL are
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen determined directly from the zone data, and the
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen <code class="option">-m</code> and <code class="option">-d</code> options do
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen not need to be specified on the command line.
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen<dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban The length of time to check for DNSSEC coverage. Key events
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban scheduled further into the future than <code class="option">duration</code>
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban will be ignored, and assumed to be correct.
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban The value of <code class="option">duration</code> can be set in seconds,
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban or in larger units of time by adding a suffix: 'mi' for minutes,
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
1b91ce3959be411ccaff4e20e9ff0e54e301243anw 'y' for years.
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw<dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
349d5d8f2e43f7f425bc3d025dda555187160ab7nw Sets the value to be used as the maximum TTL for the zone or
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw zones being analyzed when determining whether there is a
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw possibility of validation failure. When a zone-signing key is
c8e261054d98729a8718903716b9b8a512d8b693jp deactivated, there must be enough time for the record in the
c8e261054d98729a8718903716b9b8a512d8b693jp zone with the longest TTL to have expired from resolver caches
349d5d8f2e43f7f425bc3d025dda555187160ab7nw before that key can be purged from the DNSKEY RRset. If that
c8e261054d98729a8718903716b9b8a512d8b693jp condition does not apply, a warning will be generated.
0dcc71495bad040a0c83830efc85acf8d897350dnw The length of the TTL can be set in seconds, or in larger units
0dcc71495bad040a0c83830efc85acf8d897350dnw of time by adding a suffix: 'mi' for minutes, 'h' for hours,
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
349d5d8f2e43f7f425bc3d025dda555187160ab7nw This option is mandatory unless the <code class="option">-f</code> has
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw been used to specify a zone file. (If <code class="option">-f</code> has
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw been specified, this option may still be used; it will override
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw the value found in the file.)