man.dnssec-coverage.html revision 0eea9763d88e3edf9b6de585f7cfbb08de977124
<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-checkds.html" title="dnssec-checkds">
<link rel="next" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-coverage</span></th></tr>
<a accesskey="p" href="man.dnssec-checkds.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>
<a name="man.dnssec-coverage"></a><div class="titlepage"></div>
<p><span class="application">dnssec-coverage</span> — checks future DNSKEY coverage for a zone</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>length</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [<code class="option">-k</code>] [<code class="option">-z</code>] [zone]</p></div>
<p><span><strong class="command">dnssec-coverage</strong></span>
 verifies that the DNSSEC keys for a given zone or a set of zones
 have timing metadata set properly to ensure no future lapses in DNSSEC
 coverage.</p>
<p>If <code class="option">zone</code> is specified, then keys found in
 the key repository matching that zone are scanned, and an ordered
 list is generated of the events scheduled for those keys (i.e.,
 publication, activation, inactivation, deletion). The list of
 events is walked in order of occurrence. Warnings are generated
 if any event is scheduled which could cause the zone to enter a
 state in which validation failures might occur: for example, if
 the number of published or active keys for a given algorithm drops
 to zero, or if a key is deleted from the zone too soon after a new
 key is rolled, and cached data signed by the prior key has not had
 time to expire from resolver caches.</p>
<p>If <code class="option">zone</code> is not specified, then all keys in the
 key repository will be scanned, and all zones for which there are
 keys will be analyzed. (Note: This method of reporting is only
 accurate if all the zones that have keys in a given repository
 share the same TTL parameters.)</p>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 Sets the directory in which keys can be found. Defaults to the
 current working directory.
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 If a <code class="option">file</code> is specified, then the zone is
 read from that file; the largest TTL and the DNSKEY TTL are
 determined directly from the zone data, and the
 <code class="option">-m</code> and <code class="option">-d</code> options do
 not need to be specified on the command line.
<dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>
 The length of time to check for DNSSEC coverage. Key events
 scheduled further into the future than <code class="option">duration</code>
 will be ignored, and assumed to be correct.
 The value of <code class="option">duration</code> can be set in seconds,
 or in larger units of time by adding a suffix: 'mi' for minutes,
 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
 'y' for years.
<dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
 Sets the value to be used as the maximum TTL for the zone or
 zones being analyzed when determining whether there is a
 possibility of validation failure. When a zone-signing key is
 deactivated, there must be enough time for the record in the
 zone with the longest TTL to have expired from resolver caches
 before that key can be purged from the DNSKEY RRset. If that
 condition does not apply, a warning will be generated.
 The length of the TTL can be set in seconds, or in larger units
 of time by adding a suffix: 'mi' for minutes, 'h' for hours,
 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
 This option is mandatory unless the <code class="option">-f</code> option has
 been used to specify a zone file. (If <code class="option">-f</code> has
 been specified, this option may still be used; it will override
 the value found in the file.)
<dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
 Sets the value to be used as the DNSKEY TTL for the zone or
 zones being analyzed when determining whether there is a
 possibility of validation failure. When a key is rolled (that
 is, replaced with a new key), there must be enough time
 for the old DNSKEY RRset to have expired from resolver caches
 before the new key is activated and begins generating
 signatures. If that condition does not apply, a warning
 will be generated.
 The length of the TTL can be set in seconds, or in larger units
 of time by adding a suffix: 'mi' for minutes, 'h' for hours,
 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
 This option is mandatory unless the <code class="option">-f</code> option has
 been used to specify a zone file, or a default key TTL was
 set with the <code class="option">-L</code> option to
 <span><strong class="command">dnssec-keygen</strong></span>. (If either of those is true,
 this option may still be used; it will override the value found
 in the zone or key file.)
<dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>
 Sets the value to be used as the resign interval for the zone
 or zones being analyzed when determining whether there is a
 possibility of validation failure. This value defaults to
 22.5 days, which is also the default in
 <span><strong class="command">named</strong></span>. However, if it has been changed
 by the <code class="option">sig-validity-interval</code> option in
 <code class="filename">named.conf</code>, then it should also be
 changed here.
 The length of the interval can be set in seconds, or in larger
 units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
<dt><span class="term">-k</span></dt>
 Only check KSK coverage; ignore ZSK events. Cannot be
 used with <code class="option">-z</code>.
<dt><span class="term">-z</span></dt>
 Only check ZSK coverage; ignore KSK events. Cannot be
 used with <code class="option">-k</code>.
<dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt>
 Specifies a path to a <span><strong class="command">named-compilezone</strong></span> binary.
 Used for testing.
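<p>The event walk described above and the two TTL checks behind <code class="option">-d</code> and <code class="option">-m</code>, as an added illustration that is not the BIND tool's own code. It models only the three warnings the text names (an algorithm left with no active key, a rolled-in key activated before the old DNSKEY RRset can leave caches, a key deleted before data it signed can leave caches); DS handling and the resign interval are left out, and the key timings are constructed.</p>

```python
# Simplified model of the dnssec-coverage event walk (added example, not the
# BIND tool's own code). All times are seconds from "now".
from dataclasses import dataclass
from typing import List, Optional
DAY = 86400

@dataclass
class Key:
    name: str                  # constructed label, not a real key file name
    alg: int                   # DNSSEC algorithm number
    ksk: bool                  # True for a KSK, False for a ZSK
    publish: int
    activate: int
    inactive: Optional[int] = None
    delete: Optional[int] = None

def check_coverage(keys: List[Key], dnskey_ttl: int, max_ttl: int,
                   length: int) -> List[str]:
    """Walk key timing events in order and return warnings for: no active key
    left for an algorithm, a roll-in too soon after publication (-d), and a
    deletion too soon after inactivation (-m)."""
    order = {"publish": 0, "activate": 1, "inactive": 2, "delete": 3}
    events = [(getattr(k, e), e, k) for k in keys for e in order
              if getattr(k, e) is not None and getattr(k, e) <= length]
    events.sort(key=lambda ev: (ev[0], order[ev[1]]))  # beyond -l is ignored
    active, warnings = {}, []          # (alg, ksk) -> names currently signing
    for t, kind, k in events:
        group = active.setdefault((k.alg, k.ksk), set())
        if kind == "activate":
            if group and t - k.publish < dnskey_ttl:   # this is a roll
                warnings.append(f"t={t}: {k.name} activated {t - k.publish}s "
                                f"after publication; DNSKEY TTL is {dnskey_ttl}s")
            group.add(k.name)
        elif kind in ("inactive", "delete"):
            if k.name in group:
                group.remove(k.name)
                if not group:
                    warnings.append(f"t={t}: no active {'KSK' if k.ksk else 'ZSK'} for algorithm {k.alg}")
            if kind == "delete" and (k.inactive is None or t - k.inactive < max_ttl):
                warnings.append(f"t={t}: {k.name} deleted before data signed by "
                                f"it could expire (max TTL {max_ttl}s)")
    return warnings

def demo() -> List[str]:
    # Constructed ZSK roll: Z2 is pre-published only 10 minutes before it
    # starts signing, and later deleted one hour after going inactive.
    keys = [Key("K1", 8, True, 0, 0),
            Key("Z1", 8, False, 0, 0, 30 * DAY, 31 * DAY),
            Key("Z2", 8, False, 30 * DAY - 600, 30 * DAY, 60 * DAY, 60 * DAY + 3600)]
    return check_coverage(keys, dnskey_ttl=3600, max_ttl=DAY, length=365 * DAY)
```

<p>Z1's deletion exactly one max-TTL after its inactivation passes, while Z2's roll-in and deletion each trip a check, and Z2 going inactive with no successor leaves the algorithm without an active ZSK.</p>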
 <span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>
<p><span class="corpauthor">Internet Systems Consortium</span>
<table width="100%" summary="Navigation footer">
<a accesskey="p" href="man.dnssec-checkds.html">Prev</a>&nbsp;</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>
<span class="application">dnssec-checkds</span>&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;<span class="application">dnssec-dsfromkey</span>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>