man.dnssec-coverage.html revision 11e9368a226272085c337e9e74b79808c16fbdba
<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-coverage"></a><div class="titlepage"></div>
<p><span class="application">dnssec-coverage</span> &#8212; checks future DNSKEY coverage for a zone</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>length</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [<code class="option">-k</code>] [<code class="option">-z</code>] [zone]</p></div>
<p><span><strong class="command">dnssec-coverage</strong></span>
  verifies that the DNSSEC keys for a given zone or a set of zones
  have timing metadata set properly to ensure no future lapses in DNSSEC
</p>
<p>
  If <code class="option">zone</code> is specified, then keys found in
  the key repository matching that zone are scanned, and an ordered
  list is generated of the events scheduled for that key (i.e.,
  publication, activation, inactivation, deletion). The list of
  events is walked in order of occurrence. Warnings are generated
  if any event is scheduled which could cause the zone to enter a
  state in which validation failures might occur: for example, if
  the number of published or active keys for a given algorithm drops
  to zero, or if a key is deleted from the zone too soon after a new
  key is rolled, and cached data signed by the prior key has not had
  time to expire from resolver caches.
</p>
<p>
  If <code class="option">zone</code> is not specified, then all keys in the
  key repository will be scanned, and all zones for which there are
  keys will be analyzed. (Note: This method of reporting is only
  accurate if all the zones that have keys in a given repository
  share the same TTL parameters.)
</p>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
  Sets the directory in which keys can be found. Defaults to the
  current working directory.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd><p>
  If a <code class="option">file</code> is specified, then the zone is
  read from that file; the largest TTL and the DNSKEY TTL are
  determined directly from the zone data, and the
  <code class="option">-m</code> and <code class="option">-d</code> options do
  not need to be specified on the command line.
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>
<dd>
<p>
  The length of time to check for DNSSEC coverage. Key events
  scheduled further into the future than <code class="option">duration</code>
  will be ignored, and assumed to be correct.
</p>
<p>
  The value of <code class="option">duration</code> can be set in seconds,
  or in larger units of time by adding a suffix: 'mi' for minutes,
  'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
  'y' for years.
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
<dd>
<p>
  Sets the value to be used as the maximum TTL for the zone or
  zones being analyzed when determining whether there is a
  possibility of validation failure. When a zone-signing key is
  deactivated, there must be enough time for the record in the
  zone with the longest TTL to have expired from resolver caches
  before that key can be purged from the DNSKEY RRset. If that
  condition is not met, a warning will be generated.
</p>
<p>
  The length of the TTL can be set in seconds, or in larger units
  of time by adding a suffix: 'mi' for minutes, 'h' for hours,
  'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</p>
<p>
  This option is mandatory unless <code class="option">-f</code> has
  been used to specify a zone file. (If <code class="option">-f</code> has
  been specified, this option may still be used; it will override
  the value found in the file.)
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
<dd>
<p>
  Sets the value to be used as the DNSKEY TTL for the zone or
  zones being analyzed when determining whether there is a
  possibility of validation failure. When a key is rolled (that
  is, replaced with a new key), there must be enough time
  for the old DNSKEY RRset to have expired from resolver caches
  before the new key is activated and begins generating
  signatures. If that condition is not met, a warning
  will be generated.
</p>
<p>
  The length of the TTL can be set in seconds, or in larger units
  of time by adding a suffix: 'mi' for minutes, 'h' for hours,
  'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</p>
<p>
  This option is mandatory unless <code class="option">-f</code> has
  been used to specify a zone file, or a default key TTL was
  <span><strong class="command">dnssec-keygen</strong></span>. (If either of those is true,
  this option may still be used; it will override the value found
  in the zone or key file.)
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>
<dd>
<p>
  Sets the value to be used as the resign interval for the zone
  or zones being analyzed when determining whether there is a
  possibility of validation failure. This value defaults to
  22.5 days, which is also the default in
  <span><strong class="command">named</strong></span>. However, if it has been changed
  by the <code class="option">sig-validity-interval</code> option in
  <code class="filename">named.conf</code>, then it should also be
  changed here.
</p>
<p>
  The length of the interval can be set in seconds, or in larger
  units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
  'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd><p>
  Only check KSK coverage; ignore ZSK events. Cannot be
</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
  Only check ZSK coverage; ignore KSK events. Cannot be
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt>
<dd><p>
  Specifies a path to a <span><strong class="command">named-compilezone</strong></span> binary.
  Used for testing.
</p></dd>
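<p>The <code class="option">-l</code>, <code class="option">-d</code> and <code class="option">-m</code> checks described above, as an added example that is not part of BIND or of this manual page. It is a simplified model, not the tool's implementation: the <code>Key</code> record, the function names and the sample keys are hypothetical, times are seconds relative to now, and 'mo' and 'y' are taken as 30 and 365 days.</p>

```python
from collections import namedtuple

# Suffixes from the option text; 'mo' = 30 days, 'y' = 365 days are assumptions.
UNITS = {"": 1, "mi": 60, "h": 3600, "d": 86400, "w": 604800,
         "mo": 2592000, "y": 31536000}

def parse_duration(text):
    """Convert '3600', '1h', '90d' ... to seconds."""
    digits = text.rstrip("abcdefghijklmnopqrstuvwxyz")
    suffix = text[len(digits):]
    if not digits.isdigit() or suffix not in UNITS:
        raise ValueError("bad duration: %r" % text)
    return int(digits) * UNITS[suffix]

# Hypothetical record; times are seconds relative to now, None means unset.
Key = namedtuple("Key", "tag alg publish activate inactive delete")

def check_coverage(keys, dnskey_ttl, max_ttl, horizon):
    """Return warnings for events scheduled between now and the horizon (-l)."""
    due = lambda t: t is not None and 0 <= t <= horizon
    warnings = []
    for k in keys:
        if due(k.activate) and k.publish is not None \
                and k.activate - k.publish < dnskey_ttl:
            warnings.append("key %d: activated less than the DNSKEY TTL "
                            "after publication" % k.tag)
        if due(k.delete) and k.inactive is not None \
                and k.delete - k.inactive < max_ttl:
            warnings.append("key %d: deleted less than the maximum TTL "
                            "after inactivation" % k.tag)
    for alg in sorted({k.alg for k in keys}):
        group = [k for k in keys if k.alg == alg]
        # Walk the scheduled events in order and recount keys at each one.
        for t in sorted({0} | {t for k in group for t in k[2:] if due(t)}):
            published = sum(1 for k in group if k.publish is not None
                            and k.publish <= t and (k.delete is None or k.delete > t))
            active = sum(1 for k in group if k.activate is not None
                         and k.activate <= t and (k.inactive is None or k.inactive > t))
            if published == 0 or active == 0:
                state = "published" if published == 0 else "active"
                warnings.append("algorithm %d: no %s key at t=%d" % (alg, state, t))
                break
    return warnings

D = parse_duration("1d")
# Constructed sample: a ZSK roll with no pre-publication and an early delete.
RUSHED = [Key(1001, 8, -60 * D, -60 * D, 30 * D, 30 * D + 3600),
          Key(1002, 8, 30 * D, 30 * D, None, None)]
print(check_coverage(RUSHED, parse_duration("1h"), D, parse_duration("90d")))
```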
<span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>
<p><span class="corpauthor">Internet Systems Consortium</span>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>