man.dnssec-coverage.html revision 14a656f94b1fd0ababd84a772228dfa52276ba15
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-coverage"></a><div class="titlepage"></div>
<p><span class="application">dnssec-coverage</span> — checks future DNSKEY coverage for a zone</p>
 [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
 [<code class="option">-l <em class="replaceable"><code>length</code></em></code>]
 [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
 [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>]
 [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>]
 [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>]
 [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>]
 <p><span class="command"><strong>dnssec-coverage</strong></span>
 verifies that the DNSSEC keys for a given zone or a set of zones
 have timing metadata set properly to ensure no future lapses in DNSSEC</p>
 <p>If <code class="option">zone</code> is specified, then keys found in
 the key repository matching that zone are scanned, and an ordered
 list is generated of the events scheduled for that key (i.e.,
 publication, activation, inactivation, deletion). The list of
 events is walked in order of occurrence. Warnings are generated
 if any event is scheduled which could cause the zone to enter a
 state in which validation failures might occur: for example, if
 the number of published or active keys for a given algorithm drops
 to zero, or if a key is deleted from the zone too soon after a new
 key is rolled, and cached data signed by the prior key has not had
 time to expire from resolver caches.</p>
 <p>If <code class="option">zone</code> is not specified, then all keys in the
 key repository will be scanned, and all zones for which there are
 keys will be analyzed. (Note: This method of reporting is only
 accurate if all the zones that have keys in a given repository
 share the same TTL parameters.)</p>
 <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Sets the directory in which keys can be found. Defaults to the
 current working directory.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd><p>
 If a <code class="option">file</code> is specified, then the zone is
 read from that file; the largest TTL and the DNSKEY TTL are
 determined directly from the zone data, and the
 <code class="option">-m</code> and <code class="option">-d</code> options do
 not need to be specified on the command line.
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>
<dd>
<p>
 The length of time to check for DNSSEC coverage. Key events
 scheduled further into the future than <code class="option">duration</code>
 will be ignored, and assumed to be correct.
</p>
<p>
 The value of <code class="option">duration</code> can be set in seconds,
 or in larger units of time by adding a suffix: 'mi' for minutes,
 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
 'y' for years.
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
<dd>
<p>
 Sets the value to be used as the maximum TTL for the zone or
 zones being analyzed when determining whether there is a
 possibility of validation failure. When a zone-signing key is
 deactivated, there must be enough time for the record in the
 zone with the longest TTL to have expired from resolver caches
 before that key can be purged from the DNSKEY RRset. If that
 condition does not apply, a warning will be generated.
</p>
<p>
 The length of the TTL can be set in seconds, or in larger units
 of time by adding a suffix: 'mi' for minutes, 'h' for hours,
 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</p>
<p>
 This option is mandatory unless the <code class="option">-f</code> has
 been used to specify a zone file. (If <code class="option">-f</code> has
 been specified, this option may still be used; it will override
 the value found in the file.)
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
<dd>
<p>
 Sets the value to be used as the DNSKEY TTL for the zone or
 zones being analyzed when determining whether there is a
 possibility of validation failure. When a key is rolled (that
 is, replaced with a new key), there must be enough time
 for the old DNSKEY RRset to have expired from resolver caches
 before the new key is activated and begins generating
 signatures. If that condition does not apply, a warning
 will be generated.
</p>
<p>
 The length of the TTL can be set in seconds, or in larger units
 of time by adding a suffix: 'mi' for minutes, 'h' for hours,
 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</p>
<p>
 This option is mandatory unless the <code class="option">-f</code> has
 been used to specify a zone file, or a default key TTL was
 <span class="command"><strong>dnssec-keygen</strong></span>. (If either of those is true,
 this option may still be used; it will override the value found
 in the zone or key file.)
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>
<dd>
<p>
 Sets the value to be used as the resign interval for the zone
 or zones being analyzed when determining whether there is a
 possibility of validation failure. This value defaults to
 22.5 days, which is also the default in
 <span class="command"><strong>named</strong></span>. However, if it has been changed
 by the <code class="option">sig-validity-interval</code> option in
 <code class="filename">named.conf</code>, then it should also be
 changed here.
</p>
<p>
 The length of the interval can be set in seconds, or in larger
 units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
</p>
</dd>
 Only check KSK coverage; ignore ZSK events. Cannot be
 Only check ZSK coverage; ignore KSK events. Cannot be
<dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt>
<dd><p>
 Specifies a path to a <span class="command"><strong>named-compilezone</strong></span> binary.
 Used for testing.
</p></dd>
</dl></div>
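<p>The event walk and the <code class="option">-m</code>/<code class="option">-d</code> timing rules described above can be modelled in a few lines. This is an added illustration, not code from BIND or <span class="command"><strong>dnssec-coverage</strong></span> itself. The key dictionaries, the <code>P</code>/<code>A</code>/<code>I</code>/<code>D</code> field names, the warning texts, and the 30-day month and 365-day year are assumptions made for the example.</p>

```python
import re

# Suffixes from the option descriptions; 30-day months and 365-day years are assumptions.
UNITS = {None: 1, "mi": 60, "h": 3600, "d": 86400, "w": 604800,
         "mo": 30 * 86400, "y": 365 * 86400}

def parse_duration(text):
    """Turn '3600', '90d' or '6mo' into seconds."""
    m = re.fullmatch(r"(\d+)(mi|h|d|w|mo|y)?", text.strip().lower())
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def check_coverage(keys, max_ttl, key_ttl, horizon):
    """keys: dicts with 'id', 'alg' and optional P/A/I/D times (publish,
    activate, inactivate, delete) in seconds relative to now.
    Returns a sorted list of (time, warning) for 0 <= time <= horizon."""
    warnings, events = [], []
    for k in keys:
        p, a, i, d = (k.get(f) for f in "PAID")
        # -d rule: the old DNSKEY RRset must expire from caches before the new key signs.
        if p is not None and a is not None and 0 < a <= horizon and a - p < key_ttl:
            warnings.append((a, f"{k['id']} activated before old DNSKEY RRset expired"))
        # -m rule: data signed by the key must age out before the key is purged.
        if i is not None and d is not None and 0 <= d <= horizon and d - i < max_ttl:
            warnings.append((d, f"{k['id']} deleted before cached signatures expired"))
        # Event tuple: (time, is_removal, counter, delta, alg); additions sort first.
        events += [(t, delta < 0, kind, delta, k["alg"])
                   for t, kind, delta in ((p, "published", 1), (a, "active", 1),
                                          (i, "active", -1), (d, "published", -1))
                   if t is not None]
    counts = {}
    for t, _, kind, delta, alg in sorted(events):  # walk in order of occurrence
        counts[(alg, kind)] = counts.get((alg, kind), 0) + delta
        if delta < 0 and counts[(alg, kind)] == 0 and 0 <= t <= horizon:
            warnings.append((t, f"no {kind} keys for algorithm {alg}"))
    return sorted(warnings)

# Constructed sample: the successor key activates a day after the old key is
# inactivated, and the old key is deleted one hour after inactivation.
DAY = parse_duration("1d")
SAMPLE_KEYS = [
    {"id": "K-old", "alg": 8, "P": -90 * DAY, "A": -90 * DAY,
     "I": 30 * DAY, "D": 30 * DAY + 3600},
    {"id": "K-new", "alg": 8, "P": 29 * DAY, "A": 31 * DAY},
]
RESULT = check_coverage(SAMPLE_KEYS, max_ttl=DAY, key_ttl=parse_duration("1h"),
                        horizon=parse_duration("6mo"))
```

<p>Events later than the horizon are skipped, matching the <code class="option">-l</code> behaviour of assuming they are correct.</p>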
 <span class="refentrytitle">dnssec-checkds</span>(8)
 <span class="refentrytitle">dnssec-dsfromkey</span>(8)
 <span class="refentrytitle">dnssec-keygen</span>(8)
 <span class="refentrytitle">dnssec-signzone</span>(8)
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>