doc/arm/man.dnssec-coverage.html

	man.dnssec-coverage.html revision 164ade1482251e1da962b42e5bf0d3aa02a11e03
689023771c563d8660e45d439a207e06e96de28fMark Andrews<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!--
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
689023771c563d8660e45d439a207e06e96de28fMark Andrews -
689023771c563d8660e45d439a207e06e96de28fMark Andrews - This Source Code Form is subject to the terms of the Mozilla Public
689023771c563d8660e45d439a207e06e96de28fMark Andrews - License, v. 2.0. If a copy of the MPL was not distributed with this
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - file, You can obtain one at http://mozilla.org/MPL/2.0/.
689023771c563d8660e45d439a207e06e96de28fMark Andrews-->
689023771c563d8660e45d439a207e06e96de28fMark Andrews<html lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>
689023771c563d8660e45d439a207e06e96de28fMark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
689023771c563d8660e45d439a207e06e96de28fMark Andrews<title>dnssec-coverage</title>
689023771c563d8660e45d439a207e06e96de28fMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
689023771c563d8660e45d439a207e06e96de28fMark Andrews<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
689023771c563d8660e45d439a207e06e96de28fMark Andrews<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="man.dnssec-checkds.html" title="dnssec-checkds">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navheader">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation header">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center"><span class="application">dnssec-coverage</span></th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="man.dnssec-checkds.html">Prev</a>�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<th width="60%" align="center">Manual pages</th>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refentry">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="man.dnssec-coverage"></a><div class="titlepage"></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  <div class="refnamediv">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<h2>Name</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <span class="application">dnssec-coverage</span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein     &#8212; checks future DNSKEY coverage for a zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  <div class="refsynopsisdiv">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<h2>Synopsis</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <div class="cmdsynopsis"><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <code class="command">dnssec-coverage</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein       [<code class="option">-l <em class="replaceable"><code>length</code></em></code>]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein       [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein       [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein       [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein       [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein       [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein       [<code class="option">-k</code>]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein       [<code class="option">-z</code>]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein       [zone...]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  </div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  <div class="refsection">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id-1.14.8.7"></a><h2>DESCRIPTION</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <p><span class="command"><strong>dnssec-coverage</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      verifies that the DNSSEC keys for a given zone or a set of zones
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      have timing metadata set properly to ensure no future lapses in DNSSEC
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      coverage.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      If <code class="option">zone</code> is specified, then keys found in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      the key repository matching that zone are scanned, and an ordered
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      list is generated of the events scheduled for that key (i.e.,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      publication, activation, inactivation, deletion).  The list of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      events is walked in order of occurrence.  Warnings are generated
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      if any event is scheduled which could cause the zone to enter a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      state in which validation failures might occur: for example, if
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      the number of published or active keys for a given algorithm drops
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      to zero, or if a key is deleted from the zone too soon after a new
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      key is rolled, and cached data signed by the prior key has not had
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      time to expire from resolver caches.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      If <code class="option">zone</code> is not specified, then all keys in the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      key repository will be scanned, and all zones for which there are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      keys will be analyzed.  (Note: This method of reporting is only
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      accurate if all the zones that have keys in a given repository
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      share the same TTL parameters.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  </div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  <div class="refsection">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id-1.14.8.8"></a><h2>OPTIONS</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <div class="variablelist"><dl class="variablelist">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Sets the directory in which keys can be found.  Defaults to the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            current working directory.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            If a <code class="option">file</code> is specified, then the zone is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            read from that file; the largest TTL and the DNSKEY TTL are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            determined directly from the zone data, and the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="option">-m</code> and <code class="option">-d</code> options do
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            not need to be specified on the command line.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            The length of time to check for DNSSEC coverage.  Key events
4f6469885c3d66367e3f8fb94e1f3c66115990b0Mark Andrews            scheduled further into the future than <code class="option">duration</code>
4f6469885c3d66367e3f8fb94e1f3c66115990b0Mark Andrews            will be ignored, and assumed to be correct.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            The value of <code class="option">duration</code> can be set in seconds,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            or in larger units of time by adding a suffix: 'mi' for minutes,
4f6469885c3d66367e3f8fb94e1f3c66115990b0Mark Andrews            'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            'y' for years.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Sets the value to be used as the maximum TTL for the zone or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            zones being analyzed when determining whether there is a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            possibility of validation failure.  When a zone-signing key is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            deactivated, there must be enough time for the record in the
4f6469885c3d66367e3f8fb94e1f3c66115990b0Mark Andrews            zone with the longest TTL to have expired from resolver caches
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            before that key can be purged from the DNSKEY RRset.  If that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            condition does not apply, a warning will be generated.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            The length of the TTL can be set in seconds, or in larger units
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            of time by adding a suffix: 'mi' for minutes, 'h' for hours,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            This option is not necessary if the <code class="option">-f</code> has
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            been used to specify a zone file.  If <code class="option">-f</code> has
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            been specified, this option may still be used; it will override
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            the value found in the file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            If this option is not used and the maximum TTL cannot be retrieved
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            from a zone file, a warning is generated and a default value of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            1 week is used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Sets the value to be used as the DNSKEY TTL for the zone or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            zones being analyzed when determining whether there is a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            possibility of validation failure.  When a key is rolled (that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            is, replaced with a new key), there must be enough time for the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            old DNSKEY RRset to have expired from resolver caches before
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            the new key is activated and begins generating signatures.  If
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            that condition does not apply, a warning will be generated.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            The length of the TTL can be set in seconds, or in larger units
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            of time by adding a suffix: 'mi' for minutes, 'h' for hours,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            This option is not necessary if <code class="option">-f</code> has
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            been used to specify a zone file from which the TTL
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            of the DNSKEY RRset can be read, or if a default key TTL was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            set using ith the <code class="option">-L</code> to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <span class="command"><strong>dnssec-keygen</strong></span>.  If either of those is true,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            this option may still be used; it will override the values
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            found in the zone file or the key file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            If this option is not used and the key TTL cannot be retrieved
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            from the zone file or the key file, then a warning is generated
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            and a default value of 1 day is used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Sets the value to be used as the resign interval for the zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            or zones being analyzed when determining whether there is a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            possibility of validation failure.  This value defaults to
689023771c563d8660e45d439a207e06e96de28fMark Andrews            22.5 days, which is also the default in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <span class="command"><strong>named</strong></span>.  However, if it has been changed
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            by the <code class="option">sig-validity-interval</code> option in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="filename">named.conf</code>, then it should also be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            changed here.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            The length of the interval can be set in seconds, or in larger
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-k</span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Only check KSK coverage; ignore ZSK events. Cannot be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            used with <code class="option">-z</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-z</span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Only check ZSK coverage; ignore KSK events. Cannot be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            used with <code class="option">-k</code>.
689023771c563d8660e45d439a207e06e96de28fMark Andrews          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Specifies a path to a <span class="command"><strong>named-compilezone</strong></span> binary.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Used for testing.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dl></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  </div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  <div class="refsection">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id-1.14.8.9"></a><h2>SEE ALSO</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="citerefentry">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span class="refentrytitle">dnssec-checkds</span>(8)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="citerefentry">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span class="refentrytitle">dnssec-dsfromkey</span>(8)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="citerefentry">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span class="refentrytitle">dnssec-keygen</span>(8)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <span class="citerefentry">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <span class="refentrytitle">dnssec-signzone</span>(8)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </span>
689023771c563d8660e45d439a207e06e96de28fMark Andrews    </p>
4f6469885c3d66367e3f8fb94e1f3c66115990b0Mark Andrews  </div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navfooter">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation footer">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="man.dnssec-checkds.html">Prev</a>�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="right">�<a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="left" valign="top">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<span class="application">dnssec-checkds</span>�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="right" valign="top">�<span class="application">dnssec-dsfromkey</span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.2b1</p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</body>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein