man.dnssec-coverage.html revision 164ade1482251e1da962b42e5bf0d3aa02a11e03
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster - Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster - This Source Code Form is subject to the terms of the Mozilla Public
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster - License, v. 2.0. If a copy of the MPL was not distributed with this
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster - file, You can obtain one at http://mozilla.org/MPL/2.0/.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster<link rel="prev" href="man.dnssec-checkds.html" title="dnssec-checkds">
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster<link rel="next" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster<a name="man.dnssec-coverage"></a><div class="titlepage"></div>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster <span class="application">dnssec-coverage</span>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster — checks future DNSKEY coverage for a zone
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster [<code class="option">-l <em class="replaceable"><code>length</code></em></code>]
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>]
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>]
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>]
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>]
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster <p><span class="command"><strong>dnssec-coverage</strong></span>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster verifies that the DNSSEC keys for a given zone or a set of zones
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster have timing metadata set properly to ensure no future lapses in DNSSEC
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster If <code class="option">zone</code> is specified, then keys found in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster the key repository matching that zone are scanned, and an ordered
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster list is generated of the events scheduled for that key (i.e.,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster publication, activation, inactivation, deletion). The list of
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster events is walked in order of occurrence. Warnings are generated
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if any event is scheduled which could cause the zone to enter a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster state in which validation failures might occur: for example, if
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster the number of published or active keys for a given algorithm drops
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster to zero, or if a key is deleted from the zone too soon after a new
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster key is rolled, and cached data signed by the prior key has not had
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster time to expire from resolver caches.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster If <code class="option">zone</code> is not specified, then all keys in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster key repository will be scanned, and all zones for which there are
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster keys will be analyzed. (Note: This method of reporting is only
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster accurate if all the zones that have keys in a given repository
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster share the same TTL parameters.)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster <div class="variablelist"><dl class="variablelist">
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Sets the directory in which keys can be found. Defaults to the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster current working directory.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster If a <code class="option">file</code> is specified, then the zone is
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster read from that file; the largest TTL and the DNSKEY TTL are
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster determined directly from the zone data, and the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster <code class="option">-m</code> and <code class="option">-d</code> options do
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster not need to be specified on the command line.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster<dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster The length of time to check for DNSSEC coverage. Key events
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster scheduled further into the future than <code class="option">duration</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster will be ignored, and assumed to be correct.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster The value of <code class="option">duration</code> can be set in seconds,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster or in larger units of time by adding a suffix: 'mi' for minutes,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster 'y' for years.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster<dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Sets the value to be used as the maximum TTL for the zone or
ae2aee96fc0dc24ac5b108d0c40e1f3b735f4ca3Sam Fraser zones being analyzed when determining whether there is a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster possibility of validation failure. When a zone-signing key is
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster deactivated, there must be enough time for the record in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster zone with the longest TTL to have expired from resolver caches
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster before that key can be purged from the DNSKEY RRset. If that
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster condition does not apply, a warning will be generated.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster The length of the TTL can be set in seconds, or in larger units
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster of time by adding a suffix: 'mi' for minutes, 'h' for hours,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster This option is not necessary if <code class="option">-f</code> has
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster been used to specify a zone file. If <code class="option">-f</code> has
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster been specified, this option may still be used; it will override
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster the value found in the file.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster If this option is not used and the maximum TTL cannot be retrieved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster from a zone file, a warning is generated and a default value of
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster 1 week is used.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster<dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Sets the value to be used as the DNSKEY TTL for the zone or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster zones being analyzed when determining whether there is a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster possibility of validation failure. When a key is rolled (that
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster is, replaced with a new key), there must be enough time for the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster old DNSKEY RRset to have expired from resolver caches before
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster the new key is activated and begins generating signatures. If
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster that condition does not apply, a warning will be generated.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster The length of the TTL can be set in seconds, or in larger units
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster of time by adding a suffix: 'mi' for minutes, 'h' for hours,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster This option is not necessary if <code class="option">-f</code> has
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster been used to specify a zone file from which the TTL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster of the DNSKEY RRset can be read, or if a default key TTL was
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster set using the <code class="option">-L</code> option to
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster <span class="command"><strong>dnssec-keygen</strong></span>. If either of those is true,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster this option may still be used; it will override the values
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster found in the zone file or the key file.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster If this option is not used and the key TTL cannot be retrieved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster from the zone file or the key file, then a warning is generated
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster and a default value of 1 day is used.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster<dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Sets the value to be used as the resign interval for the zone
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster or zones being analyzed when determining whether there is a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster possibility of validation failure. This value defaults to
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster 22.5 days, which is also the default in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster <span class="command"><strong>named</strong></span>. However, if it has been changed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster by the <code class="option">sig-validity-interval</code> option in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster <code class="filename">named.conf</code>, then it should also be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster changed here.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster The length of the interval can be set in seconds, or in larger
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Only check KSK coverage; ignore ZSK events. Cannot be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Only check ZSK coverage; ignore KSK events. Cannot be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster<dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Specifies a path to a <span class="command"><strong>named-compilezone</strong></span> binary.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Used for testing.
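<p>The event walk and the <code class="option">-m</code> / <code class="option">-d</code> timing checks described above, as an added illustration that is not BIND's own code. The key dictionaries, their field names and the <code>check_coverage</code> function are hypothetical, and the sample keys are constructed.</p>

```python
from datetime import datetime, timedelta
from itertools import groupby

ORDER = ("publish", "activate", "inactive", "delete")

def check_coverage(keys, max_ttl, dnskey_ttl):
    """Walk key events in time order; return warnings about possible validation lapses."""
    events = sorted(((k[e], ORDER.index(e), k) for k in keys for e in ORDER if k.get(e)),
                    key=lambda ev: ev[:2])
    published, active, had_active, warnings = {}, {}, set(), []
    for when, batch in groupby(events, key=lambda ev: ev[0]):
        touched = set()
        for _, idx, k in batch:
            alg, kid = k["alg"], k["id"]
            pub, act = published.setdefault(alg, set()), active.setdefault(alg, set())
            touched.add(alg)
            if ORDER[idx] == "publish":
                pub.add(kid)
            elif ORDER[idx] == "activate":
                # Rollover: the old DNSKEY RRset may still be cached (-d, DNSKEY TTL).
                if act and k.get("publish") and when - k["publish"] < dnskey_ttl:
                    warnings.append(f"{when:%Y-%m-%d}: key {kid} activated too soon after publication")
                act.add(kid)
                had_active.add(alg)
            elif ORDER[idx] == "inactive":
                act.discard(kid)
            else:
                # Data signed by this key may stay cached for up to the maximum TTL (-m).
                if k.get("inactive") and when - k["inactive"] < max_ttl:
                    warnings.append(f"{when:%Y-%m-%d}: key {kid} deleted too soon after inactivation")
                pub.discard(kid)
                act.discard(kid)
        for alg in sorted(touched):  # judge state only after all simultaneous events
            if alg in had_active and not active[alg]:
                warnings.append(f"{when:%Y-%m-%d}: no active key for algorithm {alg}")
            if not published[alg]:
                warnings.append(f"{when:%Y-%m-%d}: no published key for algorithm {alg}")
    return warnings

# Constructed ZSK rollover: key ids, algorithm number and dates are made up.
SAMPLE_KEYS = [
    {"id": 1111, "alg": 8, "publish": datetime(2024, 1, 1), "activate": datetime(2024, 1, 1),
     "inactive": datetime(2024, 4, 1), "delete": datetime(2024, 4, 3)},
    {"id": 2222, "alg": 8, "publish": datetime(2024, 3, 31, 12), "activate": datetime(2024, 4, 1)},
]

if __name__ == "__main__":
    for w in check_coverage(SAMPLE_KEYS, timedelta(weeks=1), timedelta(days=1)):
        print("WARNING:", w)
```

<p>The run uses the defaults named on this page (maximum TTL of 1 week, DNSKEY TTL of 1 day); the sample rollover trips both timing checks because the successor is pre-published for only 12 hours and the old key is deleted 2 days after inactivation.</p>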
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster <span class="refentrytitle">dnssec-checkds</span>(8)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster <span class="refentrytitle">dnssec-dsfromkey</span>(8)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster <span class="refentrytitle">dnssec-keygen</span>(8)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster <span class="refentrytitle">dnssec-signzone</span>(8)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.2b1</p>