man.dnssec-coverage.html revision 40f508f08bb887b14739f7b64e4d0a892586948f
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-coverage"></a><div class="titlepage"></div>
<p><span class="application">dnssec-coverage</span> — checks future DNSKEY coverage for a zone</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>length</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [<code class="option">-k</code>] [<code class="option">-z</code>] [zone]</p></div>
<p><span><strong class="command">dnssec-coverage</strong></span>
verifies that the DNSSEC keys for a given zone or a set of zones
have timing metadata set properly to ensure no future lapses in DNSSEC</p>
<p>If <code class="option">zone</code> is specified, then keys found in
the key repository matching that zone are scanned, and an ordered
list is generated of the events scheduled for that key (i.e.,
publication, activation, inactivation, deletion). The list of
events is walked in order of occurrence. Warnings are generated
if any event is scheduled which could cause the zone to enter a
state in which validation failures might occur: for example, if
the number of published or active keys for a given algorithm drops
to zero, or if a key is deleted from the zone too soon after a new
key is rolled, and cached data signed by the prior key has not had
time to expire from resolver caches.</p>
<p>If <code class="option">zone</code> is not specified, then all keys in the
key repository will be scanned, and all zones for which there are
keys will be analyzed. (Note: This method of reporting is only
accurate if all the zones that have keys in a given repository
share the same TTL parameters.)</p>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
Sets the directory in which keys can be found. Defaults to the
current working directory.
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
If a <code class="option">file</code> is specified, then the zone is
read from that file; the largest TTL and the DNSKEY TTL are
determined directly from the zone data, and the
<code class="option">-m</code> and <code class="option">-d</code> options do
not need to be specified on the command line.
<dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>
The length of time to check for DNSSEC coverage. Key events
scheduled further into the future than <code class="option">duration</code>
will be ignored, and assumed to be correct.
The value of <code class="option">duration</code> can be set in seconds,
or in larger units of time by adding a suffix: 'mi' for minutes,
'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
'y' for years.
<dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
Sets the value to be used as the maximum TTL for the zone or
zones being analyzed when determining whether there is a
possibility of validation failure. When a zone-signing key is
deactivated, there must be enough time for the record in the
zone with the longest TTL to have expired from resolver caches
before that key can be purged from the DNSKEY RRset. If that
condition does not apply, a warning will be generated.
The length of the TTL can be set in seconds, or in larger units
of time by adding a suffix: 'mi' for minutes, 'h' for hours,
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
This option is mandatory unless the <code class="option">-f</code> option has
been used to specify a zone file. (If <code class="option">-f</code> has
been specified, this option may still be used; it will override
the value found in the file.)
<dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
Sets the value to be used as the DNSKEY TTL for the zone or
zones being analyzed when determining whether there is a
possibility of validation failure. When a key is rolled (that
is, replaced with a new key), there must be enough time
for the old DNSKEY RRset to have expired from resolver caches
before the new key is activated and begins generating
signatures. If that condition does not apply, a warning
will be generated.
The length of the TTL can be set in seconds, or in larger units
of time by adding a suffix: 'mi' for minutes, 'h' for hours,
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
This option is mandatory unless the <code class="option">-f</code> option has
been used to specify a zone file, or a default key TTL was
<span><strong class="command">dnssec-keygen</strong></span>. (If either of those is true,
this option may still be used; it will override the value found
in the zone or key file.)
<dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>
Sets the value to be used as the resign interval for the zone
or zones being analyzed when determining whether there is a
possibility of validation failure. This value defaults to
22.5 days, which is also the default in
<span><strong class="command">named</strong></span>. However, if it has been changed
by the <code class="option">sig-validity-interval</code> option in
<code class="filename">named.conf</code>, then it should also be
changed here.
The length of the interval can be set in seconds, or in larger
units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
<dt><span class="term">-k</span></dt>
Only check KSK coverage; ignore ZSK events. Cannot be
<dt><span class="term">-z</span></dt>
Only check ZSK coverage; ignore KSK events. Cannot be
<dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt>
Specifies a path to a <span><strong class="command">named-compilezone</strong></span> binary.
Used for testing.
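<p>The event walk from the description, combined with the <code class="option">-m</code> and <code class="option">-d</code> timing rules, as an added example (not ISC's <span class="application">dnssec-coverage</span> code). It is a simplified sketch: the <code>Key</code> tuple, function names and sample timings are constructed here, the resign interval (<code class="option">-r</code>) is ignored, and months and years are assumed to be 30 and 365 days.</p>

```python
from collections import defaultdict, namedtuple

# Suffixes as listed for -l, -m, -d and -r; 30-day months and 365-day years
# are assumptions of this example.
UNITS = {"mi": 60, "h": 3600, "d": 86400, "w": 604800, "mo": 2592000, "y": 31536000}
ORDER = {"publish": 0, "activate": 1, "inactive": 2, "delete": 3}
Key = namedtuple("Key", "tag alg publish activate inactive delete")

def parse_duration(text):
    """Convert '3600', '90mi', '2w', '1mo' ... to seconds."""
    for suffix in sorted(UNITS, key=len, reverse=True):
        if text.endswith(suffix):
            return int(text[:-len(suffix)]) * UNITS[suffix]
    return int(text)

def check_coverage(keys, max_ttl, dnskey_ttl, length):
    """Walk key events in time order; return (time, message) warnings."""
    events = sorted(((getattr(k, n), ORDER[n], n, k) for k in keys for n in ORDER
                     if getattr(k, n) is not None and getattr(k, n) <= length),
                    key=lambda e: e[:2])
    published, active, warnings = defaultdict(set), defaultdict(set), []
    for when, _, name, k in events:
        if name == "publish":
            published[k.alg].add(k.tag)
        elif name == "activate":
            rolled = bool(published[k.alg] - {k.tag})  # an older key is still published
            if rolled and k.publish is not None and when - k.publish < dnskey_ttl:
                warnings.append((when, f"key {k.tag} activated before old DNSKEY RRset expired"))
            active[k.alg].add(k.tag)
        elif name == "inactive":
            active[k.alg].discard(k.tag)
            if not active[k.alg]:
                warnings.append((when, f"no active keys for algorithm {k.alg}"))
        else:  # delete
            if k.inactive is not None and when - k.inactive < max_ttl:
                warnings.append((when, f"key {k.tag} deleted before cached signatures expired"))
            published[k.alg].discard(k.tag)
            if not published[k.alg]:
                warnings.append((when, f"no published keys for algorithm {k.alg}"))
    return warnings

D, H = parse_duration("1d"), parse_duration("1h")
# Constructed timing metadata (seconds from now), not taken from real key files.
SAMPLE_KEYS = [
    Key(1001, 8, 0, 0, 30 * D, 30 * D + H),          # purged 1h after inactivation
    Key(1002, 8, 30 * D - parse_duration("30mi"), 30 * D, None, None),  # short pre-publish
    Key(2001, 13, 0, 0, 10 * D, 20 * D),             # retired with no successor
]
if __name__ == "__main__":
    print(*check_coverage(SAMPLE_KEYS, D, H, parse_duration("60d")), sep="\n")
```

<p>With a maximum TTL of one day and a DNSKEY TTL of one hour, the sample keys produce four warnings; shortening the checked length to 15 days leaves only the first, because later events are ignored.</p>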
<span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>
<p><span class="corpauthor">Internet Systems Consortium</span></p>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>