man.dnssec-coverage.html revision 665a24faf6b3711e4012ac02ae5f0981c093ac1e
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Copyright (C) 2000-2003 Internet Software Consortium.
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - Permission to use, copy, modify, and/or distribute this software for any
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!-- $Id$ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="man.dnssec-checkds.html" title="dnssec-checkds">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center"><span class="application">dnssec-coverage</span></th></tr>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a accesskey="p" href="man.dnssec-checkds.html">Prev</a>&#160;</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">&#160;<a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<a name="man.dnssec-coverage"></a><div class="titlepage"></div>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<p><span class="application">dnssec-coverage</span> — checks future DNSKEY coverage for a zone</p>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>length</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [<code class="option">-k</code>] [<code class="option">-z</code>] [zone]</p></div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p><span><strong class="command">dnssec-coverage</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein verifies that the DNSSEC keys for a given zone or a set of zones
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User have timing metadata set properly to ensure no future lapses in DNSSEC
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt If <code class="option">zone</code> is specified, then keys found in
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater the key repository matching that zone are scanned, and an ordered
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User list is generated of the events scheduled for that key (i.e.,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User publication, activation, inactivation, deletion). The list of
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User events is walked in order of occurrence. Warnings are generated
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User if any event is scheduled which could cause the zone to enter a
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User state in which validation failures might occur: for example, if
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User the number of published or active keys for a given algorithm drops
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User to zero, or if a key is deleted from the zone too soon after a new
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User key is rolled, and cached data signed by the prior key has not had
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User time to expire from resolver caches.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User If <code class="option">zone</code> is not specified, then all keys in the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User key repository will be scanned, and all zones for which there are
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater keys will be analyzed. (Note: This method of reporting is only
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt accurate if all the zones that have keys in a given repository
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater share the same TTL parameters.)
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Sets the directory in which keys can be found. Defaults to the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User current working directory.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater If a <code class="option">file</code> is specified, then the zone is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt read from that file; the largest TTL and the DNSKEY TTL are
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater determined directly from the zone data, and the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <code class="option">-m</code> and <code class="option">-d</code> options do
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User not need to be specified on the command line.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User The length of time to check for DNSSEC coverage. Key events
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User scheduled further into the future than <code class="option">duration</code>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User will be ignored, and assumed to be correct.
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User The value of <code class="option">duration</code> can be set in seconds,
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User or in larger units of time by adding a suffix: 'mi' for minutes,
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User 'y' for years.
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User<dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the value to be used as the maximum TTL for the zone or
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User zones being analyzed when determining whether there is a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein possibility of validation failure. When a zone-signing key is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein deactivated, there must be enough time for the record in the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User zone with the longest TTL to have expired from resolver caches
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews before that key can be purged from the DNSKEY RRset. If that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein condition does not apply, a warning will be generated.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The length of the TTL can be set in seconds, or in larger units
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of time by adding a suffix: 'mi' for minutes, 'h' for hours,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt This option is mandatory unless the <code class="option">-f</code> option has
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt been used to specify a zone file. (If <code class="option">-f</code> has
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt been specified, this option may still be used; it will override
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the value found in the file.)
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Sets the value to be used as the DNSKEY TTL for the zone or
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt zones being analyzed when determining whether there is a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt possibility of validation failure. When a key is rolled (that
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews is, replaced with a new key), there must be enough time
dec590a3deb8e87380a8bd3a77d535dba3729bf6Tinderbox User for the old DNSKEY RRset to have expired from resolver caches
dec590a3deb8e87380a8bd3a77d535dba3729bf6Tinderbox User before the new key is activated and begins generating
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User signatures. If that condition does not apply, a warning
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User will be generated.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User The length of the TTL can be set in seconds, or in larger units
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of time by adding a suffix: 'mi' for minutes, 'h' for hours,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This option is mandatory unless the <code class="option">-f</code> option has
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User been used to specify a zone file, or a default key TTL was
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span><strong class="command">dnssec-keygen</strong></span>. (If either of those is true,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt this option may still be used; it will override the value found
852ccdd42a71550c974111b49415204ffeca6573Automatic Updater in the zone or key file.)
3cddb2c552ee6582e8db0849c28747f6b6ca57feAutomatic Updater<dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Sets the value to be used as the resign interval for the zone
852ccdd42a71550c974111b49415204ffeca6573Automatic Updater or zones being analyzed when determining whether there is a
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User possibility of validation failure. This value defaults to
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater 22.5 days, which is also the default in
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater <span><strong class="command">named</strong></span>. However, if it has been changed
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt by the <code class="option">sig-validity-interval</code> option in
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="filename">named.conf</code>, then it should also be
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt changed here.
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater The length of the interval can be set in seconds, or in larger
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater Only check KSK coverage; ignore ZSK events. Cannot be
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Only check ZSK coverage; ignore KSK events. Cannot be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies a path to a <span><strong class="command">named-compilezone</strong></span> binary.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Used for testing.
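The event walk from the description and the timing rules under -m and -d, shown as an added Python example that is not part of the BIND distribution or of this manual page. The key dictionaries, function names and warning texts are hypothetical; all keys are assumed to share one algorithm and role, and months and years are taken as 30 and 365 days.

```python
import re

# Suffixes listed on this page; 30-day months and 365-day years are assumed.
UNITS = {None: 1, "mi": 60, "h": 3600, "d": 86400, "w": 604800,
         "mo": 30 * 86400, "y": 365 * 86400}
ORDER = {"publish": 0, "activate": 1, "inactive": 2, "delete": 3}
# Constructed sample (epoch seconds): key 1 is purged 1h after it is retired.
SAMPLE = [{"tag": 1, "publish": 0, "activate": 0, "inactive": 2592000, "delete": 2595600},
          {"tag": 2, "publish": 2505600, "activate": 2592000}]

def parse_duration(text):
    """Convert '3600', '90mi', '2w' or '6mo' to seconds."""
    m = re.fullmatch(r"(\d+)(mi|mo|h|d|w|y)?", text.strip().lower())
    if m is None:
        raise ValueError("bad duration: %r" % text)
    return int(m.group(1)) * UNITS[m.group(2)]

def check_coverage(keys, now, length, max_ttl, dnskey_ttl):
    """Walk key events in time order; return warning strings. keys: dicts with
    'tag' and optional publish/activate/inactive/delete epoch seconds."""
    warnings, events = [], []
    for k in keys:
        events += [(k[n], ORDER[n], n, k["tag"]) for n in ORDER if k.get(n) is not None]
    published, active, seen = set(), set(), {}
    for t, _, name, tag in sorted(events):
        if t > now + length:
            break  # beyond the -l window: ignored and assumed correct
        check = t >= now  # earlier events only establish the current state
        seen[(tag, name)] = t
        if name == "publish":
            published.add(tag)
        elif name == "activate":
            # -d rule: the old DNSKEY RRset must expire before a new key signs
            if check and active and t - seen.get((tag, "publish"), t) < dnskey_ttl:
                warnings.append("key %d activated too soon after publication" % tag)
            active.add(tag)
        elif name == "inactive":
            active.discard(tag)
        else:
            # -m rule: data signed by this key must expire before it is purged
            if check and t - seen.get((tag, "inactive"), t) < max_ttl:
                warnings.append("key %d deleted too soon after inactivation" % tag)
            published.discard(tag)
            active.discard(tag)
        if check and name in ("inactive", "delete"):
            for label, pool in (("active", active), ("published", published)):
                if not pool:
                    warnings.append("no %s keys after key %d %s" % (label, tag, name))
    return warnings
```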
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater<p><span class="corpauthor">Internet Systems Consortium</span>