fa9e4066f08beec538e775443c5be79dd423fcabahrens<html>

fa9e4066f08beec538e775443c5be79dd423fcabahrens<head>

fa9e4066f08beec538e775443c5be79dd423fcabahrens<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

fa9e4066f08beec538e775443c5be79dd423fcabahrens<title>dnssec-coverage</title>

b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">

fa9e4066f08beec538e775443c5be79dd423fcabahrens<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">

fa9e4066f08beec538e775443c5be79dd423fcabahrens<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens<link rel="prev" href="man.dnssec-checkds.html" title="dnssec-checkds">

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens<link rel="next" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens</head>

fa9e4066f08beec538e775443c5be79dd423fcabahrens<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">

fa9e4066f08beec538e775443c5be79dd423fcabahrens<div class="navheader">

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat<table width="100%" summary="Navigation header">

fa9e4066f08beec538e775443c5be79dd423fcabahrens<tr><th colspan="3" align="center"><span class="application">dnssec-coverage</span></th></tr>

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens<tr>

fa9e4066f08beec538e775443c5be79dd423fcabahrens<td width="20%" align="left">

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens<a accesskey="p" href="man.dnssec-checkds.html">Prev</a>�</td>

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens<th width="60%" align="center">Manual pages</th>

fa9e4066f08beec538e775443c5be79dd423fcabahrens<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat</td>

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat</tr>

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat</table>

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat<hr>

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat</div>

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat<div class="refentry" lang="en">

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat<a name="man.dnssec-coverage"></a><div class="titlepage"></div>

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat<div class="refnamediv">

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat<h2>Name</h2>

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat<p><span class="application">dnssec-coverage</span> &#8212; checks future DNSKEY coverage for a zone</p>

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat</div>

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat<div class="refsynopsisdiv">

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat<h2>Synopsis</h2>

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat<div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>length</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [<code class="option">-k</code>] [<code class="option">-z</code>] [zone]</p></div>

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat</div>

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat<div class="refsect1" lang="en">

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat<a name="id2620899"></a><h2>DESCRIPTION</h2>

97322426b5359bb3ffd4527e1ad8b2c5f7dab832Darren J Moffat<p><span><strong class="command">dnssec-coverage</strong></span>

fa9e4066f08beec538e775443c5be79dd423fcabahrens verifies that the DNSSEC keys for a given zone or a set of zones

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens have timing metadata set properly to ensure no future lapses in DNSSEC

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens coverage.

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens </p>

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens<p>

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens If <code class="option">zone</code> is specified, then keys found in

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens the key repository matching that zone are scanned, and an ordered

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens list is generated of the events scheduled for that key (i.e.,

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens publication, activation, inactivation, deletion). The list of

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens events is walked in order of occurrence. Warnings are generated

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens if any event is scheduled which could cause the zone to enter a

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens state in which validation failures might occur: for example, if

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens the number of published or active keys for a given algorithm drops

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens to zero, or if a key is deleted from the zone too soon after a new

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens key is rolled, and cached data signed by the prior key has not had

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens time to expire from resolver caches.

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens </p>

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens<p>

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens If <code class="option">zone</code> is not specified, then all keys in the

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens key repository will be scanned, and all zones for which there are

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens keys will be analyzed. (Note: This method of reporting is only

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens accurate if all the zones that have keys in a given repository

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens share the same TTL parameters.)

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens </p>

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens</div>

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens<div class="refsect1" lang="en">

45818ee124adeaaf947698996b4f4c722afc6d1fMatthew Ahrens<a name="id2620925"></a><h2>OPTIONS</h2>

<div class="variablelist"><dl>

<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>

<dd><p>

Sets the directory in which keys can be found. Defaults to the

current working directory.

</p></dd>

<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>

<dd><p>

If a <code class="option">file</code> is specified, then the zone is

read from that file; the largest TTL and the DNSKEY TTL are

determined directly from the zone data, and the

<code class="option">-m</code> and <code class="option">-d</code> options do

not need to be specified on the command line.

</p></dd>

<dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>

<dd>

<p>

The length of time to check for DNSSEC coverage. Key events

scheduled further into the future than <code class="option">duration</code>

will be ignored, and assumed to be correct.

</p>

<p>

The value of <code class="option">duration</code> can be set in seconds,

or in larger units of time by adding a suffix: 'mi' for minutes,

'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,

'y' for years.

</p>

</dd>

<dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>

<dd>

<p>

Sets the value to be used as the maximum TTL for the zone or

zones being analyzed when determining whether there is a

possibility of validation failure. When a zone-signing key is

deactivated, there must be enough time for the record in the

zone with the longest TTL to have expired from resolver caches

before that key can be purged from the DNSKEY RRset. If that

condition does not apply, a warning will be generated.

</p>

<p>

The length of the TTL can be set in seconds, or in larger units

of time by adding a suffix: 'mi' for minutes, 'h' for hours,

'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.

</p>

<p>

This option is mandatory unless the <code class="option">-f</code> has

been used to specify a zone file. (If <code class="option">-f</code> has

been specified, this option may still be used; it will override

the value found in the file.)

</p>

</dd>

<dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>

<dd>

<p>

Sets the value to be used as the DNSKEY TTL for the zone or

zones being analyzed when determining whether there is a

possibility of validation failure. When a key is rolled (that

is, replaced with a new key), there must be enough time

for the old DNSKEY RRset to have expired from resolver caches

before the new key is activated and begins generating

signatures. If that condition does not apply, a warning

will be generated.

</p>

<p>

The length of the TTL can be set in seconds, or in larger units

of time by adding a suffix: 'mi' for minutes, 'h' for hours,

'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.

</p>

<p>

This option is mandatory unless the <code class="option">-f</code> has

been used to specify a zone file, or a default key TTL was

set with the <code class="option">-L</code> to

<span><strong class="command">dnssec-keygen</strong></span>. (If either of those is true,

this option may still be used; it will override the value found

in the zone or key file.)

</p>

</dd>

<dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>

<dd>

<p>

Sets the value to be used as the resign interval for the zone

or zones being analyzed when determining whether there is a

possibility of validation failure. This value defaults to

22.5 days, which is also the default in

<span><strong class="command">named</strong></span>. However, if it has been changed

by the <code class="option">sig-validity-interval</code> option in

<code class="filename">named.conf</code>, then it should also be

changed here.

</p>

<p>

The length of the interval can be set in seconds, or in larger

units of time by adding a suffix: 'mi' for minutes, 'h' for hours,

'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.

</p>

</dd>

<dt><span class="term">-k</span></dt>

<dd><p>

Only check KSK coverage; ignore ZSK events. Cannot be

used with <code class="option">-z</code>.

</p></dd>

<dt><span class="term">-z</span></dt>

<dd><p>

Only check ZSK coverage; ignore KSK events. Cannot be

used with <code class="option">-k</code>.

</p></dd>

<dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt>

<dd><p>

Specifies a path to a <span><strong class="command">named-compilezone</strong></span> binary.

Used for testing.

</p></dd>

</dl></div>

</div>

<div class="refsect1" lang="en">

<a name="id2621508"></a><h2>SEE ALSO</h2>

<p>

<span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>,

<span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,

<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,

<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>

</p>

</div>

<div class="refsect1" lang="en">

<a name="id2621552"></a><h2>AUTHOR</h2>

<p><span class="corpauthor">Internet Systems Consortium</span>

</p>

</div>

</div>

<div class="navfooter">

<hr>

<table width="100%" summary="Navigation footer">

<tr>

<td width="40%" align="left">

<a accesskey="p" href="man.dnssec-checkds.html">Prev</a>�</td>

<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>

<td width="40%" align="right">�<a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>

</td>

</tr>

<tr>

<td width="40%" align="left" valign="top">

<span class="application">dnssec-checkds</span>�</td>

<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>

<td width="40%" align="right" valign="top">�<span class="application">dnssec-dsfromkey</span>

</td>

</tr>

</table>

</div>

<p style="text-align: center;">BIND 9.11.0pre-alpha</p>

</body>

</html>