0N/A - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") 0N/A - Copyright (C) 2000-2003 Internet Software Consortium. 0N/A - Permission to use, copy, modify, and/or distribute this software for any 0N/A - purpose with or without fee is hereby granted, provided that the above 0N/A - copyright notice and this permission notice appear in all copies. 0N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 0N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 0N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 0N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 0N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 0N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 0N/A - PERFORMANCE OF THIS SOFTWARE. 0N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
0N/A<
title>dnssec-coverage</
title>
0N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
0N/A<
link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
1182N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
0N/A<
div class="navheader">
0N/A<
table width="100%" summary="Navigation header">
0N/A<
tr><
th colspan="3" align="center"><
span class="application">dnssec-coverage</
span></
th></
tr>
0N/A<
td width="20%" align="left">
0N/A<
th width="60%" align="center">Manual pages</
th>
4802N/A<
div class="refentry" lang="en">
0N/A<
div class="refnamediv">
4802N/A<
p><
span class="application">dnssec-coverage</
span> — checks future DNSKEY coverage for a zone</
p>
0N/A<
div class="refsynopsisdiv">
0N/A<
div class="cmdsynopsis"><
p><
code class="command">dnssec-coverage</
code> [<
code class="option">-K <
em class="replaceable"><
code>directory</
code></
em></
code>] [<
code class="option">-l <
em class="replaceable"><
code>length</
code></
em></
code>] [<
code class="option">-f <
em class="replaceable"><
code>file</
code></
em></
code>] [<
code class="option">-d <
em class="replaceable"><
code>DNSKEY TTL</
code></
em></
code>] [<
code class="option">-m <
em class="replaceable"><
code>max TTL</
code></
em></
code>] [<
code class="option">-r <
em class="replaceable"><
code>interval</
code></
em></
code>] [<
code class="option">-c <
em class="replaceable"><
code>compilezone path</
code></
em></
code>] [<
code class="option">-k</
code>] [<
code class="option">-z</
code>] [zone]</
p></
div>
4802N/A<
div class="refsect1" lang="en">
560N/A<
a name="id2618526"></
a><
h2>DESCRIPTION</
h2>
0N/A<
p><
span><
strong class="command">dnssec-coverage</
strong></
span>
0N/A verifies that the DNSSEC keys for a given zone or a set of zones
0N/A have timing metadata set properly to ensure no future lapses in DNSSEC
560N/A If <
code class="option">zone</
code> is specified, then keys found in
560N/A the key repository matching that zone are scanned, and an ordered
560N/A list is generated of the events scheduled for that key (
i.e.,
560N/A publication, activation, inactivation, deletion). The list of
4802N/A events is walked in order of occurrence. Warnings are generated
560N/A if any event is scheduled which could cause the zone to enter a
560N/A state in which validation failures might occur: for example, if
4802N/A the number of published or active keys for a given algorithm drops
560N/A to zero, or if a key is deleted from the zone too soon after a new
560N/A key is rolled, and cached data signed by the prior key has not had
560N/A time to expire from resolver caches.
560N/A If <
code class="option">zone</
code> is not specified, then all keys in the
560N/A key repository will be scanned, and all zones for which there are
560N/A keys will be analyzed. (Note: This method of reporting is only
560N/A accurate if all the zones that have keys in a given repository
560N/A share the same TTL parameters.)
0N/A<
div class="refsect1" lang="en">
0N/A<
a name="id2618553"></
a><
h2>OPTIONS</
h2>
0N/A<
div class="variablelist"><
dl>
1367N/A<
dt><
span class="term">-K <
em class="replaceable"><
code>directory</
code></
em></
span></
dt>
0N/A Sets the directory in which keys can be found. Defaults to the
0N/A<
dt><
span class="term">-f <
em class="replaceable"><
code>file</
code></
em></
span></
dt>
0N/A If a <
code class="option">file</
code> is specified, then the zone is
0N/A read from that file; the largest TTL and the DNSKEY TTL are
0N/A determined directly from the zone data, and the
0N/A <
code class="option">-m</
code> and <
code class="option">-d</
code> options do
0N/A not need to be specified on the command line.
4312N/A<
dt><
span class="term">-l <
em class="replaceable"><
code>duration</
code></
em></
span></
dt>
560N/A The length of time to check for DNSSEC coverage. Key events
0N/A scheduled further into the future than <
code class="option">duration</
code>
4312N/A will be ignored, and assumed to be correct.
0N/A The value of <
code class="option">duration</
code> can be set in seconds,
4312N/A or in larger units of time by adding a suffix: 'mi' for minutes,
4312N/A 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
3324N/A<
dt><
span class="term">-m <
em class="replaceable"><
code>maximum TTL</
code></
em></
span></
dt>
0N/A Sets the value to be used as the maximum TTL for the zone or
0N/A zones being analyzed when determining whether there is a
0N/A possibility of validation failure. When a zone-signing key is
0N/A deactivated, there must be enough time for the record in the
0N/A zone with the longest TTL to have expired from resolver caches
0N/A before that key can be purged from the DNSKEY RRset. If that
0N/A condition does not apply, a warning will be generated.
5382N/A The length of the TTL can be set in seconds, or in larger units
5382N/A of time by adding a suffix: 'mi' for minutes, 'h' for hours,
5382N/A 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
3324N/A This option is mandatory unless the <
code class="option">-f</
code> has
3324N/A been used to specify a zone file. (If <
code class="option">-f</
code> has
3324N/A been specified, this option may still be used; it will override
0N/A the value found in the file.)
4558N/A<
dt><
span class="term">-d <
em class="replaceable"><
code>DNSKEY TTL</
code></
em></
span></
dt>
3324N/A Sets the value to be used as the DNSKEY TTL for the zone or
0N/A zones being analyzed when determining whether there is a
0N/A possibility of validation failure. When a key is rolled (that
0N/A is, replaced with a new key), there must be enough time
4558N/A for the old DNSKEY RRset to have expired from resolver caches
4558N/A before the new key is activated and begins generating
4088N/A signatures. If that condition does not apply, a warning
4558N/A The length of the TTL can be set in seconds, or in larger units
4558N/A of time by adding a suffix: 'mi' for minutes, 'h' for hours,
4558N/A 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
4558N/A This option is mandatory unless the <
code class="option">-f</
code> has
4558N/A been used to specify a zone file, or a default key TTL was
4558N/A set with the <
code class="option">-L</
code> to
4558N/A <
span><
strong class="command">dnssec-keygen</
strong></
span>. (If either of those is true,
4558N/A this option may still be used; it will override the value found
4558N/A<
dt><
span class="term">-r <
em class="replaceable"><
code>resign interval</
code></
em></
span></
dt>
4558N/A Sets the value to be used as the resign interval for the zone
0N/A or zones being analyzed when determining whether there is a
possibility of validation failure. This value defaults to
22.5 days, which is also the default in
<
span><
strong class="command">named</
strong></
span>. However, if it has been changed
by the <
code class="option">sig-validity-interval</
code> option in
<
code class="filename">
named.conf</
code>, then it should also be
The length of the interval can be set in seconds, or in larger
units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
<
dt><
span class="term">-k</
span></
dt>
Only check KSK coverage; ignore ZSK events. Cannot be
used with <
code class="option">-z</
code>.
<
dt><
span class="term">-z</
span></
dt>
Only check ZSK coverage; ignore KSK events. Cannot be
used with <
code class="option">-k</
code>.
<
dt><
span class="term">-c <
em class="replaceable"><
code>compilezone path</
code></
em></
span></
dt>
Specifies a path to a <
span><
strong class="command">named-compilezone</
strong></
span> binary.
<
div class="refsect1" lang="en">
<
a name="id2619204"></
a><
h2>SEE ALSO</
h2>
<
span class="citerefentry"><
span class="refentrytitle">dnssec-checkds</
span>(8)</
span>,
<
span class="citerefentry"><
span class="refentrytitle">dnssec-dsfromkey</
span>(8)</
span>,
<
span class="citerefentry"><
span class="refentrytitle">dnssec-keygen</
span>(8)</
span>,
<
span class="citerefentry"><
span class="refentrytitle">dnssec-signzone</
span>(8)</
span>
<
div class="refsect1" lang="en">
<
a name="id2619248"></
a><
h2>AUTHOR</
h2>
<
p><
span class="corpauthor">Internet Systems Consortium</
span>
<
table width="100%" summary="Navigation footer">
<
td width="40%" align="left">
<
td width="20%" align="center"><
a accesskey="u" href="Bv9ARM.ch13.html">Up</
a></
td>
<
td width="40%" align="left" valign="top">
<
span class="application">dnssec-checkds</
span>�</
td>
<
td width="20%" align="center"><
a accesskey="h" href="Bv9ARM.html">Home</
a></
td>
<
td width="40%" align="right" valign="top">�<
span class="application">dnssec-dsfromkey</
span>
<
p style="text-align: center;">BIND 9.11.0pre-alpha</
p>