man.dnssec-coverage.html revision ef8014e56f35bb36daa5fd2c313f5e7963e97aa1
<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-checkds.html" title="dnssec-checkds">
<link rel="next" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center"><span class="application">dnssec-coverage</span></th></tr>
<a accesskey="p" href="man.dnssec-checkds.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>
<a name="man.dnssec-coverage"></a><div class="titlepage"></div>
<p><span class="application">dnssec-coverage</span> — checks future DNSKEY coverage for a zone</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>length</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [<code class="option">-k</code>] [<code class="option">-z</code>] [zone]</p></div>
<p><span><strong class="command">dnssec-coverage</strong></span>
 verifies that the DNSSEC keys for a given zone or a set of zones
 have timing metadata set properly to ensure no future lapses in DNSSEC
 coverage.</p>
<p>If <code class="option">zone</code> is specified, then keys found in
 the key repository matching that zone are scanned, and an ordered
 list is generated of the events scheduled for each key (i.e.,
 publication, activation, inactivation, deletion). The list of
 events is walked in order of occurrence. Warnings are generated
 if any event is scheduled which could cause the zone to enter a
 state in which validation failures might occur: for example, if
 the number of published or active keys for a given algorithm drops
 to zero, or if a key is deleted from the zone too soon after a new
 key is rolled, so that cached data signed by the prior key has not had
 time to expire from resolver caches.</p>
<p>If <code class="option">zone</code> is not specified, then all keys in the
 key repository will be scanned, and all zones for which there are
 keys will be analyzed. (Note: This method of reporting is only
 accurate if all the zones that have keys in a given repository
 share the same TTL parameters.)
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 Sets the directory in which keys can be found. Defaults to the
 current working directory.
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 If a <code class="option">file</code> is specified, then the zone is
 read from that file; the largest TTL and the DNSKEY TTL are
 determined directly from the zone data, and the
 <code class="option">-m</code> and <code class="option">-d</code> options do
 not need to be specified on the command line.
<dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>
 The length of time to check for DNSSEC coverage. Key events
 scheduled further into the future than <code class="option">duration</code>
 will be ignored, and assumed to be correct.
 The value of <code class="option">duration</code> can be set in seconds,
 or in larger units of time by adding a suffix: 'mi' for minutes,
 'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
 'y' for years.
<dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
 Sets the value to be used as the maximum TTL for the zone or
 zones being analyzed when determining whether there is a
 possibility of validation failure. When a zone-signing key is
 deactivated, there must be enough time for the record in the
 zone with the longest TTL to have expired from resolver caches
 before that key can be purged from the DNSKEY RRset. If that
 condition does not apply, a warning will be generated.
 The length of the TTL can be set in seconds, or in larger units
 of time by adding a suffix: 'mi' for minutes, 'h' for hours,
 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
 This option is mandatory unless the <code class="option">-f</code> option has
 been used to specify a zone file. (If <code class="option">-f</code> has
 been specified, this option may still be used; it will override
 the value found in the file.)
<dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
 Sets the value to be used as the DNSKEY TTL for the zone or
 zones being analyzed when determining whether there is a
 possibility of validation failure. When a key is rolled (that
 is, replaced with a new key), there must be enough time
 for the old DNSKEY RRset to have expired from resolver caches
 before the new key is activated and begins generating