4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<!--
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix -
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix - This Source Code Form is subject to the terms of the Mozilla Public
9dc68827cbd515262ecb8d5ae8547d9e82c72e00Jon A. Cruz - License, v. 2.0. If a copy of the MPL was not distributed with this
9dc68827cbd515262ecb8d5ae8547d9e82c72e00Jon A. Cruz - file, You can obtain one at http://mozilla.org/MPL/2.0/.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix-->
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<html lang="en">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<head>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<title>dnssec-keymgr</title>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
47badd0035ae8c9135c51444f3770b17ae504ddaAlex Valavanis</head>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
e711b02fbbe0b7d07102ebdd63b05027d6f8af47Maximilian Albert<div class="refentry">
e711b02fbbe0b7d07102ebdd63b05027d6f8af47Maximilian Albert<a name="man.dnssec-keymgr"></a><div class="titlepage"></div>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert <div class="refnamediv">
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert<h2>Name</h2>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert<p>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert <span class="application">dnssec-keymgr</span>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert &#8212; Ensures correct DNSKEY coverage for a zone based on a defined policy
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert </p>
a2e796b608034e2c62290378d713058b8b58ef8fMarkus Engel</div>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <div class="refsynopsisdiv">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<h2>Synopsis</h2>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <div class="cmdsynopsis"><p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <code class="command">dnssec-keymgr</code>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix [<code class="option">-c <em class="replaceable"><code>file</code></em></code>]
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix [<code class="option">-f</code>]
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix [<code class="option">-k</code>]
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix [<code class="option">-q</code>]
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix [<code class="option">-v</code>]
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix [<code class="option">-z</code>]
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix [<code class="option">-g <em class="replaceable"><code>path</code></em></code>]
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix [<code class="option">-r <em class="replaceable"><code>path</code></em></code>]
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix [<code class="option">-s <em class="replaceable"><code>path</code></em></code>]
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix [zone...]
f4dbc5a10ebf95900d1ef56d74aad0474e159370Markus Engel </p></div>
f4dbc5a10ebf95900d1ef56d74aad0474e159370Markus Engel </div>
f4dbc5a10ebf95900d1ef56d74aad0474e159370Markus Engel
f4dbc5a10ebf95900d1ef56d74aad0474e159370Markus Engel <div class="refsection">
f4dbc5a10ebf95900d1ef56d74aad0474e159370Markus Engel<a name="id-1.14.13.7"></a><h2>DESCRIPTION</h2>
f4dbc5a10ebf95900d1ef56d74aad0474e159370Markus Engel <p>
f4dbc5a10ebf95900d1ef56d74aad0474e159370Markus Engel <span class="command"><strong>dnssec-keymgr</strong></span> is a high level Python wrapper
a2e796b608034e2c62290378d713058b8b58ef8fMarkus Engel to facilitate the key rollover process for zones handled by
a2e796b608034e2c62290378d713058b8b58ef8fMarkus Engel BIND. It uses the BIND commands for manipulating DNSSEC key
a2e796b608034e2c62290378d713058b8b58ef8fMarkus Engel metadata: <span class="command"><strong>dnssec-keygen</strong></span> and
f4dbc5a10ebf95900d1ef56d74aad0474e159370Markus Engel <span class="command"><strong>dnssec-settime</strong></span>.
54ad9fc9cd6da88557d0dcd6c17eb47c7bbb5551Markus Engel </p>
7ab987fc3c5f568cfe40eccfe8a4f4ecc8c0006cMarkus Engel <p>
7ab987fc3c5f568cfe40eccfe8a4f4ecc8c0006cMarkus Engel DNSSEC policy can be read from a configuration file (default
f4dbc5a10ebf95900d1ef56d74aad0474e159370Markus Engel <code class="filename">/etc/dnssec-policy.conf</code>), from which the key
f4dbc5a10ebf95900d1ef56d74aad0474e159370Markus Engel parameters, publication and rollover schedule, and desired
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert coverage duration for any given zone can be determined. This
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix file may be used to define individual DNSSEC policies on a
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix per-zone basis, or to set a default policy used for all zones.
a2e796b608034e2c62290378d713058b8b58ef8fMarkus Engel </p>
a2e796b608034e2c62290378d713058b8b58ef8fMarkus Engel <p>
a2e796b608034e2c62290378d713058b8b58ef8fMarkus Engel When <span class="command"><strong>dnssec-keymgr</strong></span> runs, it examines the DNSSEC
a2e796b608034e2c62290378d713058b8b58ef8fMarkus Engel keys for one or more zones, comparing their timing metadata against
a2e796b608034e2c62290378d713058b8b58ef8fMarkus Engel the policies for those zones. If key settings do not conform to the
a2e796b608034e2c62290378d713058b8b58ef8fMarkus Engel DNSSEC policy (for example, because the policy has been changed),
a2e796b608034e2c62290378d713058b8b58ef8fMarkus Engel they are automatically corrected.
a2e796b608034e2c62290378d713058b8b58ef8fMarkus Engel </p>
a2e796b608034e2c62290378d713058b8b58ef8fMarkus Engel <p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix A zone policy can specify a duration for which we want to
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix ensure the key correctness (<code class="option">coverage</code>). It can
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix also specify a rollover period (<code class="option">roll-period</code>).
51dc158adbe2c9d1df3c941cbf78b90944d1afc2Markus Engel If policy indicates that a key should roll over before the
51dc158adbe2c9d1df3c941cbf78b90944d1afc2Markus Engel coverage period ends, then a successor key will automatically be
f4dbc5a10ebf95900d1ef56d74aad0474e159370Markus Engel created and added to the end of the key series.
f4dbc5a10ebf95900d1ef56d74aad0474e159370Markus Engel </p>
f4dbc5a10ebf95900d1ef56d74aad0474e159370Markus Engel <p>
          If zones are specified on the command line,
          <span class="command"><strong>dnssec-keymgr</strong></span> will examine only those zones.
          If a specified zone does not already have keys in place, then
          keys will be generated for it according to policy. Check zone
          names carefully: a mistyped zone name results in a new key set
          being generated for the misspelled name rather than an error.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix If zones are <span class="emphasis"><em>not</em></span> specified on the command
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix line, then <span class="command"><strong>dnssec-keymgr</strong></span> will search the
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix key directory (either the current working directory or the directory
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix set by the <code class="option">-K</code> option), and check the keys for
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix all the zones represented in the directory.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </p>
        <p>
          It is expected that this tool will be run automatically and
          unattended (for example, by <span class="command"><strong>cron</strong></span>).
          Because it creates and modifies private key material, it should
          be run as the account that owns the key directory rather than as
          a more privileged user, and the private key files it manages
          should be readable only by that account.
        </p>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert </div>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert
60282e8335d7b6ae7020613bb22c7c69a6909fbbJon A. Cruz <div class="refsection">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<a name="id-1.14.13.8"></a><h2>OPTIONS</h2>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <div class="variablelist"><dl class="variablelist">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dt><span class="term">-c <em class="replaceable"><code>file</code></em></span></dt>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
            If <code class="option">-c</code> is specified, then the DNSSEC
            policy is read from <code class="option">file</code>. (If not
            specified, then the policy is read from
            <code class="filename">/etc/dnssec-policy.conf</code>; if that file
            doesn't exist, a built-in global default policy is used.)
            Because the policy file determines the key algorithms, key
            sizes and rollover timing used for every zone, it should be
            writable only by an administrator.
f4dbc5a10ebf95900d1ef56d74aad0474e159370Markus Engel </p>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert </dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dt><span class="term">-f</span></dt>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
            Force: allow updating of key events even if they are
            already in the past. This is not recommended for use with
            zones in which keys have already been published, because
            rewriting the timing metadata of keys that are already being
            served can leave the DNSKEY RRset and signatures held in
            resolver caches out of step with the zone, risking validation
            failures. However, if a set of keys has been generated all of
            which have publication and activation dates in the past, but
            the keys have not been published in a zone as yet, then this
            option can be used to clean them up and turn them into a
            proper series of keys with appropriate rollover intervals.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </p>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert </dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dt><span class="term">-g <em class="replaceable"><code>keygen-path</code></em></span></dt>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
            Specifies a path to a <span class="command"><strong>dnssec-keygen</strong></span> binary.
            Used for testing. Since <span class="command"><strong>dnssec-keymgr</strong></span>
            executes whatever binary is named here, typically unattended,
            point it only at a trusted path that untrusted users cannot write to.
            See also the <code class="option">-s</code> option.
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert </p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dt><span class="term">-h</span></dt>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix Print the <span class="command"><strong>dnssec-keymgr</strong></span> help summary
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix and exit.
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert </p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
51dc158adbe2c9d1df3c941cbf78b90944d1afc2Markus Engel Sets the directory in which keys can be found. Defaults to the
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix current working directory.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dt><span class="term">-k</span></dt>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix Only apply policies to KSK keys.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix See also the <code class="option">-z</code> option.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dt><span class="term">-q</span></dt>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
            Quiet: suppress printing of the <span class="command"><strong>dnssec-keygen</strong></span>
            and <span class="command"><strong>dnssec-settime</strong></span> commands that
            <span class="command"><strong>dnssec-keymgr</strong></span> runs.
51dc158adbe2c9d1df3c941cbf78b90944d1afc2Markus Engel </p>
ab026a45b1869d884ee3f0af690c3879b76425e8JucaBlues </dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
            Specifies a path to a file containing random data.
            This is passed to the <span class="command"><strong>dnssec-keygen</strong></span> binary
            using its <code class="option">-r</code> option. The strength of
            every key generated depends on this source: name only a genuine
            entropy device here, never a regular file with predictable contents.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </p>
9dc68827cbd515262ecb8d5ae8547d9e82c72e00Jon A. Cruz </dd>
07b7f1aaaf1087716e784a50cf574a059f7018d3Jon A. Cruz<dt><span class="term">-s <em class="replaceable"><code>settime-path</code></em></span></dt>
9dc68827cbd515262ecb8d5ae8547d9e82c72e00Jon A. Cruz<dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
            Specifies a path to a <span class="command"><strong>dnssec-settime</strong></span> binary.
            Used for testing. As with <code class="option">-g</code>, the named
            binary is executed by <span class="command"><strong>dnssec-keymgr</strong></span>,
            so it should be a trusted path that untrusted users cannot write to.
            See also the <code class="option">-g</code> option.
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert </p>
aa90355b5205dca29912b439ac9fde6ffa4d8989cilix </dd>
2b635337710b879262acf4906dd85ee99b69f474Abhishek Sharma Public<dt><span class="term">-v</span></dt>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert<dd>
2b635337710b879262acf4906dd85ee99b69f474Abhishek Sharma Public <p>
2b635337710b879262acf4906dd85ee99b69f474Abhishek Sharma Public Print the <span class="command"><strong>dnssec-keymgr</strong></span> version and exit.
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert </p>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert </dd>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert<dt><span class="term">-z</span></dt>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert<dd>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert <p>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert Only apply policies to ZSK keys.
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert See also the <code class="option">-k</code> option.
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert </p>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert </dd>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert</dl></div>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert </div>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert <div class="refsection">
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert<a name="id-1.14.13.9"></a><h2>POLICY CONFIGURATION</h2>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert <p>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert The <code class="filename">dnssec-policy.conf</code> file can specify three kinds
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert of policies:
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert </p>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert<li class="listitem">
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert <p>
            <span class="emphasis"><em>Policy classes</em></span>
            (<code class="option">policy <em class="replaceable"><code>name</code></em> { ... };</code>)
            can be inherited by zone policies or other policy classes; these
            can be used to create sets of different security profiles. For
            example, a policy class <strong class="userinput"><code>normal</code></strong> might specify
            1024-bit key sizes, but a class <strong class="userinput"><code>extra</code></strong> might
            specify 2048 bits instead; <strong class="userinput"><code>extra</code></strong> would be
            used for zones that had unusually high security needs. (This
            example illustrates class inheritance, not a recommended size:
            1024-bit RSA keys are smaller than the 2048-bit default this tool
            applies and below current general guidance for RSA key sizes.)
9dc68827cbd515262ecb8d5ae8547d9e82c72e00Jon A. Cruz </p>
9dc68827cbd515262ecb8d5ae8547d9e82c72e00Jon A. Cruz </li>
9dc68827cbd515262ecb8d5ae8547d9e82c72e00Jon A. Cruz<li class="listitem">
07b7f1aaaf1087716e784a50cf574a059f7018d3Jon A. Cruz <p>
793350428bfc8e69ecfe65fa638afe4acb1acdd9cilix Algorithm policies:
9dc68827cbd515262ecb8d5ae8547d9e82c72e00Jon A. Cruz (<code class="option">algorithm-policy <em class="replaceable"><code>algorithm</code></em> { ... };</code> )
793350428bfc8e69ecfe65fa638afe4acb1acdd9cilix override default per-algorithm settings. For example, by default,
793350428bfc8e69ecfe65fa638afe4acb1acdd9cilix RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
9dc68827cbd515262ecb8d5ae8547d9e82c72e00Jon A. Cruz can be modified using <span class="command"><strong>algorithm-policy</strong></span>, and the
793350428bfc8e69ecfe65fa638afe4acb1acdd9cilix new key sizes would then be used for any key of type RSASHA256.
793350428bfc8e69ecfe65fa638afe4acb1acdd9cilix </p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </li>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<li class="listitem">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
51dc158adbe2c9d1df3c941cbf78b90944d1afc2Markus Engel Zone policies:
f4dbc5a10ebf95900d1ef56d74aad0474e159370Markus Engel (<code class="option">zone <em class="replaceable"><code>name</code></em> { ... };</code> )
f4dbc5a10ebf95900d1ef56d74aad0474e159370Markus Engel set policy for a single zone by name. A zone policy can inherit
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert a policy class by including a <code class="option">policy</code> option.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </p>
a46424e0405b8e0eb958a49328effd2327660e4ecilix </li>
850cbc29823aa92a03e97caba1e3102b53d7c833cilix</ul></div>
850cbc29823aa92a03e97caba1e3102b53d7c833cilix <p>
850cbc29823aa92a03e97caba1e3102b53d7c833cilix Options that can be specified in policies:
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <div class="variablelist"><dl class="variablelist">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dt><span class="term"><span class="command"><strong>algorithm</strong></span></span></dt>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dd>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert <p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix The key algorithm. If no policy is defined, the default is
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix RSASHA256.
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert </p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dt><span class="term"><span class="command"><strong>coverage</strong></span></span></dt>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert<dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix The length of time to ensure that keys will be correct; no action
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert will be taken to create new keys to be activated after this time.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix This can be represented as a number of seconds, or as a duration using
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix human-readable units (examples: "1y" or "6 months").
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix A default value for this option can be set in algorithm policies
51dc158adbe2c9d1df3c941cbf78b90944d1afc2Markus Engel as well as in policy classes or zone policies.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix If no policy is configured, the default is six months.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dd>
c4ae5c46c1d9c171f96e47e81f2f0f5f0e189547cilix <p>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert Specifies the directory in which keys should be stored.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dt><span class="term"><span class="command"><strong>key-size</strong></span></span></dt>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
            Specifies the number of bits to use in creating keys.
            Takes two arguments: keytype (either "zsk" or "ksk") and size.
            A default value for this option can be set in algorithm policies
            as well as in policy classes or zone policies. If no policy is
            configured, the default is 1024 bits for DSA keys and 2048 for
            RSA. (DSA keys in DNSSEC are limited to 1024 bits and DSA is
            generally not recommended for new deployments; the RSASHA256
            default is preferable.)
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </p>
c4ae5c46c1d9c171f96e47e81f2f0f5f0e189547cilix </dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dt><span class="term"><span class="command"><strong>keyttl</strong></span></span></dt>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix The key TTL. If no policy is defined, the default is one hour.
c4ae5c46c1d9c171f96e47e81f2f0f5f0e189547cilix </p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </dd>
c4ae5c46c1d9c171f96e47e81f2f0f5f0e189547cilix<dt><span class="term"><span class="command"><strong>post-publish</strong></span></span></dt>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
            How long after inactivation a key should be deleted from the zone.
            Note: If <code class="option">roll-period</code> is not set, this value is
            ignored. Takes two arguments: keytype (either "zsk" or "ksk") and a
            duration. A default value for this option can be set in algorithm
            policies as well as in policy classes or zone policies. The default
            is one month.
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert </p>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert </dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dt><span class="term"><span class="command"><strong>pre-publish</strong></span></span></dt>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix How long before activation a key should be published. Note: If
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert <code class="option">roll-period</code> is not set, this value is ignored.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix A default value for this option can be set in algorithm policies
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix as well as in policy classes or zone policies. The default is
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix one month.
60282e8335d7b6ae7020613bb22c7c69a6909fbbJon A. Cruz </p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </dd>
9dc68827cbd515262ecb8d5ae8547d9e82c72e00Jon A. Cruz<dt><span class="term"><span class="command"><strong>roll-period</strong></span></span></dt>
9dc68827cbd515262ecb8d5ae8547d9e82c72e00Jon A. Cruz<dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
            How frequently keys should be rolled over.
            Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
            A default value for this option can be set in algorithm policies
            as well as in policy classes or zone policies. If no policy is
            configured, the default is one year for ZSKs. KSKs do not
            roll over by default, because a KSK rollover also requires a
            matching DS record to be published in the parent zone, which
            this tool does not yet coordinate (see REMAINING WORK). If a
            KSK roll-period is configured, the parent DS update must be
            arranged separately before the old KSK is retired, or the zone
            will fail validation.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </dd>
9dc68827cbd515262ecb8d5ae8547d9e82c72e00Jon A. Cruz<dt><span class="term"><span class="command"><strong>standby</strong></span></span></dt>
9dc68827cbd515262ecb8d5ae8547d9e82c72e00Jon A. Cruz<dd>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix Not yet implemented.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </dd>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert</dl></div>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </div>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <div class="refsection">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<a name="id-1.14.13.10"></a><h2>REMAINING WORK</h2>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<li class="listitem">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert Enable scheduling of KSK rollovers using the <code class="option">-P sync</code>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix and <code class="option">-D sync</code> options to
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <span class="command"><strong>dnssec-keygen</strong></span> and
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <span class="command"><strong>dnssec-settime</strong></span>. Check the parent zone
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert (as in <span class="command"><strong>dnssec-checkds</strong></span>) to determine when it's
c4ae5c46c1d9c171f96e47e81f2f0f5f0e189547cilix safe for the key to roll.
c4ae5c46c1d9c171f96e47e81f2f0f5f0e189547cilix </p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </li>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert<li class="listitem">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix Allow configuration of standby keys and use of the REVOKE bit,
60282e8335d7b6ae7020613bb22c7c69a6909fbbJon A. Cruz for keys that use RFC 5011 semantics.
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </li>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix</ul></div>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert </div>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <div class="refsection">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<a name="id-1.14.13.11"></a><h2>SEE ALSO</h2>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <p>
d37634d73670180f99a3e0ea583621373d90ec4fJohan Engelen <span class="citerefentry">
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert <span class="refentrytitle">dnssec-coverage</span>(8)
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </span>,
60282e8335d7b6ae7020613bb22c7c69a6909fbbJon A. Cruz <span class="citerefentry">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <span class="refentrytitle">dnssec-keygen</span>(8)
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </span>,
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <span class="citerefentry">
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert <span class="refentrytitle">dnssec-settime</span>(8)
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </span>,
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert <span class="citerefentry">
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix <span class="refentrytitle">dnssec-checkds</span>(8)
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </span>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </p>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix </div>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert</div>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.2b1</p>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert</body>
fce046713c4cb905f38bf489cc4a73af425f3037Maximilian Albert</html>
4358ff6156766a315e38e72a5c3c83d6d5f7486bcilix