d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<!--
32098293b78922a5fbd10906afa28624820d3756Tinderbox User - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt -
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt - This Source Code Form is subject to the terms of the Mozilla Public
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt - License, v. 2.0. If a copy of the MPL was not distributed with this
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt - file, You can obtain one at http://mozilla.org/MPL/2.0/.
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt-->
d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews<html lang="en">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<head>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<title>dnssec-keymgr</title>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</head>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<div class="navheader">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<table width="100%" summary="Navigation header">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<tr><th colspan="3" align="center"><span class="application">dnssec-keymgr</span></th></tr>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<tr>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<td width="20%" align="left">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<a accesskey="p" href="man.dnssec-keygen.html">Prev</a>&nbsp;</td>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<th width="60%" align="center">Manual pages</th>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-revoke.html">Next</a>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</td>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</tr>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</table>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<hr>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</div>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<div class="refentry">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<a name="man.dnssec-keymgr"></a><div class="titlepage"></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="refnamediv">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<h2>Name</h2>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="application">dnssec-keymgr</span>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User &#8212; Ensures correct DNSKEY coverage for a zone based on a defined policy
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="refsynopsisdiv">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<h2>Synopsis</h2>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="cmdsynopsis"><p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <code class="command">dnssec-keymgr</code>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User [<code class="option">-c <em class="replaceable"><code>file</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User [<code class="option">-f</code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User [<code class="option">-k</code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User [<code class="option">-q</code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User [<code class="option">-v</code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User [<code class="option">-z</code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User [<code class="option">-g <em class="replaceable"><code>path</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User [<code class="option">-r <em class="replaceable"><code>path</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User [<code class="option">-s <em class="replaceable"><code>path</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User [zone...]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="refsection">
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User<a name="id-1.14.13.7"></a><h2>DESCRIPTION</h2>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt <span class="command"><strong>dnssec-keymgr</strong></span> is a high level Python wrapper
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt to facilitate the key rollover process for zones handled by
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt BIND. It uses the BIND commands for manipulating DNSSEC key
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt metadata: <span class="command"><strong>dnssec-keygen</strong></span> and
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt <span class="command"><strong>dnssec-settime</strong></span>.
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt DNSSEC policy can be read from a configuration file (default
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User <code class="filename">/etc/dnssec-policy.conf</code>), from which the key
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt parameters, publication and rollover schedule, and desired
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt coverage duration for any given zone can be determined. This
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt file may be used to define individual DNSSEC policies on a
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt per-zone basis, or to set a default policy used for all zones.
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt When <span class="command"><strong>dnssec-keymgr</strong></span> runs, it examines the DNSSEC
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt keys for one or more zones, comparing their timing metadata against
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt the policies for those zones. If key settings do not conform to the
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt DNSSEC policy (for example, because the policy has been changed),
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt they are automatically corrected.
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt A zone policy can specify a duration for which key correctness
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt is to be ensured (<code class="option">coverage</code>). It can
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt also specify a rollover period (<code class="option">roll-period</code>).
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt If policy indicates that a key should roll over before the
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt coverage period ends, then a successor key will automatically be
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt created and added to the end of the key series.
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt If zones are specified on the command line,
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt <span class="command"><strong>dnssec-keymgr</strong></span> will examine only those zones.
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt If a specified zone does not already have keys in place, then
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt keys will be generated for it according to policy.
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt If zones are <span class="emphasis"><em>not</em></span> specified on the command
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt line, then <span class="command"><strong>dnssec-keymgr</strong></span> will search the
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt key directory (either the current working directory or the directory
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt set by the <code class="option">-K</code> option), and check the keys for
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt all the zones represented in the directory.
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt It is expected that this tool will be run automatically and
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt unattended (for example, by <span class="command"><strong>cron</strong></span>).
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="refsection">
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User<a name="id-1.14.13.8"></a><h2>OPTIONS</h2>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="variablelist"><dl class="variablelist">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term">-c <em class="replaceable"><code>file</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User <p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User If <code class="option">-c</code> is specified, then the DNSSEC
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User policy is read from <code class="option">file</code>. (If not
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User specified, then the policy is read from
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User <code class="filename">/etc/dnssec-policy.conf</code>; if that file
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User doesn't exist, a built-in global default policy is used.)
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term">-f</span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User <p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User Force: allow updating of key events even if they are
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User already in the past. This is not recommended for use with
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User zones in which keys have already been published. However,
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User if a set of keys has been generated all of which have
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User publication and activation dates in the past, but the
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User keys have not been published in a zone as yet, then this
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User option can be used to clean them up and turn them into a
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User proper series of keys with appropriate rollover intervals.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term">-g <em class="replaceable"><code>keygen-path</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User <p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User Specifies a path to a <span class="command"><strong>dnssec-keygen</strong></span> binary.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User Used for testing.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User See also the <code class="option">-s</code> option.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term">-h</span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User <p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User Print the <span class="command"><strong>dnssec-keymgr</strong></span> help summary
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User and exit.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User <p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User Sets the directory in which keys can be found. Defaults to the
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User current working directory.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term">-k</span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User <p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User Only apply policies to KSK keys.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User See also the <code class="option">-z</code> option.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term">-q</span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User <p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User Quiet: suppress printing of <span class="command"><strong>dnssec-keygen</strong></span>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User and <span class="command"><strong>dnssec-settime</strong></span>.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User <p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User Specifies a path to a file containing random data.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User This is passed to the <span class="command"><strong>dnssec-keygen</strong></span> binary
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User using its <code class="option">-r</code> option.
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term">-s <em class="replaceable"><code>settime-path</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User <p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User Specifies a path to a <span class="command"><strong>dnssec-settime</strong></span> binary.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User Used for testing.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User See also the <code class="option">-g</code> option.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term">-v</span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt Print the <span class="command"><strong>dnssec-keymgr</strong></span> version and exit.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term">-z</span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User <p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User Only apply policies to ZSK keys.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User See also the <code class="option">-k</code> option.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</dl></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="refsection">
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User<a name="id-1.14.13.9"></a><h2>POLICY CONFIGURATION</h2>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User The <code class="filename">dnssec-policy.conf</code> file can specify three kinds
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt of policies:
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt <span class="emphasis"><em>Policy classes</em></span>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt (<code class="option">policy <em class="replaceable"><code>name</code></em> { ... };</code>)
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt can be inherited by zone policies or other policy classes; these
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt can be used to create sets of different security profiles. For
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt example, a policy class <strong class="userinput"><code>normal</code></strong> might specify
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt 1024-bit key sizes, but a class <strong class="userinput"><code>extra</code></strong> might
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt specify 2048 bits instead; <strong class="userinput"><code>extra</code></strong> would be
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt used for zones that had unusually high security needs.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt Algorithm policies:
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt (<code class="option">algorithm-policy <em class="replaceable"><code>algorithm</code></em> { ... };</code> )
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt override default per-algorithm settings. For example, by default,
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt can be modified using <span class="command"><strong>algorithm-policy</strong></span>, and the
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt new key sizes would then be used for any key of type RSASHA256.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt Zone policies:
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt (<code class="option">zone <em class="replaceable"><code>name</code></em> { ... };</code> )
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt set policy for a single zone by name. A zone policy can inherit
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt a policy class by including a <code class="option">policy</code> option.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User Zone names beginning with digits (i.e., 0-9) must be quoted.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</ul></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt Options that can be specified in policies:
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="variablelist"><dl class="variablelist">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term"><span class="command"><strong>algorithm</strong></span></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt The key algorithm. If no policy is defined, the default is
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User RSASHA256.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term"><span class="command"><strong>coverage</strong></span></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt The length of time to ensure that keys will be correct; no action
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User will be taken to create new keys to be activated after this time.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User This can be represented as a number of seconds, or as a duration using
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt human-readable units (examples: "1y" or "6 months").
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt A default value for this option can be set in algorithm policies
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt as well as in policy classes or zone policies.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User If no policy is configured, the default is six months.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt Specifies the directory in which keys should be stored.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term"><span class="command"><strong>key-size</strong></span></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt Specifies the number of bits to use in creating keys.
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt Takes two arguments: keytype (either "zsk" or "ksk") and size.
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt A default value for this option can be set in algorithm policies
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt as well as in policy classes or zone policies. If no policy is
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User configured, the default is 1024 bits for DSA keys and 2048 for
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User RSA.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term"><span class="command"><strong>keyttl</strong></span></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt The key TTL. If no policy is defined, the default is one hour.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term"><span class="command"><strong>post-publish</strong></span></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt How long after inactivation a key should be deleted from the zone.
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt Note: If <code class="option">roll-period</code> is not set, this value is
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt ignored. Takes two arguments: keytype (either "zsk" or "ksk") and a
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt duration. A default value for this option can be set in algorithm
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt policies as well as in policy classes or zone policies. The default
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt is one month.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term"><span class="command"><strong>pre-publish</strong></span></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt How long before activation a key should be published. Note: If
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User <code class="option">roll-period</code> is not set, this value is ignored.
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt A default value for this option can be set in algorithm policies
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt as well as in policy classes or zone policies. The default is
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User one month.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term"><span class="command"><strong>roll-period</strong></span></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt How frequently keys should be rolled over.
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt A default value for this option can be set in algorithm policies
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt as well as in policy classes or zone policies. If no policy is
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User configured, the default is one year for ZSKs. KSKs do not
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User roll over by default.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<dt><span class="term"><span class="command"><strong>standby</strong></span></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt Not yet implemented.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </dd>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</dl></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="refsection">
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User<a name="id-1.14.13.10"></a><h2>REMAINING WORK</h2>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User Enable scheduling of KSK rollovers using the <code class="option">-P sync</code>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User and <code class="option">-D sync</code> options to
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User <span class="command"><strong>dnssec-keygen</strong></span> and
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User <span class="command"><strong>dnssec-settime</strong></span>. Check the parent zone
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User (as in <span class="command"><strong>dnssec-checkds</strong></span>) to determine when it's
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User safe for the key to roll.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User Allow configuration of standby keys and use of the REVOKE bit,
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User for keys that use RFC 5011 semantics.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</ul></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="refsection">
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User<a name="id-1.14.13.11"></a><h2>SEE ALSO</h2>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="citerefentry">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="refentrytitle">dnssec-coverage</span>(8)
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </span>,
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="citerefentry">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="refentrytitle">dnssec-keygen</span>(8)
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </span>,
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="citerefentry">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="refentrytitle">dnssec-settime</span>(8)
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </span>,
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="citerefentry">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="refentrytitle">dnssec-checkds</span>(8)
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </span>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</div>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<div class="navfooter">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<hr>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<table width="100%" summary="Navigation footer">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<tr>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<td width="40%" align="left">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<a accesskey="p" href="man.dnssec-keygen.html">Prev</a>&nbsp;</td>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-revoke.html">Next</a>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</td>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</tr>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<tr>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<td width="40%" align="left" valign="top">
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<span class="application">dnssec-keygen</span>&nbsp;</td>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt<td width="40%" align="right" valign="top">&nbsp;<span class="application">dnssec-revoke</span>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</td>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</tr>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</table>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</div>
0b89eee6167201843c9a46b7e7c63cb1e4e09ba3Tinderbox User<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.2</p>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</body>
28a4d32b05736e13299fb10c6c0addfa88c3cf87Evan Hunt</html>