<!-- Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
   - This Source Code Form is subject to the terms of the Mozilla Public
   - License, v. 2.0. If a copy of the MPL was not distributed with this -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keymgr</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="refentry">
  <div class="refnamediv">
    <p><span class="application">dnssec-keymgr</span> — Ensures correct DNSKEY coverage for a zone based on a defined policy</p>
  </div>
  <div class="refsynopsisdiv">
    <div class="cmdsynopsis"><p>
      <code class="command">dnssec-keymgr</code>
      [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
      [<code class="option">-c <em class="replaceable"><code>file</code></em></code>]
      [<code class="option">-f</code>]
      [<code class="option">-k</code>]
      [<code class="option">-q</code>]
      [<code class="option">-v</code>]
      [<code class="option">-z</code>]
      [<code class="option">-g <em class="replaceable"><code>path</code></em></code>]
      [<code class="option">-r <em class="replaceable"><code>path</code></em></code>]
      [<code class="option">-s <em class="replaceable"><code>path</code></em></code>]
    </p></div>
  </div>
  <div class="refsection">
    <a name="id-1.14.13.7"></a><h2>DESCRIPTION</h2>
    <p>
      <span class="command"><strong>dnssec-keymgr</strong></span> is a high-level Python wrapper
      that facilitates the key rollover process for zones handled by
      BIND. It uses the BIND commands for manipulating DNSSEC key
      metadata: <span class="command"><strong>dnssec-keygen</strong></span> and
      <span class="command"><strong>dnssec-settime</strong></span>.
    </p>
    <p>
      DNSSEC policy can be read from a configuration file (default
      parameters, publication and rollover schedule, and desired
      coverage duration for any given zone can be determined. This
      file may be used to define individual DNSSEC policies on a
      per-zone basis, or to set a default policy used for all zones.
    </p>
    <p>
      When <span class="command"><strong>dnssec-keymgr</strong></span> runs, it examines the DNSSEC
      keys for one or more zones, comparing their timing metadata against
      the policies for those zones. If key settings do not conform to the
      DNSSEC policy (for example, because the policy has been changed),
      they are automatically corrected.
    </p>
    <p>
      A zone policy can specify a duration for which we want to
      ensure key correctness (<code class="option">coverage</code>). It can
      also specify a rollover period (<code class="option">roll-period</code>).
      If policy indicates that a key should roll over before the
      coverage period ends, then a successor key will automatically be
      created and added to the end of the key series.
    </p>
    <p>
      If zones are specified on the command line,
      <span class="command"><strong>dnssec-keymgr</strong></span> will examine only those zones.
      If a specified zone does not already have keys in place, then
      keys will be generated for it according to policy.
      If zones are <span class="emphasis"><em>not</em></span> specified on the command
      line, then <span class="command"><strong>dnssec-keymgr</strong></span> will search the
      key directory (either the current working directory or the directory
      set by the <code class="option">-K</code> option), and check the keys for
      all the zones represented in the directory.
    </p>
    <p>
      It is expected that this tool will be run automatically and
      unattended (for example, by <span class="command"><strong>cron</strong></span>).
    </p>
  </div>
  <div class="refsection">
    <a name="id-1.14.13.8"></a><h2>OPTIONS</h2>
    <div class="variablelist"><dl class="variablelist">
      <dt><span class="term">-c <em class="replaceable"><code>file</code></em></span></dt>
      <dd><p>
        If <code class="option">-c</code> is specified, then the DNSSEC
        policy is read from <code class="option">file</code>. (If not
        specified, then the policy is read from
        doesn't exist, a built-in global default policy is used.)
      </p></dd>
      <dt><span class="term">-f</span></dt>
      <dd><p>
        Force: allow updating of key events even if they are
        already in the past. This is not recommended for use with
        zones in which keys have already been published. However,
        if a set of keys has been generated all of which have
        publication and activation dates in the past, but the
        keys have not been published in a zone as yet, then this
        option can be used to clean them up and turn them into a
        proper series of keys with appropriate rollover intervals.
      </p></dd>
      <dt><span class="term">-g <em class="replaceable"><code>keygen-path</code></em></span></dt>
      <dd><p>
        Specifies a path to a <span class="command"><strong>dnssec-keygen</strong></span> binary.
        See also the <code class="option">-s</code> option.
      </p></dd>
      <dt><span class="term">-h</span></dt>
      <dd><p>
        Print the <span class="command"><strong>dnssec-keymgr</strong></span> help summary.
      </p></dd>
      <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
      <dd><p>
        Sets the directory in which keys can be found. Defaults to the
        current working directory.
      </p></dd>
      <dt><span class="term">-k</span></dt>
      <dd><p>
        Only apply policies to KSK keys.
        See also the <code class="option">-z</code> option.
      </p></dd>
      <dt><span class="term">-q</span></dt>
      <dd><p>
        Quiet: suppress printing of <span class="command"><strong>dnssec-keygen</strong></span>
        and <span class="command"><strong>dnssec-settime</strong></span>.
      </p></dd>
      <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
      <dd><p>
        Specifies a path to a file containing random data.
        This is passed to the <span class="command"><strong>dnssec-keygen</strong></span> binary
        using its <code class="option">-r</code> option.
      </p></dd>
      <dt><span class="term">-s <em class="replaceable"><code>settime-path</code></em></span></dt>
      <dd><p>
        Specifies a path to a <span class="command"><strong>dnssec-settime</strong></span> binary.
        See also the <code class="option">-g</code> option.
      </p></dd>
      <dt><span class="term">-v</span></dt>
      <dd><p>
        Print the <span class="command"><strong>dnssec-keymgr</strong></span> version and exit.
      </p></dd>
      <dt><span class="term">-z</span></dt>
      <dd><p>
        Only apply policies to ZSK keys.
        See also the <code class="option">-k</code> option.
      </p></dd>
    </dl></div>
  </div>
  <div class="refsection">
    <a name="id-1.14.13.9"></a><h2>POLICY CONFIGURATION</h2>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
      <li>
        <span class="emphasis"><em>Policy classes</em></span>
        (<code class="option">policy <em class="replaceable"><code>name</code></em> { ... };</code>)
        can be inherited by zone policies or other policy classes; these
        can be used to create sets of different security profiles. For
        example, a policy class <strong class="userinput"><code>normal</code></strong> might specify
        1024-bit key sizes, but a class <strong class="userinput"><code>extra</code></strong> might
        specify 2048 bits instead; <strong class="userinput"><code>extra</code></strong> would be
        used for zones that had unusually high security needs.
      </li>
      <li>
        <span class="emphasis"><em>Algorithm policies</em></span>
        (<code class="option">algorithm-policy <em class="replaceable"><code>algorithm</code></em> { ... };</code>)
        override default per-algorithm settings. For example, by default,
        RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
        can be modified using <span class="command"><strong>algorithm-policy</strong></span>, and the
        new key sizes would then be used for any key of type RSASHA256.
      </li>
      <li>
        <span class="emphasis"><em>Zone policies</em></span>
        (<code class="option">zone <em class="replaceable"><code>name</code></em> { ... };</code>)
        set policy for a single zone by name. A zone policy can inherit
        a policy class by including a <code class="option">policy</code> option.
      </li>
    </ul></div>
    <p>Options that can be specified in policies:</p>
    <div class="variablelist"><dl class="variablelist">
      <dt><span class="term"><span class="command"><strong>algorithm</strong></span></span></dt>
      <dd><p>
        The key algorithm. If no policy is defined, the default is
      </p></dd>
      <dt><span class="term"><span class="command"><strong>coverage</strong></span></span></dt>
      <dd><p>
        The length of time to ensure that keys will be correct; no action
        will be taken to create new keys to be activated after this time.
        This can be represented as a number of seconds, or as a duration using
        human-readable units (examples: "1y" or "6 months").
        A default value for this option can be set in algorithm policies
        as well as in policy classes or zone policies.
        If no policy is configured, the default is six months.
      </p></dd>
      <dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt>
      <dd><p>
        Specifies the directory in which keys should be stored.
      </p></dd>
      <dt><span class="term"><span class="command"><strong>key-size</strong></span></span></dt>
      <dd><p>
        Specifies the number of bits to use in creating keys.
        Takes two arguments: keytype (either "zsk" or "ksk") and size.
        A default value for this option can be set in algorithm policies
        as well as in policy classes or zone policies. If no policy is
        configured, the default is 1024 bits for DSA keys and 2048 for
      </p></dd>
      <dt><span class="term"><span class="command"><strong>keyttl</strong></span></span></dt>
      <dd><p>
        The key TTL. If no policy is defined, the default is one hour.
      </p></dd>
      <dt><span class="term"><span class="command"><strong>post-publish</strong></span></span></dt>
      <dd><p>
        How long after inactivation a key should be deleted from the zone.
        Note: If <code class="option">roll-period</code> is not set, this value is
        ignored. Takes two arguments: keytype (either "zsk" or "ksk") and a
        duration. A default value for this option can be set in algorithm
        policies as well as in policy classes or zone policies. The default
      </p></dd>
      <dt><span class="term"><span class="command"><strong>pre-publish</strong></span></span></dt>
      <dd><p>
        How long before activation a key should be published. Note: If
        <code class="option">roll-period</code> is not set, this value is ignored.
        Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
        A default value for this option can be set in algorithm policies
        as well as in policy classes or zone policies. The default is
      </p></dd>
      <dt><span class="term"><span class="command"><strong>roll-period</strong></span></span></dt>
      <dd><p>
        How frequently keys should be rolled over.
        Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
        A default value for this option can be set in algorithm policies
        as well as in policy classes or zone policies. If no policy is
        configured, the default is one year for ZSKs. KSKs do not
      </p></dd>
      <dt><span class="term"><span class="command"><strong>standby</strong></span></span></dt>
    </dl></div>
  </div>
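<p>The following is an added example and not code from BIND or ISC. It models the two mechanisms this section and the DESCRIPTION describe: how a policy file written in the <code class="option">policy</code> / <code class="option">algorithm-policy</code> / <code class="option">zone</code> syntax resolves into one effective policy for a zone (built-in defaults, then the algorithm policy, then inherited classes, then the zone block), and how the key series is extended with successor keys when a key is due to roll before the <code class="option">coverage</code> window ends. The policy text, the fixed day counts used for months and years, the pre-publish/post-publish defaults and the successor timing rule are all assumptions made for the example; the real tool leaves the timing changes to <span class="command"><strong>dnssec-keygen</strong></span> and <span class="command"><strong>dnssec-settime</strong></span>.</p>

```python
"""Added example, not code from BIND or ISC: a model of how a dnssec-keymgr
policy file resolves into one per-zone policy and how the key series is
extended to keep the zone covered. Units, defaults marked 'assumed' and the
successor rule are simplifications; keymgr itself delegates the real
changes to dnssec-keygen and dnssec-settime."""
import re
from datetime import datetime, timedelta

# Constructed policy text in the page's syntax: two policy classes, a
# per-algorithm override and a zone that inherits a class.
POLICY_TEXT = """
policy normal {
    algorithm RSASHA256;  key-size zsk 1024;  coverage 1y;
    roll-period zsk 6mo;  pre-publish zsk 2w;  post-publish zsk 2w;
};
policy extra { policy normal; key-size zsk 2048; };
algorithm-policy RSASHA256 { key-size ksk 4096; };
zone example.com { policy extra; coverage 6mo; };
"""
# Assumed unit table: months and years are fixed day counts here.
UNITS = {"": 1, "s": 1, "h": 3600, "d": 86400, "w": 7 * 86400,
         "mo": 30 * 86400, "month": 30 * 86400, "months": 30 * 86400,
         "y": 365 * 86400, "year": 365 * 86400, "years": 365 * 86400}
# Options the page says take a keytype ("zsk"/"ksk") before the value.
TWO_ARG = {"key-size", "pre-publish", "post-publish", "roll-period"}
# Built-in defaults: coverage and the ZSK roll period are the page's figures,
# KSKs get no scheduled roll; the pre/post-publish values are assumed.
DEFAULTS = {"coverage": "6mo", "keyttl": "1h",
            ("roll-period", "zsk"): "1y", ("roll-period", "ksk"): None}
for _kt in ("zsk", "ksk"):
    DEFAULTS[("pre-publish", _kt)] = DEFAULTS[("post-publish", _kt)] = "1mo"

def parse_duration(text):
    """'1y', '6mo', '6 months' or a bare number of seconds -> timedelta."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]*)\s*", text.lower())
    if not m or m.group(2) not in UNITS:
        raise ValueError("bad duration: %r" % text)
    return timedelta(seconds=int(m.group(1)) * UNITS[m.group(2)])

def parse_policy(text):
    """Parse 'kind name { option [keytype] value; ... };' blocks into
    {(kind, name): {option or (option, keytype): value}}."""
    blocks = {}
    for kind, name, body in re.findall(r"(\S+)\s+(\S+)\s*\{([^}]*)\}\s*;", text):
        opts = {}
        for stmt in filter(None, (s.strip() for s in body.split(";"))):
            words = stmt.split()
            key = (words[0], words[1].lower()) if words[0] in TWO_ARG else words[0]
            opts[key] = words[-1]
        blocks[(kind, name)] = opts
    return blocks

def effective_policy(blocks, zone):
    """Resolve a zone's policy: built-in defaults, then the algorithm
    policy, then inherited policy classes, then the zone block itself."""
    chain, opts = [], blocks[("zone", zone)]
    while opts is not None:
        chain.append(opts)
        opts = blocks.get(("policy", opts.get("policy")))
    alg = next((o["algorithm"] for o in chain if "algorithm" in o), None)
    merged = dict(DEFAULTS)
    merged.update(blocks.get(("algorithm-policy", alg), {}))
    for opts in reversed(chain):      # most general class first, zone last
        merged.update(opts)
    merged.pop("policy", None)
    return merged

def extend_series(activations, policy, keytype, now):
    """Given activation times of the existing keys of one type, return the
    successor keys needed so some key stays active until now + coverage
    (the page's rule: a key due to roll before the window ends gets a
    successor appended to the series)."""
    if policy[("roll-period", keytype)] is None:
        return []                        # e.g. KSKs: no scheduled rollover
    roll = parse_duration(policy[("roll-period", keytype)])
    pre = parse_duration(policy[("pre-publish", keytype)])
    post = parse_duration(policy[("post-publish", keytype)])
    horizon = now + parse_duration(policy["coverage"])
    last, successors = max(activations), []
    while last + roll < horizon:         # last key goes inactive too early
        activate = last + roll
        successors.append({"publish": activate - pre, "activate": activate,
                           "inactive": activate + roll,
                           "delete": activate + roll + post})
        last = activate
    return successors

def demo(now=datetime(2016, 1, 1)):
    """Resolve the constructed zone and plan its ZSK and KSK series."""
    policy = effective_policy(parse_policy(POLICY_TEXT), "example.com")
    zsks = extend_series([datetime(2015, 12, 1)], policy, "zsk", now)
    ksks = extend_series([datetime(2015, 12, 1)], policy, "ksk", now)
    return {"zsk_bits": policy[("key-size", "zsk")],
            "ksk_bits": policy[("key-size", "ksk")],
            "coverage": policy["coverage"],
            "zsk_successors": [{k: v.date().isoformat() for k, v in s.items()}
                               for s in zsks],
            "ksk_successors": len(ksks)}

if __name__ == "__main__":
    print(demo())
```

<p>Run as a script, <code>demo()</code> shows the precedence rules in action: the zone's six-month <code class="option">coverage</code> overrides the one year set in class <code class="option">normal</code>, class <code class="option">extra</code> overrides the ZSK size it inherits, and the KSK size comes from the algorithm policy because no class sets one. With a ZSK activated on 2015-12-01 and a six-month roll period, one successor is planned (published two weeks before it activates on 2016-05-29), while the KSK series gets none because its roll period is unset.</p>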
  <div class="refsection">
    <a name="id-1.14.13.10"></a><h2>REMAINING WORK</h2>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
      <li>
        Enable scheduling of KSK rollovers using the <code class="option">-P sync</code>
        and <code class="option">-D sync</code> options to
        <span class="command"><strong>dnssec-keygen</strong></span> and
        <span class="command"><strong>dnssec-settime</strong></span>. Check the parent zone
        (as in <span class="command"><strong>dnssec-checkds</strong></span>) to determine when it's
        safe for the key to roll.
      </li>
      <li>
        Allow configuration of standby keys and use of the REVOKE bit,
        for keys that use RFC 5011 semantics.
      </li>
    </ul></div>
  </div>
  <div class="refsection">
    <a name="id-1.14.13.11"></a><h2>SEE ALSO</h2>
    <p>
      <span class="citerefentry"><span class="refentrytitle">dnssec-coverage</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">dnssec-settime</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>
    </p>
  </div>