<!-- Creator : groff version 1.20.1 -->
<!-- CreationDate: Tue Aug 4 21:33:40 2009 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<style type="text/css">
p { margin-top: 0; margin-bottom: 0; vertical-align: top }
pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
table { margin-top: 0; margin-bottom: 0; vertical-align: top }
h1 { text-align: center }
</style>
<title>dnssec-zkt</title>
</head>
<body>
<h1 align="center">dnssec-zkt</h1>
<a href="#NAME">NAME</a><br>
<a href="#SYNOPSYS">SYNOPSIS</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#GENERAL OPTIONS">GENERAL OPTIONS</a><br>
<a href="#COMMAND OPTIONS">COMMAND OPTIONS</a><br>
<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
<a href="#FILES">FILES</a><br>
<a href="#BUGS">BUGS</a><br>
<a href="#AUTHORS">AUTHORS</a><br>
<a href="#COPYRIGHT">COPYRIGHT</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>
<hr>
<h2>NAME
<a name="NAME"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">dnssec-zkt
— Secure DNS zone key tool</p>
<h2>SYNOPSIS
<a name="SYNOPSYS"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt</b>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−l</b> <i>list</i>]
[<b>−adefhkLrptz</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>]</p>
<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
−C</b> &lt;label&gt; [<b>−V|--view</b>
<i>view</i>] [<b>−c</b> <i>file</i>]
[<b>−krpz</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>] <b><br>
dnssec-zkt −−create=</b>&lt;label&gt;
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−krpz</b>]
[{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p>
<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
−</b>{<b>P</b>|<b>A</b>|<b>D</b>|<b>R</b>}<b>&lt;keytag&gt;</b>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>] <b><br>
dnssec-zkt −−published=</b>&lt;keytag&gt;
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>] <b><br>
dnssec-zkt −−active=</b>&lt;keytag&gt;
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>] <b><br>
dnssec-zkt −−depreciate=</b>&lt;keytag&gt;
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>] <b><br>
dnssec-zkt −−rename=</b>&lt;keytag&gt;
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>]</p>
<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
−−destroy=</b>&lt;keytag&gt;
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>]</p>
<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
−T</b> [<b>−V|--view</b> <i>view</i>]
[<b>−c</b> <i>file</i>] [<b>−l</b> <i>list</i>]
[<b>−hr</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>]
<b><br>
dnssec-zkt −−list-trustedkeys</b>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−l</b> <i>list</i>]
[<b>−hr</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>]</p>
<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
−K</b> [<b>−V|--view</b> <i>view</i>]
[<b>−c</b> <i>file</i>] [<b>−l</b> <i>list</i>]
[<b>−hkzr</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>] <b><br>
dnssec-zkt −−list-dnskeys</b>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−l</b> <i>list</i>]
[<b>−hkzr</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>]</p>
<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
−Z</b> [<b>−V|--view</b> <i>view</i>]
[<b>−c</b> <i>file</i>] <b><br>
dnssec-zkt −−zone-config</b>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>]</p>
<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
−9 | −−ksk-rollover <br>
dnssec-zkt −1 | −−ksk-roll-phase1</b>
[<b>−c</b> <i>file</i>] <b><br>
dnssec-zkt −2 | −−ksk-roll-phase2</b>
[<b>−c</b> <i>file</i>] <b><br>
dnssec-zkt −3 | −−ksk-roll-phase3</b>
[<b>−c</b> <i>file</i>] <b><br>
dnssec-zkt −0 | −−ksk-roll-stat</b>
[<b>−c</b> <i>file</i>]</p>
<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">The
<i>dnssec-zkt</i> command is a wrapper around
<i>dnssec-keygen(8)</i> to assist in DNSSEC zone key
management.</p>
<p style="margin-left:11%; margin-top: 1em">In the common
usage the command prints out information about all DNSSEC
(zone) keys found in the given (or predefined default)
directory. It is also possible to specify key files (K*.key)
as arguments. With option <b>−r</b> subdirectories
are searched recursively, and all DNSSEC keys found are
listed sorted by domain name, key type and generation
time. In that mode the <b>−p</b> option may be
helpful to find the location of a key file in the
directory tree.</p>
<p style="margin-left:11%; margin-top: 1em">Other forms of
the command print out keys in a format suitable for a
trusted-key section or as a DNSKEY resource record.</p>
<p style="margin-left:11%; margin-top: 1em">The command is
also useful in DNS key management: it offers monitoring of
key lifetime and modification of key status.</p>
<h2>GENERAL OPTIONS
<a name="GENERAL OPTIONS"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em"><b>−V</b>
<i>view</i><b>, −−view=</b><i>view</i></p>
<p style="margin-left:22%;">Try to read the default
configuration from a file named
<i>dnssec-&lt;view&gt;.conf</i>. Instead of specifying the
−V or --view option every time, it is also possible to
create a hard or soft link to the executable file to give it
an additional name like <i>dnssec-zkt-&lt;view&gt;</i>.</p>
<p style="margin-left:11%;"><b>−c</b> <i>file</i><b>,
−−config=</b><i>file</i></p>
<p style="margin-left:22%;">Read default values from the
specified config file. Otherwise the default config file is
read, or built-in defaults are used.</p>
<p style="margin-left:11%;"><b>−O</b>
<i>optstr</i><b>,
−−config-option=</b><i>optstr</i></p>
<p style="margin-left:22%;">Set any config file option on
the command line. Several config file options can be
specified in one argument string, delimited by
semicolons (or newlines).</p>
<p style="margin-left:11%;"><b>−l</b> <i>list</i></p>
<p style="margin-left:22%;">Print out information solely
about the domains given in the comma- or space-separated list.
Take care that every domain name has a trailing dot.</p>
<p style="margin-left:11%;"><b>−d</b>,
<b>−−directory</b></p>
<p style="margin-left:22%;">Skip directory arguments. This
is useful in combination with wildcard arguments to
prevent dnssec-zkt from listing all keys found in
subdirectories. For example "dnssec-zkt -d *" prints
a list of only the keys found in the current
directory. It may be easier to use "dnssec-zkt
." instead (without -r set). The option works similarly
to the −d option of <i>ls(1)</i>.</p>
<p style="margin-left:11%;"><b>−L</b>,
<b>−−left-justify</b></p>
<p style="margin-left:22%;">Print out the domain name left
justified.</p>
<p style="margin-left:11%;"><b>−k</b>,
<b>−−ksk</b></p>
<p style="margin-left:22%;">Select and print key signing
keys only (default depends on command mode).</p>
<p style="margin-left:11%;"><b>−z</b>,
<b>−−zsk</b></p>
<p style="margin-left:22%;">Select and print zone signing
keys only (default depends on command mode).</p>
<p style="margin-left:11%;"><b>−r</b>,
<b>−−recursive</b></p>
<p style="margin-left:22%;">Recursive mode (default is
off). <br>
Also settable in the dnssec.conf file (Parameter:
Recursive).</p>
<p style="margin-left:11%;"><b>−p</b>,
<b>−−path</b></p>
<p style="margin-left:22%;">Print pathname in listing mode.
In -C mode, don’t create the new key in the same
directory as (already existing) keys with the same
label.</p>
<p style="margin-left:11%;"><b>−a</b>,
<b>−−age</b></p>
<p style="margin-left:22%;">Print age of key in weeks,
days, hours, minutes and seconds (default is off). <br>
Also settable in the dnssec.conf file (Parameter:
PrintAge).</p>
<p style="margin-left:11%;"><b>−f</b>,
<b>−−lifetime</b></p>
<p style="margin-left:22%;">Print the key lifetime.</p>
<p style="margin-left:11%;"><b>−F</b>,
<b>−−setlifetime</b></p>
<p style="margin-left:22%;">Set the key lifetime of all the
selected keys. Use option -k, -z, -l or the file and dir
argument for key selection.</p>
<p style="margin-left:11%;"><b>−e</b>,
<b>−−exptime</b></p>
<p style="margin-left:22%;">Print the key expiration
time.</p>
<p style="margin-left:11%;"><b>−t</b>,
<b>−−time</b></p>
<p style="margin-left:22%;">Print the key generation time
(default is on). <br>
Also settable in the dnssec.conf file (Parameter:
PrintTime).</p>
<p style="margin-left:11%;"><b>−h</b></p>
<p style="margin-left:22%;">No header, and no trusted-key
section header and trailer, in -T mode.</p>
<h2>COMMAND OPTIONS
<a name="COMMAND OPTIONS"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em"><b>−H</b>,
<b>−−help</b></p>
<p style="margin-left:22%;">Print out the online help.</p>
<p style="margin-left:11%;"><b>−T</b>,
<b>−−list-trustedkeys</b></p>
<p style="margin-left:22%;">List all key signing keys as a</p>
<p style="margin-left:11%;"><b>−K</b>,
<b>−−list-dnskeys</b></p>
<p style="margin-left:22%;">List the public part of all the
keys in DNSKEY resource record format. Use <b>−h</b>
to suppress comment lines.</p>
<p style="margin-left:11%;"><b>−C</b> <i>zone</i><b>,
−−create=</b><i>zone</i></p>
<p style="margin-left:22%;">Create a new zone signing key
for the given zone. Add option <b>−k</b> to create a
key signing key. The key algorithm and key length will be
examined from built-in default values or from the parameter
The keyfile will be created in the current directory if the
<b>−p</b> option is specified.</p>
<p style="margin-left:11%;"><b>−R</b>
<i>keyid</i><b>, −−revoke=</b><i>keyid</i></p>
<p style="margin-left:22%;">Revoke the key signing key with
the given keyid. A revoked key has bit 8 in the flags field
set (see RFC5011). The keyid is the numeric keytag with an
optionally added zone name separated by a colon.</p>
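<p style="margin-left:22%;">The revoke bit, like the SEP bit that marks a key signing key, can be read directly off the flags field of a DNSKEY record. The following POSIX shell script is an added example and not code from the ZKT project: it reads DNSKEY resource records such as those printed by <b>−K</b>, skips comment lines, and reports each key's role and whether the RFC5011 revoke bit (bit 8, value 128) is set. The DNSKEY lines inside it are constructed sample data with placeholder key material.</p>

```shell
#!/bin/sh
# Added example, not part of the ZKT project: classify DNSKEY resource
# records (as printed by "dnssec-zkt -K") by role and RFC 5011 revocation.
#
# DNSKEY flags field, 16 bits numbered 0..15 from the most significant bit:
#   bit 7  ZONE   = 256   set on every zone key
#   bit 8  REVOKE = 128   RFC 5011 revoked key
#   bit 15 SEP    =   1   secure entry point, i.e. a key signing key
# So a KSK is 257, a ZSK is 256 and a revoked KSK is 385.

# Constructed sample input; the base64 key material is a placeholder.
SAMPLE_DNSKEYS='; comment line as emitted without -h
example.net. 3600 IN DNSKEY 257 3 8 AwEAAcKSKplaceholder==
example.net. 3600 IN DNSKEY 256 3 8 AwEAAcZSKplaceholder==
example.net. 3600 IN DNSKEY 385 3 8 AwEAAcRevokedKSKplaceholder==
example.org. IN DNSKEY 256 3 8 AwEAAcNoTTLfield==
example.org. IN DNSKEY 1 3 8 AwEAAcNotAZoneKey=='

# classify_dnskeys: read DNSKEY RRs on stdin, print "owner role state"
# per record.  POSIX awk has no bitwise operators, so the bits are tested
# with integer division and modulo.
classify_dnskeys() {
    awk '
        /^[ \t]*;/ || NF == 0 { next }            # skip comments and blanks
        {
            flags = -1
            for (i = 2; i < NF; i++)              # TTL and class are optional
                if ($i == "DNSKEY") { flags = $(i + 1) + 0; break }
            if (flags < 0) { printf "%s unparsable -\n", $1; next }
            zone   = int(flags / 256) % 2
            revoke = int(flags / 128) % 2
            sep    = flags % 2
            role  = zone ? (sep ? "KSK" : "ZSK") : "non-zone-key"
            state = revoke ? "revoked" : "valid"
            printf "%s %s %s\n", $1, role, state
        }'
}

# classify_sample: run the classifier over the constructed sample.
classify_sample() {
    printf '%s\n' "$SAMPLE_DNSKEYS" | classify_dnskeys
}

# count_revoked: number of revoked keys in the sample.  A monitoring job
# would compare this against the number of revocations it expects.
count_revoked() {
    classify_sample | grep -c ' revoked$'
}
```

<p style="margin-left:22%;">Feeding the output of <b>dnssec-zkt −K −h</b> into <b>classify_dnskeys</b> gives one line per key; an unexpected "revoked" line is worth an alert, because a revoked key signing key is no longer usable as a trust anchor by RFC5011 validators.</p>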
<p style="margin-left:11%;"><b>−−rename=</b><i>keyid</i></p>
<p style="margin-left:22%;">Rename the key files of the key
with the given keyid (look for key file names starting with
a lower-case ’k’). The keyid is the numeric keytag
with an optionally added zone name separated by a colon.</p>
<p style="margin-left:11%;"><b>−−destroy=</b><i>keyid</i></p>
<p style="margin-left:22%;">Delete the key with the given
keyid. The keyid is the numeric keytag with an optionally
added zone name separated by a colon. Beware that this
deletes both the private and the public key file, so the key
is unrecoverably lost.</p>
<p style="margin-left:11%;"><b>−P|A|D</b>
<i>keyid,</i> <b>−−published=</b><i>keyid,</i>
<b>−−active=</b><i>keyid,</i>
<b>−−depreciated=</b><i>keyid</i></p>
<p style="margin-left:22%;">Change the status of the given
dnssec key to published (<b>−P</b>), active
(<b>−A</b>) or depreciated (<b>−D</b>). The
<i>keyid</i> is the numeric keytag with an optionally added
zone name separated by a colon. Setting the status to
"published" or "depreciate" will change
the filename of the private key file to
".published" or ".depreciated"
respectively. This prevents the key from being used as a signing
key by <i>dnssec-signzone(8)</i>. The time of
status change will be stored in the ’mtime’
field of the corresponding ".key" file. Key
activation via option <b>−A</b> will restore the
original timestamp and file name (".private").</p>
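<p style="margin-left:22%;">Because the status is encoded in the suffix of the private key file and the time of the last status change in the mtime of the ".key" file, a key directory can be audited with nothing but file tests. The script below is an added example and not part of dnssec-zkt: it builds a constructed sample directory, reports each key's status from the suffix present, and lists published keys whose ".key" file is older than a given number of days. It assumes BIND-style key file names (K, zone name, "+", algorithm number, "+", key tag), which this page does not state.</p>

```shell
#!/bin/sh
# Added example, not part of the ZKT project: audit a dnssec-zkt key
# directory from file names alone.
#
# From the manual: the private key file is named ".private" while the key
# is active, ".published" or ".depreciated" otherwise, and the time of the
# last status change is stored in the mtime of the matching ".key" file.
# Assumed (not stated on this page): BIND-style file names made of "K",
# the zone name, "+", the algorithm number, "+" and the key tag.

# make_sample_keydir DIR: build a constructed sample directory (empty
# files, no real key material).
make_sample_keydir() {
    dir=$1
    mkdir -p "$dir"
    for tag in 12345 23456 34567 45678; do
        : > "$dir/Kexample.net.+008+$tag.key"
    done
    : > "$dir/Kexample.net.+008+12345.private"      # active signing key
    : > "$dir/Kexample.net.+008+23456.published"    # pre-published, not signing
    : > "$dir/Kexample.net.+008+34567.depreciated"  # withdrawn from signing
    # 45678 has no private part at all, e.g. an imported public key.
    # Backdate the status change of the published key to 1 Jan 2009 so
    # that it shows up as stale below (touch -t is POSIX, -d is not).
    touch -t 200901010000 "$dir/Kexample.net.+008+23456.key"
}

# zkt_key_status DIR: print "keyname status" for every K*.key in DIR.
zkt_key_status() {
    dir=$1
    for keyfile in "$dir"/K*.key; do
        [ -e "$keyfile" ] || continue           # no match: glob stays literal
        base=${keyfile%.key}
        if   [ -e "$base.private" ];     then status=active
        elif [ -e "$base.published" ];   then status=published
        elif [ -e "$base.depreciated" ]; then status=depreciated
        else                                  status=public-only
        fi
        printf '%s %s\n' "${base##*/}" "$status"
    done
}

# stale_published_keys DIR DAYS: published keys whose last status change
# (mtime of the .key file) is more than DAYS days ago.  A key left in the
# pre-publish state for too long usually means a forgotten rollover.
stale_published_keys() {
    dir=$1
    days=$2
    for pub in "$dir"/K*.published; do
        [ -e "$pub" ] || continue
        base=${pub%.published}
        if [ -n "$(find "$base.key" -mtime +"$days" 2>/dev/null)" ]; then
            printf '%s\n' "${base##*/}"
        fi
    done
}

# demo: run the audit on a throw-away sample directory.
demo() {
    d=$(mktemp -d)
    make_sample_keydir "$d"
    zkt_key_status "$d"
    echo "published for more than 30 days:"
    stale_published_keys "$d" 30
    rm -r "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

<p style="margin-left:22%;">Running the script with the argument "demo" prints the four sample keys with their status and then the backdated published key as stale. Against a real key directory, call <b>zkt_key_status</b> and <b>stale_published_keys</b> on the directory that dnssec-zkt manages; the suffix test mirrors exactly the file renaming described above, so the two listings should agree.</p>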
<p style="margin-left:11%;"><b>−Z</b>,
<b>−−zone-config</b></p>
<p style="margin-left:22%;">Write all config parameters to
stdout. The output is suitable as a template for the
of the above command. Pay attention not to overwrite an
existing file.</p>
<p style="margin-left:11%;"><b>−−ksk-roll-phase[123]</b></p>
<p style="margin-left:22%;">Initiate a key signing key
rollover of the specified domain. This feature is currently
experimental and is mainly intended for use in a
hierarchical environment. Use --ksk-rollover for a slightly
more detailed description.</p>
<h2>SAMPLE USAGE
<a name="SAMPLE USAGE"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
−r .</b></p>
<p style="margin-left:22%;">Print out a list of all zone
keys found below the current directory.</p>
<p style="margin-left:11%;"><b>dnssec-zkt −Z −c
""</b></p>
<p style="margin-left:22%;">Print out the compiled-in
default parameters.</p>
<p style="margin-left:11%;"><b>dnssec-zkt −C</b></p>
<p style="margin-left:22%;">Create a new key signing key
for the zone "example.net". Store the key in the
same directory below "zonedir" where the other
"example.net" keys live.</p>
<p style="margin-left:11%;"><b>dnssec-zkt −T</b></p>
<p style="margin-left:22%;">Print out a trusted-key section
containing the key signing keys of
"example.net".</p>
<p style="margin-left:11%;"><b>dnssec-zkt −D 12345
−r .</b></p>
<p style="margin-left:22%;">Depreciate the key with tag
"12345" below the current directory.</p>
<p style="margin-left:11%;"><b>dnssec-zkt --view
intern</b></p>
<p style="margin-left:22%;">Print out a list of all zone
keys found below the directory where all the zones of view
intern live. There should be a separate dnssec config file
affect of this.</p>
<p style="margin-left:11%;"><b>dnssec-zkt-intern</b></p>
<p style="margin-left:22%;">Same as above. The binary
<i>dnssec-zkt</i> has an additional link named
<i>dnssec-zkt-intern</i>, and <i>dnssec-zkt</i>
examines argv[0] to find the view whose zones it should
process.</p>
<h2>ENVIRONMENT VARIABLES
<a name="ENVIRONMENT VARIABLES"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p>
<p style="margin-left:22%;">Specifies the name of the
default global configuration file.</p>
<h2>FILES
<a name="FILES"></a>
</h2>
<p style="margin-left:22%;">Built-in default global
configuration file. The name of the default global config
file is settable via the environment variable
ZKT_CONFFILE.</p>
<p style="margin-left:22%;">View specific global
configuration file.</p>
<p style="margin-left:22%;">Local configuration file (only
used in <b>−C</b> mode).</p>
<h2>BUGS
<a name="BUGS"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">Some of the
general options will not be meaningful in all of the command
modes. <br>
The option <b>−l</b> and the ksk rollover options
insist on domain names ending with a dot.</p>
<h2>AUTHORS
<a name="AUTHORS"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">Holger Zuleger,
Mans Nilsson</p>
<h2>COPYRIGHT
<a name="COPYRIGHT"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">Copyright (c)
2005 − 2008 by Holger Zuleger. Licensed under the BSD
Licence. There is NO warranty; not even for MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.</p>
<h2>SEE ALSO
<a name="SEE ALSO"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
dnssec-signzone(8), rndc(8), named.conf(5),
dnssec-signer(8), <br>
RFC4641 "DNSSEC Operational Practices" by Miek
Gieben and Olaf Kolkman, <br>
DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC</p>
<hr>
</body>
</html>