<!-- Creator : groff version 1.20.1 -->
<!-- CreationDate: Tue Mar 23 23:47:31 2010 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<style type="text/css">
p { margin-top: 0; margin-bottom: 0; vertical-align: top }
pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
table { margin-top: 0; margin-bottom: 0; vertical-align: top }
h1 { text-align: center }
</style>
<title>zkt−keyman</title>
</head>
<body>
<h1 align="center">zkt−keyman</h1>
<a href="#NAME">NAME</a><br>
<a href="#SYNOPSYS">SYNOPSIS</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#GENERAL OPTIONS">GENERAL OPTIONS</a><br>
<a href="#COMMAND OPTIONS">COMMAND OPTIONS</a><br>
<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
<a href="#FILES">FILES</a><br>
<a href="#BUGS">BUGS</a><br>
<a href="#AUTHORS">AUTHORS</a><br>
<a href="#COPYRIGHT">COPYRIGHT</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>
<hr>
<h2>NAME
<a name="NAME"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">zkt−keyman
— A DNSSEC key management tool</p>
<h2>SYNOPSIS
<a name="SYNOPSYS"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em"><b>zkt−keyman
−C</b> &lt;label&gt; [<b>−V|--view</b>
<i>view</i>] [<b>−c</b> <i>file</i>]
[<b>−krpz</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>] <b><br>
zkt−keyman −−create=</b>&lt;label&gt;
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−krpz</b>]
[{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p>
<p style="margin-left:11%; margin-top: 1em"><b>zkt−keyman
−</b>{<b>P</b>|<b>A</b>|<b>D</b>|<b>R</b>} <b>&lt;keytag&gt;</b>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>] <b><br>
zkt−keyman −−published=</b>&lt;keytag&gt;
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>] <b><br>
zkt−keyman −−active=</b>&lt;keytag&gt;
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>] <b><br>
zkt−keyman −−depreciate=</b>&lt;keytag&gt;
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>] <b><br>
zkt−keyman −−rename=</b>&lt;keytag&gt;
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>]</p>
<p style="margin-left:11%; margin-top: 1em"><b>zkt−keyman
−−destroy=</b>&lt;keytag&gt;
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
<i>...</i>]</p>
<p style="margin-left:11%; margin-top: 1em"><b>zkt−keyman
−9 | −−ksk-rollover <br>
zkt−keyman −1 |</b>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] <b><br>
zkt−keyman −2 |</b>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] <b><br>
zkt−keyman −3 |</b>
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] <b><br>
zkt−keyman −0 | −−ksk-roll-stat</b>
[<b>−c</b> <i>file</i>]</p>
<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">The
<i>zkt−keyman</i> command is a wrapper around
<i>dnssec-keygen(8)</i> to assist in DNSSEC zone key
management.</p>
<p style="margin-left:11%; margin-top: 1em">The command is
useful in DNS key management. It is suitable for
modification of key status.</p>
<h2>GENERAL OPTIONS
<a name="GENERAL OPTIONS"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em"><b>−V</b>
<i>view</i><b>, −−view=</b><i>view</i></p>
<p style="margin-left:22%;">Try to read the default
configuration out of a file named
<i>dnssec-&lt;view&gt;.conf .</i> Instead of specifying the
−V or --view option every time, it is also possible to
create a hard or soft link to the executable file to give it
an additional name like
<i>zkt−keyman−&lt;view&gt; .</i></p>
<p style="margin-left:11%;"><b>−c</b> <i>file</i><b>,
−−config=</b><i>file</i></p>
<p style="margin-left:22%;">Read default values from the
specified config file. Otherwise the default config file is
read, or the built-in defaults are used.</p>
<p style="margin-left:11%;"><b>−O</b>
<i>optstr</i><b>,
−−config-option=</b><i>optstr</i></p>
<p style="margin-left:22%;">Set any config file option via
the command line. Several config file options can be
given in the argument string, but they have to be delimited by
a semicolon (or newline).</p>
<p style="margin-left:11%;"><b>−d</b>,
<b>−−directory</b></p>
<p style="margin-left:22%;">Skip directory arguments. This
is useful in combination with wildcard arguments to
prevent dnssec-zkt from listing all keys found in
subdirectories. For example, "zkt−keyman -d
*" will print out a list of only those keys found in the
current directory. It may be easier to use
"zkt−keyman ." instead (without -r set). The
option works similarly to the −d option of
<i>ls(1)</i>.</p>
<p style="margin-left:11%;"><b>−k</b>,
<b>−−ksk</b></p>
<p style="margin-left:22%;">Select key signing keys only
(default depends on command mode).</p>
<p style="margin-left:11%;"><b>−z</b>,
<b>−−zsk</b></p>
<p style="margin-left:22%;">Select zone signing keys only
(default depends on command mode).</p>
<p style="margin-left:11%;"><b>−r</b>,
<b>−−recursive</b></p>
<p style="margin-left:22%;">Recursive mode (default is
off). <br>
Also settable in the dnssec.conf file (Parameter:
Recursive).</p>
<p style="margin-left:11%;"><b>−F</b>,
<b>−−setlifetime</b></p>
<p style="margin-left:22%;">Set the key lifetime of all the
selected keys. Use option -k, -z, -l or the file and dir
argument for key selection.</p>
<h2>COMMAND OPTIONS
<a name="COMMAND OPTIONS"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em"><b>−h</b>,
<b>−−help</b></p>
<p style="margin-left:22%;">Print out the online help.</p>
<p style="margin-left:11%;"><b>−C</b> <i>zone</i><b>,
−−create=</b><i>zone</i></p>
<p style="margin-left:22%;">Create a new zone signing key
for the given zone. Add option <b>−k</b> to create a
key signing key. The key algorithm and key length will be
examined from built-in default values or from the parameter
The keyfile will be created in the current directory if the
<b>−p</b> option is specified.</p>
<p style="margin-left:11%;"><b>−R</b>
<i>keyid</i><b>, −−revoke=</b><i>keyid</i></p>
<p style="margin-left:22%;">Revoke the key signing key with
the given keyid. A revoked key has bit 8 in the flags field
set (see RFC5011). The keyid is the numeric keytag with an
optionally added zone name separated by a colon.</p>
<p style="margin-left:11%;"><b>−−rename=</b><i>keyid</i></p>
<p style="margin-left:22%;">Rename the key files of the key
with the given keyid (look at key file names starting with
a lowercase ’k’). The keyid is the numeric keytag
with an optionally added zone name separated by a colon.</p>
<p style="margin-left:11%;"><b>−−destroy=</b><i>keyid</i></p>
<p style="margin-left:22%;">Deletes the key with the given
keyid. The keyid is the numeric keytag with an optionally
added zone name separated by a colon. Beware that this
deletes both the private and the public key files, so the key is
unrecoverably lost.</p>
<p style="margin-left:11%;"><b>−P|A|D</b>
<i>keyid,</i> <b>−−published=</b><i>keyid,</i>
<b>−−active=</b><i>keyid,</i>
<b>−−depreciated=</b><i>keyid</i></p>
<p style="margin-left:22%;">Change the status of the given
dnssec key to published (<b>−P</b>), active
(<b>−A</b>) or depreciated (<b>−D</b>). The
<i>keyid</i> is the numeric keytag with an optionally added
zone name separated by a colon. Setting the status to
"published" or "depreciate" will change
the filename of the private key file to
".published" or ".depreciated"
respectively. This prevents <i>dnssec-signzone(8)</i> from
using the key as a signing key. The time of the
status change will be stored in the ’mtime’
field of the corresponding ".key" file. Key
activation via option <b>−A</b> will restore the
original timestamp and file name (".private").</p>
<p style="margin-left:11%;"><b>−−ksk-roll-phase[123]</b></p>
<p style="margin-left:22%;">Initiate a key signing key
rollover of the specified domain. This feature is currently
in experimental status and is mainly for use in a
hierarchical environment. Use --ksk-rollover for a little
more detailed description.</p>
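<p style="margin-left:11%; margin-top: 1em">An added example, not part of the original manual page or of ZKT: a read-only shell audit of a key directory that derives each key's status from the private key file suffix described under −P|A|D and its type from the DNSKEY flags field, including the RFC 5011 revoke bit mentioned under −R. It assumes the K&lt;zone&gt;+&lt;alg&gt;+&lt;tag&gt; file naming of dnssec-keygen(8); the function names and the sample keys are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example: read-only audit of a ZKT-managed key directory.
# Function names and sample keys are constructed for illustration.

# Status from the private key file suffix (see -P, -A, -D).
key_state() {
    base=${1%.key}
    if   [ -f "$base.private" ];     then echo active
    elif [ -f "$base.published" ];   then echo published
    elif [ -f "$base.depreciated" ]; then echo depreciated
    else echo no-private-key
    fi
}

# Flags field: the token that follows "DNSKEY" in the .key file.
key_flags() {
    awk '!/^;/ { for (i = 1; i < NF; i++)
                   if ($i == "DNSKEY") { print $(i + 1); exit } }' "$1"
}

# SEP bit (value 1) marks a KSK; bit 8 (value 128) is the RFC 5011 revoke bit.
key_type() {
    flags=${1:-0}
    if [ $((flags & 1)) -ne 0 ]; then t=KSK; else t=ZSK; fi
    if [ $((flags & 128)) -ne 0 ]; then t="$t,revoked"; fi
    echo "$t"
}

# One line per key: file base name, type, status.
audit_keys() {
    for k in "$1"/K*.key; do
        [ -f "$k" ] || continue
        printf '%s %s %s\n' "$(basename "$k" .key)" \
            "$(key_type "$(key_flags "$k")")" "$(key_state "$k")"
    done
}

# Constructed sample directory (key material is dummy text).
make_sample() {
    d=$(mktemp -d) || return 1
    printf '; constructed sample\nexample.net. IN DNSKEY 257 3 8 AwEAAQ==\n' > "$d/Kexample.net.+008+12345.key"
    : > "$d/Kexample.net.+008+12345.private"
    printf 'example.net. 3600 IN DNSKEY 256 3 8 AwEAAQ==\n' > "$d/Kexample.net.+008+23456.key"
    : > "$d/Kexample.net.+008+23456.depreciated"
    printf 'example.net. IN DNSKEY 385 3 8 AwEAAQ==\n' > "$d/Kexample.net.+008+34567.key"
    : > "$d/Kexample.net.+008+34567.private"
    echo "$d"
}

sample=$(make_sample) && audit_keys "$sample" && rm -rf "$sample"
```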
<h2>SAMPLE USAGE
<a name="SAMPLE USAGE"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman</b></p>
<p style="margin-left:22%;">Create a new key signing key
for the zone "example.net". Store the key in the
same directory below "zonedir" where the other
"example.net" keys live.</p>
<p style="margin-left:11%;"><b>zkt-keyman −D 12345
−r .</b></p>
<p style="margin-left:22%;">Depreciate the key with tag
"12345" below the current directory.</p>
<p style="margin-left:11%;"><b>zkt-keyman --view intern</b></p>
<p style="margin-left:22%;">Create a new zone key for the
internal zone example.net.</p>
<p style="margin-left:11%;"><b>zkt-keyman-intern</b></p>
<p style="margin-left:22%;">Same as above. The binary file
<i>zkt−keyman</i> has an additional link named
<i>zkt-keyman-intern</i>, and <i>zkt−keyman</i>
examines argv[0] to find the view whose zones it proceeds to
process.</p>
<h2>ENVIRONMENT VARIABLES
<a name="ENVIRONMENT VARIABLES"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p>
<p style="margin-left:22%;">Specifies the name of the
default global configuration files.</p>
<h2>FILES
<a name="FILES"></a>
</h2>
<p style="margin-left:22%;">Built-in default global
configuration file. The name of the default global config
file is settable via the environment variable
ZKT_CONFFILE.</p>
<p style="margin-left:22%;">View specific global
configuration file.</p>
<p style="margin-left:22%;">Local configuration file (only
used in <b>−C</b> mode).</p>
<h2>BUGS
<a name="BUGS"></a>
</h2>
<h2>AUTHORS
<a name="AUTHORS"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">Holger
Zuleger</p>
<h2>COPYRIGHT
<a name="COPYRIGHT"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">Copyright (c)
2005 − 2008 by Holger Zuleger. Licensed under the BSD
Licences. There is NO warranty; not even for MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.</p>
<h2>SEE ALSO
<a name="SEE ALSO"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8),
zkt-ls(8), zkt-signer(8) <br>
RFC4641 "DNSSEC Operational Practices" by Miek
Gieben and Olaf Kolkman, <br>
DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC</p>
<hr>
</body>
</html>