zkt-ls --list-trustedkeys [ -V|--view view ] [ -c file ] [ -l list ] [ -dhrz ] [{ keyfile | dir } ... ]
zkt-ls -K [ -V|--view view ] [ -c file ] [ -l list ] [ -dhkrz ] [{ keyfile | dir } ... ]
zkt-ls --list-dnskeys [ -V|--view view ] [ -c file ] [ -l list ] [ -dhkrz ] [{ keyfile | dir } ... ]
Other forms of the command print out keys in a format suitable for a trusted-key section ( -T ) or as a DNSKEY ( -K ) resource record.
-V view, --view=view
    Try to read the default configuration out of a file named dnssec-<view>.conf . Instead of specifying the -V or --view option every time, it is also possible to create a hard or soft link to the executable file to give it an additional name like zkt-ls-<view> .
-c file, --config=file
    Read default values from the specified config file. Otherwise the default config file is read or built-in defaults will be used.
-O optstr, --config-option=optstr
    Set any config file option via the command line. Several config file options can be specified in the argument string but have to be delimited by semicolons (or newlines).
-l list, --label=list
    Print out information solely about domains given in the comma or space separated list. Make sure that every domain name has a trailing dot.
-d, --directory
    Skip directory arguments. This is useful in combination with wildcard arguments to prevent dnssec-zkt from listing all keys found in subdirectories. For example "zkt-ls -d *" will print out a list of only the keys found in the current directory. It may be easier to use "zkt-ls ." instead (without -r set). The option works similarly to the -d option of ls(1) .
-L, --left-justify
    Print out the domain name left justified.
-k, --ksk
    Select and print key signing keys only (default depends on command mode).
-z, --zsk
    Select and print zone signing keys only (default depends on command mode).
-r, --recursive
    Recursive mode (default is off).
    Also settable in the dnssec.conf file (Parameter: Recursive).
-p, --path
    Print pathname in listing mode. In -C mode, don't create the new key in the same directory as (already existing) keys with the same label.
-a, --age
    Print age of key in weeks, days, hours, minutes and seconds (default is off).
    Also settable in the dnssec.conf file (Parameter: PrintAge).
-f, --lifetime
    Print the key lifetime.
-e, --exptime
    Print the key expiration time.
-t, --time
    Print the key generation time (default is on).
    Also settable in the dnssec.conf file (Parameter: PrintTime).
-h
    No header or trusted-key section header and trailer in -T mode.
-H, --help
    Print out the online help.
-T, --list-trustedkeys
    List all key signing keys as a named.conf trusted-key section. Use -h to suppress the section header/trailer.
-K, --list-dnskeys
    List the public part of all the keys in DNSKEY resource record format. Use -h to suppress comment lines.
zkt-ls -r .
    Print out a list of all zone keys found below the current directory.
zkt-ls -Z -c ""
    Print out the compiled in default parameters.
zkt-ls -T ./zonedir/example.net
    Print out a trusted-key section containing the key signing keys of "example.net".
zkt-ls --view intern
    Print out a list of all zone keys found below the directory where all the zones of view intern live. There should be a separate dnssec config file dnssec-intern.conf with a directory option for this to take effect.
zkt-ls-intern
    Same as above. A second link named zkt-ls-intern is made to the binary file zkt-ls, and zkt-ls examines argv[0] to find the view whose zones it then processes.
ZKT_CONFFILE
    Specifies the name of the default global configuration file.
/var/named/dnssec.conf
    Built-in default global configuration file. The name of the default global config file is settable via the environment variable ZKT_CONFFILE.
/var/named/dnssec-<view>.conf
    View specific global configuration file.
./dnssec.conf
    Local configuration file (only used in -C mode).
Some of the general options will not be meaningful in all of the command modes.
The option -l and the ksk rollover options insist on domain names ending with a dot.
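Because -l only accepts names with a trailing dot, a wrapper script can normalize its zone list before calling zkt-ls. The following is an added example, not part of ZKT or of this manual page; the function name zkt_label_list is hypothetical.

```shell
# Added example (not part of ZKT): build a -l/--label argument from a
# loosely formatted zone list. Input may be comma or space separated and
# may lack the trailing dot; output is a comma separated list in which
# every name ends with a dot and duplicates are dropped.
# The body runs in a subshell so "set -f" and the variables do not leak.
zkt_label_list() (
    out=""
    # Disable globbing so a stray "*" in the input is not expanded.
    set -f
    for name in $(printf '%s' "$*" | tr ',' ' '); do
        # Append the trailing dot required by -l if it is missing.
        case "$name" in
            *.) ;;
            *)  name="$name." ;;
        esac
        # Skip names that are already in the list.
        case ",$out," in
            *",$name,"*) continue ;;
        esac
        out="${out:+$out,}$name"
    done
    printf '%s\n' "$out"
)

# Intended use (constructed sample zone names):
#   zkt-ls -l "$(zkt_label_list "example.net, sub.example.net")"
```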
RFC4641 "DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman
DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
(http://www.nlnetlabs.nl/dnssec_howto/)