<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
 - 
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-coverage</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-checkds.html" title="dnssec-checkds">
<link rel="next" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-coverage</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-checkds.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry">
<a name="man.dnssec-coverage"></a><div class="titlepage"></div>
  
  

  

  <div class="refnamediv">
<h2>Name</h2>
<p>
    <span class="application">dnssec-coverage</span>
     &#8212; checks future DNSKEY coverage for a zone
  </p>
</div>

  

  <div class="refsynopsisdiv">
<h2>Synopsis</h2>
    <div class="cmdsynopsis"><p>
      <code class="command">dnssec-coverage</code> 
       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
       [<code class="option">-l <em class="replaceable"><code>length</code></em></code>]
       [<code class="option">-f <em class="replaceable"><code>file</code></em></code>]
       [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>]
       [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>]
       [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>]
       [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>]
       [<code class="option">-k</code>]
       [<code class="option">-z</code>]
       [zone...]
    </p></div>
  </div>

  <div class="refsection">
<a name="id-1.14.8.7"></a><h2>DESCRIPTION</h2>

    <p><span class="command"><strong>dnssec-coverage</strong></span>
      verifies that the DNSSEC keys for a given zone or a set of zones
      have timing metadata set properly to ensure no future lapses in DNSSEC
      coverage.
    </p>
    <p>
      If <code class="option">zone</code> is specified, then keys found in
      the key repository matching that zone are scanned, and an ordered
      list is generated of the events scheduled for those keys
      (publication, activation, inactivation and deletion).  The list of
      events is walked in order of occurrence, and a warning is generated
      for any scheduled event that could leave the zone in a state in
      which validation failures might occur: for example, if the number
      of published or active keys for a given algorithm drops to zero, or
      if an old key is deleted from the zone too soon after a new key is
      rolled in, before data signed by the old key has had time to expire
      from resolver caches.
    </p>
    <p>
      If <code class="option">zone</code> is not specified, then all keys in the
      key repository will be scanned, and all zones for which there are
      keys will be analyzed.  (Note: This method of reporting is only
      accurate if all the zones that have keys in a given repository
      share the same TTL parameters.)
    </p>
  </div>

  <div class="refsection">
<a name="id-1.14.8.8"></a><h2>OPTIONS</h2>


    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
          <p>
            Sets the directory in which keys can be found.  Defaults to the
            current working directory.
          </p>
        </dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
          <p>
            If a <code class="option">file</code> is specified, then the zone is
            read from that file; the largest TTL and the DNSKEY TTL are
            determined directly from the zone data, and the
            <code class="option">-m</code> and <code class="option">-d</code> options do
            not need to be specified on the command line.
          </p>
        </dd>
<dt><span class="term">-l <em class="replaceable"><code>duration</code></em></span></dt>
<dd>
          <p>
            The length of time to check for DNSSEC coverage.  Key events
            scheduled further into the future than <code class="option">duration</code>
            will be ignored, and assumed to be correct.
          </p>
          <p>
            The value of <code class="option">duration</code> can be set in seconds,
            or in larger units of time by adding a suffix: 'mi' for minutes,
            'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
            'y' for years.
          </p>
        </dd>
<dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
<dd>
          <p>
            Sets the value to be used as the maximum TTL for the zone or
            zones being analyzed when determining whether there is a
            possibility of validation failure.  When a zone-signing key is
            deactivated, there must be enough time for the record in the
            zone with the longest TTL to have expired from resolver caches
            before that key can be purged from the DNSKEY RRset.  If that
            condition is not met, a warning is generated.
          </p>
          <p>
            The length of the TTL can be set in seconds, or in larger units
            of time by adding a suffix: 'mi' for minutes, 'h' for hours,
            'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
          </p>
          <p>
            This option is not necessary if the <code class="option">-f</code> has
            been used to specify a zone file.  If <code class="option">-f</code> has
            been specified, this option may still be used; it will override
            the value found in the file.
          </p>
          <p>
            If this option is not used and the maximum TTL cannot be retrieved
            from a zone file, a warning is generated and a default value of
            1 week is used.
          </p>
        </dd>
<dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
<dd>
          <p>
            Sets the value to be used as the DNSKEY TTL for the zone or
            zones being analyzed when determining whether there is a
            possibility of validation failure.  When a key is rolled (that
            is, replaced with a new key), there must be enough time for the
            old DNSKEY RRset to have expired from resolver caches before
            the new key is activated and begins generating signatures.  If
            that condition is not met, a warning is generated.
          </p>
          <p>
            The length of the TTL can be set in seconds, or in larger units
            of time by adding a suffix: 'mi' for minutes, 'h' for hours,
            'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
          </p>
          <p>
            This option is not necessary if <code class="option">-f</code> has
            been used to specify a zone file from which the TTL
            of the DNSKEY RRset can be read, or if a default key TTL was
            set using the <code class="option">-L</code> option to
            <span class="command"><strong>dnssec-keygen</strong></span>.  If either of those is true,
            this option may still be used; it will override the value
            found in the zone file or the key file.
          </p>
          <p>
            If this option is not used and the key TTL cannot be retrieved
            from the zone file or the key file, then a warning is generated
            and a default value of 1 day is used.
          </p>
        </dd>
<dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>
<dd>
          <p>
            Sets the value to be used as the resign interval for the zone
            or zones being analyzed when determining whether there is a
            possibility of validation failure.  This value defaults to
            22.5 days, which is also the default in
            <span class="command"><strong>named</strong></span>.  However, if it has been changed
            by the <code class="option">sig-validity-interval</code> option in
            <code class="filename">named.conf</code>, then it should also be
            changed here.
          </p>
          <p>
            The length of the interval can be set in seconds, or in larger
            units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
            'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
          </p>
        </dd>
<dt><span class="term">-k</span></dt>
<dd>
          <p>
	    Only check KSK coverage; ignore ZSK events. Cannot be
            used with <code class="option">-z</code>.
          </p>
        </dd>
<dt><span class="term">-z</span></dt>
<dd>
          <p>
	    Only check ZSK coverage; ignore KSK events. Cannot be
            used with <code class="option">-k</code>.
          </p>
        </dd>
<dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt>
<dd>
          <p>
            Specifies a path to a <span class="command"><strong>named-compilezone</strong></span> binary.
            Used for testing.
          </p>
        </dd>
</dl></div>
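    <p>
      The following Python is added here as an illustration; it is not part of
      BIND or of the <span class="command"><strong>dnssec-coverage</strong></span>
      script itself.  It models the checks described in DESCRIPTION and under
      the <code class="option">-l</code>, <code class="option">-m</code> and
      <code class="option">-d</code> options: it reads the timing metadata that
      <span class="command"><strong>dnssec-keygen</strong></span> writes into
      K*.key files, orders the publish, activate, inactive and delete events,
      walks them up to the coverage horizon, and reports a rolled key that was
      published less than one DNSKEY TTL before it activates, a ZSK deleted less
      than the zone's maximum TTL after going inactive, and any moment at which an
      algorithm is left with no active key.  The key files are constructed for
      the example, the 30-day month and 365-day year behind the 'mo' and 'y'
      suffixes are assumptions, and the resign interval
      (<code class="option">-r</code>) is left out because the page does not say
      how it enters the calculation.
    </p>

```python
"""Model of the event walk described in dnssec-coverage(8).  Added example, not
ISC's code: the K*.key texts are constructed and the two timing rules follow the
page's -d and -m descriptions (publish a rolled key one DNSKEY TTL before it
activates; keep an inactive ZSK published for the zone's maximum TTL)."""
import re
from datetime import datetime, timedelta

# Duration suffixes as documented for -l/-m/-d/-r.  The 30-day month and 365-day
# year are this example's assumptions; the page only names the suffixes.
_UNITS = {"": 1, "mi": 60, "h": 3600, "d": 86400, "w": 7 * 86400,
          "mo": 30 * 86400, "y": 365 * 86400}
# Additions sort before removals at equal timestamps, so a key rolled at the
# same instant as its predecessor is not reported as a gap.
_ORDER = {"publish": 0, "activate": 1, "inactive": 2, "delete": 3}
NOW = datetime(2020, 3, 1)              # "current time" used by the sample run


def parse_duration(text):
    """'3600' -> 3600, '1d' -> 86400, '2mo' -> 5184000."""
    m = re.fullmatch(r"\s*(\d+)\s*(mi|mo|h|d|w|y)?\s*", text)
    if not m:
        raise ValueError("bad duration: %r" % text)
    return int(m.group(1)) * _UNITS[m.group(2) or ""]


def parse_keyfile(text):
    """Read the timing metadata and the DNSKEY RR from a K*.key file's text."""
    key = {"ttl": None}
    for line in text.splitlines():
        m = re.match(r";\s*This is a (key|zone)-signing key, keyid (\d+),", line)
        if m:
            key.update(ksk=(m.group(1) == "key"), id=int(m.group(2)))
            continue
        m = re.match(r";\s*(Publish|Activate|Inactive|Delete):\s*(\d{14})", line)
        if m:
            key[m.group(1).lower()] = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
            continue
        f = line.split()                # owner [ttl] IN DNSKEY flags proto alg key
        if "DNSKEY" in f:
            if f[1].isdigit():          # a TTL is present only if keygen -L was used
                key["ttl"] = int(f[1])
            key["alg"] = int(f[f.index("DNSKEY") + 3])
    return key


def check_coverage(keys, now, window, max_ttl=7 * 86400, dnskey_ttl=None, only=None):
    """Walk key events up to now+window (-l); return (when, keyid, code) problems.
    max_ttl/dnskey_ttl act like -m/-d (page defaults: 1 week, and the key file's
    TTL or 1 day when -d is not given).  only='ksk'/'zsk' mirrors -k/-z."""
    horizon = now + timedelta(seconds=window)
    if only:
        keys = [k for k in keys if k["ksk"] == (only == "ksk")]
    events = sorted((k[ev], _ORDER[ev], k["id"], ev, k) for k in keys
                    for ev in _ORDER if ev in k and k[ev] <= horizon)
    active, problems = {}, []
    for when, _, kid, ev, k in events:
        live = active.setdefault((k["alg"], k["ksk"]), set())  # active keys per alg/role
        report = when >= now                                   # past events only set state
        if ev == "activate":
            ttl = dnskey_ttl if dnskey_ttl is not None else (k["ttl"] or 86400)
            # -d rule: a key joining already-active keys is a roll; caches must have
            # seen the enlarged DNSKEY RRset for one TTL before it starts signing.
            if report and live and "publish" in k and (when - k["publish"]).total_seconds() < ttl:
                problems.append((when, kid, "published-too-late"))
            live.add(kid)
        elif ev == "delete" and report and not k["ksk"] and "inactive" in k \
                and (when - k["inactive"]).total_seconds() < max_ttl:
            # -m rule: RRsets signed by the old ZSK may still sit in resolver caches.
            problems.append((when, kid, "deleted-too-soon"))
        if ev in ("inactive", "delete") and kid in live:
            live.remove(kid)
            if report and not live:
                problems.append((when, kid, "no-active-keys"))
    return problems


# Constructed sample key files for example.com. (algorithm 13); not real keys.  20001
# is deleted a day after going inactive; 20002 is published only 12 hours before it
# activates and is never replaced.
SAMPLE_KEYS = ["""\
; This is a key-signing key, keyid 12345, for example.com.
; Publish: 20200101000000
; Activate: 20200101000000
example.com. 3600 IN DNSKEY 257 3 13 key-material-omitted
""", """\
; This is a zone-signing key, keyid 20001, for example.com.
; Publish: 20200101000000
; Activate: 20200101000000
; Inactive: 20200401000000
; Delete: 20200402000000
example.com. 3600 IN DNSKEY 256 3 13 key-material-omitted
""", """\
; This is a zone-signing key, keyid 20002, for example.com.
; Publish: 20200331120000
; Activate: 20200401000000
; Inactive: 20200701000000
; Delete: 20200801000000
example.com. 3600 IN DNSKEY 256 3 13 key-material-omitted
"""]
KEYS = [parse_keyfile(t) for t in SAMPLE_KEYS]

if __name__ == "__main__":               # same question as: -l 1y -m 1w -d 1d
    for when, kid, code in check_coverage(KEYS, NOW, parse_duration("1y"),
                                          parse_duration("1w"), parse_duration("1d")):
        print(when.isoformat(), "keyid", kid, code)
```

    <p>
      Run as a script, the example reports three findings for the sample keys:
      20002 published too late for its activation, 20001 deleted too soon after
      going inactive, and no active ZSK for algorithm 13 from July onward.
      Calling <code class="function">check_coverage()</code> with a window of
      <code class="literal">2mo</code> drops the July finding, which is how the
      <code class="option">-l</code> horizon behaves; omitting the -d value falls
      back to the 3600-second TTL recorded in the key files, and the 12-hour gap
      then passes.
    </p>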
  </div>

  <div class="refsection">
<a name="id-1.14.8.9"></a><h2>SEE ALSO</h2>

    <p>
      <span class="citerefentry">
        <span class="refentrytitle">dnssec-checkds</span>(8)
      </span>,
      <span class="citerefentry">
        <span class="refentrytitle">dnssec-dsfromkey</span>(8)
      </span>,
      <span class="citerefentry">
        <span class="refentrytitle">dnssec-keygen</span>(8)
      </span>,
      <span class="citerefentry">
        <span class="refentrytitle">dnssec-signzone</span>(8)
      </span>
    </p>
  </div>

</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-checkds.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnssec-checkds</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> <span class="application">dnssec-dsfromkey</span>
</td>
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.21 (Extended Support Version)</p>
</body>
</html>