other versions
- jessie 1:9.9.5.dfsg-9+deb8u15
- stretch 1:9.10.3.dfsg.P4-12.3+deb9u4
- testing 1:9.11.5.P1+dfsg-2
- stretch-backports 1:9.11.5.P4+dfsg-1~bpo9+1
- unstable 1:9.11.5.P4+dfsg-1
- experimental 1:9.13.3-1
| DNSSEC-COVERAGE(8) | BIND9 | DNSSEC-COVERAGE(8) |
NAME¶
dnssec-coverage - checks future DNSKEY coverage for a zoneSYNOPSIS¶
dnssec-coverage
[-K directory] [
-f file] [
-d DNSKEY TTL] [
-m max TTL]
[-r interval] [
-c compilezone path] [zone]
DESCRIPTION¶
dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC coverage. If zone is specified, then keys found in the key repository matching that zone are scanned, and an ordered list is generated of the events scheduled for that key (i.e., publication, activation, inactivation, deletion). The list of events is walked in order of occurrence. Warnings are generated if any event is scheduled which could cause the zone to enter a state in which validation failures might occur: for example, if the number of published or active keys for a given algorithm drops to zero, or if a key is deleted from the zone too soon after a new key is rolled, and cached data signed by the prior key has not had time to expire from resolver caches. If zone is not specified, then all keys in the key repository will be scanned, and all zones for which there are keys will be analyzed. (Note: This method of reporting is only accurate if all the zones that have keys in a given repository share the same TTL parameters.)OPTIONS¶
-f fileIf a file is specified, then the zone is read from
that file; the largest TTL and the DNSKEY TTL are determined directly from the
zone data, and the -m and -d options do not need to be specified
on the command line.
-K directory
Sets the directory in which keys can be found. Defaults
to the current working directory.
-m maximum TTL
Sets the value to be used as the maximum TTL for the zone
or zones being analyzed when determining whether there is a possibility of
validation failure. When a zone-signing key is deactivated, there must be
enough time for the record in the zone with the longest TTL to have expired
from resolver caches before that key can be purged from the DNSKEY RRset. If
that condition does not apply, a warning will be generated.
The length of the TTL can be set in seconds, or in larger units of time by
adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for days, 'w' for weeks,
'mo' for months, 'y' for years.
This option is mandatory unless the -f has been used to specify a zone
file. (If -f has been specified, this option may still be used; it will
overrde the value found in the file.)
-d DNSKEY TTL
Sets the value to be used as the DNSKEY TTL for the zone
or zones being analyzed when determining whether there is a possibility of
validation failure. When a key is rolled (that is, replaced with a new key),
there must be enough time for the old DNSKEY RRset to have expired from
resolver caches before the new key is activated and begins generating
signatures. If that condition does not apply, a warning will be generated.
The length of the TTL can be set in seconds, or in larger units of time by
adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for days, 'w' for weeks,
'mo' for months, 'y' for years.
This option is mandatory unless the -f has been used to specify a zone
file, or a default key TTL was set with the -L to dnssec-keygen.
(If either of those is true, this option may still be used; it will overrde
the value found in the zone or key file.)
-r resign interval
Sets the value to be used as the resign interval for the
zone or zones being analyzed when determining whether there is a possibility
of validation failure. This value defaults to 22.5 days, which is also the
default in named. However, if it has been changed by the
sig-validity-interval option in named.conf, then it should also
be changed here.
The length of the interval can be set in seconds, or in larger units of time by
adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for days, 'w' for weeks,
'mo' for months, 'y' for years.
-c compilezone path
Specifies a path to a named-compilezone binary.
Used for testing.
SEE ALSO¶
dnssec-checkds(8), dnssec-dsfromkey(8), dnssec-keygen(8), dnssec-signzone(8)AUTHOR¶
Internet Systems ConsortiumCOPYRIGHT¶
Copyright © 2013 Internet Systems Consortium, Inc. ("ISC")| April 16, 2012 | BIND9 |