FIXKRF(1p) User Contributed Perl Documentation FIXKRF(1p)
NAME
fixkrf - Fixes DNSSEC-Tools keyrec files whose encryption key files have been moved
SYNOPSIS
fixkrf [options] <keyrec-file> <dir 1> ... <dir N>
DESCRIPTION
fixkrf checks a specified keyrec file to ensure that the referenced encryption key files exist where listed. If a key is not where the
keyrec specifies it should be, then fixkrf will search the given directories for those keys and adjust the keyrec to match reality. If a
key of a particular filename is found in multiple places, a warning will be printed and the keyrec file will not be changed for that key.
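The check described above can be rehearsed read-only before fixkrf is allowed to rewrite a keyrec. The following is an added example, not code from fixkrf or DNSSEC-Tools; it assumes key locations are stored in keyrec lines of the form keypath "<file>", and the key names and directories in demo() are constructed.

```python
import os
import re
import tempfile

# Assumption: each key's location is stored as a line   keypath "<file>"
# (confirm the field name against keyrec(5) for your DNSSEC-Tools version).
KEYPATH_RE = re.compile(r'^\s*keypath\s+"([^"]+)"', re.MULTILINE)


def audit_keyrec(keyrec_text, search_dirs):
    """Return {listed_path: (status, candidates)} without modifying anything."""
    report = {}
    for listed in KEYPATH_RE.findall(keyrec_text):
        if os.path.isfile(listed):
            report[listed] = ("ok", [listed])
            continue
        name = os.path.basename(listed)
        # Looks directly inside each directory only; the page does not say
        # whether fixkrf itself descends into subdirectories.
        hits = sorted({os.path.join(d, name) for d in search_dirs
                       if os.path.isfile(os.path.join(d, name))})
        if len(hits) == 1:
            report[listed] = ("moved", hits)      # entry would be rewritten
        elif hits:
            report[listed] = ("ambiguous", hits)  # warning, entry left as is
        else:
            report[listed] = ("missing", [])      # found in no directory
    return report


def demo():
    """Constructed sample: four keys listed under old/, searched in a/ and b/."""
    names = ["Kexample.com.+005+%05d.key" % (i * 11111) for i in range(1, 5)]
    with tempfile.TemporaryDirectory() as top:
        old, a, b = (os.path.join(top, d) for d in ("old", "a", "b"))
        for d in (old, a, b):
            os.mkdir(d)
        placement = {names[0]: [old], names[1]: [a], names[2]: [a, b]}
        for name, dirs in placement.items():
            for d in dirs:
                open(os.path.join(d, name), "w").close()
        keyrec = "".join('key "%s"\n\tkeypath "%s"\n' % (n[:-4], os.path.join(old, n))
                         for n in names)
        report = audit_keyrec(keyrec, [a, b])
        return {os.path.basename(p): status for p, (status, _) in report.items()}


if __name__ == "__main__":
    for key, status in demo().items():
        print(f"{status:10} {key}")
```

An "ambiguous" result is the case where fixkrf prints a warning and leaves the entry unchanged; it also means copies of the same key file exist in more than one directory, which is worth resolving by hand.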
OPTIONS
-list
Display output about missing keys, but don't fix the keyrec file.
-verbose
Display output about found keys as well as missing keys.
-Version
Display version information for fixkrf and DNSSEC-Tools.
-help
Display a usage message.
COPYRIGHT
Copyright 2004-2012 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.
AUTHOR
Wayne Morrison, tewok@tislabs.com
SEE ALSO
cleankrf(8), genkrf(8), lskrf(8), zonesigner(8)
Net::DNS::SEC::Tools::keyrec.pm(3)
file-keyrec.pm(5)
perl v5.14.2 2012-06-21 FIXKRF(1p)
GENKRF(1p) User Contributed Perl Documentation GENKRF(1p)
NAME
genkrf - Generate a keyrec file from Key Signing Key (KSK) and/or Zone Signing Key (ZSK) files
SYNOPSIS
genkrf [options] <zone-file> [<signed-zone-file>]
DESCRIPTION
genkrf generates a keyrec file from KSK and/or ZSK files. It generates new KSK and ZSK keys if needed.
The name of the keyrec file to be generated is given by the -krfile option. If this option is not specified, zone-name.krf is used as the
name of the keyrec file. If the keyrec file already exists, it will be overwritten with new keyrec definitions.
The zone-file argument is required. It specifies the name of the zone file from which the signed zone file was created. The optional
signed-zone-file argument specifies the name of the signed zone file. If it is not given, then it defaults to zone-file.signed. The
signed zone file field is, in effect, a dummy field as the zone file is not actually signed.
OPTIONS
genkrf has a number of options that assist in creation of the keyrec file. These options will be set to the first value found from this
search path:
command line options
DNSSEC-Tools configuration file
DNSSEC-Tools defaults
See tooloptions.pm(3) for more details. Exceptions to this are given in the option descriptions.
The genkrf options are described below.
General genkrf Options
-zone zone-name
This option specifies the name of the zone. If it is not given then zone-file will be used as the name of the zone.
-krfile keyrec-file
This option specifies the name of the keyrec file to be generated. If it is not given, then zone-name.krf will be used.
-algorithm algorithm
This option specifies the algorithm used to generate encryption keys.
-endtime endtime
This option specifies the time that the signature on the zone expires, measured in seconds.
-random random-device
Source of randomness used to generate the zone's keys. See the man page for dnssec-signzone for the valid format of this field.
-verbose
Display additional messages during processing. If this option is given at least once, then a message will be displayed indicating the
successful generation of the keyrec file. If it is given twice, then the values of all options will also be displayed.
-Version
Displays the version information for genkrf and the DNSSEC-Tools package.
-help
Display a usage message.
KSK-related Options
-kskcur KSK-name
This option specifies the Current KSK's key file being used to sign the zone. If this option is not given, a new KSK will be created.
-kskcount KSK-count
This option specifies the number of KSK keys that will be generated. If this option is not given, the default given in the DNSSEC-
Tools configuration file will be used.
-kskdir KSK-directory
This option specifies the absolute or relative path of the directory where the KSK resides. If this option is not given, it defaults
to the current directory ".".
-ksklength KSK-length
This option specifies the length of the KSK encryption key.
-ksklife KSK-lifespan
This option specifies the lifespan of the KSK encryption key. This lifespan is not inherent to the key itself. It is only used to
determine when the KSK must be rolled over.
ZSK-related Options
-zskcur ZSK-name
This option specifies the current ZSK being used to sign the zone. If this option is not given, a new ZSK will be created.
-zskpub ZSK-name
This option specifies the published ZSK for the zone. If this option is not given, a new ZSK will be created.
-zskcount ZSK-count
This option specifies the number of current and published ZSK keys that will be generated. If this option is not given, the default
given in the DNSSEC-Tools configuration file will be used.
-zskdir ZSK-directory
This option specifies the absolute or relative path of the directory where the ZSKs reside. If this option is not given, it defaults
to the current directory ".".
-zsklength ZSK-length
This option specifies the length of the ZSK encryption key.
-zsklife ZSK-lifespan
This option specifies the lifespan of the ZSK encryption key. This lifespan is not inherent to the key itself. It is only used to
determine when the ZSK must be rolled over.
COPYRIGHT
Copyright 2005-2012 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.
AUTHOR
Wayne Morrison, tewok@tislabs.com
SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), zonesigner(8)
Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3), Net::DNS::SEC::Tools::keyrec.pm(3)
conf(5), keyrec(5)
perl v5.14.2 2012-06-21 GENKRF(1p)