cleankrf(1p) [debian man page]
CLEANKRF(1p) User Contributed Perl Documentation CLEANKRF(1p) NAME
cleankrf - Clean a DNSSEC-Tools keyrec files of old data SYNOPSIS
cleankrf [options] <keyrec-files> DESCRIPTION
cleankrf cleans old data out of a set of DNSSEC-Tools keyrec files. The old data are obsolete signing sets, orphaned keys, and obsolete keys. Obsolete signing sets are set keyrecs unreferenced by a zone keyrec. Revoked signing sets are considered obsolete by cleankrf. Orphaned keys are KSK and ZSK key keyrecs unreferenced by a set keyrec. Obsolete keys are key keyrecs with a keyrec_type of kskobs or zskobs. cleankrf's exit code is the count of orphaned and obsolete keyrecs found. OPTIONS
-count Display a final count of old keyrecs found in the keyrec files. This option allows the count to be displayed even if the -quiet option is given. -list The key keyrecs are checked for old keyrecs, but they are not removed from the keyrec file. The names of the old keyrecs are displayed. -rm Delete the key files, both .key and .private, from orphaned and expired keyrecs. -quiet Display no output. -verbose Display output about referenced keys and unreferenced keys. -Version Displays the version information for cleankrf and the DNSSEC-Tools package. -help Display a usage message. COPYRIGHT
Copyright 2004-2012 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details. AUTHOR
Wayne Morrison, tewok@tislabs.com SEE ALSO
fixkrf(8), lskrf(8), zonesigner(8) Net::DNS::SEC::Tools::keyrec.pm(3) file-keyrec.pm(5) perl v5.14.2 2012-06-21 CLEANKRF(1p)
Check Out this Related Man Page
KEYMOD(1p) User Contributed Perl Documentation KEYMOD(1p) NAME
keymod - Modifies key parameters in a DNSSEC-Tools keyrec file SYNOPSIS
keymod [options] keyrec1 ... keyrecN DESCRIPTION
keymod modifies the key parameters in a keyrec file that are used to generate cryptographics keys used to sign zones. The new parameters will be used by zonesigner when generating new keys. It has no effect on existing keys. zonesigner will use the new parameter for a zone the next time it generates a key that requires that parameter. This means that, for example, a new ZSK length will not be used during the next invocation of zonesigner if that invocation will be performing KSK-rollover actions. The following fields may be modified: kskcount - count of KSK keys ksklength - length of KSK keys ksklife - lifetime of KSK keys random - random number generator device file revperiod - revocation period for KSK keys zskcount - count of ZSK keys zsklength - length of ZSK keys zsklife - lifetime of ZSK keys New key/value fields will be added to a zone keyrec file to inform zonesigner that new values should be used. The key portion of the added fields will begin with "new_". For example, a new KSK length of 2048 will be written to the keyrec file as: new_ksklength 2048 All zone records in the specified keyrec file will be modified, unless the -zone option is given. In that case, only the named zone will be modified. If a zone keyrec already contains a new key/value field, then the value will be modified on subsequent runs of keymod. OPTIONS
keymod recognizes the following options. Multiple options may be combined in a single keymod execution. All numeric values must be positive or zero. If a new key/value field should be deleted from a zone keyrec, then a zero or empty string value should be specified for the appropriate option. -zone zonename The zone keyrec whose name matches zonename is selected as the only keyrec that will be modified. If this name is not given, then all zone keyrec records will be modified. -ksklength ksklength The ksklength field will be modified in the selected keyrec records to the given value. This is a numeric field whose values depend on the cryptographic algorithm to be used to generate keys for the zone. -kskcount kskcount The kskcount field will be modified in the selected keyrec records to the given value. This is a numeric field. -ksklife ksklife The ksklife field will be modified in the selected keyrec records to the given value. This is a numeric field. -random random The random field will be modified in the selected keyrec records to the given value. This is a text field that will be passed to the key generator. -revperiod revperiod The revperiod field will be modified in the selected keyrec records to the given value. This is a numeric field. -zskcount zskcount The zskcount field will be modified in the selected keyrec records to the given value. This is a numeric field. -zsklength zsklength The zsklength field will be modified in the selected keyrec records to the given value. This is a numeric field whose values depend on the cryptographic algorithm to be used to generate keys for the zone. -zsklife zsklife The zsklife field will be modified in the selected keyrec records to the given value. This is a numeric field. -nocheck If this option is given, the krfcheck command will not be run on the modified keyrec file. -verbose Display information about every modification made to the keyrec file. -Version Displays the version information for keymod and the DNSSEC-Tools package. -help Display a usage message. COPYRIGHT
Copyright 2012 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details. AUTHOR
Wayne Morrison, tewok@tislabs.com SEE ALSO
zonesigner(8), krfcheck(8) Net::DNS::SEC::Tools::keyrec.pm(3) file-keyrec(5) perl v5.14.2 2012-06-21 KEYMOD(1p)