FIXKRF(1p) User Contributed Perl Documentation FIXKRF(1p)
NAME
fixkrf - Fixes DNSSEC-Tools keyrec files whose encryption key files have been moved
SYNOPSIS
fixkrf [options] <keyrec-file> <dir 1> ... <dir N>
DESCRIPTION
fixkrf checks a specified keyrec file to ensure that the referenced encryption key files exist where listed. If a key is not where the
keyrec specifies it should be, then fixkrf will search the given directories for those keys and adjust the keyrec to match reality. If a
key of a particular filename is found in multiple places, a warning will be printed and the keyrec file will not be changed for that key.
OPTIONS
-list
Display output about missing keys, but don't fix the keyrec file.
-verbose
Display output about found keys as well as missing keys.
-Version
Display version information for fixkrf and DNSSEC-Tools.
-help
Display a usage message.
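EXAMPLES
The decision described under DESCRIPTION (leave a key alone, relocate it, report it missing, or refuse because it was found in multiple places), sketched in Python as an added example; this is not fixkrf's own code. It assumes the key paths have already been extracted from the keyrec into a list and that directories are searched non-recursively; the function names, directory layout and key file names are constructed for illustration.

```python
import os
import tempfile

def plan_key_fixes(listed_paths, search_dirs):
    """Map each keyrec-listed key path to (status, detail) without changing anything."""
    plan = {}
    for listed in listed_paths:
        if os.path.isfile(listed):
            plan[listed] = ("ok", listed)          # key is where the keyrec says
            continue
        name = os.path.basename(listed)
        # realpath collapses one file reached via two directory spellings or symlinks,
        # so only genuinely distinct copies count as "multiple places".
        hits = sorted({os.path.realpath(os.path.join(d, name))
                       for d in search_dirs
                       if os.path.isfile(os.path.join(d, name))})
        if not hits:
            plan[listed] = ("missing", None)       # report only, nothing to fix
        elif len(hits) == 1:
            plan[listed] = ("relocate", hits[0])   # safe to point the keyrec here
        else:
            plan[listed] = ("ambiguous", hits)     # warn, leave the keyrec entry alone
    return plan

def demo():
    """Build a constructed key tree and return the plan with root-relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        dirs = {d: os.path.join(root, d) for d in ("old", "new", "backup")}
        for path in dirs.values():
            os.mkdir(path)
        def touch(d, tag):
            open(os.path.join(dirs[d], f"Kexample.com.+005+{tag}.key"), "w").close()
        touch("old", "11111")       # never moved
        touch("new", "22222")       # moved once
        touch("new", "33333")       # two copies of the same filename
        touch("backup", "33333")
        listed = [os.path.join(dirs["old"], f"Kexample.com.+005+{t}.key")
                  for t in ("11111", "22222", "33333", "44444")]
        def rel(x):
            if isinstance(x, list):
                return [rel(p) for p in x]
            return x and os.path.relpath(x, root).replace(os.sep, "/")
        plan = plan_key_fixes(listed, [dirs["new"], dirs["backup"]])
        return {os.path.basename(k)[-9:-4]: (s, rel(d)) for k, (s, d) in plan.items()}

if __name__ == "__main__":
    for tag, result in demo().items():
        print(tag, result)
```

Refusing to choose between two copies of a key file keeps the keyrec from silently pointing at a stale or unintended key; the operator resolves the duplicate first.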
COPYRIGHT
Copyright 2004-2012 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.
AUTHOR
Wayne Morrison, tewok@tislabs.com
SEE ALSO
cleankrf(8), genkrf(8), lskrf(8), zonesigner(8)
Net::DNS::SEC::Tools::keyrec.pm(3)
file-keyrec.pm(5)
perl v5.14.2 2012-06-21 FIXKRF(1p)
KRFCHECK(1p) User Contributed Perl Documentation KRFCHECK(1p)
NAME
krfcheck - Check a DNSSEC-Tools keyrec file for problems and inconsistencies
SYNOPSIS
krfcheck [-zone | -set | -key] [-count] [-quiet]
[-verbose] [-Version] [-help] keyrec-file
DESCRIPTION
This script checks a keyrec file for problems, potential problems, and inconsistencies.
Recognized problems include:
o no zones defined
The keyrec file does not contain any zone keyrecs.
o no sets defined
The keyrec file does not contain any set keyrecs.
o no keys defined
The keyrec file does not contain any key keyrecs.
o unknown zone keyrecs
A set keyrec or a key keyrec references a non-existent zone keyrec.
o missing key from zone keyrec
A zone keyrec does not have both a KSK key and a ZSK key.
o missing key from set keyrec
A key listed in a set keyrec does not have a key keyrec.
o expired zone keyrecs
A zone has expired.
o mislabeled key
A key is labeled as a KSK (or ZSK) and its owner zone has it labeled as the opposite.
o invalid zone data values
A zone's keyrec data are checked to ensure that they are valid. The following conditions are checked: existence of the zone file,
existence of the KSK file, existence of the KSK and ZSK directories, the end-time is greater than one day, and the seconds-count and
date string match.
o invalid key data values
A key's keyrec data are checked to ensure that they are valid. The following conditions are checked: valid encryption algorithm, key
length falls within algorithm's size range, random generator file exists, and the seconds-count and date string match.
Recognized potential problems include:
o imminent zone expiration
A zone will expire within one week.
o odd zone-signing date
A zone's recorded signing date is later than the current system clock.
o orphaned keys
A key keyrec is unreferenced by any set keyrec.
o missing key directories
A zone keyrec's key directories (kskdirectory or zskdirectory) do not exist.
Recognized inconsistencies include:
o key-specific fields in a zone keyrec
A zone keyrec contains key-specific entries. To allow for site-specific extensibility, krfcheck does not check for undefined keyrec
fields.
o zone-specific fields in a key keyrec
A key keyrec contains zone-specific entries. To allow for site-specific extensibility, krfcheck does not check for undefined keyrec
fields.
o mismatched zone timestamp
A zone's seconds-count timestamp does not match its textual timestamp.
o mismatched set timestamp
A set's seconds-count timestamp does not match its textual timestamp.
o mismatched key timestamp
A key's seconds-count timestamp does not match its textual timestamp.
OPTIONS
-zone
Only perform checks of zone keyrecs. This option may not be combined with the -set or -key options.
-set
Only perform checks of set keyrecs. This option may not be combined with the -zone or -key options.
-key
Only perform checks of key keyrecs. This option may not be combined with the -set or -zone options.
-count
Display a final count of errors.
-quiet
Do not display messages. This option supersedes the setting of the -verbose option.
-verbose
Display many messages. This option is subordinate to the -quiet option.
-Version
Displays the version information for krfcheck and the DNSSEC-Tools package.
-help
Display a usage message.
COPYRIGHT
Copyright 2004-2012 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.
AUTHOR
Wayne Morrison, tewok@tislabs.com
SEE ALSO
cleankrf(8), fixkrf(8), lskrf(1), zonesigner(8)
Net::DNS::SEC::Tools::keyrec.pm(3)
file-keyrec(5)
perl v5.14.2 2012-06-21 KRFCHECK(1p)