Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

fixkrf(1p) [debian man page]

FIXKRF(1p)						User Contributed Perl Documentation						FIXKRF(1p)

NAME

       fixkrf - Fixes DNSSEC-Tools keyrec files whose encryption key files have been moved

SYNOPSIS

	 fixkrf [options] <keyrec-file> <dir 1> ... <dir N>

DESCRIPTION

       fixkrf checks a specified keyrec file to ensure that the referenced encryption key files exist where listed.  If a key is not where the
       keyrec specifies it should be, then fixkrf will search the given directories for those keys and adjust the keyrec to match reality.  If a
       key of a particular filename is found in multiple places, a warning will be printed and the keyrec file will not be changed for that key.

OPTIONS

       -list
	   Display output about missing keys, but don't fix the keyrec file.

       -verbose
	   Display output about found keys as well as missing keys.

       -Version
	   Display version information for fixkrf and DNSSEC-Tools.

       -help
	   Display a usage message.

COPYRIGHT

       Copyright 2004-2012 SPARTA, Inc.  All rights reserved.  See the COPYING file included with the DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@tislabs.com

SEE ALSO

       cleankrf(8), genkrf(8), lskrf(8), zonesigner(8)

       Net::DNS::SEC::Tools::keyrec.pm(3)

       file-keyrec.pm(5)

perl v5.14.2							    2012-06-21								FIXKRF(1p)

Check Out this Related Man Page

KRFCHECK(1p)						User Contributed Perl Documentation					      KRFCHECK(1p)

NAME

       krfcheck - Check a DNSSEC-Tools keyrec file for problems and inconsistencies

SYNOPSIS

	 krfcheck [-zone | -set | -key] [-count] [-quiet]
		  [-verbose] [-Version] [-help] keyrec-file

DESCRIPTION

       This script checks a keyrec file for problems, potential problems, and inconsistencies.

       Recognized problems include:

       o   no zones defined

	   The keyrec file does not contain any zone keyrecs.

       o   no sets defined

	   The keyrec file does not contain any set keyrecs.

       o   no keys defined

	   The keyrec file does not contain any key keyrecs.

       o   unknown zone keyrecs

	   A set keyrec or a key keyrec references a non-existent zone keyrec.

       o   missing key from zone keyrec

	   A zone keyrec does not have both a KSK key and a ZSK key.

       o   missing key from set keyrec

	   A key listed in a set keyrec does not have a key keyrec.

       o   expired zone keyrecs

	   A zone has expired.

       o   mislabeled key

	   A key is labeled as a KSK (or ZSK) and its owner zone has it labeled as the opposite.

       o   invalid zone data values

	   A zone's keyrec data are checked to ensure that they are valid.  The following conditions are checked:  existence of the zone file,
	   existence of the KSK file, existence of the KSK and ZSK directories, the end-time is greater than one day, and the seconds-count and
	   date string match.

       o   invalid key data values

	   A key's keyrec data are checked to ensure that they are valid.  The following conditions are checked:  valid encryption algorithm, key
	   length falls within algorithm's size range, random generator file exists, and the seconds-count and date string match.

       Recognized potential problems include:

       o   imminent zone expiration

	   A zone will expire within one week.

       o   odd zone-signing date

	   A zone's recorded signing date is later than the current system clock.

       o   orphaned keys

	   A key keyrec is unreferenced by any set keyrec.

       o   missing key directories

	   A zone keyrec's key directories (kskdirectory or zskdirectory) does not exist.

       Recognized inconsistencies include:

       o   key-specific fields in a zone keyrec

	   A zone keyrec contains key-specific entries.  To allow for site-specific extensibility, krfcheck does not check for undefined keyrec
	   fields.

       o   zone-specific fields in a key keyrec

	   A key keyrec contains zone-specific entries.  To allow for site-specific extensibility, krfcheck does not check for undefined keyrec
	   fields.

       o   mismatched zone timestamp

	   A zone's seconds-count timestamp does not match its textual timestamp.

       o   mismatched set timestamp

	   A set's seconds-count timestamp does not match its textual timestamp.

       o   mismatched key timestamp

	   A key's seconds-count timestamp does not match its textual timestamp.

OPTIONS

       -zone
	   Only perform checks of zone keyrecs.  This option may not be combined with the -set or -key options.

       -set
	   Only perform checks of set keyrecs.	This option may not be combined with the -zone or -key options.

       -key
	   Only perform checks of key keyrecs.	This option may not be combined with the -set or -zone options.

       -count
	   Display a final count of errors.

       -quiet
	   Do not display messages.  This option supersedes the setting of the -verbose option.

       -verbose
	   Display many messages.  This option is subordinate to the -quiet option.

       -Version
	   Displays the version information for krfcheck and the DNSSEC-Tools package.

       -help
	   Display a usage message.

COPYRIGHT

       Copyright 2004-2012 SPARTA, Inc.  All rights reserved.  See the COPYING file included with the DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@tislabs.com

SEE ALSO

       cleankrf(8), fixkrf(8), lskrf(1), zonesigner(8)

       Net::DNS::SEC::Tools::keyrec.pm(3)

       file-keyrec(5)

perl v5.14.2							    2012-06-21							      KRFCHECK(1p)
Man Page