keyarch(1p) [debian man page]

KEYARCH(1p)						User Contributed Perl Documentation					       KEYARCH(1p)

NAME
       keyarch - DNSSEC-Tools daemon to archive old KSK and ZSK keys

SYNOPSIS
       keyarch [options] <keyrec_file | rollrec_file>

DESCRIPTION
       The keyarch program archives old KSK and ZSK keys. Keys are considered old if they are revoked or obsolete. Keys marked as either kskrev or zskrev are revoked; keys marked as either kskobs or zskobs are obsolete. Archived keys are prefixed with the seconds-since-epoch as a means of distinguishing a zone's keys that have the same five digit number.

       If the required file argument is a keyrec file, then expired keys listed in that file are archived. If the file argument is a rollrec file, the keyrec files of the zones in that file are checked for expired keys.

       If the -zone option is given, then only revoked and obsolete keys belonging to the specified zone will be archived.

       The archive directory is either zone-specific (listed in the zone's keyrec record in the zone's keyrec file) or the default archive directory given in the DNSSEC-Tools configuration file.

       The count of archived keys is given as the program's exit code. Error exit codes are negative.

OPTIONS
       The following options are recognized:

       -zone zone_file
              Name of the zone whose KSKs will be archived. If this is not given, then all the zones defined in the rollrec file will be checked.

       -kskonly
              Only archive KSK keys.

       -zskonly
              Only archive ZSK keys.

       -dtconfig config_file
              Name of an alternate DNSSEC-Tools configuration file to be processed. If specified, this configuration file is used in place of the normal DNSSEC-Tools configuration file not in addition to it. Also, it will be handled prior to keyrec files, rollrec files, and command-line options.

       -quiet
              No output will be given.

       -verbose
              Verbose output will be given.

       -help
              Display a usage message.

       -Version
              Displays the version information for keyarch and the DNSSEC-Tools package.

EXIT VALUES
       On success, keyarch's exit code is the number of keys archived.

       keyarch has a 0 exit code if the help message is given.

       keyarch has a negative exit code if an error is encountered.

COPYRIGHT
       Copyright 2007-2012 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.

AUTHOR
       Wayne Morrison, tewok@tislabs.com

SEE ALSO
       rollerd(8), zonesigner(8)

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::dnssectools.pm(3), Net::DNS::SEC::Tools::defaults.pm(3), Net::DNS::SEC::Tools::keyrec.pm(3), Net::DNS::SEC::Tools::rollrec.pm(3)

       keyrec(5), rollrec(5)

perl v5.14.2							    2012-06-21							       KEYARCH(1p)
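
Added example (not part of the keyarch documentation or the DNSSEC-Tools code): the EXIT VALUES convention above as a calling shell or cron wrapper sees it. A shell receives only the low 8 bits of an exit status, so a negative code arrives as 256 minus its magnitude and a successful key count looks like a generic failure. The function names, the KEYARCH_MAX_COUNT cutoff of 127, the example.com.krf file name and the stand-in commands are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not DNSSEC-Tools code. All names below are hypothetical.
# Assumption: no single run archives more than KEYARCH_MAX_COUNT keys, so any
# higher status is a negative error code wrapped into the 0-255 range.
KEYARCH_MAX_COUNT=${KEYARCH_MAX_COUNT:-127}

# decode_keyarch_status STATUS
# Prints "archived N" (returns 0), "error -N" (returns 1),
# or "invalid" (returns 2) for anything that is not an 8-bit status.
decode_keyarch_status() {
    case $1 in
        ''|*[!0-9]*) echo "invalid"; return 2 ;;
    esac
    if [ "$1" -gt 255 ]; then
        echo "invalid"; return 2
    fi
    if [ "$1" -le "$KEYARCH_MAX_COUNT" ]; then
        echo "archived $1"; return 0
    fi
    echo "error $(( $1 - 256 ))"
    return 1
}

# run_keyarch COMMAND [ARGS...]
# Runs the command and decodes its status. The "|| rc=$?" form keeps a
# non-zero key count from aborting callers that use "set -e".
run_keyarch() {
    rc=0
    "$@" || rc=$?
    decode_keyarch_status "$rc"
}

# Constructed stand-ins for keyarch runs, so the example works without
# DNSSEC-Tools installed. A real call would look like:
#   run_keyarch keyarch -quiet example.com.krf
run_keyarch sh -c 'exit 3'   || true    # three keys archived
run_keyarch sh -c 'exit 255' || true    # exit(-1) as the shell sees it
```

A run that archives more keys than the cutoff is reported as an error, and a count that is a multiple of 256 is reported as 0, so a wrapper that needs exact counts has to take them from the program's output instead.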

defaults(3pm)						User Contributed Perl Documentation					     defaults(3pm)

NAME
       Net::DNS::SEC::Tools::defaults - DNSSEC-Tools default values.

SYNOPSIS
       use Net::DNS::SEC::Tools::defaults;

       %defs = dnssec_tools_alldefaults();

       $defalg = dnssec_tools_default("algorithm");

       $cz_path = dnssec_tools_default("zonecheck");

       $ksklife = dnssec_tools_default("ksklife");

       @default_names = dnssec_tools_defnames();

DESCRIPTION
       This module maintains a set of default values used by DNSSEC-Tools programs. This allows these defaults to be centralized in a single place and prevents them from being spread around multiple programs.

INTERFACES
       dnssec_tools_alldefaults()
              This interface returns a copy of all the DNSSEC-Tools defaults in a hash table.

       dnssec_tools_default(default)
              This interface returns the value of a DNSSEC-Tools default. The interface is passed default, which is the name of a default to look up. The value of this default is returned to the caller.

       dnssec_tools_defnames()
              This interface returns the names of all the DNSSEC-Tools defaults. No default values are returned, but the default names returned by dnssec_tools_defnames() may then be passed to dnssec_tools_default().

DEFAULT FIELDS
       The following are the defaults defined for DNSSEC-Tools.

       admin-email
              This default holds the default email address for the DNSSEC-Tools administrator.

       archivedir
              This default holds the default directory in which keys will be archived.

       algorithm
              This default holds the default encryption algorithm.

       enddate
              This default holds the default zone life, in seconds.

       entropy_msg
              This default indicates whether or not zonesigner should display an entropy message.

       keygen
              This default holds the path to the key-generation program.

       keygen-opts
              This default holds a set of options for the key-generation program.

       kskcount
              This default holds the default number of KSK keys to generate for a zone.

       ksklength
              This default holds the default length of a KSK key.

       ksklife
              This default holds the default lifespan of a KSK key. This is only used for determining when to rollover the KSK key. Keys otherwise have no concept of a lifespan. This is measured in seconds.

       lifespan-max
              This default is the maximum lifespan of a key.

       lifespan-min
              This default is the minimum lifespan of a key.

       log_tz
              This default is the timezone to be used in log-message timestamps.

       mailer-server
              The mail server that will be contacted by dt_adminmail(). This is passed to Mail::Send.

       mailer-type
              The type of mailer that will be contacted by dt_adminmail(). This is passed to Mail::Mailer (by way of Mail::Send.) Any values recognized by Mail::Mailer may be used here.

       prog_ksk1 ... prog_ksk7
              These defaults hold the default phase commands to be executed by rollerd for each phase of KSK rollover. The default keyword indicates that the normal phase processing should be performed. Multiple commands may be given, but they must be separated by bangs. The default keyword may be combined with other commands.

       prog_normal
              This default holds the default phase commands to be executed by rollerd when a zone is not in a rollover state. The default keyword indicates that the normal phase processing should be performed. Multiple commands may be given, but they must be separated by bangs. The default keyword may be combined with other commands.

       prog_zsk1 ... prog_zsk7
              These defaults hold the default phase commands to be executed by rollerd for each phase of ZSK rollover. The default keyword indicates that the normal phase processing should be performed. Multiple commands may be given, but they must be separated by bangs. The default keyword may be combined with other commands.

       random
              This default holds the default random number generator device.

       revperiod
              This default holds the default revocation period of a KSK key. This is the minimum period of time a revoked KSK is required to remain in the signing set so that it is properly observed by resolvers. This is measured in seconds.

       rndc
              This default is the default path of the BIND rndc program.

       roll_loadzone
              This default is a flag that indicates if rollerd should have the DNS daemon reload its zones.

       roll_logfile
              This default is the path to rollerd's log file.

       roll_loglevel
              This default is the default logging level for rollerd.

       roll_sleeptime
              This default holds the default sleep time used by the rollerd rollover daemon.

       savekeys
              This default indicates whether or not keys should be deleted when they are no longer in use.

       tacontact
              This is merely a placeholder for the contact information. There is no useful default value for this.

       tadnsvalconffile
              This default specifies the path of the dnsval configuration file.

       tanamedconffile
              This default specifies the path of the named configuration file.

       taresolvconf
              This default specifies the path to the DNS resolv.conf file.

       tasleeptime
              This default holds the default value for how long the daemon should sleep.

       tasmtpserver
              This default specifies the name of the SMTP server.

       tatmpdir
              This default specifies the location of trustman's temporary directory.

       usegui
              This default indicates whether or not the DNSSEC-Tools GUI should be used for option entry.

       zone_errors
              This default holds the maximum number of consecutive errors a particular zone may have before it is changed to be a skip zone.

       zonecheck
              This default holds the path to the zone-verification program.

       zonecheck-opts
              This default holds a set of options for the zone-verification program. This default is set to "-i local". This value has been found to greatly improve the amount of time it takes named-checkzone to run.

       zonesign
              This default holds the path to the zone-signing program.

       zonesign-opts
              This default holds a set of options for the zone-signing program.

       zskcount
              This default holds the default number of ZSK keys to generate for a zone.

       zsklength
              This default holds the default length of the ZSK key.

       zsklife
              This default holds the default lifespan of the ZSK key. This is only used for determining when to rollover the ZSK key. Keys otherwise have no concept of a lifespan. This is measured in seconds.

DNSSEC-TOOLS PROGRAM FIELDS
       The following are the defaults holding the paths to the DNSSEC-Tools programs.

       blinkenlights
              This default holds the path to the DNSSEC-Tools blinkenlights program.

       cleanarch
              This default holds the path to the DNSSEC-Tools cleanarch program.

       cleankrf
              This default holds the path to the DNSSEC-Tools cleankrf program.

       dtconf
              This default holds the path to the DNSSEC-Tools dtconf program.

       dtconfchk
              This default holds the path to the DNSSEC-Tools dtconfchk program.

       dtdefs
              This default holds the path to the DNSSEC-Tools dtdefs program.

       dtinitconf
              This default holds the path to the DNSSEC-Tools dtinitconf program.

       expchk
              This default holds the path to the DNSSEC-Tools expchk program.

       fixkrf
              This default holds the path to the DNSSEC-Tools fixkrf program.

       genkrf
              This default holds the path to the DNSSEC-Tools genkrf program.

       getdnskeys
              This default holds the path to the DNSSEC-Tools getdnskeys program.

       keyarch
              This default holds the path to the DNSSEC-Tools keyarch program.

       krfcheck
              This default holds the path to the DNSSEC-Tools krfcheck program.

       lskrf
              This default holds the path to the DNSSEC-Tools lskrf program.

       lsroll
              This default holds the path to the DNSSEC-Tools lsroll program.

       rollchk
              This default holds the path to the DNSSEC-Tools rollchk program.

       rollctl
              This default holds the path to the DNSSEC-Tools rollctl program.

       rollerd
              This default holds the path to the DNSSEC-Tools rollerd program.

       rollinit
              This default holds the path to the DNSSEC-Tools rollinit program.

       rolllog
              This default holds the path to the DNSSEC-Tools rolllog program.

       rollrec-editor
              This default holds the path to the DNSSEC-Tools rollrec-editor program.

       rollset
              This default holds the path to the DNSSEC-Tools rollset program.

       signset-editor
              This default holds the path to the DNSSEC-Tools signset-editor program.

       tachk
              This default holds the path to the DNSSEC-Tools tachk program.

       timetrans
              This default holds the path to the DNSSEC-Tools timetrans program.

       trustman
              This default holds the path to the DNSSEC-Tools trustman program.

       zonesigner
              This default holds the path to the DNSSEC-Tools zonesigner program.

COPYRIGHT
       Copyright 2006-2012 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.

AUTHOR
       Wayne Morrison, tewok@tislabs.com

perl v5.14.2							    2012-06-28							     defaults(3pm)