GETDNSKEYS(1p) User Contributed Perl Documentation GETDNSKEYS(1p)
NAME
getdnskeys - Manage lists of DNSKEYs from DNS zones
SYNOPSIS
getdnskeys [-i file] [-o file] [-k] [-T] [-t] [-v] [zones]
DESCRIPTION
getdnskeys manages lists of DNSKEYs from DNS zones. It may be used to retrieve and compare DNSKEYs. The output from getdnskeys may be
included (directly or indirectly) in a named.conf file.
OPTIONS
getdnskeys takes the following options:
-i path
Reads path as a named.conf with which to compare key lists.
-k Only looks for Key Signing Keys (KSKs); all other keys are ignored.
-o file
Writes the results to file.
-T Checks the current trusted key list from named.conf.
-t Encloses output in needed named.conf syntax markers.
-v Turns on verbose mode for additional output.
-Version
Displays the version information for getdnskeys and the DNSSEC-Tools package.
-h Gives a help message.
EXAMPLES
This getdnskeys invocation retrieves the KSKs for example.com and writes them, wrapped in named.conf trusted-keys syntax, to a file that
named.conf can include:
getdnskeys -o /etc/named.trustkeys.conf -k -v -t example.com
This invocation checks the KSKs saved in that file against the KSKs currently published in DNS and reports the comparison (no -o is given,
so nothing is written back):
getdnskeys -i /etc/named.trustkeys.conf -T -k -v -t
This invocation performs the same check and then writes the updated set of keys back to the same file (the auto-update form; see
SECURITY ISSUES):
getdnskeys -i /etc/named.trustkeys.conf -k -t -T -v -o /etc/named.trustkeys.conf
SECURITY ISSUES
Currently getdnskeys does not validate new keys placed in the output file in any way: a key retrieved from DNS is written out as-is and,
once the file is included in named.conf, is trusted on first use. Nor does it validate keys that have rolled over and been added in place
of earlier ones.
It also does not handle revocation of keys.
It should prompt before adding a new key, so that the auto-update form (reading and writing the same file) could always be run safely;
until it does, review any key it adds before trusting it, and do not run the auto-update form unattended.
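The comparison that "-i FILE -T -k" performs, done explicitly as an added example (this is not code from DNSSEC-Tools or from getdnskeys
itself). It parses a saved named.conf trusted-keys block and a DNSKEY RRset in zone-file presentation format, keeps only KSKs (flags 257),
identifies each key by its RFC 4034 key tag, and reports which keys are unchanged, newly published, or gone. Both inputs are constructed
placeholder data, not real key material, and the DnsKey, parse_trusted_keys, parse_dnskey_rrset, compare, format_trusted_keys and report
names are this example's own.

```python
"""Diff a saved named.conf trusted-keys block against a live DNSKEY RRset.
Added example, not part of DNSSEC-Tools; sample keys are constructed placeholders."""
import base64
import re
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsKey:
    name: str        # owner name, normalised to lower case with trailing dot
    flags: int
    protocol: int
    algorithm: int
    key: bytes       # public key, base64-decoded

    @property
    def is_ksk(self) -> bool:
        # Zone Key bit (0x0100) plus Secure Entry Point bit (0x0001), i.e. flags 257.
        return self.flags & 0x0101 == 0x0101

    @property
    def tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
        rdata = struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.key
        ac = 0
        for i, byte in enumerate(rdata):
            ac += byte if i & 1 else byte << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def _owner(name: str) -> str:
    return name.lower().rstrip(".") + "."

# One trusted-keys entry: [quoted] name, flags, protocol, algorithm, quoted key, ';'
_TRUSTED_RE = re.compile(r'^\s*"?([^"\s]+)"?\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;', re.M)


def parse_trusted_keys(text: str) -> set:
    """Parse the entries of a named.conf trusted-keys { ... } block."""
    keys = set()
    for name, flags, proto, alg, b64 in _TRUSTED_RE.findall(text):
        key = base64.b64decode(re.sub(r"\s+", "", b64))
        keys.add(DnsKey(_owner(name), int(flags), int(proto), int(alg), key))
    return keys


def parse_dnskey_rrset(text: str) -> set:
    """Parse DNSKEY records in presentation format: name ttl class DNSKEY flags proto alg key..."""
    keys = set()
    for line in text.splitlines():
        fields = line.split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        if len(fields) < i + 5:
            continue  # truncated record, skip it
        flags, proto, alg = (int(f) for f in fields[i + 1:i + 4])
        key = base64.b64decode("".join(fields[i + 4:]))  # key may span several tokens
        keys.add(DnsKey(_owner(fields[0]), flags, proto, alg, key))
    return keys


def compare(saved: set, live: set, ksk_only: bool = True) -> dict:
    """The -T check: which saved keys are still live, which live keys are new, which are gone."""
    if ksk_only:  # the -k option: ignore everything but KSKs
        saved = {k for k in saved if k.is_ksk}
        live = {k for k in live if k.is_ksk}
    return {"unchanged": saved & live, "added": live - saved, "removed": saved - live}


def format_trusted_keys(keys) -> str:
    """Emit keys in BIND's trusted-keys syntax (the markers the -t option wraps output in)."""
    lines = ["trusted-keys {"]
    for k in sorted(keys, key=lambda k: (k.name, k.tag)):
        b64 = base64.b64encode(k.key).decode()
        lines.append(f'    "{k.name}" {k.flags} {k.protocol} {k.algorithm} "{b64}";')
    lines.append("};")
    return "\n".join(lines)

# Constructed inputs: a previously saved trust anchor file and a freshly fetched RRset.
SAVED = '''
trusted-keys {
    "example.com." 257 3 8 "AQIDBAUG";
    "example.com." 257 3 8 "ExQVFhcY";
};
'''
LIVE = '''
example.com. 3600 IN DNSKEY 257 3 8 AQIDBAUG
example.com. 3600 IN DNSKEY 256 3 8 BwgJCgsM
example.com. 3600 IN DNSKEY 257 3 8 DQ4PEBES
'''


def report(saved_text: str = SAVED, live_text: str = LIVE, ksk_only: bool = True) -> dict:
    """Summarise compare() as sorted key tags per state."""
    result = compare(parse_trusted_keys(saved_text), parse_dnskey_rrset(live_text), ksk_only)
    return {state: sorted(k.tag for k in keys) for state, keys in result.items()}


if __name__ == "__main__":
    for state, tags in report().items():
        print(f"{state}: {tags}")
    # Writing the live set back (the -o form) would trust the "added" key on first use.
    print(format_trusted_keys(parse_dnskey_rrset(LIVE)))
```

Anything reported under "added" is a key you would be trusting on first use if you wrote it back with -o; confirm it out of band before
doing so. Keys are compared by their full RDATA, not just the tag, so a rolled key with a colliding tag still shows up as added plus
removed.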
perl v5.14.2 2012-06-21 GETDNSKEYS(1p)
KEYARCH(1p) User Contributed Perl Documentation KEYARCH(1p)
NAME
keyarch - DNSSEC-Tools daemon to archive old KSK and ZSK keys
SYNOPSIS
keyarch [options] <keyrec_file | rollrec_file>
DESCRIPTION
The keyarch program archives old KSK and ZSK keys. Keys are considered old if they are revoked or obsolete. Keys marked as either kskrev
or zskrev are revoked; keys marked as either kskobs or zskobs are obsolete. Archived key files are prefixed with the seconds-since-epoch
at archive time, so that a zone's keys that share the same five-digit key tag in their file names can still be told apart.
If the required file argument is a keyrec file, then the revoked and obsolete keys listed in that file are archived. If the file argument
is a rollrec file, the keyrec files of the zones listed in that rollrec file are checked for revoked and obsolete keys.
If the -zone option is given, then only revoked and obsolete keys belonging to the specified zone will be archived.
The archive directory is either zone-specific (listed in the zone's keyrec record in the zone's keyrec file) or the default archive
directory given in the DNSSEC-Tools configuration file.
The count of archived keys is given as the program's exit code. Error exit codes are negative.
OPTIONS
The following options are recognized:
-zone zone_name
Name of the zone whose revoked and obsolete keys will be archived. If this is not given, then all the zones defined in the rollrec file
will be checked.
-kskonly
Only archive KSK keys.
-zskonly
Only archive ZSK keys.
-dtconfig config_file
Name of an alternate DNSSEC-Tools configuration file to be processed. If specified, this configuration file is used in place of the
normal DNSSEC-Tools configuration file rather than in addition to it. It is also handled before keyrec files, rollrec files, and
command-line options.
-quiet
No output will be given.
-verbose
Verbose output will be given.
-help
Display a usage message.
-Version
Displays the version information for keyarch and the DNSSEC-Tools package.
EXIT VALUES
On success, keyarch's exit code is the number of keys archived.
keyarch has a 0 exit code if the help message is given.
keyarch has a negative exit code if an error is encountered.
Note that a parent process sees only the low eight bits of an exit status, so a negative code appears to the shell as a value between
128 and 255; if a run could plausibly archive that many keys, do not rely on the exit status alone to distinguish success from error.
COPYRIGHT
Copyright 2007-2012 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.
AUTHOR
Wayne Morrison, tewok@tislabs.com
SEE ALSO
rollerd(8), zonesigner(8)
Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::dnssectools.pm(3), Net::DNS::SEC::Tools::defaults.pm(3),
Net::DNS::SEC::Tools::keyrec.pm(3), Net::DNS::SEC::Tools::rollrec.pm(3)
keyrec(5), rollrec(5)
perl v5.14.2 2012-06-21 KEYARCH(1p)