KRFCHECK(1p) User Contributed Perl Documentation KRFCHECK(1p)
NAME
krfcheck - Check a DNSSEC-Tools keyrec file for problems and inconsistencies
SYNOPSIS
krfcheck [-zone | -set | -key] [-count] [-quiet]
[-verbose] [-Version] [-help] keyrec-file
DESCRIPTION
This script checks a keyrec file for problems, potential problems, and inconsistencies.
Recognized problems include:
o no zones defined
The keyrec file does not contain any zone keyrecs.
o no sets defined
The keyrec file does not contain any set keyrecs.
o no keys defined
The keyrec file does not contain any key keyrecs.
o unknown zone keyrecs
A set keyrec or a key keyrec references a non-existent zone keyrec.
o missing key from zone keyrec
A zone keyrec does not have both a KSK key and a ZSK key.
o missing key from set keyrec
A key listed in a set keyrec does not have a key keyrec.
o expired zone keyrecs
A zone has expired.
o mislabeled key
A key is labeled as a KSK (or ZSK) and its owner zone has it labeled as the opposite.
o invalid zone data values
A zone's keyrec data are checked to ensure that they are valid. The following conditions are checked: existence of the zone file,
existence of the KSK file, existence of the KSK and ZSK directories, the end-time is greater than one day, and the seconds-count and
date string match.
o invalid key data values
A key's keyrec data are checked to ensure that they are valid. The following conditions are checked: valid encryption algorithm, key
length falls within algorithm's size range, random generator file exists, and the seconds-count and date string match.
Recognized potential problems include:
o imminent zone expiration
A zone will expire within one week.
o odd zone-signing date
A zone's recorded signing date is later than the current system clock.
o orphaned keys
A key keyrec is unreferenced by any set keyrec.
o missing key directories
A zone keyrec's key directories (kskdirectory or zskdirectory) does not exist.
Recognized inconsistencies include:
o key-specific fields in a zone keyrec
A zone keyrec contains key-specific entries. To allow for site-specific extensibility, krfcheck does not check for undefined keyrec
fields.
o zone-specific fields in a key keyrec
A key keyrec contains zone-specific entries. To allow for site-specific extensibility, krfcheck does not check for undefined keyrec
fields.
o mismatched zone timestamp
A zone's seconds-count timestamp does not match its textual timestamp.
o mismatched set timestamp
A set's seconds-count timestamp does not match its textual timestamp.
o mismatched key timestamp
A key's seconds-count timestamp does not match its textual timestamp.
OPTIONS
-zone
Only perform checks of zone keyrecs. This option may not be combined with the -set or -key options.
-set
Only perform checks of set keyrecs. This option may not be combined with the -zone or -key options.
-key
Only perform checks of key keyrecs. This option may not be combined with the -set or -zone options.
-count
Display a final count of errors.
-quiet
Do not display messages. This option supersedes the setting of the -verbose option.
-verbose
Display many messages. This option is subordinate to the -quiet option.
-Version
Displays the version information for krfcheck and the DNSSEC-Tools package.
-help
Display a usage message.
COPYRIGHT
Copyright 2004-2012 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.
AUTHOR
Wayne Morrison, tewok@tislabs.com
SEE ALSO
cleankrf(8), fixkrf(8), lskrf(1), zonesigner(8)
Net::DNS::SEC::Tools::keyrec.pm(3)
file-keyrec(5)
perl v5.14.2 2012-06-21 KRFCHECK(1p)