krfcheck(1p) [debian man page]

KRFCHECK(1p)						User Contributed Perl Documentation					      KRFCHECK(1p)

NAME
       krfcheck - Check a DNSSEC-Tools keyrec file for problems and inconsistencies

SYNOPSIS
       krfcheck [-zone | -set | -key] [-count] [-quiet] [-verbose] [-Version] [-help] keyrec-file

DESCRIPTION
       This script checks a keyrec file for problems, potential problems, and inconsistencies.

       Recognized problems include:

       o  no zones defined
              The keyrec file does not contain any zone keyrecs.

       o  no sets defined
              The keyrec file does not contain any set keyrecs.

       o  no keys defined
              The keyrec file does not contain any key keyrecs.

       o  unknown zone keyrecs
              A set keyrec or a key keyrec references a non-existent zone keyrec.

       o  missing key from zone keyrec
              A zone keyrec does not have both a KSK key and a ZSK key.

       o  missing key from set keyrec
              A key listed in a set keyrec does not have a key keyrec.

       o  expired zone keyrecs
              A zone has expired.

       o  mislabeled key
              A key is labeled as a KSK (or ZSK) and its owner zone has it labeled as the opposite.

       o  invalid zone data values
              A zone's keyrec data are checked to ensure that they are valid. The following
              conditions are checked: existence of the zone file, existence of the KSK file,
              existence of the KSK and ZSK directories, the end-time is greater than one day,
              and the seconds-count and date string match.

       o  invalid key data values
              A key's keyrec data are checked to ensure that they are valid. The following
              conditions are checked: valid encryption algorithm, key length falls within
              algorithm's size range, random generator file exists, and the seconds-count and
              date string match.

       Recognized potential problems include:

       o  imminent zone expiration
              A zone will expire within one week.

       o  odd zone-signing date
              A zone's recorded signing date is later than the current system clock.

       o  orphaned keys
              A key keyrec is unreferenced by any set keyrec.

       o  missing key directories
              A zone keyrec's key directories (kskdirectory or zskdirectory) do not exist.

       Recognized inconsistencies include:

       o  key-specific fields in a zone keyrec
              A zone keyrec contains key-specific entries. To allow for site-specific
              extensibility, krfcheck does not check for undefined keyrec fields.

       o  zone-specific fields in a key keyrec
              A key keyrec contains zone-specific entries. To allow for site-specific
              extensibility, krfcheck does not check for undefined keyrec fields.

       o  mismatched zone timestamp
              A zone's seconds-count timestamp does not match its textual timestamp.

       o  mismatched set timestamp
              A set's seconds-count timestamp does not match its textual timestamp.

       o  mismatched key timestamp
              A key's seconds-count timestamp does not match its textual timestamp.

OPTIONS
       -zone
              Only perform checks of zone keyrecs. This option may not be combined with the
              -set or -key options.

       -set
              Only perform checks of set keyrecs. This option may not be combined with the
              -zone or -key options.

       -key
              Only perform checks of key keyrecs. This option may not be combined with the
              -set or -zone options.

       -count
              Display a final count of errors.

       -quiet
              Do not display messages. This option supersedes the setting of the -verbose
              option.

       -verbose
              Display many messages. This option is subordinate to the -quiet option.

       -Version
              Displays the version information for krfcheck and the DNSSEC-Tools package.

       -help
              Display a usage message.

COPYRIGHT
       Copyright 2004-2012 SPARTA, Inc. All rights reserved. See the COPYING file included with
       the DNSSEC-Tools package for details.

AUTHOR
       Wayne Morrison, tewok@tislabs.com

SEE ALSO
       cleankrf(8), fixkrf(8), lskrf(1), zonesigner(8)

       Net::DNS::SEC::Tools::keyrec.pm(3)

       file-keyrec(5)

perl v5.14.2                                2012-06-21                                KRFCHECK(1p)
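
The cross-reference checks listed under DESCRIPTION (unknown zone keyrecs, missing key from set keyrec, orphaned keys), shown in Python as an added example; this is not krfcheck's own Perl code. The keyrec layout and the field names zonename and keys are assumptions about the format documented in file-keyrec(5), and the sample file is constructed.

```python
import re

# Constructed sample. The layout (a 'type "name"' header at column 0, then
# indented 'field "value"' lines) and the field names are assumptions.
SAMPLE = '''
zone "example.com"
set "set-zsk"
    zonename "example.com"
    keys "Kexample.com.+005+11111 Kexample.com.+005+22222 Kexample.com.+005+33333"
key "Kexample.com.+005+11111"
    zonename "example.com"
key "Kexample.com.+005+22222"
    zonename "example.org"
key "Kexample.com.+005+44444"
    zonename "example.com"
'''

def parse_keyrecs(text):
    """Group records by type: {'zone': {name: fields}, 'set': ..., 'key': ...}."""
    recs, cur = {"zone": {}, "set": {}, "key": {}}, None
    for line in text.splitlines():
        m = re.match(r'\s*(\S+)\s+"([^"]*)"\s*$', line)
        if not m:
            continue  # blank line or anything that is not: field "value"
        field, value = m.groups()
        if field in recs and not line[0].isspace():
            cur = recs[field].setdefault(value, {})  # new keyrec header
        elif cur is not None:
            cur[field] = value
    return recs

def check(recs):
    """Return (finding, keyrec name) pairs for three cross-reference checks."""
    findings, referenced = [], set()
    for kind in ("set", "key"):
        for name, fields in recs[kind].items():
            if fields.get("zonename") not in recs["zone"]:
                findings.append(("unknown zone keyrec", name))
    for fields in recs["set"].values():
        for key in fields.get("keys", "").split():
            referenced.add(key)
            if key not in recs["key"]:
                findings.append(("missing key from set keyrec", key))
    findings += [("orphaned key", k) for k in recs["key"] if k not in referenced]
    return findings

if __name__ == "__main__":
    for finding, name in check(parse_keyrecs(SAMPLE)):
        print(f"{finding}: {name}")
```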