krfcheck(1) - Linux man page
Name
krfcheck - Check a DNSSEC-Tools keyrec file for problems and inconsistencies
Synopsis
krfcheck [-zone | -set | -key] [-count] [-quiet]
[-verbose] [-Version] [-help] keyrec-file
Description
This script checks a keyrec file for problems, potential problems, and inconsistencies.
Recognized problems include:

• no zones defined
    The keyrec file does not contain any zone keyrecs.
• no sets defined
    The keyrec file does not contain any set keyrecs.
• no keys defined
    The keyrec file does not contain any key keyrecs.
• unknown zone keyrecs
    A set keyrec or a key keyrec references a non-existent zone keyrec.
• missing key from zone keyrec
    A zone keyrec does not have both a KSK key and a ZSK key.
• missing key from set keyrec
    A key listed in a set keyrec does not have a key keyrec.
• expired zone keyrecs
    A zone has expired.
• mislabeled key
    A key is labeled as a KSK (or ZSK) and its owner zone has it labeled as the opposite.
• invalid zone data values
    A zone's keyrec data are checked to ensure that they are valid. The following conditions are checked: existence of the zone file, existence of the KSK file, existence of the KSK and ZSK directories, the end-time is greater than one day, and the seconds-count and date string match.
• invalid key data values
    A key's keyrec data are checked to ensure that they are valid. The following conditions are checked: valid encryption algorithm, key length falls within the algorithm's size range, random generator file exists, and the seconds-count and date string match.
Recognized potential problems include:

• imminent zone expiration
    A zone will expire within one week.
• odd zone-signing date
    A zone's recorded signing date is later than the current system clock.
• orphaned keys
    A key keyrec is not referenced by any set keyrec.
• missing key directories
    One of a zone keyrec's key directories (kskdirectory or zskdirectory) does not exist.
Recognized inconsistencies include:

• key-specific fields in a zone keyrec
    A zone keyrec contains key-specific entries. To allow for site-specific extensibility, krfcheck does not check for undefined keyrec fields.
• zone-specific fields in a key keyrec
    A key keyrec contains zone-specific entries. To allow for site-specific extensibility, krfcheck does not check for undefined keyrec fields.
• mismatched zone timestamp
    A zone's seconds-count timestamp does not match its textual timestamp.
• mismatched set timestamp
    A set's seconds-count timestamp does not match its textual timestamp.
• mismatched key timestamp
    A key's seconds-count timestamp does not match its textual timestamp.
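The cross-reference checks (unknown zone, missing key from set, orphaned keys) and the seconds-count versus date-string consistency checks listed above are simple to reproduce by hand, which is useful when krfcheck is not installed on the host holding the keyrec file. The Python below is an added example, not code from krfcheck or the DNSSEC-Tools package. It assumes the record layout of file-keyrec(5) as read here (a `zone`, `set` or `key` line naming the record, followed by indented `field "value"` lines), assumes the timestamp field names keyrec_signsecs/keyrec_signdate, keyrec_setsecs/keyrec_setdate and keyrec_gensecs/keyrec_gendate, and assumes the textual timestamp is a ctime-style string in UTC. The sample keyrec is constructed for the example.

```python
"""Re-implementation of a few krfcheck checks for illustration (not the real tool)."""
import calendar
import re
import time

# Constructed sample keyrec file. Indented lines are fields of the record above them.
# It deliberately contains one of each problem the checks below look for.
SAMPLE_KEYREC = """\
zone    "example.com"
    zonefile        "example.com"
    kskcur          "signing-set-1"
    zskcur          "signing-set-2"
    keyrec_signsecs "1234567890"
    keyrec_signdate "Fri Feb 13 23:31:30 2009"

set     "signing-set-1"
    zonename        "example.com"
    set_type        "kskcur"
    keys            "Kexample.com.+008+11111 Kexample.com.+008+44444"
    keyrec_setsecs  "1234567890"
    keyrec_setdate  "Fri Feb 13 23:31:30 2009"

set     "signing-set-2"
    zonename        "example.org"
    set_type        "zskcur"
    keys            "Kexample.com.+008+22222"
    keyrec_setsecs  "1234567890"
    keyrec_setdate  "Fri Feb 13 23:31:30 2009"

key     "Kexample.com.+008+11111"
    zonename        "example.com"
    keyrec_type     "kskcur"
    keyrec_gensecs  "1234567890"
    keyrec_gendate  "Fri Feb 13 23:31:30 2009"

key     "Kexample.com.+008+22222"
    zonename        "example.com"
    keyrec_type     "zskcur"
    keyrec_gensecs  "1234567890"
    keyrec_gendate  "Fri Feb 13 23:31:31 2009"

key     "Kexample.com.+008+33333"
    zonename        "example.com"
    keyrec_type     "zskpub"
    keyrec_gensecs  "1234567890"
    keyrec_gendate  "Fri Feb 13 23:31:30 2009"
"""

_RECORD_RE = re.compile(r'^(zone|set|key)\s+"([^"]+)"\s*$')
_FIELD_RE = re.compile(r'^\s+(\S+)\s+"([^"]*)"\s*$')

# Assumed field names for each record type: (seconds-count field, textual date field).
TIMESTAMP_FIELDS = {
    "zone": ("keyrec_signsecs", "keyrec_signdate"),
    "set": ("keyrec_setsecs", "keyrec_setdate"),
    "key": ("keyrec_gensecs", "keyrec_gendate"),
}


def parse_keyrec(text):
    """Parse keyrec text into a list of (type, name, fields) tuples in file order."""
    records, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _RECORD_RE.match(line)
        if m:
            current = (m.group(1), m.group(2), {})
            records.append(current)
            continue
        m = _FIELD_RE.match(line)
        if m and current is not None:
            current[2][m.group(1)] = m.group(2)
            continue
        raise ValueError("line %d: unparsable keyrec line: %r" % (lineno, line))
    return records


def timestamps_match(secs, datestr):
    """True if the seconds-count and the ctime-style date string (UTC assumed) agree."""
    try:
        parsed = calendar.timegm(time.strptime(datestr, "%a %b %d %H:%M:%S %Y"))
        return parsed == int(secs)
    except ValueError:  # unparsable date string or non-numeric seconds-count
        return False


def check_keyrec(text):
    """Return (severity, message) findings for the checks this example implements."""
    records = parse_keyrec(text)
    zones = {name for rtype, name, _ in records if rtype == "zone"}
    sets = [(name, f) for rtype, name, f in records if rtype == "set"]
    keys = {name: f for rtype, name, f in records if rtype == "key"}
    findings = []
    for rtype, present in (("zone", zones), ("set", sets), ("key", keys)):
        if not present:
            findings.append(("error", "no %ss defined" % rtype))
    referenced = set()  # every key name listed by some set
    for name, f in sets:
        if f.get("zonename") and f["zonename"] not in zones:
            findings.append(("error", "set %s references unknown zone %s" % (name, f["zonename"])))
        for k in f.get("keys", "").split():
            referenced.add(k)
            if k not in keys:
                findings.append(("error", "key %s in set %s has no key keyrec" % (k, name)))
    for name, f in keys.items():
        if f.get("zonename") and f["zonename"] not in zones:
            findings.append(("error", "key %s references unknown zone %s" % (name, f["zonename"])))
        if name not in referenced:
            findings.append(("warning", "orphaned key %s" % name))
    for rtype, name, f in records:
        secs_field, date_field = TIMESTAMP_FIELDS[rtype]
        if secs_field in f and date_field in f and not timestamps_match(f[secs_field], f[date_field]):
            findings.append(("inconsistency", "mismatched %s timestamp for %s" % (rtype, name)))
    return findings


if __name__ == "__main__":
    for severity, message in check_keyrec(SAMPLE_KEYREC):
        print("%-13s %s" % (severity + ":", message))
```

Run against the sample, the script reports the missing key keyrec for Kexample.com.+008+44444, the unknown zone example.org referenced by signing-set-2, the orphaned key Kexample.com.+008+33333, and the mismatched key timestamp on Kexample.com.+008+22222, whose date string is one second off its seconds-count. The timestamp comparison treats the textual date as UTC; if a site's keyrec files were written with local time, the assumed `timegm` call would need to become a local-time conversion.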
Options
-zone
    Only perform checks of zone keyrecs. This option may not be combined with the -set or -key options.
-set
    Only perform checks of set keyrecs. This option may not be combined with the -zone or -key options.
-key
    Only perform checks of key keyrecs. This option may not be combined with the -set or -zone options.
-count
    Display a final count of errors.
-quiet
    Do not display messages. This option supersedes the setting of the -verbose option.
-verbose
    Display many messages. This option is subordinate to the -quiet option.
-Version
    Display the version information for krfcheck and the DNSSEC-Tools package.
-help
    Display a usage message.
Copyright
Copyright 2004-2012 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.
Author
Wayne Morrison, tewok@tislabs.com
See Also
cleankrf(8), fixkrf(8), lskrf(1), zonesigner(8)
Net::DNS::SEC::Tools::keyrec.pm(3)
file-keyrec(5)