1 .TH dnssec-zkt 8 "August 1, 2009" "ZKT 0.99b" ""
2 \" turn off hyphenation
6 dnssec-zkt \(em Secure DNS zone key tool
18 .RI [{ keyfile | dir }
28 .RI [{ keyfile | dir }
32 .BR \-\-create= <label>
38 .RI [{ keyfile | dir }
42 .BR \- { P | A | D | R } <keytag>
48 .RI [{ keyfile | dir }
52 .BR \-\-published= <keytag>
58 .RI [{ keyfile | dir }
62 .BR \-\-active= <keytag>
68 .RI [{ keyfile | dir }
72 .BR \-\-depreciate= <keytag>
78 .RI [{ keyfile | dir }
82 .BR \-\-rename= <keytag>
88 .RI [{ keyfile | dir }
92 .BR \-\-destroy= <keytag>
98 .RI [{ keyfile | dir }
110 .RI [{ keyfile | dir }
114 .B \-\-list-trustedkeys
122 .RI [{ keyfile | dir }
134 .RI [{ keyfile | dir }
146 .RI [{ keyfile | dir }
164 .B \-9 | \-\-ksk-rollover
167 .B \-1 | \-\-ksk-roll-phase1
175 .B \-2 | \-\-ksk-roll-phase2
183 .B \-3 | \-\-ksk-roll-phase3
191 .B \-0 | \-\-ksk-roll-stat
203 command is a wrapper around
205 to assist in dnssec zone key management.
207 In the common usage the command prints out information about
208 all dnssec (zone) keys found in the given (or predefined default) directory.
209 It is also possible to specify keyfiles (K*.key) as arguments.
212 subdirectories will be searched recursively, and all dnssec keys found
213 will be listed sorted by domain name, key type and generation time.
214 In that mode the use of the
216 option may be helpful to find the location of the keyfile in the directory tree.
218 Other forms of the command print out keys in a format suitable for
219 a trusted-key section or as a DNSKEY resource record.
221 The command is also useful in dns key management.
222 It offers monitoring of key lifetime and modification of key status.
226 .BI \-V " view" ", \-\-view=" view
227 Try to read the default configuration out of a file named
228 .I dnssec-<view>.conf .
229 Instead of specifying the \-V or \-\-view option every time,
230 it is also possible to create a hard or soft link to the
231 executable file to give it an additional name like
232 .I dnssec-zkt-<view> .
234 .BI \-c " file" ", \-\-config=" file
235 Read default values from the specified config file.
236 Otherwise the default config file is read, or the built-in defaults
239 .BI \-O " optstr" ", \-\-config-option=" optstr
240 Set any config file option via the commandline.
241 Several config file options can be specified in the argument string,
242 but they have to be delimited by a semicolon (or a newline).
245 Print out information solely about domains given in the comma or space separated
247 Take care that every domain name has a trailing dot.
249 .BR \-d ", " \-\-directory
250 Skip directory arguments.
251 This is useful in combination with wildcard arguments
252 to prevent dnssec-zkt from listing all keys found in subdirectories.
253 For example "dnssec-zkt -d *" will print out a list of only those keys found in
254 the current directory.
255 It may be easier to use "dnssec-zkt ." instead (without -r set).
256 The option works similarly to the \-d option of
259 .BR \-L ", " \-\-left-justify
260 Print out the domain name left justified.
263 Select and print key signing keys only (default depends on command mode).
266 Select and print zone signing keys only (default depends on command mode).
268 .BR \-r ", " \-\-recursive
269 Recursive mode (default is off).
271 Also settable in the dnssec.conf file (Parameter: Recursive).
273 .BR \-p ", " \-\-path
274 Print pathname in listing mode.
275 In -C mode, don't create the new key in the same directory as (already existing)
276 keys with the same label.
279 Print age of key in weeks, days, hours, minutes and seconds (default is off).
281 Also settable in the dnssec.conf file (Parameter: PrintAge).
283 .BR \-f ", " \-\-lifetime
284 Print the key lifetime.
286 .BR \-F ", " \-\-setlifetime
287 Set the key lifetime of all the selected keys.
288 Use option -k, -z, -l or the file and dir argument for key selection.
290 .BR \-e ", " \-\-exptime
291 Print the key expiration time.
293 .BR \-t ", " \-\-time
294 Print the key generation time (default is on).
296 Also settable in the dnssec.conf file (Parameter: PrintTime).
299 No header or trusted-key section header and trailer in -T mode
304 .BR \-H ", " \-\-help
305 Print out the online help.
307 .BR \-T ", " \-\-list-trustedkeys
308 List all key signing keys as a
313 to suppress the section header/trailer.
315 .BR \-K ", " \-\-list-dnskeys
316 List the public part of all the keys in DNSKEY resource record format.
319 to suppress comment lines.
321 .BI \-C " zone" ", \-\-create=" zone
322 Create a new zone signing key for the given zone.
325 to create a key signing key.
326 The key algorithm and key length are taken from built-in default values
327 or from the parameter settings in the
331 The keyfile will be created in the current directory if
336 .BI \-R " keyid" ", \-\-revoke=" keyid
337 Revoke the key signing key with the given keyid.
338 A revoked key has bit 8 in the flags field set (see RFC 5011).
339 The keyid is the numeric keytag with an optionally added zone name separated by a colon.
341 .BI \-\-rename= keyid
342 Rename the key files of the key with the given keyid
343 (look for key file names starting with a lower-case 'k').
344 The keyid is the numeric keytag with an optionally added zone name separated by a colon.
346 .BI \-\-destroy= keyid
347 Delete the key with the given keyid.
348 The keyid is the numeric keytag with an optionally added zone name separated by a colon.
349 Beware that this deletes both private and public keyfiles, thus the key is
352 .BI \-P|A|D " keyid," " \-\-published=" keyid, " \-\-active=" keyid, " \-\-depreciated=" keyid
353 Change the status of the given dnssec key to
362 is the numeric keytag with an optionally added zone name separated by a colon.
363 Setting the status to "published" or "depreciate" will change the filename
364 of the private key file to ".published" or ".depreciated" respectively.
365 This prevents the key from being used as a signing key by
366 .IR dnssec-signzone(8) .
367 The time of status change will be stored in the 'mtime' field of the corresponding
369 Key activation via option
371 will restore the original timestamp and file name (".private").
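The status convention just described (which suffix the private-key file carries) and the revoke bit mentioned under \-R can both be checked from the key files alone. The following shell script is an added example, not part of ZKT: it walks a directory of BIND-style key files (the K<zone>+<alg>+<keytag>.key naming is assumed), decodes the DNSKEY flags field to tell KSK from ZSK and to spot revoked keys, and reports each key's ZKT status. The sample key files it creates are constructed, with placeholder key material.

```shell
#!/bin/sh
# Added example, not part of ZKT: audit a directory of BIND-style key files
# (K<zone>+<alg>+<keytag>.key) and report each key's role and its ZKT status,
# derived from which private-key file exists (.private = active,
# .published = pre-published, .depreciated = depreciated).
set -eu

# Decode the DNSKEY flags field (RFC 4034, RFC 5011):
#   1 = SEP (key-signing key), 128 = REVOKE (bit 8), 256 = ZONE.
key_role() {
    flags=$1
    role=ZSK
    if [ $((flags & 1)) -ne 0 ]; then role=KSK; fi
    if [ $((flags & 128)) -ne 0 ]; then role="$role,REVOKED"; fi
    echo "$role"
}

# Status from the private-key file name, following the ZKT convention.
# $1 is the key file name without the .key suffix.
key_status() {
    base=$1
    if   [ -f "$base.private" ];     then echo active
    elif [ -f "$base.published" ];   then echo published
    elif [ -f "$base.depreciated" ]; then echo depreciated
    else                                  echo no-private-key
    fi
}

# One line per key: zone keytag role status.  The mtime of the private-key
# file is the time of the last status change, so "ls -l" on it shows when.
audit_keys() {
    dir=$1
    for keyfile in "$dir"/K*.key; do
        [ -f "$keyfile" ] || continue
        base=${keyfile%.key}
        name=${base##*/K}          # e.g. example.net.+008+12345
        zone=${name%%+*}
        tag=${name##*+}
        # The flags value is the field right after "DNSKEY"; skip ';' comment lines.
        flags=$(awk '/^;/ {next} {for (i = 1; i < NF; i++) if ($i == "DNSKEY") {print $(i+1); exit}}' "$keyfile")
        printf '%s %s %s %s\n' "$zone" "$tag" "$(key_role "${flags:-0}")" "$(key_status "$base")"
    done
}

# Constructed sample directory; the base64 blobs are placeholders, not real keys.
make_sample_dir() {
    dir=$(mktemp -d)
    printf 'example.net. IN DNSKEY 257 3 8 AwEAAcKSKPLACEHOLDER==\n' > "$dir/Kexample.net.+008+12345.key"
    : > "$dir/Kexample.net.+008+12345.private"      # active KSK
    printf 'example.net. IN DNSKEY 256 3 8 AwEAAcZSKPLACEHOLDER==\n' > "$dir/Kexample.net.+008+23456.key"
    : > "$dir/Kexample.net.+008+23456.published"    # pre-published ZSK
    printf 'example.net. IN DNSKEY 385 3 8 AwEAAcOLDPLACEHOLDER==\n' > "$dir/Kexample.net.+008+34567.key"
    : > "$dir/Kexample.net.+008+34567.depreciated"  # revoked (257+128) and depreciated KSK
    echo "$dir"
}

# Usage: run against the constructed sample, or pass a real key directory to audit_keys.
sample=$(make_sample_dir)
audit_keys "$sample"
rm -rf "$sample"
```

Run on a real key directory, a key reported as "no-private-key" is one whose private half is missing or was renamed outside the convention, and a "KSK,REVOKED" line is a key that should no longer be trusted by RFC 5011 resolvers.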
373 .BR \-Z ", " \-\-zone-config
374 Write all config parameters to stdout.
375 The output is suitable as a template for the
377 file, so the easiest way to create a
379 file is to redirect the standard output of the above command.
380 Pay attention not to overwrite an existing file.
382 .BI \-\-ksk-roll-phase[123] " do.ma.in."
383 Initiate a key signing key rollover of the specified domain.
384 This feature is currently in experimental status and is mainly for the use
385 in a hierarchical environment.
386 Use \-\-ksk-rollover for a somewhat more detailed description.
394 Print out a list of all zone keys found below the current directory.
397 .B "dnssec-zkt \-Z \-c """"
399 Print out the compiled in default parameters.
402 .B "dnssec-zkt \-C example.net \-k \-r ./zonedir
404 Create a new key signing key for the zone "example.net".
405 Store the key in the same directory below "zonedir" where the other
406 "example.net" keys live.
409 .B "dnssec-zkt \-T ./zonedir/example.net
411 Print out a trusted-key section containing the key signing keys of "example.net".
414 .B "dnssec-zkt \-D 123245 \-r .
416 Depreciate the key with tag "12345" below the current directory,
419 .B "dnssec-zkt --view intern
421 Print out a list of all zone keys found below the directory where all
422 the zones of view intern live.
423 There should be a separate dnssec config file
424 .I dnssec-intern.conf
425 with a directory option for this to take effect.
428 .B "dnssec-zkt-intern
433 has another link, named
437 examines argv[0] to find a view whose zones it proceeds to process.
439 .SH ENVIRONMENT VARIABLES
442 Specifies the name of the default global configuration file.
446 .I /var/named/dnssec.conf
447 Built-in default global configuration file.
448 The name of the default global config file is settable via
449 the environment variable ZKT_CONFFILE.
451 .I /var/named/dnssec-<view>.conf
452 View specific global configuration file.
455 Local configuration file (only used in
461 Some of the general options will not be meaningful in all of the command modes.
465 and the ksk rollover options
466 insist on domain names ending with a dot.
470 Holger Zuleger, Mans Nilsson
473 Copyright (c) 2005 \- 2008 by Holger Zuleger.
474 Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or
475 FITNESS FOR A PARTICULAR PURPOSE.
476 .\"--------------------------------------------------
478 dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), dnssec-signer(8),
481 "DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
483 DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
485 (http://www.nlnetlabs.nl/dnssec_howto/)