+++ /dev/null
-<!-- Creator : groff version 1.20.1 -->
-<!-- CreationDate: Tue Aug 4 21:33:40 2009 -->
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
-"http://www.w3.org/TR/html4/loose.dtd">
-<html>
-<head>
-<meta name="generator" content="groff -Thtml, see www.gnu.org">
-<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
-<meta name="Content-Style" content="text/css">
-<style type="text/css">
- p { margin-top: 0; margin-bottom: 0; vertical-align: top }
- pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
- table { margin-top: 0; margin-bottom: 0; vertical-align: top }
- h1 { text-align: center }
-</style>
-<title>dnssec-zkt</title>
-
-</head>
-<body>
-
-<h1 align="center">dnssec-zkt</h1>
-
-<a href="#NAME">NAME</a><br>
-<a href="#SYNOPSYS">SYNOPSYS</a><br>
-<a href="#DESCRIPTION">DESCRIPTION</a><br>
-<a href="#GENERAL OPTIONS">GENERAL OPTIONS</a><br>
-<a href="#COMMAND OPTIONS">COMMAND OPTIONS</a><br>
-<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
-<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
-<a href="#FILES">FILES</a><br>
-<a href="#BUGS">BUGS</a><br>
-<a href="#AUTHORS">AUTHORS</a><br>
-<a href="#COPYRIGHT">COPYRIGHT</a><br>
-<a href="#SEE ALSO">SEE ALSO</a><br>
-
-<hr>
-
-
-<h2>NAME
-<a name="NAME"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em">dnssec-zkt
-— Secure DNS zone key tool</p>
-
-<h2>SYNOPSYS
-<a name="SYNOPSYS"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt</b>
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−l</b> <i>list</i>]
-[<b>−adefhkLrptz</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>]</p>
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-−C</b><label> [<b>−V|--view</b>
-<i>view</i>] [<b>−c</b> <i>file</i>]
-[<b>−krpz</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>] <b><br>
-dnssec-zkt −−create=</b><label>
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−krpz</b>]
-[{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p>
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-−</b>{<b>P</b>|<b>A</b>|<b>D</b>|<b>R</b>}<b><keytag></b>
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>] <b><br>
-dnssec-zkt −−published=</b><keytag>
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>] <b><br>
-dnssec-zkt −−active=</b><keytag>
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>] <b><br>
-dnssec-zkt −−depreciate=</b><keytag>
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>] <b><br>
-dnssec-zkt −−rename=</b><keytag>
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>]</p>
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-−−destroy=</b><keytag>
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>]</p>
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-−T</b> [<b>−V|--view</b> <i>view</i>]
-[<b>−c</b> <i>file</i>] [<b>−l</b> <i>list</i>]
-[<b>−hr</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>]
-<b><br>
-dnssec-zkt −−list-trustedkeys</b>
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−l</b> <i>list</i>]
-[<b>−hr</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>]</p>
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-−K</b> [<b>−V|--view</b> <i>view</i>]
-[<b>−c</b> <i>file</i>] [<b>−l</b> <i>list</i>]
-[<b>−hkzr</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>] <b><br>
-dnssec-zkt −−list-dnskeys</b>
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−l</b> <i>list</i>]
-[<b>−hkzr</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>]</p>
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-−Z</b> [<b>−V|--view</b> <i>view</i>]
-[<b>−c</b> <i>file</i>] <b><br>
-dnssec-zkt −−zone-config</b>
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>]</p>
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-−9 | −−ksk-rollover <br>
-dnssec-zkt −1 | −−ksk-roll-phase1</b>
-<i>do.ma.in.</i> [<b>−V|--view</b> <i>view</i>]
-[<b>−c</b> <i>file</i>] <b><br>
-dnssec-zkt −2 | −−ksk-roll-phase2</b>
-<i>do.ma.in.</i> [<b>−V|--view</b> <i>view</i>]
-[<b>−c</b> <i>file</i>] <b><br>
-dnssec-zkt −3 | −−ksk-roll-phase3</b>
-<i>do.ma.in.</i> [<b>−V|--view</b> <i>view</i>]
-[<b>−c</b> <i>file</i>] <b><br>
-dnssec-zkt −0 | −−ksk-roll-stat</b>
-<i>do.ma.in.</i> [<b>−V|--view</b> <i>view</i>]
-[<b>−c</b> <i>file</i>]</p>
-
-<h2>DESCRIPTION
-<a name="DESCRIPTION"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em">The
-<i>dnssec-zkt</i> command is a wrapper around
-<i>dnssec-keygen(8)</i> to assist in dnssec zone key
-management.</p>
-
-<p style="margin-left:11%; margin-top: 1em">In the common
-usage the command prints out information about all dnssec
-(zone) keys found in the given (or predefined default)
-directory. It is also possible to specify keyfiles (K*.key)
-as arguments. With option <b>−r</b> subdirectories
-will be searched recursively, and all dnssec keys found will
-be listed sorted by domain name, key type and generation
-time. In that mode the use of the <b>−p</b> option may
-be helpful to find the location of the keyfile in the
-directory tree.</p>
-
-<p style="margin-left:11%; margin-top: 1em">Other forms of
-the command print out keys in a format suitable for a
-trusted-key section or as a DNSKEY resource record.</p>
-
-<p style="margin-left:11%; margin-top: 1em">The command is
-also useful in dns key management. It offers monitoring of
-key lifetime and modification of key status.</p>
-
-<h2>GENERAL OPTIONS
-<a name="GENERAL OPTIONS"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em"><b>−V</b>
-<i>view</i><b>, −−view=</b><i>view</i></p>
-
-<p style="margin-left:22%;">Try to read the default
-configuration out of a file named
-<i>dnssec-<view>.conf .</i> Instead of specifying the
-−V or --view option every time, it is also possible to
-create a hard or softlink to the executable file to give it
-an additional name like <i>dnssec-zkt-<view> .</i></p>
-
-<p style="margin-left:11%;"><b>−c</b> <i>file</i><b>,
-−−config=</b><i>file</i></p>
-
-<p style="margin-left:22%;">Read default values from the
-specified config file. Otherwise the default config file is
-read or build in defaults will be used.</p>
-
-<p style="margin-left:11%;"><b>−O</b>
-<i>optstr</i><b>,
-−−config-option=</b><i>optstr</i></p>
-
-<p style="margin-left:22%;">Set any config file option via
-the commandline. Several config file options could be
-specified at the argument string but have to be delimited by
-semicolon (or newline).</p>
-
-<p style="margin-left:11%;"><b>−l</b> <i>list</i></p>
-
-<p style="margin-left:22%;">Print out information solely
-about domains given in the comma or space separated list.
-Take care of, that every domain name has a trailing dot.</p>
-
-<p style="margin-left:11%;"><b>−d</b>,
-<b>−−directory</b></p>
-
-<p style="margin-left:22%;">Skip directory arguments. This
-will be useful in combination with wildcard arguments to
-prevent dnsssec-zkt to list all keys found in
-subdirectories. For example "dnssec-zkt -d *" will
-print out a list of all keys only found in the current
-directory. Maybe it is easier to use "dnssec-zkt
-." instead (without -r set). The option works similar
-to the −d option of <i>ls(1)</i>.</p>
-
-<p style="margin-left:11%;"><b>−L</b>,
-<b>−−left-justify</b></p>
-
-<p style="margin-left:22%;">Print out the domain name left
-justified.</p>
-
-<p style="margin-left:11%;"><b>−k</b>,
-<b>−−ksk</b></p>
-
-<p style="margin-left:22%;">Select and print key signing
-keys only (default depends on command mode).</p>
-
-<p style="margin-left:11%;"><b>−z</b>,
-<b>−−zsk</b></p>
-
-<p style="margin-left:22%;">Select and print zone signing
-keys only (default depends on command mode).</p>
-
-<p style="margin-left:11%;"><b>−r</b>,
-<b>−−recursive</b></p>
-
-<p style="margin-left:22%;">Recursive mode (default is
-off). <br>
-Also settable in the dnssec.conf file (Parameter:
-Recursive).</p>
-
-<p style="margin-left:11%;"><b>−p</b>,
-<b>−−path</b></p>
-
-<p style="margin-left:22%;">Print pathname in listing mode.
-In -C mode, don’t create the new key in the same
-directory as (already existing) keys with the same
-label.</p>
-
-<p style="margin-left:11%;"><b>−a</b>,
-<b>−−age</b></p>
-
-<p style="margin-left:22%;">Print age of key in weeks,
-days, hours, minutes and seconds (default is off). <br>
-Also settable in the dnssec.conf file (Parameter:
-PrintAge).</p>
-
-<p style="margin-left:11%;"><b>−f</b>,
-<b>−−lifetime</b></p>
-
-<p style="margin-left:22%;">Print the key lifetime.</p>
-
-<p style="margin-left:11%;"><b>−F</b>,
-<b>−−setlifetime</b></p>
-
-<p style="margin-left:22%;">Set the key lifetime of all the
-selected keys. Use option -k, -z, -l or the file and dir
-argument for key selection.</p>
-
-<p style="margin-left:11%;"><b>−e</b>,
-<b>−−exptime</b></p>
-
-<p style="margin-left:22%;">Print the key expiration
-time.</p>
-
-<p style="margin-left:11%;"><b>−t</b>,
-<b>−−time</b></p>
-
-<p style="margin-left:22%;">Print the key generation time
-(default is on). <br>
-Also settable in the dnssec.conf file (Parameter:
-PrintTime).</p>
-
-<table width="100%" border="0" rules="none" frame="void"
- cellspacing="0" cellpadding="0">
-<tr valign="top" align="left">
-<td width="11%"></td>
-<td width="3%">
-
-
-<p><b>−h</b></p></td>
-<td width="8%"></td>
-<td width="78%">
-
-
-<p>No header or trusted-key section header and trailer in
--T mode</p></td></tr>
-</table>
-
-<h2>COMMAND OPTIONS
-<a name="COMMAND OPTIONS"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em"><b>−H</b>,
-<b>−−help</b></p>
-
-<p style="margin-left:22%;">Print out the online help.</p>
-
-<p style="margin-left:11%;"><b>−T</b>,
-<b>−−list-trustedkeys</b></p>
-
-<p style="margin-left:22%;">List all key signing keys as a
-<i>named.conf</i> trusted-key section. Use <b>−h</b>
-to supress the section header/trailer.</p>
-
-<p style="margin-left:11%;"><b>−K</b>,
-<b>−−list-dnskeys</b></p>
-
-<p style="margin-left:22%;">List the public part of all the
-keys in DNSKEY resource record format. Use <b>−h</b>
-to suppress comment lines.</p>
-
-<p style="margin-left:11%;"><b>−C</b> <i>zone</i><b>,
-−−create=</b><i>zone</i></p>
-
-<p style="margin-left:22%;">Create a new zone signing key
-for the given zone. Add option <b>−k</b> to create a
-key signing key. The key algorithm and key length will be
-examined from built-in default values or from the parameter
-settings in the <i>dnssec.conf</i> file. <br>
-The keyfile will be created in the current directory if the
-<b>−p</b> option is specified.</p>
-
-<p style="margin-left:11%;"><b>−R</b>
-<i>keyid</i><b>, −−revoke=</b><i>keyid</i></p>
-
-<p style="margin-left:22%;">Revoke the key signing key with
-the given keyid. A revoked key has bit 8 in the flags filed
-set (see RFC5011). The keyid is the numeric keytag with an
-optionally added zone name separated by a colon.</p>
-
-
-<p style="margin-left:11%;"><b>−−rename="</b><i>keyid</i></p>
-
-<p style="margin-left:22%;">Rename the key files of the key
-with the given keyid (Look at key file names starting with
-an lower ’k’). The keyid is the numeric keytag
-with an optionally added zone name separated by a colon.</p>
-
-
-<p style="margin-left:11%;"><b>−−destroy=</b><i>keyid</i></p>
-
-<p style="margin-left:22%;">Deletes the key with the given
-keyid. The keyid is the numeric keytag with an optionally
-added zone name separated by a colon. Beware that this
-deletes both private and public keyfiles, thus the key is
-unrecoverable lost.</p>
-
-<p style="margin-left:11%;"><b>−P|A|D</b>
-<i>keyid,</i> <b>−−published=</b><i>keyid,</i>
-<b>−−active=</b><i>keyid,</i>
-<b>−−depreciated=</b><i>keyid</i></p>
-
-<p style="margin-left:22%;">Change the status of the given
-dnssec key to published (<b>−P</b>), active
-(<b>−A</b>) or depreciated (<b>−D</b>). The
-<i>keyid</i> is the numeric keytag with an optionally added
-zone name separated by a colon. Setting the status to
-"published" or "depreciate" will change
-the filename of the private key file to
-".published" or ".depreciated"
-respectivly. This prevents the usage of the key as a signing
-key by the use of <i>dnssec-signzone(8)</i>. The time of
-status change will be stored in the ’mtime’
-field of the corresponding ".key" file. Key
-activation via option <b>−A</b> will restore the
-original timestamp and file name (".private").</p>
-
-<p style="margin-left:11%;"><b>−Z</b>,
-<b>−−zone-config</b></p>
-
-<p style="margin-left:22%;">Write all config parameters to
-stdout. The output is suitable as a template for the
-<i>dnssec.conf</i> file, so the easiest way to create a
-<i>dnssec.conf</i> file is to redirect the standard output
-of the above command. Pay attention not to overwrite an
-existing file.</p>
-
-
-<p style="margin-left:11%;"><b>−−ksk-roll-phase[123]</b>
-<i>do.ma.in.</i></p>
-
-<p style="margin-left:22%;">Initiate a key signing key
-rollover of the specified domain. This feature is currently
-in experimental status and is mainly for the use in an
-hierachical environment. Use --ksk-rollover for a little
-more detailed description.</p>
-
-<h2>SAMPLE USAGE
-<a name="SAMPLE USAGE"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-−r .</b></p>
-
-<p style="margin-left:22%;">Print out a list of all zone
-keys found below the current directory.</p>
-
-<p style="margin-left:11%;"><b>dnssec-zkt −Z −c
-""</b></p>
-
-<p style="margin-left:22%;">Print out the compiled in
-default parameters.</p>
-
-<p style="margin-left:11%;"><b>dnssec-zkt −C
-example.net −k −r ./zonedir</b></p>
-
-<p style="margin-left:22%;">Create a new key signing key
-for the zone "example.net". Store the key in the
-same directory below "zonedir" where the other
-"example.net" keys live.</p>
-
-<p style="margin-left:11%;"><b>dnssec-zkt −T
-./zonedir/example.net</b></p>
-
-<p style="margin-left:22%;">Print out a trusted-key section
-containing the key signing keys of
-"example.net".</p>
-
-<p style="margin-left:11%;"><b>dnssec-zkt −D 123245
-−r .</b></p>
-
-<p style="margin-left:22%;">Depreciate the key with tag
-"12345" below the current directory,</p>
-
-<p style="margin-left:11%;"><b>dnssec-zkt --view
-intern</b></p>
-
-<p style="margin-left:22%;">Print out a list of all zone
-keys found below the directory where all the zones of view
-intern live. There should be a seperate dnssec config file
-<i>dnssec-intern.conf</i> with a directory option to take
-affect of this.</p>
-
-<p style="margin-left:11%;"><b>dnssec-zkt-intern</b></p>
-
-<p style="margin-left:22%;">Same as above. The binary file
-<i>dnssec-zkt</i> has another link, named
-<i>dnssec-zkt-intern</i> made, and <i>dnssec-zkt</i>
-examines argv[0] to find a view whose zones it proceeds to
-process.</p>
-
-<h2>ENVIRONMENT VARIABLES
-<a name="ENVIRONMENT VARIABLES"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p>
-
-<p style="margin-left:22%;">Specifies the name of the
-default global configuration files.</p>
-
-<h2>FILES
-<a name="FILES"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em"><i>/var/named/dnssec.conf</i></p>
-
-<p style="margin-left:22%;">Built-in default global
-configuration file. The name of the default global config
-file is settable via the environment variable
-ZKT_CONFFILE.</p>
-
-
-<p style="margin-left:11%;"><i>/var/named/dnssec-<view>.conf</i></p>
-
-<p style="margin-left:22%;">View specific global
-configuration file.</p>
-
-<p style="margin-left:11%;"><i>./dnssec.conf</i></p>
-
-<p style="margin-left:22%;">Local configuration file (only
-used in <b>−C</b> mode).</p>
-
-<h2>BUGS
-<a name="BUGS"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em">Some of the
-general options will not be meaningful in all of the command
-modes. <br>
-The option <b>−l</b> and the ksk rollover options
-insist on domain names ending with a dot.</p>
-
-<h2>AUTHORS
-<a name="AUTHORS"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em">Holger Zuleger,
-Mans Nilsson</p>
-
-<h2>COPYRIGHT
-<a name="COPYRIGHT"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em">Copyright (c)
-2005 − 2008 by Holger Zuleger. Licensed under the BSD
-Licences. There is NO warranty; not even for MERCHANTABILITY
-or FITNESS FOR A PARTICULAR PURPOSE.</p>
-
-<h2>SEE ALSO
-<a name="SEE ALSO"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
-dnssec-signzone(8), rndc(8), named.conf(5),
-dnssec-signer(8), <br>
-RFC4641 "DNSSEC Operational Practices" by Miek
-Gieben and Olaf Kolkman, <br>
-DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC <br>
- (http://www.nlnetlabs.nl/dnssec_howto/)</p>
-<hr>
-</body>
-</html>
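Review bot: The file deleted here is generated output, not a source file: the comment at the top of the hunk reads "Creator : groff version 1.20.1" and the meta generator tag says "groff -Thtml". The deletion is only safe if the man page source it was rendered from is kept elsewhere or is removed deliberately in the same change, and the visible diff shows neither. It also shows no update to any index or install rule that might reference the HTML file. Please confirm both. If the documentation is being dropped rather than relocated, say in the commit message where the operational warnings on this page remain documented. The two that matter most are that --destroy "deletes both private and public keyfiles", leaving the key unrecoverable, and that -P and -D rename the private key file to ".published" or ".depreciated" so that dnssec-signzone(8) will not sign with it. An operator who loses this reference could misjudge a key's state during a rollover.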