1DNSSEC-COVERAGE(8) BIND9 DNSSEC-COVERAGE(8)
2
6 dnssec-coverage - checks future DNSKEY coverage for a zone
7
9 dnssec-coverage [-K directory] [-f file] [-d DNSKEY TTL] [-m max TTL]
10 [-r interval] [-c compilezone path] [zone]
11
13 dnssec-coverage verifies that the DNSSEC keys for a given zone or a set
14 of zones have timing metadata set properly to ensure no future lapses
15 in DNSSEC coverage.
16 If zone is specified, then keys found in the key repository matching
18 that zone are scanned, and an ordered list is generated of the events
19 scheduled for that key (i.e., publication, activation, inactivation,
20 deletion). The list of events is walked in order of occurrence.
21 Warnings are generated if any event is scheduled which could cause the
22 zone to enter a state in which validation failures might occur: for
23 example, if the number of published or active keys for a given
24 algorithm drops to zero, or if a key is deleted from the zone too soon
25 after a new key is rolled, and cached data signed by the prior key has
26 not had time to expire from resolver caches.
27 If zone is not specified, then all keys in the key repository will be
29 scanned, and all zones for which there are keys will be analyzed.
30 (Note: This method of reporting is only accurate if all the zones that
31 have keys in a given repository share the same TTL parameters.)
32
34 -f file
35 If a file is specified, then the zone is read from that file; the
36 largest TTL and the DNSKEY TTL are determined directly from the
37 zone data, and the -m and -d options do not need to be specified on
38 the command line.
39 -K directory
41 Sets the directory in which keys can be found. Defaults to the
42 current working directory.
43 -m maximum TTL
45 Sets the value to be used as the maximum TTL for the zone or zones
46 being analyzed when determining whether there is a possibility of
47 validation failure. When a zone-signing key is deactivated, there
48 must be enough time for the record in the zone with the longest TTL
49 to have expired from resolver caches before that key can be purged
50 from the DNSKEY RRset. If that condition does not apply, a warning
51 will be generated.
52 The length of the TTL can be set in seconds, or in larger units of
54 time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for
55 days, 'w' for weeks, 'mo' for months, 'y' for years.
56 This option is mandatory unless the -f has been used to specify a
58 zone file. (If -f has been specified, this option may still be
59 used; it will overrde the value found in the file.)
60 -d DNSKEY TTL
62 Sets the value to be used as the DNSKEY TTL for the zone or zones
63 being analyzed when determining whether there is a possibility of
64 validation failure. When a key is rolled (that is, replaced with a
65 new key), there must be enough time for the old DNSKEY RRset to
66 have expired from resolver caches before the new key is activated
67 and begins generating signatures. If that condition does not apply,
68 a warning will be generated.
69 The length of the TTL can be set in seconds, or in larger units of
71 time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for
72 days, 'w' for weeks, 'mo' for months, 'y' for years.
73 This option is mandatory unless the -f has been used to specify a
75 zone file, or a default key TTL was set with the -L to
76 dnssec-keygen. (If either of those is true, this option may still
77 be used; it will overrde the value found in the zone or key file.)
78 -r resign interval
80 Sets the value to be used as the resign interval for the zone or
81 zones being analyzed when determining whether there is a
82 possibility of validation failure. This value defaults to 22.5
83 days, which is also the default in named. However, if it has been
84 changed by the sig-validity-interval option in named.conf, then it
85 should also be changed here.
86 The length of the interval can be set in seconds, or in larger
88 units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
89 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
90 -c compilezone path
92 Specifies a path to a named-compilezone binary. Used for testing.
93
95 dnssec-checkds(8), dnssec-dsfromkey(8), dnssec-keygen(8),
96 dnssec-signzone(8)
97
99 Internet Systems Consortium
100
102 Copyright © 2013 Internet Systems Consortium, Inc. ("ISC")
103BIND9 April 16, 2012 DNSSEC-COVERAGE(8)