LSKRF(1)          User Contributed Perl Documentation          LSKRF(1)

NAME

lskrf - List the keyrecs in a DNSSEC-Tools keyrec file

SYNOPSIS

lskrf [options] <keyrec-files>

DESCRIPTION

lskrf lists the contents of the specified keyrec files. All keyrec
files are loaded before the output is displayed. If any keyrecs have
duplicated names, whether within one file or across multiple files, the
later keyrec will be the one whose data are displayed.

lskrf has three base output formats. In ascending levels of detail,
these formats are terse output, default format, and long format. Terse
output is given when the -terse option is specified; long output is
given when the -long option is specified.

The output displayed for each record in a keyrec file depends on the
selected records, the selected attributes, and the selected output
format. Each option in these option groups is described in detail in
the OPTIONS section; the three basic output formats are described in
the OUTPUT FORMATS section.

OUTPUT FORMATS

keyrec files hold three types of keyrec records: zone records, signing
set records, and key records. Each type of keyrec record contains
keyrec fields related to that type. Zone keyrec records contain data
about all the keys associated with a particular zone; set keyrec
records contain data about all the keys associated with a particular
signing set; key keyrec records contain key lengths and algorithms for
each particular key. (There is the case of subordinate revoked and
obsolete signing sets. These are stored in key keyrec records, but
they contain the set_type entry which key keyrecs do not.) The data to
be printed must be specified by selecting some combination of the
-zone, -sets, -keys, and -all options. There are also options for
specifying specific types of keys to be printed.

The three base output formats are the default format, the terse format,
and the long format. The -terse option indicates that a minimal amount
of output is desired; the -long option indicates that a great deal of
output is desired. The record-selection and attribute-selection
options may be used in conjunction with -terse to display exactly the
set of keyrec fields needed. The default output format is a middle
ground between terse and long output and is that used when neither
-terse nor -long is given.

Zone keyrec Output

The table below shows the zone keyrec fields displayed for each output
format.

    keyrec field              default   terse   long
    ------------              -------   -----   ----
    keyrec type               yes       no      yes
    zone name                 yes       yes     yes
    zone file                 yes       no      yes
    signed zonefile           yes       no      yes
    signing date              yes       no      yes
    expiration date           no        no      yes
    archive directory         no        no      yes
    KSK count                 no        no      yes
    KSK directory             no        no      yes
    current KSK set           no        no      yes
    published KSK set         no        no      yes
    ZSK count                 no        no      yes
    ZSK directory             no        no      yes
    current ZSK set           no        no      yes
    published ZSK set         no        no      yes
    new ZSK set               no        no      yes

Set keyrec Output

The table below shows the signing set keyrec fields displayed for each
output format.

    keyrec field              default   terse   long
    ------------              -------   -----   ----
    keyrec type               yes       no      yes
    set name                  yes       yes     yes
    zone name                 yes       no      yes
    type                      yes       no      yes
    keys                      no        no      yes
    last modification date    no        no      yes

Key keyrec Output

The table below shows the key keyrec fields displayed for each output
format.

    keyrec field              default   terse   long
    ------------              -------   -----   ----
    keyrec type               yes       no      yes
    key name                  yes       yes     yes
    algorithm                 no        no      yes
    end date                  no        no      yes
    generation date           yes       no      yes
    key length                no        no      yes
    key life                  no        no      yes
    key path                  no        no      yes
    keys                      no        no      yes
    random number generator   no        no      yes
    zone name                 yes       no      yes

OPTIONS

lskrf takes three types of options: record-selection options,
record-attribute options, and output-style options. These option sets
are detailed below.

Record-selection options are required options; at least one
record-selection option must be selected. Record-attribute options and
output-style options are optional options; any number of these options
may be selected.

Record-Selection Options

These options select the types of keyrec that will be displayed.

-all
    This option displays all the records in a keyrec file.

-zones
    This option displays the zones in a keyrec file.

-sets
    This option displays the signing sets in a keyrec file.

-keys
    This option displays the keys in a keyrec file.

    The key data are sorted by key type in the following order:
    Current KSKs, Published KSKs, Current ZSKs, Published ZSKs, New
    ZSKs, Obsolete KSKs, and Obsolete ZSKs.

-ksk
    This option displays the KSK keys in a keyrec file.

-kcur
    This option displays the Current KSK keys in a keyrec file.

-kpub
    This option displays the Published KSK keys in a keyrec file.

-kobs
    This option displays the obsolete KSK keys in a keyrec file. This
    option must be given if obsolete KSK keys are to be displayed.

-krev
    This option displays the revoked KSK keys in a keyrec file. This
    option must be given if revoked KSK keys are to be displayed.

-zsk
    This option displays the ZSK keys in a keyrec file. It does not
    include obsolete ZSK keys; the -obs option must be specified to
    display obsolete keys.

-cur
    This option displays the Current ZSK keys in a keyrec file.

-new
    This option displays the New ZSK keys in a keyrec file.

-pub
    This option displays the Published ZSK keys in a keyrec file.

-zobs
    This option displays the obsolete ZSK keys in a keyrec file. This
    option must be given if obsolete ZSK keys are to be displayed.

-zrev
    This option displays the revoked ZSK keys in a keyrec file. This
    option must be given if revoked ZSK keys are to be displayed.

-obs
    This option displays the obsolete KSK and ZSK keys in a keyrec
    file. This option is a shorthand method specifying the -kobs and
    -zobs options.

-rev
    This option displays the revoked KSK and ZSK keys in a keyrec file.
    This option is a shorthand method specifying the -krev and -zrev
    options.

-invalid
    This option displays the obsolete and revoked KSK and ZSK keys in a
    keyrec file. This option is a shorthand method specifying the -obs
    and -rev options.

Record-Attribute Options

These options select subsets of the keyrecs chosen by the
record-selection options.

-valid
    This option displays the valid zones in a keyrec file. It implies
    the -zones option.

-expired
    This option displays the expired zones in a keyrec file. It
    implies the -zones option.

-ref
    This option displays the referenced signing set keyrecs and the
    referenced key keyrecs in a keyrec file, depending upon other
    selected options.

    Referenced state depends on the following:

    * Signing sets are considered to be referenced if they
      are listed in a zone keyrec.

    * KSKs are considered to be referenced if they are listed
      in a signing set keyrec that is listed in a zone keyrec.

    * ZSKs are considered to be referenced if they are listed
      in a signing set keyrec that is listed in a zone keyrec.

    This option may be used with either the -sets or -keys options. If
    it isn't used with any record-selection options, then it is assumed
    that both -sets and -keys have been specified.

-unref
    This option displays the unreferenced signing set keyrecs or the
    unreferenced key keyrecs in a keyrec file, depending upon other
    selected options.

    Unreferenced state depends on the following:

    * Signing sets are considered to be unreferenced if they
      are not listed in a zone keyrec.

    * KSKs are considered to be unreferenced if they are not listed
      in a signing set keyrec that is listed in a zone keyrec.

    * ZSKs are considered to be unreferenced if they are not listed
      in a signing set keyrec that is listed in a zone keyrec.

    * Obsolete ZSKs are checked, whether or not the -obs flag
      was specified.

    This option may be used with either the -sets or -keys options. If
    it isn't used with any record-selection options, then it is assumed
    that both -sets and -keys have been specified.
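
The -ref and -unref rules above, combined with the rule that a later keyrec with a duplicated name wins, worked through as an added Python example. This is not lskrf's own code: the in-memory record layout, the field names (borrowed from the -z-* option suffixes), and the sample keyrecs are constructed assumptions, not the keyrec file format.

```python
# Added illustration: the -ref / -unref rules over a constructed keyrec model.
# Record layout and field names are assumptions, not the keyrec file format.
ZONE_SET_FIELDS = ("kskcur", "kskpub", "kskrev", "zskcur", "zskpub", "zsknew")

def load(*files):
    """Merge keyrec lists; a later keyrec with a duplicated name wins."""
    merged = {}
    for records in files:
        for rec in records:
            merged[rec["name"]] = rec
    return merged

def classify(keyrecs):
    """Split signing sets and keys into referenced and unreferenced."""
    zones = [r for r in keyrecs.values() if r["type"] == "zone"]
    sets = {n: r for n, r in keyrecs.items() if r["type"] == "set"}
    keys = {n for n, r in keyrecs.items() if r["type"] == "key"}
    # A set is referenced if a zone keyrec lists it.
    ref_sets = {z[f] for z in zones for f in ZONE_SET_FIELDS if z.get(f) in sets}
    # A key is referenced if a referenced set lists it.
    ref_keys = {k for s in ref_sets for k in sets[s]["keys"] if k in keys}
    return {
        "ref_sets": sorted(ref_sets),
        "unref_sets": sorted(set(sets) - ref_sets),
        "ref_keys": sorted(ref_keys),
        "unref_keys": sorted(keys - ref_keys),
    }

def key(tag):
    return {"type": "key", "name": f"Kexample.com.+008+{tag}"}

def sset(name, *tags):
    return {"type": "set", "name": name,
            "keys": [f"Kexample.com.+008+{t}" for t in tags]}

# Constructed sample data standing in for two keyrec files.
FILE_A = [
    {"type": "zone", "name": "example.com", "kskcur": "set-ksk-1",
     "zskcur": "set-zsk-1", "zskpub": "set-zsk-2"},
    sset("set-ksk-1", "11111"), sset("set-zsk-1", "22222"),
    sset("set-zsk-2", "33333"), sset("set-zsk-0", "44444"),
    *[key(t) for t in ("11111", "22222", "33333", "44444", "55555")],
]
FILE_B = [sset("set-zsk-2", "55555")]  # same name as in FILE_A: this one wins

if __name__ == "__main__":
    for label, recs in (("A only", load(FILE_A)), ("A then B", load(FILE_A, FILE_B))):
        print(label, classify(recs))
```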

Zone-Attribute Options

These options allow specific zone fields to be included in the output.
If combined with the -terse option, only those fields specifically
desired will be printed. These options must be used with the -zone
option.

-z-archdir
    Display the zone's archive directory. If an archive directory is
    not explicitly set for the zone, the default directory will be
    listed.

-z-dates
    Display the zone's time-stamps. These are the signing date and the
    expiration date.

-z-dirs
    Display the zone's directories. These directories are the KSK
    directory, the ZSK directory, and the key archive directory.

-z-expdate
    Display the zone's expiration date.

-z-ksk
    Display the zone's KSK data. This is the equivalent of specifying
    the -z-kskcount, -z-kskcur, -z-kskdir, and -z-kskpub options.

-z-kskcount
    Display the zone's KSK count.

-z-kskcur
    Display the zone's Current KSK signing set. If this is not
    defined, then "<unset>" will be given.

-z-kskdir
    Display the zone's KSK directory. If this is not defined, then "."
    will be given.

-z-kskpub
    Display the zone's Published KSK signing set. If this is not
    defined, then "<unset>" will be given.

-z-sets
    Display the zone's signing sets. This is the equivalent of
    specifying the -z-kskcur, -z-kskpub, -z-zskcur, -z-zsknew, and
    -z-zskpub options.

-z-signdate
    Display the zone's signing date.

-z-signfile
    Display the zone's signed zonefile.

-z-zonefile
    Display the zone's zonefile.

-z-zsk
    Display the zone's ZSK data. This is the equivalent of specifying
    the -z-zskcount, -z-zskcur, -z-zskdir, -z-zsknew, and -z-zskpub
    options.

-z-zskcount
    Display the zone's ZSK count.

-z-zskcur
    Display the zone's Current ZSK signing set. If this is not
    defined, then "<unset>" will be given.

-z-zskdir
    Display the zone's ZSK directory. If this is not defined, then "."
    will be given.

-z-zsknew
    Display the zone's New ZSK signing set. If this is not defined,
    then "<unset>" will be given.

-z-zskpub
    Display the zone's Published ZSK signing set. If this is not
    defined, then "<unset>" will be given.

Set-Attribute Options

These options allow specific set fields to be included in the output.
If combined with the -terse option, only those fields specifically
desired will be printed. These options must be used with the -sets
option.

If RFC5011 processing is enabled, there is special handling of the
zone's set keyrec of revoked KSK keys. The "kskrev" field in the
zone's keyrec points to a set keyrec, marked as being of type "kskrev".
This set keyrec, in turn, points to a number of other set keyrecs, all
of which are also marked as being of type "kskrev". The group of all
revoked KSK keys is found by consulting that subsidiary set of "kskrev"
set keyrecs. When the ages of these revoked keys exceed their
revocation periods, they are marked as being obsolete ("kskobs"). If
this happens as part of normal rollover, these revoked key and set
keyrecs are all removed from the chain of active, revoked keyrecs. If
this happens to a key that's part of a larger set of keys, it is
removed from that signing set and put in its own new signing set.
lskrf displays the type of the "kskrev" set (listed in the zone keyrec)
as "KSK-REV", and all other revoked KSK keyrecs are listed as
"KSK-rev".

-s-keys
    Display the set's keys.

-s-lastmod
    Display the set's date of last modification.

-s-type
    Display the set's type.

-s-zone
    Display the set's zone name.

-s-ksk
    Display KSK signing sets. This option implies the -sets option.

-s-kcur
    Display current KSK signing sets. This option implies the -sets
    option.

-s-kobs
    Display obsolete KSK signing sets. This option implies the -sets
    option.

-s-kpub
    Display published KSK signing sets. This option implies the -sets
    option.

-s-krev
    Display revoked KSK signing sets. This option implies the -sets
    option.

-s-zsk
    Display ZSK signing sets. This option implies the -sets option.

-s-zcur
    Display current ZSK signing sets. This option implies the -sets
    option.

-s-znew
    Display new ZSK signing sets. This option implies the -sets
    option.

-s-zobs
    Display obsolete ZSK signing sets. This option implies the -sets
    option.

-s-zpub
    Display published ZSK signing sets. This option implies the -sets
    option.

-s-zrev
    Display revoked ZSK signing sets. This option implies the -sets
    option.

Key-Attribute Options

These options allow specific key fields to be included in the output.
If combined with the -terse option, only those fields specifically
desired will be printed. These options must be used with the -key
option.

-k-algorithm
    Display the key's encryption algorithm.

-k-enddate
    Display the key's end-date, calculated by adding the key's lifespan
    to its signing date.

-k-length
    Display the key's length.

-k-lifespan
    Display the key's lifespan (in seconds). This lifespan is only
    related to the time between key rollover. There is no other
    lifespan associated with a key.

-k-path
    Display the key's path.

-k-random
    Display the key's random number generator.

-k-signdate
    Display the key's signing date.

-k-zone
    Display the key's zonefile.

Output-Format Options

These options define how the keyrec information will be displayed.

Without any of these options, the zone name, zone file, zone-signing
date, and a label will be displayed for zones. For types, the key
name, the key's zone, the key's generation date, and a label will be
displayed if these options aren't given.

-count
    The count of matching records will be displayed, but the matching
    records will not be.

-nodate
    The key's generation date will not be printed if this flag is
    given.

-headers
    Display explanatory column headers. If this flag is given, then
    entry labels will not be printed unless explicitly requested by use
    of the -label option.

-label
    A label for the keyrec's type will be given.

-long
    The long form of output will be given. See the OUTPUT FORMATS
    section for details on data printed for each type of keyrec record.

    Long zone output can get very wide, depending on the data.

-terse
    This option displays only the name of the zones or keys selected
    by other options.

-Version
    Displays the version information for lskrf and the DNSSEC-Tools
    package.

-help
    Display a usage message and exit.

-h-zones
    Display the zone-attribute options and exit.

-h-sets
    Display the set-attribute options and exit.

-h-keys
    Display the key-attribute options and exit.

COPYRIGHT

Copyright 2005-2011 SPARTA, Inc. All rights reserved. See the COPYING
file included with the DNSSEC-Tools package for details.

AUTHOR

Wayne Morrison, tewok@users.sourceforge.net

SEE ALSO

zonesigner(8)

Net::DNS::SEC::Tools::keyrec.pm(3)

file-keyrec(5)

perl v5.12.4                     2011-10-12                     LSKRF(1)