LSKRF(1)              User Contributed Perl Documentation             LSKRF(1)

NAME

       lskrf - List the keyrecs in a DNSSEC-Tools keyrec file

SYNOPSIS

         lskrf [options] <keyrec-files>

DESCRIPTION

       lskrf lists the contents of the specified keyrec files.  All keyrec
       files are loaded before the output is displayed.  If any keyrecs have
       duplicated names, whether within one file or across multiple files, the
       later keyrec will be the one whose data are displayed.

       lskrf has three base output formats.  In ascending levels of detail,
       these formats are terse output, default format, and long format.  Terse
       output is given when the -terse option is specified; long output is
       given when the -long option is specified.

       The output displayed for each record in a keyrec file depends on the
       selected records, the selected attributes, and the selected output
       format.  Each option in these option groups is described in detail in
       the OPTIONS section; the three basic output formats are described in
       the OUTPUT FORMATS section.

OUTPUT FORMATS

       keyrec files hold three types of keyrec records:  zone records, signing
       set records, and key records.  Each type of keyrec record contains
       keyrec fields related to that type.  Zone keyrec records contain data
       about all the keys associated with a particular zone; set keyrec
       records contain data about all the keys associated with a particular
       signing set; key keyrec records contain key lengths and algorithms for
       each particular key.  (There is the case of subordinate revoked and
       obsolete signing sets.  These are stored in key keyrec records, but
       they contain the set_type entry which key keyrecs do not.)  The data to
       be printed must be specified by selecting some combination of the
       -zone, -sets, -keys, and -all options.  There are also options for
       specifying specific types of keys to be printed.

       The three base output formats are the default format, the terse format,
       and the long format.  The -terse option indicates that a minimal amount
       of output is desired; the -long option indicates that a great deal of
       output is desired.  The record-selection and attribute-selection
       options may be used in conjunction with -terse to display exactly the
       set of keyrec fields needed.  The default output format is a middle
       ground between terse and long output and is that used when neither
       -terse nor -long is given.

   Zone keyrec Output
       The table below shows the zone keyrec fields displayed for each output
       format.

           keyrec field         default        terse        long
           ------------         -------        -----        ----
           keyrec type            yes           no          yes
           zone name              yes           yes         yes
           zone file              yes           no          yes
           signed zonefile        yes           no          yes
           signing date           yes           no          yes
           expiration date        no            no          yes
           archive directory      no            no          yes
           KSK count              no            no          yes
           KSK directory          no            no          yes
           current KSK set        no            no          yes
           published KSK set      no            no          yes
           ZSK count              no            no          yes
           ZSK directory          no            no          yes
           current ZSK set        no            no          yes
           published ZSK set      no            no          yes
           new ZSK set            no            no          yes

   Set keyrec Output
       The table below shows the signing set keyrec fields displayed for each
       output format.

           keyrec field                 default        terse        long
           ------------                 -------        -----        ----
           keyrec type                    yes           no          yes
           set name                       yes           yes         yes
           zone name                      yes           no          yes
           type                           yes           no          yes
           keys                           no            no          yes
           last modification date         no            no          yes

   Key keyrec Output
       The table below shows the key keyrec fields displayed for each output
       format.

           keyrec field               default       terse       long
           ------------               -------       -----       ----
           keyrec type                yes           no          yes
           key name                   yes           yes         yes
           algorithm                  no            no          yes
           end date                   no            no          yes
           generation date            yes           no          yes
           key length                 no            no          yes
           key life                   no            no          yes
           key path                   no            no          yes
           keys                       no            no          yes
           random number generator    no            no          yes
           zone name                  yes           no          yes

OPTIONS

       lskrf takes three types of options:  record-selection options,
       record-attribute options, and output-style options.  These option sets
       are detailed below.

       Record-selection options are required options; at least one
       record-selection option must be selected.  Record-attribute options and
       output-style options are optional options; any number of these options
       may be selected.

   Record-Selection Options
       These options select the types of keyrec that will be displayed.

       -all
           This option displays all the records in a keyrec file.

       -zones
           This option displays the zones in a keyrec file.

       -sets
           This option displays the signing sets in a keyrec file.

       -keys
           This option displays the keys in a keyrec file.

           The key data are sorted by key type in the following order:
           Current KSKs, Published KSKs, Current ZSKs, Published ZSKs, New
           ZSKs, Obsolete KSKs, and Obsolete ZSKs.

       -ksk
           This option displays the KSK keys in a keyrec file.

       -kcur
           This option displays the Current KSK keys in a keyrec file.

       -kpub
           This option displays the Published KSK keys in a keyrec file.

       -kobs
           This option displays the obsolete KSK keys in a keyrec file.  This
           option must be given if obsolete KSK keys are to be displayed.

       -krev
           This option displays the revoked KSK keys in a keyrec file.  This
           option must be given if revoked KSK keys are to be displayed.

       -zsk
           This option displays the ZSK keys in a keyrec file.  It does not
           include obsolete ZSK keys; the -obs option must be specified to
           display obsolete keys.

       -cur
           This option displays the Current ZSK keys in a keyrec file.

       -new
           This option displays the New ZSK keys in a keyrec file.

       -pub
           This option displays the Published ZSK keys in a keyrec file.

       -zobs
           This option displays the obsolete ZSK keys in a keyrec file.  This
           option must be given if obsolete ZSK keys are to be displayed.

       -zrev
           This option displays the revoked ZSK keys in a keyrec file.  This
           option must be given if revoked ZSK keys are to be displayed.

       -obs
           This option displays the obsolete KSK and ZSK keys in a keyrec
           file.  This option is a shorthand method of specifying the -kobs
           and -zobs options.

       -rev
           This option displays the revoked KSK and ZSK keys in a keyrec file.
           This option is a shorthand method of specifying the -krev and -zrev
           options.

       -invalid
           This option displays the obsolete and revoked KSK and ZSK keys in a
           keyrec file.  This option is a shorthand method of specifying the
           -obs and -rev options.

   Record-Attribute Options
       These options select subsets of the keyrecs chosen by the
       record-selection options.

       -valid
           This option displays the valid zones in a keyrec file.  It implies
           the -zones option.

       -expired
           This option displays the expired zones in a keyrec file.  It
           implies the -zones option.

       -ref
           This option displays the referenced signing set keyrecs and the
           referenced key keyrecs in a keyrec file, depending upon other
           selected options.

           Referenced state depends on the following:

             * Signing sets are considered to be referenced if they
               are listed in a zone keyrec.

             * KSKs are considered to be referenced if they are listed
               in a signing set keyrec that is listed in a zone keyrec.

             * ZSKs are considered to be referenced if they are listed
               in a signing set keyrec that is listed in a zone keyrec.

           This option may be used with either the -sets or -keys options.  If
           it isn't used with any record-selection options, then it is assumed
           that both -sets and -keys have been specified.

       -unref
           This option displays the unreferenced signing set keyrecs or the
           unreferenced key keyrecs in a keyrec file, depending upon other
           selected options.

           Unreferenced state depends on the following:

             * Signing sets are considered to be unreferenced if they
               are not listed in a zone keyrec.

             * KSKs are considered to be unreferenced if they are not listed
               in a signing set keyrec that is listed in a zone keyrec.

             * ZSKs are considered to be unreferenced if they are not listed
               in a signing set keyrec that is listed in a zone keyrec.

             * Obsolete ZSKs are checked, whether or not the -obs flag
               was specified.

           This option may be used with either the -sets or -keys options.  If
           it isn't used with any record-selection options, then it is assumed
           that both -sets and -keys have been specified.

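       The -ref and -unref rules, together with the "later keyrec wins" rule
       from the DESCRIPTION, sketched in Python as an added example (not
       lskrf's own code).  The keyrec layout, the zone field names, and the
       sample data are assumptions constructed for the example; the "kskrev"
       chain and obsolete-key handling are not modelled.

```python
import re

# Zone fields assumed to name signing sets (assumption, modelled on the -z-* options).
ZONE_SET_FIELDS = ("kskcur", "kskpub", "zskcur", "zskpub", "zsknew")
LINE = re.compile(r'^(\s*)(\S+)\s+"([^"]*)"\s*$')

# Constructed sample in an assumed, simplified keyrec layout. "set-zsk-2" is
# defined twice; the second definition is the one that must take effect.
SAMPLE_KRF = '''\
zone "example.com"
    kskcur "set-ksk-1"
    zskcur "set-zsk-1"
    zskpub "set-zsk-2"
set "set-ksk-1"
    keys "Kexample.com.+008+11111"
set "set-zsk-1"
    keys "Kexample.com.+008+22222"
set "set-zsk-2"
    keys "Kexample.com.+008+33333"
set "set-old"
    keys "Kexample.com.+008+44444"
key "Kexample.com.+008+11111"
key "Kexample.com.+008+22222"
key "Kexample.com.+008+33333"
key "Kexample.com.+008+44444"
key "Kexample.com.+008+55555"
set "set-zsk-2"
    keys "Kexample.com.+008+33333 Kexample.com.+008+55555"
'''

def load_keyrecs(*texts):
    """Load all inputs first; a later keyrec with a duplicated name replaces the earlier one."""
    recs = {}
    for text in texts:
        current = None
        for raw in text.splitlines():
            m = LINE.match(raw)
            if not m:
                continue                                  # blank or unrecognised line
            indent, word, value = m.groups()
            if not indent and word in ("zone", "set", "key"):
                current = recs[value] = {"_kind": word}   # record header at column 0
            elif indent and current is not None:
                current[word] = value                     # field of the current record
    return recs

def classify(recs):
    """Apply the -ref / -unref rules: zone -> signing set -> key."""
    sets = {n for n, r in recs.items() if r["_kind"] == "set"}
    keys = {n for n, r in recs.items() if r["_kind"] == "key"}
    zones = [r for r in recs.values() if r["_kind"] == "zone"]
    ref_sets = {z[f] for z in zones for f in ZONE_SET_FIELDS if f in z} & sets
    ref_keys = {k for s in ref_sets for k in recs[s].get("keys", "").split()} & keys
    return {"ref_sets": sorted(ref_sets), "unref_sets": sorted(sets - ref_sets),
            "ref_keys": sorted(ref_keys), "unref_keys": sorted(keys - ref_keys)}

if __name__ == "__main__":
    for label, names in classify(load_keyrecs(SAMPLE_KRF)).items():
        print(f"{label}: {' '.join(names)}")
```

       Unreferenced keys and sets are the ones to review when auditing key
       material left behind by rollovers.
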
   Zone-Attribute Options
       These options allow specific zone fields to be included in the output.
       If combined with the -terse option, only those fields specifically
       desired will be printed.  These options must be used with the -zone
       option.

       -z-archdir
           Display the zone's archive directory.  If an archive directory is
           not explicitly set for the zone, the default directory will be
           listed.

       -z-dates
           Display the zone's time-stamps.  These are the signing date and the
           expiration date.

       -z-dirs
           Display the zone's directories.  These directories are the KSK
           directory, the ZSK directory, and the key archive directory.

       -z-expdate
           Display the zone's expiration date.

       -z-ksk
           Display the zone's KSK data.  This is the equivalent of specifying
           the -z-kskcount, -z-kskcur, -z-kskdir, and -z-kskpub options.

       -z-kskcount
           Display the zone's KSK count.

       -z-kskcur
           Display the zone's Current KSK signing set.  If this is not
           defined, then "<unset>" will be given.

       -z-kskdir
           Display the zone's KSK directory.  If this is not defined, then "."
           will be given.

       -z-kskpub
           Display the zone's Published KSK signing set.  If this is not
           defined, then "<unset>" will be given.

       -z-sets
           Display the zone's signing sets.  This is the equivalent of
           specifying the -z-kskcur, -z-kskpub, -z-zskcur, -z-zsknew, and
           -z-zskpub options.

       -z-signdate
           Display the zone's signing date.

       -z-signfile
           Display the zone's signed zonefile.

       -z-zonefile
           Display the zone's zonefile.

       -z-zsk
           Display the zone's ZSK data.  This is the equivalent of specifying
           the -z-zskcount, -z-zskcur, -z-zskdir, -z-zsknew, and -z-zskpub
           options.

       -z-zskcount
           Display the zone's ZSK count.

       -z-zskcur
           Display the zone's Current ZSK signing set.  If this is not
           defined, then "<unset>" will be given.

       -z-zskdir
           Display the zone's ZSK directory.  If this is not defined, then "."
           will be given.

       -z-zsknew
           Display the zone's New ZSK signing set.  If this is not defined,
           then "<unset>" will be given.

       -z-zskpub
           Display the zone's Published ZSK signing set.  If this is not
           defined, then "<unset>" will be given.

   Set-Attribute Options
       These options allow specific set fields to be included in the output.
       If combined with the -terse option, only those fields specifically
       desired will be printed.  These options must be used with the -sets
       option.

       If RFC5011 processing is enabled, there is special handling of the
       zone's set keyrec of revoked KSK keys.  The "kskrev" field in the
       zone's keyrec points to a set keyrec, marked as being of type "kskrev".
       This set keyrec, in turn, points to a number of other set keyrecs, all
       of which are also marked as being of type "kskrev".  The group of all
       revoked KSK keys is found by consulting that subsidiary set of "kskrev"
       set keyrecs.  When the ages of these revoked keys exceed their
       revocation periods, they are marked as being obsolete ("kskobs").  If
       this happens as part of normal rollover, these revoked key and set
       keyrecs are all removed from the chain of active, revoked keyrecs.  If
       this happens to a key that's part of a larger set of keys, it is
       removed from that signing set and put in its own new signing set.
       lskrf displays the type of the "kskrev" set (listed in the zone keyrec)
       as "KSK-REV", and all other revoked KSK keyrecs are listed as
       "KSK-rev".

       -s-keys
           Display the set's keys.

       -s-lastmod
           Display the set's date of last modification.

       -s-type
           Display the set's type.

       -s-zone
           Display the set's zone name.

       -s-ksk
           Display KSK signing sets.  This option implies the -sets option.

       -s-kcur
           Display current KSK signing sets.  This option implies the -sets
           option.

       -s-kobs
           Display obsolete KSK signing sets.  This option implies the -sets
           option.

       -s-kpub
           Display published KSK signing sets.  This option implies the -sets
           option.

       -s-krev
           Display revoked KSK signing sets.  This option implies the -sets
           option.

       -s-zsk
           Display ZSK signing sets.  This option implies the -sets option.

       -s-zcur
           Display current ZSK signing sets.  This option implies the -sets
           option.

       -s-znew
           Display new ZSK signing sets.  This option implies the -sets
           option.

       -s-zobs
           Display obsolete ZSK signing sets.  This option implies the -sets
           option.

       -s-zpub
           Display published ZSK signing sets.  This option implies the -sets
           option.

       -s-zrev
           Display revoked ZSK signing sets.  This option implies the -sets
           option.

   Key-Attribute Options
       These options allow specific key fields to be included in the output.
       If combined with the -terse option, only those fields specifically
       desired will be printed.  These options must be used with the -key
       option.

       -k-algorithm
           Display the key's encryption algorithm.

       -k-enddate
           Display the key's end-date, calculated by adding the key's lifespan
           to its signing date.

       -k-length
           Display the key's length.

       -k-lifespan
           Display the key's lifespan (in seconds).  This lifespan is only
           related to the time between key rollover.  There is no other
           lifespan associated with a key.

       -k-path
           Display the key's path.

       -k-random
           Display the key's random number generator.

       -k-signdate
           Display the key's signing date.

       -k-zone
           Display the key's zonefile.

   Output-Format Options
       These options define how the keyrec information will be displayed.

       Without any of these options, the zone name, zone file, zone-signing
       date, and a label will be displayed for zones.  For types, the key
       name, the key's zone, the key's generation date, and a label will be
       displayed if these options aren't given.

       -count
           The count of matching records will be displayed, but the matching
           records will not be.

       -nodate
           The key's generation date will not be printed if this flag is
           given.

       -headers
           Display explanatory column headers.  If this flag is given, then
           entry labels will not be printed unless explicitly requested by use
           of the -label option.

       -label
           A label for the keyrec's type will be given.

       -long
           The long form of output will be given.  See the OUTPUT FORMATS
           section for details on data printed for each type of keyrec record.

           Long zone output can get very wide, depending on the data.

       -terse
           This option displays only the name of the zones or keys selected
           by other options.

       -Version
           Displays the version information for lskrf and the DNSSEC-Tools
           package.

       -help
           Display a usage message and exit.

       -h-zones
           Display the zone-attribute options and exit.

       -h-sets
           Display the set-attribute options and exit.

       -h-keys
           Display the key-attribute options and exit.

COPYRIGHT

       Copyright 2005-2014 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@tislabs.com

SEE ALSO

       zonesigner(8)

       Net::DNS::SEC::Tools::keyrec.pm(3)

       file-keyrec(5)

perl v5.28.1                      2018-08-29                          LSKRF(1)