KEYMGR(8)                          Knot DNS                          KEYMGR(8)


NAME

       keymgr - Knot DNS key management utility


SYNOPSIS

       keymgr basic_option [parameters...]

       keymgr [config_option config_storage] zone command argument...


DESCRIPTION

       The keymgr utility is used for manual key management in the Knot DNS
       server.

       Functions for DNSSEC keys and KASP (Key And Signature Policy)
       management are provided.

       The DNSSEC and KASP configuration is stored in a so called KASP
       database. The database is backed by LMDB.

   Basic options
       -h, --help
              Print the program help.

       -V, --version
              Print the program version.

       -t, --tsig tsig_name [tsig_algorithm] [tsig_bits]
              Generates a TSIG key. The TSIG algorithm can be specified by
              string (default: hmac-sha256), the bit length of the key by
              number (default: optimal length given by the algorithm). The
              generated TSIG key is only displayed on stdout: the command
              does not create a file, nor include the key in a keystore.

   Config options
       -c, --config file
              Use a textual configuration file (default is
              /etc/knot/knot.conf).

       -C, --confdb directory
              Use a binary configuration database directory (default is
              /var/lib/knot/confdb). If the default configuration database
              exists, it takes precedence over the default configuration
              file.

       -d, --dir path
              Use the specified KASP database path together with the default
              configuration (unspecified key parameters then fall back to
              the Knot policy defaults).

   Commands
       list [timestamp_format]
              Prints the list of key IDs and parameters of keys belonging to
              the zone.

       generate [arguments...]
              Generates a new DNSSEC key and stores it in the KASP database.
              Prints the key ID. This action takes some number of arguments
              (see below). Values for unspecified arguments are taken from
              the corresponding policy (if the -c or -C option is used) or
              from the Knot policy defaults.

       import-bind BIND_key_file
              Imports a BIND-style key into the KASP database (converting it
              to PEM format). Takes one argument: path to the BIND key file
              (private or public, but both MUST exist).

       import-pub BIND_pubkey_file
              Imports a public key into the KASP database. This key will not
              be rolled over nor used for signing. Takes one argument: path
              to the BIND public key file.

       import-pem PEM_file [arguments...]
              Imports a DNSSEC key from a PEM file. The key parameters (same
              as for the generate action) need to be specified (mainly
              algorithm, timers...) because they are not contained in the
              PEM format.

       import-pkcs11 key_id [arguments...]
              Imports a DNSSEC key from PKCS #11 storage. The key parameters
              (same as for the generate action) need to be specified (mainly
              algorithm, timers...) because they are not available. In fact,
              no key data is imported, only KASP database metadata is
              created.

       nsec3-salt [new_salt]
              Prints the current NSEC3 salt used for signing. If new_salt is
              specified, the salt is overwritten. The salt is printed and
              expected in hexadecimal, or a dash if empty.

       set key_spec [arguments...]
              Changes a timing argument (or ksk/zsk) of an existing key to a
              new value. Key_spec is either the key tag or a prefix of the
              key ID; arguments are like for generate, but just the related
              ones. Key tags are not guaranteed to be unique (RFC 4034), so
              prefer a key ID prefix where two keys could share a tag.

       ds [key_spec]
              Generates a DS record (all digest algorithms together) for the
              specified key. Key_spec is like for set; if unspecified, all
              KSKs are used.

       dnskey [key_spec]
              Generates a DNSKEY record for the specified key. Key_spec is
              like for ds; if unspecified, all KSKs are used.

       delete key_spec
              Removes the specified key from the zone. If the key was not
              shared, it is also deleted from the keystore.

       share key_ID
              Imports a key (specified by full key ID) from another zone as
              shared. After this, the key is owned by both zones equally.

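       The ds and dnskey commands print records derived from a stored key. The
       following is an added example (Python, not part of this man page or of
       Knot's own code) that computes the same DNSKEY key tag (RFC 4034
       Appendix B) and DS digests (types 1, 2 and 4) from a DNSKEY record, so
       the output of keymgr ds can be cross-checked independently before it is
       handed to the parent zone. The key bytes below are a constructed dummy,
       not real key material, and the presentation format (no TTL, class IN)
       is this example's assumption.

```python
import base64
import hashlib

# Constructed sample key, NOT real key material: flags 257 (ZONE + SEP, i.e.
# a KSK), protocol 3, algorithm 13 (ECDSAP256SHA256) and a dummy 64-byte
# public key of 0x01 bytes where a real key would carry the P-256 point X||Y.
SAMPLE_ZONE = "example.com."
SAMPLE_FLAGS = 257
SAMPLE_ALGORITHM = 13
SAMPLE_PUBKEY = bytes([0x01]) * 64

# DS digest types (IANA registry): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
# keymgr's `ds` prints one DS record per digest algorithm; so does this.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lowercase) wire form of an owner name, used as DS digest input."""
    if name == ".":
        return b"\x00"
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_record(zone, flags, algorithm, pubkey):
    """Presentation form of the DNSKEY RR (TTL omitted, class IN assumed)."""
    return "%s IN DNSKEY %d 3 %d %s" % (zone, flags, algorithm,
                                         base64.b64encode(pubkey).decode())


def ds_records(zone, flags, algorithm, pubkey):
    """DS records for all digest types: digest = H(owner_wire || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    tag = key_tag(rdata)
    data = owner_wire(zone) + rdata
    return ["%s IN DS %d %d %d %s" % (zone, tag, algorithm, dtype,
                                       h(data).hexdigest().upper())
            for dtype, h in sorted(DS_DIGESTS.items())]


def parse_dnskey_line(line):
    """Parse a DNSKEY presentation line (optional TTL/class) into its fields."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, protocol, algorithm = int(tokens[i + 1]), int(tokens[i + 2]), int(tokens[i + 3])
    if protocol != 3:
        raise ValueError("DNSKEY protocol must be 3 (RFC 4034)")
    pubkey = base64.b64decode("".join(tokens[i + 4:]))
    return owner, flags, algorithm, pubkey


def ds_from_dnskey_line(line):
    """Cross-check helper: DS records computed from a DNSKEY line such as keymgr prints."""
    owner, flags, algorithm, pubkey = parse_dnskey_line(line)
    return ds_records(owner, flags, algorithm, pubkey)


if __name__ == "__main__":
    line = dnskey_record(SAMPLE_ZONE, SAMPLE_FLAGS, SAMPLE_ALGORITHM, SAMPLE_PUBKEY)
    print(line)
    for ds in ds_from_dnskey_line(line):
        print(ds)
```

       Feed the DNSKEY line printed by keymgr dnskey to ds_from_dnskey_line and
       compare the result with keymgr ds; a mismatch in the key tag or digest
       means the wrong key (or a stale DNSKEY) is about to be submitted to the
       parent.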
   Generate arguments
       Arguments are separated by spaces, each of them in the format
       'name=value'.

       algorithm
              Either an algorithm number (e.g. 14), or a text name without
              dashes (e.g. ECDSAP384SHA384).

       size   Key length in bits.

       ksk    If set to yes, the key will be used for signing the DNSKEY
              RRset. The generated key will also have the Secure Entry Point
              flag set to 1.

       zsk    If set to yes, the key will be used for signing the zone
              (except the DNSKEY RRset). This flag can be set concurrently
              with the ksk flag, in which case a single key signs the whole
              zone.

       sep    Overrides the standard setting of the Secure Entry Point flag
              for the generated key.

       The following arguments are timestamps of the key lifetime:

       created
              Key created.

       pre_active
              Key started to be used for signing, not published (only for
              algorithm rollover).

       publish
              Key published.

       ready  Key used for signing and submitted to the parent zone (only for
              KSK).

       active Key used for signing.

       post_active
              Key still used for signing, but another key is active (only for
              KSK).

       retire_active
              Key no longer published, but still used for signing (only for
              algorithm rollover).

       retire Key still published, but no longer used for signing.

       remove Key deleted.

   Timestamps
       0      Zero timestamp means infinite future.

       UNIX_time
              Positive number of seconds since 1970 UTC.

       YYYYMMDDHHMMSS
              Date and time in this format without any punctuation.

       relative_timestamp
              A sign character (+, -), a number, and an optional time unit
              (y, mo, d, h, mi, s). The default unit is one second. E.g.
              +1mi, -2mo.

   Output timestamp formats
       (none) The timestamps are printed as UNIX timestamps.

       human  The timestamps are printed relative to now using time units
              (e.g. -2y5mo, +1h13s).

       iso    The timestamps are printed in the ISO 8601 format (e.g.
              2016-12-31T23:59:00).

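       The following is an added example (Python, not part of this man page or
       of Knot's own code) that parses the four timestamp forms above and
       renders the human output format, then checks a set of generate/set
       timers for ordering before building the keymgr command line. Its
       assumptions: a year is 365 days and a month 30 days, a 14-digit number
       is a YYYYMMDDHHMMSS date in UTC and anything else numeric is UNIX time,
       and the ordering check covers only publish, ready, active, retire and
       remove (the rollover-specific timers are skipped). The command line is
       built as an argv list and not executed.

```python
import re
from datetime import datetime, timezone

# Relative unit lengths in seconds.  The man page names the units only; a
# year of 365 days and a month of 30 days are this example's assumption.
UNITS = {"y": 365 * 86400, "mo": 30 * 86400, "d": 86400, "h": 3600, "mi": 60, "s": 1}
RELATIVE = re.compile(r"^([+-])(\d+)(y|mo|d|h|mi|s)?$")

# Timers whose relative order is unambiguous for every key: a key must be
# published before it is ready, ready before active, active before retired,
# retired before removed.  pre_active/retire_active/post_active only apply to
# algorithm or KSK rollovers and are deliberately left out of the check.
ORDERED_TIMERS = ["publish", "ready", "active", "retire", "remove"]
ALL_TIMERS = ["created", "pre_active", "publish", "ready", "active",
              "post_active", "retire_active", "retire", "remove"]
KEY_ARGS = ["algorithm", "size", "ksk", "zsk", "sep"]


def parse_timestamp(value, now):
    """Convert a keymgr timestamp to UNIX time; returns None for 0 (infinite future)."""
    if value == "0":
        return None
    m = RELATIVE.match(value)
    if m:
        sign, count, unit = m.groups()
        delta = int(count) * UNITS[unit or "s"]
        return now + delta if sign == "+" else now - delta
    if value.isdigit():
        if len(value) == 14:
            # YYYYMMDDHHMMSS; assumed here to be UTC and told apart from a
            # UNIX time purely by its 14-digit length.
            dt = datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            return int(dt.timestamp())
        return int(value)
    raise ValueError("unrecognised timestamp %r" % value)


def format_human(ts, now):
    """Render a UNIX time like keymgr's 'human' output format (+1h13s, -2y5mo)."""
    if ts is None:
        return "0"
    diff = ts - now
    sign = "-" if diff < 0 else "+"
    rest, parts = abs(diff), []
    for unit, length in UNITS.items():  # largest unit first (dict order y..s)
        n, rest = divmod(rest, length)
        if n:
            parts.append("%d%s" % (n, unit))
    return sign + ("".join(parts) or "0s")  # "+0s" for now itself (assumed)


def check_lifecycle(timers, now):
    """Resolve timers to UNIX time and reject a lifecycle that runs backwards."""
    resolved = {name: parse_timestamp(value, now) for name, value in timers.items()}
    prev_name, prev_ts = None, None
    for name in ORDERED_TIMERS:
        ts = resolved.get(name)
        if ts is None:  # not given, or 0 = never
            continue
        if prev_ts is not None and ts < prev_ts:
            raise ValueError("%s=%s precedes %s=%s" % (
                name, format_human(ts, now), prev_name, format_human(prev_ts, now)))
        prev_name, prev_ts = name, ts
    return resolved


def generate_argv(zone, now, **args):
    """argv for `keymgr <zone> generate name=value ...`, validated but not executed."""
    unknown = [k for k in args if k not in ALL_TIMERS + KEY_ARGS]
    if unknown:
        raise ValueError("unknown generate argument(s): %s" % ", ".join(unknown))
    check_lifecycle({k: v for k, v in args.items() if k in ALL_TIMERS}, now)
    return ["keymgr", zone, "generate"] + ["%s=%s" % (k, v) for k, v in args.items()]


if __name__ == "__main__":
    now = int(datetime.now(timezone.utc).timestamp())
    print(generate_argv("example.com.", now, algorithm="ECDSAP256SHA256", size="256",
                        ksk="yes", publish="+0s", active="+2mi", retire="+4mi", remove="+5mi"))
```

       The argv list can be passed straight to subprocess.run; validating the
       timers first catches the common mistake of a retire or remove time that
       falls before the key is active, which keymgr would otherwise store as
       given.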

EXAMPLES

       1. Generate a new TSIG key:

             $ keymgr -t my_name hmac-sha384

       2. Generate a new DNSSEC key:

             $ keymgr example.com. generate algorithm=ECDSAP256SHA256 size=256 \
               ksk=true created=1488034625 publish=20170223205611 retire=+10mo remove=+1y

       3. Import a DNSSEC key from BIND:

             $ keymgr example.com. import-bind ~/bind/Kharbinge4d5.+007+63089.key

       4. Configure key timing:

             $ keymgr example.com. set 4208 active=+2mi retire=+4mi remove=+5mi

       5. Share a KSK from another zone:

             $ keymgr example.com. share e687cf927029e9db7184d2ece6d663f5d1e5b0e9


SEE ALSO

       RFC 6781 - DNSSEC Operational Practices. RFC 7583 - DNSSEC Key
       Rollover Timing Considerations.

       knot.conf(5), knotc(8), knotd(8).


AUTHOR

       CZ.NIC Labs <https://www.knot-dns.cz>

       Copyright 2010–2019, CZ.NIC, z.s.p.o.



2.7.6                             2019-01-23                         KEYMGR(8)