KRFCHECK(1)           User Contributed Perl Documentation          KRFCHECK(1)

NAME

       krfcheck - Check a DNSSEC-Tools keyrec file for problems and
       inconsistencies

SYNOPSIS

         krfcheck [-zone | -set | -key] [-count] [-quiet]
                  [-verbose] [-Version] [-help] keyrec-file

DESCRIPTION

       This script checks a keyrec file for problems, potential problems, and
       inconsistencies.

       Recognized problems include:

       ·   no zones defined

           The keyrec file does not contain any zone keyrecs.

       ·   no sets defined

           The keyrec file does not contain any set keyrecs.

       ·   no keys defined

           The keyrec file does not contain any key keyrecs.

       ·   unknown zone keyrecs

           A set keyrec or a key keyrec references a non-existent zone keyrec.

       ·   missing key from zone keyrec

           A zone keyrec does not have both a KSK key and a ZSK key.

       ·   missing key from set keyrec

           A key listed in a set keyrec does not have a key keyrec.

       ·   expired zone keyrecs

           A zone has expired.

       ·   mislabeled key

           A key is labeled as a KSK (or ZSK) and its owner zone has it
           labeled as the opposite.

       ·   invalid zone data values

           A zone's keyrec data are checked to ensure that they are valid.
           The following conditions are checked:  existence of the zone file,
           existence of the KSK file, existence of the KSK and ZSK
           directories, the end-time is greater than one day, and the
           seconds-count and date string match.

       ·   invalid key data values

           A key's keyrec data are checked to ensure that they are valid.  The
           following conditions are checked:  valid encryption algorithm, key
           length falls within algorithm's size range, random generator file
           exists, and the seconds-count and date string match.

       Recognized potential problems include:

       ·   imminent zone expiration

           A zone will expire within one week.

       ·   odd zone-signing date

           A zone's recorded signing date is later than the current system
           clock.

       ·   orphaned keys

           A key keyrec is unreferenced by any set keyrec.

       ·   missing key directories

           One of a zone keyrec's key directories (kskdirectory or
           zskdirectory) does not exist.

       Recognized inconsistencies include:

       ·   key-specific fields in a zone keyrec

           A zone keyrec contains key-specific entries.  To allow for
           site-specific extensibility, krfcheck does not check for undefined
           keyrec fields.

       ·   zone-specific fields in a key keyrec

           A key keyrec contains zone-specific entries.  To allow for
           site-specific extensibility, krfcheck does not check for undefined
           keyrec fields.

       ·   mismatched zone timestamp

           A zone's seconds-count timestamp does not match its textual
           timestamp.

       ·   mismatched set timestamp

           A set's seconds-count timestamp does not match its textual
           timestamp.

       ·   mismatched key timestamp

           A key's seconds-count timestamp does not match its textual
           timestamp.
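
       The cross-reference checks described above (unknown zone keyrecs,
       missing key from set keyrec, orphaned keys), sketched in Python as an
       added example; this is not krfcheck's own code.  The zone/set/key
       record keywords and the zonename and keys fields are assumptions about
       the keyrec layout documented in file-keyrec(5), and the sample data is
       constructed.

```python
import re

# Constructed sample. Record and field names (zone/set/key, zonename, keys)
# are assumptions about the keyrec layout documented in file-keyrec(5).
SAMPLE = '''
zone "example.com"
set "signing-set-1"
    zonename "example.com"
    keys "Kexample.com.+005+11111 Kexample.com.+005+22222"
set "signing-set-2"
    zonename "example.org"
    keys "Kexample.org.+005+33333"
key "Kexample.com.+005+11111"
    zonename "example.com"
key "Kexample.org.+005+33333"
    zonename "example.org"
key "Kexample.com.+005+44444"
    zonename "example.com"
'''

ENTRY = re.compile(r'^\s*(\S+)\s+"([^"]*)"\s*$')

def parse_keyrecs(text):
    """Return {(type, name): {field: value}} for every keyrec in text."""
    recs, cur = {}, None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue                      # blank line, comment or junk
        word, value = m.groups()
        if word in ("zone", "set", "key"):
            cur = recs.setdefault((word, value), {})   # start of a keyrec
        elif cur is not None:
            cur[word] = value             # field of the current keyrec
    return recs

def cross_check(recs):
    """Return (finding, keyrec name) pairs for broken cross-references."""
    zones = {n for t, n in recs if t == "zone"}
    keys = {n for t, n in recs if t == "key"}
    listed, findings = set(), []
    for (rtype, name), fields in sorted(recs.items()):
        if rtype == "set":
            listed.update(fields.get("keys", "").split())
        if rtype in ("set", "key") and fields.get("zonename") not in zones:
            findings.append(("unknown zone keyrec", name))
    findings += [("missing key from set keyrec", k) for k in sorted(listed - keys)]
    findings += [("orphaned key", k) for k in sorted(keys - listed)]
    return findings
```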

OPTIONS

       -zone
           Only perform checks of zone keyrecs.  This option may not be
           combined with the -set or -key options.

       -set
           Only perform checks of set keyrecs.  This option may not be
           combined with the -zone or -key options.

       -key
           Only perform checks of key keyrecs.  This option may not be
           combined with the -set or -zone options.

       -count
           Display a final count of errors.

       -quiet
           Do not display messages.  This option supersedes the setting of the
           -verbose option.

       -verbose
           Display many messages.  This option is subordinate to the -quiet
           option.

       -Version
           Displays the version information for krfcheck and the DNSSEC-Tools
           package.

       -help
           Display a usage message.

COPYRIGHT

       Copyright 2004-2014 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@tislabs.com

SEE ALSO

       cleankrf(8), fixkrf(8), lskrf(1), zonesigner(8)

       Net::DNS::SEC::Tools::keyrec.pm(3)

       file-keyrec(5)

perl v5.30.0                      2019-07-24                       KRFCHECK(1)