1DNSSEC-COVERAGE(8) BIND9 DNSSEC-COVERAGE(8)
2
3
4
6 dnssec-coverage - checks future DNSKEY coverage for a zone
7
9 dnssec-coverage [-K directory] [-l length] [-f file] [-d DNSKEY TTL]
10 [-m max TTL] [-r interval] [-c compilezone path] [-k]
11 [-z] [zone...]
12
14 dnssec-coverage verifies that the DNSSEC keys for a given zone or a set
15 of zones have timing metadata set properly to ensure no future lapses
16 in DNSSEC coverage.
17
18 If zone is specified, then keys found in the key repository matching
19 that zone are scanned, and an ordered list is generated of the events
20 scheduled for that key (i.e., publication, activation, inactivation,
21 deletion). The list of events is walked in order of occurrence.
22 Warnings are generated if any event is scheduled which could cause the
23 zone to enter a state in which validation failures might occur: for
24 example, if the number of published or active keys for a given
25 algorithm drops to zero, or if a key is deleted from the zone too soon
26 after a new key is rolled, and cached data signed by the prior key has
27 not had time to expire from resolver caches.
28
29 If zone is not specified, then all keys in the key repository will be
30 scanned, and all zones for which there are keys will be analyzed.
31 (Note: This method of reporting is only accurate if all the zones that
32 have keys in a given repository share the same TTL parameters.)
33
35 -K directory
36 Sets the directory in which keys can be found. Defaults to the
37 current working directory.
38
39 -f file
40 If a file is specified, then the zone is read from that file; the
41 largest TTL and the DNSKEY TTL are determined directly from the
42 zone data, and the -m and -d options do not need to be specified on
43 the command line.
44
45 -l duration
46 The length of time to check for DNSSEC coverage. Key events
47 scheduled further into the future than duration will be ignored,
48 and assumed to be correct.
49
50 The value of duration can be set in seconds, or in larger units of
51 time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for
52 days, 'w' for weeks, 'mo' for months, 'y' for years.
53
54 -m maximum TTL
55 Sets the value to be used as the maximum TTL for the zone or zones
56 being analyzed when determining whether there is a possibility of
57 validation failure. When a zone-signing key is deactivated, there
58 must be enough time for the record in the zone with the longest TTL
59 to have expired from resolver caches before that key can be purged
60 from the DNSKEY RRset. If that condition does not apply, a warning
61 will be generated.
62
63 The length of the TTL can be set in seconds, or in larger units of
64 time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for
65 days, 'w' for weeks, 'mo' for months, 'y' for years.
66
67 This option is not necessary if the -f has been used to specify a
68 zone file. If -f has been specified, this option may still be used;
69 it will override the value found in the file.
70
71 If this option is not used and the maximum TTL cannot be retrieved
72 from a zone file, a warning is generated and a default value of 1
73 week is used.
74
75 -d DNSKEY TTL
76 Sets the value to be used as the DNSKEY TTL for the zone or zones
77 being analyzed when determining whether there is a possibility of
78 validation failure. When a key is rolled (that is, replaced with a
79 new key), there must be enough time for the old DNSKEY RRset to
80 have expired from resolver caches before the new key is activated
81 and begins generating signatures. If that condition does not apply,
82 a warning will be generated.
83
84 The length of the TTL can be set in seconds, or in larger units of
85 time by adding a suffix: 'mi' for minutes, 'h' for hours, 'd' for
86 days, 'w' for weeks, 'mo' for months, 'y' for years.
87
88 This option is not necessary if -f has been used to specify a zone
89 file from which the TTL of the DNSKEY RRset can be read, or if a
90 default key TTL was set using ith the -L to dnssec-keygen. If
91 either of those is true, this option may still be used; it will
92 override the values found in the zone file or the key file.
93
94 If this option is not used and the key TTL cannot be retrieved from
95 the zone file or the key file, then a warning is generated and a
96 default value of 1 day is used.
97
98 -r resign interval
99 Sets the value to be used as the resign interval for the zone or
100 zones being analyzed when determining whether there is a
101 possibility of validation failure. This value defaults to 22.5
102 days, which is also the default in named. However, if it has been
103 changed by the sig-validity-interval option in named.conf, then it
104 should also be changed here.
105
106 The length of the interval can be set in seconds, or in larger
107 units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
108 'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
109
110 -k
111 Only check KSK coverage; ignore ZSK events. Cannot be used with -z.
112
113 -z
114 Only check ZSK coverage; ignore KSK events. Cannot be used with -k.
115
116 -c compilezone path
117 Specifies a path to a named-compilezone binary. Used for testing.
118
120 dnssec-checkds(8), dnssec-dsfromkey(8), dnssec-keygen(8), dnssec-
121 signzone(8)
122
124 Internet Systems Consortium, Inc.
125
127 Copyright © 2013-2016, 2018-2021 Internet Systems Consortium, Inc.
128 ("ISC")
129
130
131
132ISC 2014-01-11 DNSSEC-COVERAGE(8)