1DNSSEC-COVERAGE(8) BIND 9 DNSSEC-COVERAGE(8)
2
6 dnssec-coverage - checks future DNSKEY coverage for a zone
7
9 dnssec-coverage [-Kdirectory] [-llength] [-ffile] [-dDNSKEY TTL] [-mmax
10 TTL] [-rinterval] [-ccompilezone path] [-k] [-z] [zone...]
11
13 dnssec-coverage verifies that the DNSSEC keys for a given zone or a set
14 of zones have timing metadata set properly to ensure no future lapses
15 in DNSSEC coverage.
16 If zone is specified, then keys found in the key repository matching
18 that zone are scanned, and an ordered list is generated of the events
19 scheduled for that key (i.e., publication, activation, inactivation,
20 deletion). The list of events is walked in order of occurrence. Warn‐
21 ings are generated if any event is scheduled which could cause the zone
22 to enter a state in which validation failures might occur: for example,
23 if the number of published or active keys for a given algorithm drops
24 to zero, or if a key is deleted from the zone too soon after a new key
25 is rolled, and cached data signed by the prior key has not had time to
26 expire from resolver caches.
27 If zone is not specified, then all keys in the key repository will be
29 scanned, and all zones for which there are keys will be analyzed.
30 (Note: This method of reporting is only accurate if all the zones that
31 have keys in a given repository share the same TTL parameters.)
32
34 -K directory
35 Sets the directory in which keys can be found. Defaults to the cur‐
36 rent working directory.
37 -f file
39 If a file is specified, then the zone is read from that file; the
40 largest TTL and the DNSKEY TTL are determined directly from the zone
41 data, and the -m and -d options do not need to be specified on the
42 command line.
43 -l duration
45 The length of time to check for DNSSEC coverage. Key events sched‐
46 uled further into the future than duration will be ignored, and as‐
47 sumed to be correct.
48 The value of duration can be set in seconds, or in larger units of
50 time by adding a suffix: mi for minutes, h for hours, d for days, w
51 for weeks, mo for months, y for years.
52 -m maximum TTL
54 Sets the value to be used as the maximum TTL for the zone or zones
55 being analyzed when determining whether there is a possibility of
56 validation failure. When a zone-signing key is deactivated, there
57 must be enough time for the record in the zone with the longest TTL
58 to have expired from resolver caches before that key can be purged
59 from the DNSKEY RRset. If that condition does not apply, a warning
60 will be generated.
61 The length of the TTL can be set in seconds, or in larger units of
63 time by adding a suffix: mi for minutes, h for hours, d for days, w
64 for weeks, mo for months, y for years.
65 This option is not necessary if the -f has been used to specify a
67 zone file. If -f has been specified, this option may still be used;
68 it will override the value found in the file.
69 If this option is not used and the maximum TTL cannot be retrieved
71 from a zone file, a warning is generated and a default value of 1
72 week is used.
73 -d DNSKEY TTL
75 Sets the value to be used as the DNSKEY TTL for the zone or zones
76 being analyzed when determining whether there is a possibility of
77 validation failure. When a key is rolled (that is, replaced with a
78 new key), there must be enough time for the old DNSKEY RRset to have
79 expired from resolver caches before the new key is activated and be‐
80 gins generating signatures. If that condition does not apply, a
81 warning will be generated.
82 The length of the TTL can be set in seconds, or in larger units of
84 time by adding a suffix: mi for minutes, h for hours, d for days, w
85 for weeks, mo for months, y for years.
86 This option is not necessary if -f has been used to specify a zone
88 file from which the TTL of the DNSKEY RRset can be read, or if a de‐
89 fault key TTL was set using ith the -L to dnssec-keygen. If either
90 of those is true, this option may still be used; it will override
91 the values found in the zone file or the key file.
92 If this option is not used and the key TTL cannot be retrieved from
94 the zone file or the key file, then a warning is generated and a de‐
95 fault value of 1 day is used.
96 -r resign interval
98 Sets the value to be used as the resign interval for the zone or
99 zones being analyzed when determining whether there is a possibility
100 of validation failure. This value defaults to 22.5 days, which is
101 also the default in named. However, if it has been changed by the
102 sig-validity-interval option in named.conf, then it should also be
103 changed here.
104 The length of the interval can be set in seconds, or in larger units
106 of time by adding a suffix: mi for minutes, h for hours, d for days,
107 w for weeks, mo for months, y for years.
108 -k
110 Only check KSK coverage; ignore ZSK events. Cannot be used with -z.
111 -z
113 Only check ZSK coverage; ignore KSK events. Cannot be used with -k.
114 -c compilezone path
116 Specifies a path to a named-compilezone binary. Used for testing.
117
119 dnssec-checkds(8), dnssec-dsfromkey(8), dnssec-keygen(8), dnssec-sign‐
120 zone(8)
121
123 Internet Systems Consortium
124
126 2021, Internet Systems Consortium
1279.16.16-RH DNSSEC-COVERAGE(8)