KRFCHECK(1) User Contributed Perl Documentation KRFCHECK(1)

NAME

krfcheck - Check a DNSSEC-Tools keyrec file for problems and
inconsistencies

SYNOPSIS

krfcheck [-zone | -set | -key] [-count] [-quiet]
[-verbose] [-Version] [-help] keyrec-file

DESCRIPTION

This script checks a keyrec file for problems, potential problems, and
inconsistencies.

Recognized problems include:

• no zones defined

The keyrec file does not contain any zone keyrecs.

• no sets defined

The keyrec file does not contain any set keyrecs.

• no keys defined

The keyrec file does not contain any key keyrecs.

• unknown zone keyrecs

A set keyrec or a key keyrec references a non-existent zone keyrec.

• missing key from zone keyrec

A zone keyrec does not have both a KSK key and a ZSK key.

• missing key from set keyrec

A key listed in a set keyrec does not have a key keyrec.

• expired zone keyrecs

A zone has expired.

• mislabeled key

A key is labeled as a KSK (or ZSK) and its owner zone has it
labeled as the opposite.

• invalid zone data values

A zone's keyrec data are checked to ensure that they are valid.
The following conditions are checked: existence of the zone file,
existence of the KSK file, existence of the KSK and ZSK
directories, the end-time is greater than one day, and the
seconds-count and date string match.

• invalid key data values

A key's keyrec data are checked to ensure that they are valid. The
following conditions are checked: valid encryption algorithm, key
length falls within algorithm's size range, random generator file
exists, and the seconds-count and date string match.

Recognized potential problems include:

• imminent zone expiration

A zone will expire within one week.

• odd zone-signing date

A zone's recorded signing date is later than the current system
clock.

• orphaned keys

A key keyrec is unreferenced by any set keyrec.

• missing key directories

A zone keyrec's key directory (kskdirectory or zskdirectory) does
not exist.

Recognized inconsistencies include:

• key-specific fields in a zone keyrec

A zone keyrec contains key-specific entries. To allow for
site-specific extensibility, krfcheck does not check for undefined
keyrec fields.

• zone-specific fields in a key keyrec

A key keyrec contains zone-specific entries. To allow for
site-specific extensibility, krfcheck does not check for undefined
keyrec fields.

• mismatched zone timestamp

A zone's seconds-count timestamp does not match its textual
timestamp.

• mismatched set timestamp

A set's seconds-count timestamp does not match its textual
timestamp.

• mismatched key timestamp

A key's seconds-count timestamp does not match its textual
timestamp.

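A sketch of four of the checks listed above (unknown zone keyrecs, missing key from set keyrec, orphaned keys, mismatched timestamps), added here as an illustration and not taken from krfcheck itself. The record layout, the field names (zonename, keys, keyrec_*secs, keyrec_*date) and the reading of date strings as UTC are assumptions; file-keyrec(5) is the authority on the format.

```python
import calendar
import re
from datetime import datetime

# Constructed sample; layout and field names are assumptions, see file-keyrec(5).
SAMPLE = '''
zone "example.com"
    keyrec_signsecs "1700000000"
    keyrec_signdate "Tue Nov 14 22:13:20 2023"
set "example.com-signset-1"
    zonename "example.com"
    keys "Kexample.com.+008+11111 Kexample.com.+008+22222"
    keyrec_setsecs "1700000000"
    keyrec_setdate "Tue Nov 14 22:13:21 2023"
key "Kexample.com.+008+11111"
    zonename "example.com"
key "Kexample.com.+008+33333"
    zonename "example.net"
'''

def parse(text):
    recs, cur = {"zone": {}, "set": {}, "key": {}}, None
    for line in text.splitlines():
        m = re.match(r'(\s*)(\S+)\s+"([^"]*)"', line)
        if m and not m[1] and m[2] in recs:   # unindented: starts a new keyrec
            cur = recs[m[2]].setdefault(m[3], {})
        elif m and cur is not None:           # indented: field of current keyrec
            cur[m[2]] = m[3]
    return recs

def check(recs):
    problems, referenced = [], set()
    for kind in ("set", "key"):               # every set/key must name a known zone
        for name, rec in recs[kind].items():
            if rec.get("zonename") not in recs["zone"]:
                problems.append(("unknown zone", name))
    for rec in recs["set"].values():          # every key in a set needs a key keyrec
        for key in rec.get("keys", "").split():
            referenced.add(key)
            if key not in recs["key"]:
                problems.append(("missing key from set", key))
    problems += [("orphaned key", k) for k in recs["key"] if k not in referenced]
    for kind, stem in (("zone", "sign"), ("set", "set"), ("key", "gen")):
        for name, rec in recs[kind].items():
            secs, date = rec.get(f"keyrec_{stem}secs"), rec.get(f"keyrec_{stem}date")
            if secs and date:                 # date string is read as UTC (assumption)
                parsed = datetime.strptime(date, "%a %b %d %H:%M:%S %Y")
                if calendar.timegm(parsed.timetuple()) != int(secs):
                    problems.append((f"mismatched {kind} timestamp", name))
    return problems
```

Calling `check(parse(SAMPLE))` returns one finding per cross-reference check plus the set whose date string is one second off its seconds-count.
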
OPTIONS

-zone
Only perform checks of zone keyrecs. This option may not be
combined with the -set or -key options.

-set
Only perform checks of set keyrecs. This option may not be
combined with the -zone or -key options.

-key
Only perform checks of key keyrecs. This option may not be
combined with the -set or -zone options.

-count
Display a final count of errors.

-quiet
Do not display messages. This option supersedes the setting of the
-verbose option.

-verbose
Display many messages. This option is subordinate to the -quiet
option.

-Version
Displays the version information for krfcheck and the DNSSEC-Tools
package.

-help
Display a usage message.

COPYRIGHT

Copyright 2004-2014 SPARTA, Inc. All rights reserved. See the COPYING
file included with the DNSSEC-Tools package for details.

AUTHOR

Wayne Morrison, tewok@tislabs.com

SEE ALSO

cleankrf(8), fixkrf(8), lskrf(1), zonesigner(8)

Net::DNS::SEC::Tools::keyrec.pm(3)

file-keyrec(5)

perl v5.34.0 2021-07-21 KRFCHECK(1)