1DNSSEC-COVERAGE(8)                  BIND 9                  DNSSEC-COVERAGE(8)
2
3
4

NAME

6       dnssec-coverage - checks future DNSKEY coverage for a zone
7

SYNOPSIS

9       dnssec-coverage [-Kdirectory] [-llength] [-ffile] [-dDNSKEY TTL] [-mmax
10       TTL] [-rinterval] [-ccompilezone path] [-k] [-z] [zone...]
11

DESCRIPTION

13       dnssec-coverage verifies that the DNSSEC keys for a given zone or a set
14       of  zones  have timing metadata set properly to ensure no future lapses
15       in DNSSEC coverage.
16
17       If zone is specified, then keys found in the  key  repository  matching
18       that  zone  are scanned, and an ordered list is generated of the events
19       scheduled for that key (i.e.,  publication,  activation,  inactivation,
20       deletion).  The  list of events is walked in order of occurrence. Warn‐
21       ings are generated if any event is scheduled which could cause the zone
22       to enter a state in which validation failures might occur: for example,
23       if the number of published or active keys for a given  algorithm  drops
24       to  zero, or if a key is deleted from the zone too soon after a new key
25       is rolled, and cached data signed by the prior key has not had time  to
26       expire from resolver caches.
27
28       If  zone  is not specified, then all keys in the key repository will be
29       scanned, and all zones for which  there  are  keys  will  be  analyzed.
30       (Note:  This method of reporting is only accurate if all the zones that
31       have keys in a given repository share the same TTL parameters.)
32

OPTIONS

34       -K directory
35          Sets the directory in which keys can be found. Defaults to the  cur‐
36          rent working directory.
37
38       -f file
39          If  a  file  is specified, then the zone is read from that file; the
40          largest TTL and the DNSKEY TTL are determined directly from the zone
41          data,  and  the -m and -d options do not need to be specified on the
42          command line.
43
44       -l duration
45          The length of time to check for DNSSEC coverage. Key  events  sched‐
46          uled  further into the future than duration will be ignored, and as‐
47          sumed to be correct.
48
49          The value of duration can be set in seconds, or in larger  units  of
50          time  by adding a suffix: mi for minutes, h for hours, d for days, w
51          for weeks, mo for months, y for years.
52
53       -m maximum TTL
54          Sets the value to be used as the maximum TTL for the zone  or  zones
55          being  analyzed  when  determining whether there is a possibility of
56          validation failure. When a zone-signing key  is  deactivated,  there
57          must  be enough time for the record in the zone with the longest TTL
58          to have expired from resolver caches before that key can  be  purged
59          from  the  DNSKEY RRset. If that condition does not apply, a warning
60          will be generated.
61
62          The length of the TTL can be set in seconds, or in larger  units  of
63          time  by adding a suffix: mi for minutes, h for hours, d for days, w
64          for weeks, mo for months, y for years.
65
66          This option is not necessary if the -f has been used  to  specify  a
67          zone  file. If -f has been specified, this option may still be used;
68          it will override the value found in the file.
69
70          If this option is not used and the maximum TTL cannot  be  retrieved
71          from  a  zone  file, a warning is generated and a default value of 1
72          week is used.
73
74       -d DNSKEY TTL
75          Sets the value to be used as the DNSKEY TTL for the  zone  or  zones
76          being  analyzed  when  determining whether there is a possibility of
77          validation failure. When a key is rolled (that is, replaced  with  a
78          new key), there must be enough time for the old DNSKEY RRset to have
79          expired from resolver caches before the new key is activated and be‐
80          gins  generating  signatures.  If  that  condition does not apply, a
81          warning will be generated.
82
83          The length of the TTL can be set in seconds, or in larger  units  of
84          time  by adding a suffix: mi for minutes, h for hours, d for days, w
85          for weeks, mo for months, y for years.
86
87          This option is not necessary if -f has been used to specify  a  zone
88          file from which the TTL of the DNSKEY RRset can be read, or if a de‐
89          fault key TTL was set using ith the -L to dnssec-keygen.  If  either
90          of  those  is  true, this option may still be used; it will override
91          the values found in the zone file or the key file.
92
93          If this option is not used and the key TTL cannot be retrieved  from
94          the zone file or the key file, then a warning is generated and a de‐
95          fault value of 1 day is used.
96
97       -r resign interval
98          Sets the value to be used as the resign interval  for  the  zone  or
99          zones being analyzed when determining whether there is a possibility
100          of validation failure. This value defaults to 22.5  days,  which  is
101          also  the  default  in named. However, if it has been changed by the
102          sig-validity-interval option in named.conf, then it should  also  be
103          changed here.
104
105          The length of the interval can be set in seconds, or in larger units
106          of time by adding a suffix: mi for minutes, h for hours, d for days,
107          w for weeks, mo for months, y for years.
108
109       -k
110          Only check KSK coverage; ignore ZSK events. Cannot be used with -z.
111
112       -z
113          Only check ZSK coverage; ignore KSK events. Cannot be used with -k.
114
115       -c compilezone path
116          Specifies a path to a named-compilezone binary. Used for testing.
117

SEE ALSO

119       dnssec-checkds(8),  dnssec-dsfromkey(8), dnssec-keygen(8), dnssec-sign‐
120       zone(8)
121

AUTHOR

123       Internet Systems Consortium
124
126       2022, Internet Systems Consortium
127
128
129
130
1319.16.30-RH                                                  DNSSEC-COVERAGE(8)
Impressum