KRFCHECK(1)           User Contributed Perl Documentation          KRFCHECK(1)

NAME

       krfcheck - Check a DNSSEC-Tools keyrec file for problems and
       inconsistencies

SYNOPSIS

         krfcheck [-zone | -set | -key] [-count] [-quiet]
                  [-verbose] [-Version] [-help] keyrec-file

DESCRIPTION

       This script checks a keyrec file for problems, potential problems, and
       inconsistencies.

       Recognized problems include:

       * no zones defined
           The keyrec file does not contain any zone keyrecs.

       * no sets defined
           The keyrec file does not contain any set keyrecs.

       * no keys defined
           The keyrec file does not contain any key keyrecs.

       * unknown zone keyrecs
           A set keyrec or a key keyrec references a non-existent zone keyrec.

       * missing key from zone keyrec
           A zone keyrec does not have both a KSK key and a ZSK key.

       * missing key from set keyrec
           A key listed in a set keyrec does not have a key keyrec.

       * expired zone keyrecs
           A zone has expired.

       * mislabeled key
           A key is labeled as a KSK (or ZSK) and its owner zone has it
           labeled as the opposite.

       * invalid zone data values
           A zone's keyrec data are checked to ensure that they are valid.
           The following conditions are checked:  existence of the zone file,
           existence of the KSK file, existence of the KSK and ZSK
           directories, the end-time is greater than one day, and the
           seconds-count and date string match.

       * invalid key data values
           A key's keyrec data are checked to ensure that they are valid.  The
           following conditions are checked:  valid encryption algorithm, key
           length falls within algorithm's size range, random generator file
           exists, and the seconds-count and date string match.
       Recognized potential problems include:

       * imminent zone expiration
           A zone will expire within one week.

       * odd zone-signing date
           A zone's recorded signing date is later than the current system
           clock.

       * orphaned keys
           A key keyrec is unreferenced by any set keyrec.

       * missing key directories
           A zone keyrec's key directories (kskdirectory or zskdirectory) do
           not exist.
       Recognized inconsistencies include:

       * key-specific fields in a zone keyrec
           A zone keyrec contains key-specific entries.  To allow for
           site-specific extensibility, krfcheck does not check for undefined
           keyrec fields.

       * zone-specific fields in a key keyrec
           A key keyrec contains zone-specific entries.  To allow for
           site-specific extensibility, krfcheck does not check for undefined
           keyrec fields.

       * mismatched zone timestamp
           A zone's seconds-count timestamp does not match its textual
           timestamp.

       * mismatched set timestamp
           A set's seconds-count timestamp does not match its textual
           timestamp.

       * mismatched key timestamp
           A key's seconds-count timestamp does not match its textual
           timestamp.
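
       An added example, not part of krfcheck or of this manual page: a
       Python sketch of four of the checks listed above (mismatched
       timestamps, unknown zone keyrecs, orphaned keys, keys missing from
       a set) run over a constructed keyrec. The record layout, the field
       names (zonename, keys, keyrec_*secs, keyrec_*date) and the UTC date
       format are assumptions; file-keyrec(5) is the authority.

```python
import calendar, re, time

# Constructed sample; field names and the UTC date format are assumptions.
SAMPLE = '''
zone "example.com"
    keyrec_signsecs "1101183727"
    keyrec_signdate "Tue Nov 23 04:22:07 2004"
set "signing-set-1"
    zonename "example.com"
    keys "Kexample.com.+005+11111 Kexample.com.+005+22222"
    keyrec_setsecs "1101183727"
    keyrec_setdate "Tue Nov 23 04:30:00 2004"
key "Kexample.com.+005+11111"
    zonename "example.com"
    keyrec_gensecs "1101183727"
    keyrec_gendate "Tue Nov 23 04:22:07 2004"
key "Kexample.com.+005+33333"
    zonename "example.org"
'''
STAMPS = {"zone": ("keyrec_signsecs", "keyrec_signdate"),  # (seconds, text)
          "set": ("keyrec_setsecs", "keyrec_setdate"),
          "key": ("keyrec_gensecs", "keyrec_gendate")}
LINE = re.compile(r'^([ \t]*)(\S+)[ \t]+"(.*)"[ \t]*$', re.M)

def parse(text):
    """Split the file into records; a record header starts in column 0."""
    recs = []
    for indent, field, value in LINE.findall(text):
        if not indent and field in STAMPS:
            recs.append({"type": field, "name": value})
        elif recs:
            recs[-1][field] = value
    return recs

def check(text):
    """Return (problem, record name) pairs for four checks from the list above."""
    recs = parse(text)
    names = {t: {r["name"] for r in recs if r["type"] == t} for t in STAMPS}
    listed = {k for r in recs if r["type"] == "set" for k in r.get("keys", "").split()}
    out = []
    for r in recs:
        secs, date = (r.get(f) for f in STAMPS[r["type"]])
        if secs and date and int(secs) != calendar.timegm(
                time.strptime(date, "%a %b %d %H:%M:%S %Y")):
            out.append(("mismatched %s timestamp" % r["type"], r["name"]))
        if r["type"] != "zone" and r.get("zonename") not in names["zone"]:
            out.append(("unknown zone keyrec", r["name"]))
        if r["type"] == "key" and r["name"] not in listed:
            out.append(("orphaned key", r["name"]))
    return out + [("missing key from set keyrec", k) for k in sorted(listed - names["key"])]
```

       Calling check(SAMPLE) reports the set's mismatched timestamp, the
       key that points at an undefined zone and is listed in no set, and
       the listed key that has no key keyrec.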

OPTIONS

       -zone
           Only perform checks of zone keyrecs.  This option may not be
           combined with the -set or -key options.

       -set
           Only perform checks of set keyrecs.  This option may not be
           combined with the -zone or -key options.

       -key
           Only perform checks of key keyrecs.  This option may not be
           combined with the -set or -zone options.

       -count
           Display a final count of errors.

       -quiet
           Do not display messages.  This option supersedes the setting of the
           -verbose option.

       -verbose
           Display many messages.  This option is subordinate to the -quiet
           option.

       -Version
           Display the krfcheck version number and exit.

       -help
           Display a usage message.

COPYRIGHT

       Copyright 2004-2007 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@users.sourceforge.net

SEE ALSO

       cleankrf(8), fixkrf(8), lskrf(1), zonesigner(8)

       Net::DNS::SEC::Tools::keyrec.pm(3)

       file-keyrec(5)

perl v5.8.8                       2007-09-14                       KRFCHECK(1)