KRFCHECK(1)        User Contributed Perl Documentation        KRFCHECK(1)

NAME
    krfcheck - Check a DNSSEC-Tools keyrec file for problems and
    inconsistencies

SYNOPSIS
    krfcheck [-zone | -set | -key] [-count] [-quiet]
             [-verbose] [-Version] [-help] keyrec-file

DESCRIPTION
    This script checks a keyrec file for problems, potential problems,
    and inconsistencies.

    Recognized problems include:

    * no zones defined
        The keyrec file does not contain any zone keyrecs.

    * no sets defined
        The keyrec file does not contain any set keyrecs.

    * no keys defined
        The keyrec file does not contain any key keyrecs.

    * unknown zone keyrecs
        A set keyrec or a key keyrec references a non-existent zone
        keyrec.

    * missing key from zone keyrec
        A zone keyrec does not have both a KSK key and a ZSK key.

    * missing key from set keyrec
        A key listed in a set keyrec does not have a key keyrec.

    * expired zone keyrecs
        A zone has expired.

    * mislabeled key
        A key is labeled as a KSK (or ZSK) and its owner zone has it
        labeled as the opposite.

    * invalid zone data values
        A zone's keyrec data are checked to ensure that they are valid.
        The following conditions are checked: existence of the zone
        file, existence of the KSK file, existence of the KSK and ZSK
        directories, the end-time is greater than one day, and the
        seconds-count and date string match.

    * invalid key data values
        A key's keyrec data are checked to ensure that they are valid.
        The following conditions are checked: valid encryption
        algorithm, key length falls within algorithm's size range,
        random generator file exists, and the seconds-count and date
        string match.

    Recognized potential problems include:

    * imminent zone expiration
        A zone will expire within one week.

    * odd zone-signing date
        A zone's recorded signing date is later than the current system
        clock.

    * orphaned keys
        A key keyrec is unreferenced by any set keyrec.

    * missing key directories
        One of a zone keyrec's key directories (kskdirectory or
        zskdirectory) does not exist.

    Recognized inconsistencies include:

    * key-specific fields in a zone keyrec
        A zone keyrec contains key-specific entries. To allow for
        site-specific extensibility, krfcheck does not check for
        undefined keyrec fields.

    * zone-specific fields in a key keyrec
        A key keyrec contains zone-specific entries. To allow for
        site-specific extensibility, krfcheck does not check for
        undefined keyrec fields.

    * mismatched zone timestamp
        A zone's seconds-count timestamp does not match its textual
        timestamp.

    * mismatched set timestamp
        A set's seconds-count timestamp does not match its textual
        timestamp.

    * mismatched key timestamp
        A key's seconds-count timestamp does not match its textual
        timestamp.

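    The following sketch is an added example, not krfcheck's own code.
    It shows four of the checks above (unknown zone keyrecs, missing
    key from set keyrec, orphaned keys, mismatched timestamps) run over
    a constructed keyrec file. The field names (zonename, keys, kskcur,
    keyrec_signsecs, keyrec_signdate, keyrec_gensecs, keyrec_gendate)
    and the UTC reading of the date string are assumptions about the
    keyrec format, which this page does not define.

```python
import calendar, re, time
# Constructed sample. Field names are assumed from the keyrec format, not this page.
SAMPLE = '''
zone "example.com"
    kskcur "set-ksk"
    keyrec_signsecs "1101183727"
    keyrec_signdate "Tue Nov 23 04:22:07 2004"
set "set-ksk"
    zonename "example.com"
    keys "Kexample.com.+005+11111"
set "set-zsk"
    zonename "example.org"
    keys "Kexample.com.+005+22222 Kexample.com.+005+33333"
key "Kexample.com.+005+11111"
    zonename "example.com"
    keyrec_gensecs "1101183727"
    keyrec_gendate "Tue Nov 23 05:22:07 2004"
key "Kexample.com.+005+22222"
    zonename "example.com"
key "Kexample.com.+005+44444"
    zonename "example.com"
'''

def parse(text):
    """Return {(type, name): {field: value}} from keyrec-style text."""
    recs, cur = {}, None
    for field, value in re.findall(r'^[ \t]*(\S+)[ \t]+"(.*)"[ \t]*$', text, re.M):
        if field in ("zone", "set", "key"):      # a new keyrec starts
            cur = recs.setdefault((field, value), {})
        elif cur is not None:
            cur[field] = value
    return recs

def check(text):
    recs, out, in_sets = parse(text), [], set()
    names = lambda t: {n for (k, n) in recs if k == t}
    for (kind, name), f in recs.items():
        if kind != "zone" and f.get("zonename") not in names("zone"):
            out.append(f"unknown zone: {kind} {name}")
        if kind == "set":
            in_sets.update(f.get("keys", "").split())
        for k in [k for k in f if k.endswith("secs") and k[:-4] + "date" in f]:
            when = time.strptime(f[k[:-4] + "date"], "%a %b %d %H:%M:%S %Y")
            if calendar.timegm(when) != int(f[k]):   # date string assumed UTC
                out.append(f"mismatched timestamp: {kind} {name}")
    out += [f"missing key keyrec: {k}" for k in sorted(in_sets - names("key"))]
    out += [f"orphaned key: {k}" for k in sorted(names("key") - in_sets)]
    return out

print(*check(SAMPLE), sep="\n")
```
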
OPTIONS
    -zone
        Only perform checks of zone keyrecs. This option may not be
        combined with the -set or -key options.

    -set
        Only perform checks of set keyrecs. This option may not be
        combined with the -zone or -key options.

    -key
        Only perform checks of key keyrecs. This option may not be
        combined with the -set or -zone options.

    -count
        Display a final count of errors.

    -quiet
        Do not display messages. This option supersedes the setting of
        the -verbose option.

    -verbose
        Display many messages. This option is subordinate to the -quiet
        option.

    -Version
        Display the krfcheck version number and exit.

    -help
        Display a usage message.

COPYRIGHT
    Copyright 2004-2007 SPARTA, Inc. All rights reserved. See the
    COPYING file included with the DNSSEC-Tools package for details.

AUTHOR
    Wayne Morrison, tewok@users.sourceforge.net

SEE ALSO
    cleankrf(8), fixkrf(8), lskrf(1), zonesigner(8)

    Net::DNS::SEC::Tools::keyrec.pm(3)

    file-keyrec(5)

perl v5.8.8                     2007-09-14                     KRFCHECK(1)