ROLLINIT(1)           User Contributed Perl Documentation          ROLLINIT(1)


NAME
       rollinit - Create new rollrec records for a DNSSEC-Tools rollrec file.

SYNOPSIS
       rollinit [options] <zonename1> ... <zonenameN>

DESCRIPTION
       rollinit creates new rollrec entries for a rollrec file.  This rollrec
       file will be used by rollerd to manage key rollover for the named
       zones.

       A rollrec entry has this format:

           roll "example.com"
               zonename        "example.com"
               zonefile        "example.com.signed"
               keyrec          "example.com.krf"
               kskphase        "0"
               zskphase        "0"
               administrator   "bob@bobhost.example.com"
               directory       "/var/dns/zones/example.com"
               loglevel        "phase"
               ksk_rolldate    " "
               ksk_rollsecs    "0"
               zsk_rolldate    " "
               zsk_rollsecs    "0"
               maxttl          "604800"
               display         "1"
               phasestart      "Mon Jan 9 16:00:00 2006"
               # optional records for RFC5011 rolling:
               istrustanchor   "no"
               holddowntime    "60D"

       The roll line has a name which is used to distinguish it from all other
       rollrec entries in the file.  The zonename field is set to the name of
       the zone.  These two values are often the same, but this is not
       required.  rollinit will set them to the same value, unless the -rollrec
       option is used.

       The zonefile and keyrec fields are set according to command-line
       options and arguments.  The manner of generating the rollrec's actual
       values is a little complex and is described in the ZONEFILE And KEYREC
       FIELDS section below.

       The administrator field is set to "bob@bobhost.example.com" to indicate
       that the email messages to the zone's administrator should be sent to
       "bob@bobhost.example.com".

       The directory field is set to "/var/dns/zones/example.com" to indicate
       that the files for this zone should be found in
       /var/dns/zones/example.com.  This includes the zone file, the signed
       zone file, and the keyrec file.

       The loglevel field is set to "phase" to indicate that rollerd should
       only log phase-level (and greater) log messages for this zone.

       The kskphase field is set to 0 to indicate that the zone is in normal
       operation (non-rollover) for KSK keys.  The zskphase field is set to 0
       to indicate that the zone is in normal operation (non-rollover) for ZSK
       keys.

       The ksk_rolldate and ksk_rollsecs fields are set to indicate that the
       zone has not yet undergone KSK rollover.

       The zsk_rolldate and zsk_rollsecs fields are set to indicate that the
       zone has not yet undergone ZSK rollover.

       The display field is set to indicate that blinkenlights should display
       the record.  The maxttl and phasestart fields are set to dummy values.

       rollrec files also have the zsargs field that holds user-specified
       options for zonesigner.  This field is set during rollerd execution
       when the administrator determines that some zone fields should be
       modified.  It is not an initial rollrec field and consequently cannot
       be specified by rollinit.

       The istrustanchor field specifies whether to roll the KSK keys in a
       manner compliant with any remote validating resolver using the KSK as a
       trust anchor.  If set to "yes" then 60 days will be the minimum wait
       time during phase 3 of KSK rolling to ensure remote validators can
       properly follow the steps needed as specified by RFC5011.  The 60-day
       default can be changed via the holddowntime field.

       The keywords roll and skip indicate whether rollerd should process or
       ignore a particular rollrec entry.  roll records are created by
       default; skip entries are created if the -skip option is specified.

       The newly generated rollrec entries are written to standard output,
       unless the -out option is specified.
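
       The following Python script is an added example and is not part of
       DNSSEC-Tools; it parses rollrec entries in the format shown above so
       that a rollrec file can be audited before rollerd acts on it.  It
       assumes that an entry begins with a roll or skip line, that fields are
       written as key "value" pairs, and that lines beginning with # are
       comments.  The sample rollrec text and the helper names are
       constructed for this example.

```python
"""Parser for rollrec entries as described in rollinit(1).

Added example, not DNSSEC-Tools code.  Assumed layout: an entry starts with a
`roll "name"` or `skip "name"` line, fields follow as `key "value"`, and lines
whose first non-blank character is `#` are comments.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: one zone in ZSK phase 3 acting as a trust anchor, and
# one zone that rollerd should ignore.
SAMPLE_ROLLREC = '''\
roll    "example.com"
    zonename        "example.com"
    zonefile        "example.com.signed"
    keyrec          "example.com.krf"
    kskphase        "0"
    zskphase        "3"
    administrator   "bob@bobhost.example.com"
    directory       "/var/dns/zones/example.com"
    loglevel        "phase"
    ksk_rolldate    " "
    ksk_rollsecs    "0"
    zsk_rolldate    " "
    zsk_rollsecs    "0"
    maxttl          "604800"
    display         "1"
    phasestart      "Mon Jan 9 16:00:00 2006"
    # optional records for RFC5011 rolling:
    istrustanchor   "yes"
    holddowntime    "60D"

skip    "example.net"
    zonename        "example.net"
    zonefile        "example.net.signed"
    keyrec          "example.net.krf"
    kskphase        "0"
    zskphase        "0"
'''

# One rollrec line: a keyword, whitespace, and a double-quoted value.
LINE_RE = re.compile(r'^\s*(\w+)\s+"([^"]*)"\s*$')


@dataclass
class Rollrec:
    kind: str                  # "roll" (processed) or "skip" (ignored)
    name: str                  # rollrec name; may differ from zonename
    fields: dict = field(default_factory=dict)


def parse_rollrec(text):
    """Return the Rollrec entries of a rollrec file, in file order."""
    entries = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                       # blank line or comment
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        key, value = m.groups()
        if key in ("roll", "skip"):
            current = Rollrec(kind=key, name=value)
            entries.append(current)
        elif current is None:
            raise ValueError(f"line {lineno}: field before any roll/skip line")
        else:
            current.fields[key] = value
    return entries


def rolling_zones(entries):
    """Zones rollerd will process that are not in phase 0 for KSK or ZSK."""
    return [e.fields.get("zonename", e.name) for e in entries
            if e.kind == "roll"
            and (e.fields.get("kskphase", "0") != "0"
                 or e.fields.get("zskphase", "0") != "0")]


def trust_anchor_zones(entries):
    """Map zone -> holddowntime for entries rolled RFC5011-style.

    The 60-day default is the one rollinit(1) documents for istrustanchor."""
    return {e.fields.get("zonename", e.name): e.fields.get("holddowntime", "60D")
            for e in entries if e.fields.get("istrustanchor") == "yes"}


if __name__ == "__main__":
    recs = parse_rollrec(SAMPLE_ROLLREC)
    for r in recs:
        print(f'{r.kind:4} "{r.name}": ksk={r.fields.get("kskphase")} '
              f'zsk={r.fields.get("zskphase")}')
    print("mid-rollover:", rolling_zones(recs))
    print("trust anchors:", trust_anchor_zones(recs))
```

       Run it against a real rollrec file by reading the file into
       parse_rollrec; the two report helpers give a quick view of which
       zones are mid-rollover and which are subject to the RFC5011 hold-down.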

ZONEFILE And KEYREC FIELDS
       The zonefile and keyrec fields may be given by using the -zonefile and
       -keyrec options, or default values may be used.

       The default values use the rollrec's zone name, taken from the command
       line, as a base.  .signed is appended to the zone name for the zone
       file; .krf is appended to the zone name for the keyrec file.

       If -zonefile or -keyrec are specified, then the options values are used
       in one of two ways:

       1.  A single zone name is given on the command line.
           The option values for -zonefile and/or -keyrec are used for the
           actual rollrec fields.

       2.  Multiple zone names are given on the command line.
           The option values for -zonefile and/or -keyrec are used as
           templates for the actual rollrec fields.  The option values must
           contain the string =.  This string is replaced by the zone whose
           rollrec is being created.

       See the EXAMPLES section for examples of how options are used by
       rollinit.
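
       The following Python script is an added example, not rollinit's own
       code; it reimplements the naming rules of this section together with
       the -rollrec and -skip behaviour described above, and also flags the
       two template pitfalls (a single zone with = in an option value, several
       zones without one).  The function names and the dummy maxttl and
       phasestart values "0" and "new" are taken from Example 1; everything
       else is an assumption of this example.

```python
"""Model of rollinit's zonefile/keyrec/rollrec naming rules.

Added example, not DNSSEC-Tools code.  Rules modelled:
  * defaults are <zone>.signed and <zone>.krf, rollrec name = zone name
  * one zone on the command line: option values are used literally
  * several zones: option values are templates, "=" is replaced by the zone
  * -skip writes "skip" records instead of "roll" records
"""


def expand(template, zone, multi):
    """'=' stands for the zone only when several zones were given;
    with a single zone the value is kept literally (Example 11)."""
    return template.replace("=", zone) if multi else template


def make_rollrec(zone, zonefile=None, keyrec=None, rollrec=None,
                 skip=False, multi=False):
    """Return the fields rollinit writes for one zone, in output order."""
    return {
        "kind": "skip" if skip else "roll",
        "name": expand(rollrec, zone, multi) if rollrec is not None else zone,
        "zonename": zone,
        "zonefile": (expand(zonefile, zone, multi) if zonefile is not None
                     else zone + ".signed"),
        "keyrec": (expand(keyrec, zone, multi) if keyrec is not None
                   else zone + ".krf"),
        "kskphase": "0", "zskphase": "0",
        "ksk_rolldate": " ", "ksk_rollsecs": "0",
        "zsk_rolldate": " ", "zsk_rollsecs": "0",
        "maxttl": "0", "display": "1", "phasestart": "new",   # dummy values
    }


def rollinit(zones, **opts):
    """Entries for every zone; template mode follows from the zone count."""
    multi = len(zones) > 1
    return [make_rollrec(z, multi=multi, **opts) for z in zones]


def template_warnings(zones, zonefile=None, keyrec=None, rollrec=None):
    """Describe the pitfalls of Examples 11 and 12 before anything is written."""
    warnings = []
    multi = len(zones) > 1
    for opt, value in (("-zonefile", zonefile), ("-keyrec", keyrec),
                       ("-rollrec", rollrec)):
        if value is None:
            continue
        if multi and "=" not in value:
            warnings.append(f"{opt} {value!r}: no '=' template, so every "
                            "zone gets the same value")
        elif not multi and "=" in value:
            warnings.append(f"{opt} {value!r}: '=' is kept literally for a "
                            "single zone")
    return warnings


def format_entry(entry):
    """Render an entry in the text layout rollinit prints."""
    lines = [f'{entry["kind"]}\t"{entry["name"]}"']
    for key, value in entry.items():
        if key not in ("kind", "name"):
            lines.append(f'\t{key}\t"{value}"')
    return "\n".join(lines)


if __name__ == "__main__":
    zones = ["example1.com", "example2.com"]
    for w in template_warnings(zones, zonefile="ex.zone"):
        print("warning:", w)
    for e in rollinit(zones, zonefile="Z-=", keyrec="=K"):
        print(format_entry(e), end="\n\n")
```

       The warnings are not something rollinit itself prints; they make the
       caveats of Examples 11 and 12 visible before a rollrec file is written.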

OPTIONS
       rollinit may be given the following options:

       -rollrec rollrec-name
           This specifies the name of the rollrec record.  This value may
           contain spaces.  If this option is not specified, it will be set to
           the same value as the zonename field.  See the ZONEFILE And KEYREC
           FIELDS and EXAMPLES sections for more details.

       -zonefile zonefile
           This specifies the value of the zonefile field.  See the ZONEFILE
           And KEYREC FIELDS and EXAMPLES sections for more details.

       -keyrec keyrec-file
           This specifies the value of the keyrec field.  See the ZONEFILE And
           KEYREC FIELDS and EXAMPLES sections for more details.

       -admin
           This specifies the value of the administrator field.  If it is not
           given, an administrator field will not be included for the record.

       -directory
           This specifies the value of the directory field.  If it is not
           given, a directory field will not be included for the record.

       -loglevel
           This specifies the value of the loglevel field.  If it is not
           given, a loglevel field will not be included for the record.

       -skip
           By default, roll records are generated.  If this option is given,
           then skip records will be generated instead.

       -out output-file
           The new rollrec entries will be appended to output-file.  The file
           will be created if it does not exist.

           If this option is not given, the new rollrec entries will be
           written to standard output.

       -help
           Display a usage message.

       -Version
           Display version information for rollinit and DNSSEC-Tools.

EXAMPLES
       The following examples should make clear how rollinit deals with
       options and the new rollrecs.  Example 1 will show the complete new
       rollrec record.  For the sake of brevity, the remaining examples will
       only show the newly created zonefile and keyrec records.

   Example 1.  One zone, no options
       This example shows the rollrec generated by giving rollinit a single
       zone, without any options.

           $ rollinit example.com
           roll    "example.com"
                   zonename        "example.com"
                   zonefile        "example.com.signed"
                   keyrec          "example.com.krf"
                   kskphase        "0"
                   zskphase        "0"
                   ksk_rolldate    " "
                   ksk_rollsecs    "0"
                   zsk_rolldate    " "
                   zsk_rollsecs    "0"
                   maxttl          "0"
                   display         "1"
                   phasestart      "new"

   Example 2.  One zone, -zonefile option
       This example shows the rollrec generated by giving rollinit a single
       zone, with the -zonefile option.

           $ rollinit -zonefile signed-example example.com
           roll    "example.com"
                   zonename        "example.com"
                   zonefile        "signed-example"
                   keyrec          "example.com.krf"

   Example 3.  One zone, -keyrec option
       This example shows the rollrec generated by giving rollinit a single
       zone, with the -keyrec option.

           $ rollinit -keyrec x-rrf example.com
           roll    "example.com"
                   zonename        "example.com"
                   zonefile        "example.com.signed"
                   keyrec          "x-rrf"

   Example 4.  One zone, -zonefile and -keyrec options
       This example shows the rollrec generated by giving rollinit a single
       zone, with the -zonefile and -keyrec options.

           $ rollinit -zonefile signed-example -keyrec example.rrf example.com
           roll    "example.com"
                   zonename        "example.com"
                   zonefile        "signed-example"
                   keyrec          "example.rrf"

   Example 5.  One zone, -skip option
       This example shows the rollrec generated by giving rollinit a single
       zone, with the -skip option.

           $ rollinit -skip example.com
           skip    "example.com"
                   zonename        "example.com"
                   zonefile        "example.com.signed"
                   keyrec          "example.com.krf"

   Example 6.  One zone, -rollrec option
       This example shows the rollrec generated by giving rollinit a single
       zone, with the -rollrec option.

           $ rollinit -rollrec test example.com
           roll    "test"
                   zonename        "example.com"
                   zonefile        "example.com.signed"
                   keyrec          "example.com.krf"
   Example 7.  Multiple zones, no options
       This example shows the rollrecs generated by giving rollinit several
       zones, without any options.

           $ rollinit example1.com example2.com
           roll    "example1.com"
                   zonename        "example1.com"
                   zonefile        "example1.com.signed"
                   keyrec          "example1.com.krf"

           roll    "example2.com"
                   zonename        "example2.com"
                   zonefile        "example2.com.signed"
                   keyrec          "example2.com.krf"

   Example 8.  Multiple zones, -zonefile option
       This example shows the rollrecs generated by giving rollinit several
       zones, with the -zonefile option.

           $ rollinit -zonefile =-signed example1.com example2.com
           roll    "example1.com"
                   zonename        "example1.com"
                   zonefile        "example1.com-signed"
                   keyrec          "example1.com.krf"

           roll    "example2.com"
                   zonename        "example2.com"
                   zonefile        "example2.com-signed"
                   keyrec          "example2.com.krf"

   Example 9.  Multiple zones, -keyrec option
       This example shows the rollrecs generated by giving rollinit several
       zones, with the -keyrec option.

           $ rollinit -keyrec zone-=-keyrec example1.com example2.com
           roll    "example1.com"
                   zonename        "example1.com"
                   zonefile        "example1.com.signed"
                   keyrec          "zone-example1.com-keyrec"

           roll    "example2.com"
                   zonename        "example2.com"
                   zonefile        "example2.com.signed"
                   keyrec          "zone-example2.com-keyrec"

   Example 10.  Multiple zones, -zonefile and -keyrec options
       This example shows the rollrecs generated by giving rollinit several
       zones, with the -zonefile and -keyrec options.

           $ rollinit -zonefile Z-= -keyrec =K example1.com example2.com
           roll    "example1.com"
                   zonename        "example1.com"
                   zonefile        "Z-example1.com"
                   keyrec          "example1.comK"

           roll    "example2.com"
                   zonename        "example2.com"
                   zonefile        "Z-example2.com"
                   keyrec          "example2.comK"

   Example 11.  Single zone, -zonefile and -keyrec options with template
       This example shows the rollrec generated by giving rollinit a single
       zone, with the -zonefile and -keyrec options.  The options use the
       multi-zone = template.

           $ rollinit -zonefile Z-= -keyrec =.K example.com
           roll    "example.com"
                   zonename        "example.com"
                   zonefile        "Z-="
                   keyrec          "=.K"

       This is probably not what is wanted, since it results in the zonefile
       and keyrec field values containing the =.

   Example 12.  Multiple zones, -zonefile and -keyrec options without template
       This example shows the rollrecs generated by giving rollinit several
       zones, with the -zonefile and -keyrec options.  The options do not use
       the multi-zone = template.

           $ rollinit -zonefile ex.zone -keyrec ex.krf example1.com example2.com
           roll    "example1.com"
                   zonename        "example1.com"
                   zonefile        "ex.zone"
                   keyrec          "ex.krf"

           roll    "example2.com"
                   zonename        "example2.com"
                   zonefile        "ex.zone"
                   keyrec          "ex.krf"

       This may not be what is wanted, since it results in the same zonefile
       and keyrec field values for each rollrec.

   Example 13.  Multiple zones, -rollrec option
       This example shows the rollrecs generated by giving rollinit several
       zones, with the -rollrec option.  The rollrec names include a space.

           $ rollinit -rollrec "= entry" example1.com example2.com
           roll    "example1.com entry"
                   zonename        "example1.com"
                   zonefile        "example1.com.signed"
                   keyrec          "example1.com.krf"

           roll    "example2.com entry"
                   zonename        "example2.com"
                   zonefile        "example2.com.signed"
                   keyrec          "example2.com.krf"

COPYRIGHT
       Copyright 2006-2011 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the DNSSEC-Tools package for details.

AUTHOR
       Wayne Morrison, tewok@users.sourceforge.net

SEE ALSO
       lsroll(1), rollerd(8), rollchk(8), zonesigner(8)

       Net::DNS::SEC::Tools::keyrec.pm(3), Net::DNS::SEC::Tools::rollrec.pm(3)

       file-keyrec.pm(5), file-rollrec.pm(5)



perl v5.12.4                      2011-10-12                       ROLLINIT(1)