KRFCHECK(1) | User Contributed Perl Documentation | KRFCHECK(1) |
NAME
krfcheck - Check a DNSSEC-Tools keyrec file for problems and inconsistencies
SYNOPSIS
krfcheck [-zone | -set | -key] [-count] [-quiet] [-verbose] [-Version] [-help] keyrec-file
DESCRIPTION
This script checks a keyrec file for problems, potential problems, and inconsistencies.
Recognized problems include:
- no zones defined
The keyrec file does not contain any zone keyrecs.
- no sets defined
The keyrec file does not contain any set keyrecs.
- no keys defined
The keyrec file does not contain any key keyrecs.
- unknown zone keyrecs
A set keyrec or a key keyrec references a non-existent zone keyrec.
- missing key from zone keyrec
A zone keyrec does not have both a KSK key and a ZSK key.
- missing key from set keyrec
A key listed in a set keyrec does not have a key keyrec.
- expired zone keyrecs
A zone has expired.
- mislabeled key
A key is labeled as a KSK (or ZSK) and its owner zone has it labeled as the opposite.
- invalid zone data values
A zone's keyrec data are checked to ensure that they are valid. The following conditions are checked: existence of the zone file, existence of the KSK file, existence of the KSK and ZSK directories, the end-time is greater than one day, and the seconds-count and date string match.
- invalid key data values
A key's keyrec data are checked to ensure that they are valid. The following conditions are checked: valid encryption algorithm, key length falls within algorithm's size range, random generator file exists, and the seconds-count and date string match.
Recognized potential problems include:
- imminent zone expiration
A zone will expire within one week.
- odd zone-signing date
A zone's recorded signing date is later than the current system clock.
- orphaned keys
A key keyrec is unreferenced by any set keyrec.
- missing key directories
A zone keyrec's key directories (kskdirectory or zskdirectory) does not exist.
Recognized inconsistencies include:
- key-specific fields in a zone keyrec
A zone keyrec contains key-specific entries. To allow for site-specific extensibility, krfcheck does not check for undefined keyrec fields.
- zone-specific fields in a key keyrec
A key keyrec contains zone-specific entries. To allow for site-specific extensibility, krfcheck does not check for undefined keyrec fields.
- mismatched zone timestamp
A zone's seconds-count timestamp does not match its textual timestamp.
- mismatched set timestamp
A set's seconds-count timestamp does not match its textual timestamp.
- mismatched key timestamp
A key's seconds-count timestamp does not match its textual timestamp.
OPTIONS
- -zone
- Only perform checks of zone keyrecs. This option may not be combined with the -set or -key options.
- -set
- Only perform checks of set keyrecs. This option may not be combined with the -zone or -key options.
- -key
- Only perform checks of key keyrecs. This option may not be combined with the -set or -zone options.
- -count
- Display a final count of errors.
- -quiet
- Do not display messages. This option supersedes the setting of the -verbose option.
- -verbose
- Display many messages. This option is subordinate to the -quiet option.
- -Version
- Displays the version information for krfcheck and the DNSSEC-Tools package.
- -help
- Display a usage message.
COPYRIGHT
Copyright 2004-2014 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.
AUTHOR
Wayne Morrison, tewok@tislabs.com
SEE ALSO
cleankrf(8), fixkrf(8), lskrf(1), zonesigner(8)
2024-09-01 | perl v5.40.0 |