KRFCHECK(1) User Contributed Perl Documentation KRFCHECK(1)

krfcheck - Check a DNSSEC-Tools keyrec file for problems and inconsistencies

krfcheck [-zone | -set | -key] [-count] [-quiet]
         [-verbose] [-Version] [-help] keyrec-file

This script checks a keyrec file for problems, potential problems, and inconsistencies.

Recognized problems include:

  • no zones defined

    The keyrec file does not contain any zone keyrecs.

  • no sets defined

    The keyrec file does not contain any set keyrecs.

  • no keys defined

    The keyrec file does not contain any key keyrecs.

  • unknown zone keyrecs

    A set keyrec or a key keyrec references a non-existent zone keyrec.

  • missing key from zone keyrec

    A zone keyrec does not have both a KSK key and a ZSK key.

  • missing key from set keyrec

    A key listed in a set keyrec does not have a key keyrec.

  • expired zone keyrecs

    A zone has expired.

  • mislabeled key

    A key is labeled as a KSK (or ZSK) and its owner zone has it labeled as the opposite.

  • invalid zone data values

    A zone's keyrec data are checked to ensure that they are valid. The following conditions are checked: existence of the zone file, existence of the KSK file, existence of the KSK and ZSK directories, the end-time is greater than one day, and the seconds-count and date string match.

  • invalid key data values

    A key's keyrec data are checked to ensure that they are valid. The following conditions are checked: valid encryption algorithm, key length falls within algorithm's size range, random generator file exists, and the seconds-count and date string match.

Recognized potential problems include:

  • imminent zone expiration

    A zone will expire within one week.

  • odd zone-signing date

    A zone's recorded signing date is later than the current system clock.

  • orphaned keys

    A key keyrec is unreferenced by any set keyrec.

  • missing key directories

    A zone keyrec's key directories (kskdirectory or zskdirectory) do not exist.

Recognized inconsistencies include:

  • key-specific fields in a zone keyrec

    A zone keyrec contains key-specific entries. To allow for site-specific extensibility, krfcheck does not check for undefined keyrec fields.

  • zone-specific fields in a key keyrec

    A key keyrec contains zone-specific entries. To allow for site-specific extensibility, krfcheck does not check for undefined keyrec fields.

  • mismatched zone timestamp

    A zone's seconds-count timestamp does not match its textual timestamp.

  • mismatched set timestamp

    A set's seconds-count timestamp does not match its textual timestamp.

  • mismatched key timestamp

    A key's seconds-count timestamp does not match its textual timestamp.
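
The cross-reference and timestamp checks listed above, as an added Python example; it is not krfcheck's code. The keyrec layout, the field names (zonename, keys, keyrec_*secs, keyrec_*date), the sample data, and reading date strings as UTC are all assumptions made for this illustration.

```python
import re
import time

# Constructed sample. Layout and field names are assumptions for this example.
SAMPLE = '''
zone "example.com"
    keyrec_signsecs "1101183727"
    keyrec_signdate "Tue Nov 23 04:22:07 2004"
set "set-1"
    zonename "example.com"
    keys "Kexample.com.+005+11111 Kexample.com.+005+22222"
key "Kexample.com.+005+11111"
    zonename "example.com"
    keyrec_gensecs "1101183727"
    keyrec_gendate "Tue Nov 23 04:22:08 2004"
key "Kexample.com.+005+33333"
    zonename "example.org"
'''

def parse(text):
    """Return one dict per keyrec: header type and name, then its fields."""
    recs = []
    for line in text.splitlines():
        m = re.match(r'\s*(\S+)\s+"([^"]*)"', line)
        if not m:
            continue
        if not line[0].isspace():          # unindented line starts a keyrec
            recs.append({"type": m[1], "name": m[2]})
        elif recs:
            recs[-1][m[1]] = m[2]
    return recs

def check(recs):
    problems = []
    zones = {r["name"] for r in recs if r["type"] == "zone"}
    keys = {r["name"] for r in recs if r["type"] == "key"}
    in_sets = set()
    for r in recs:
        if r["type"] == "set":
            in_sets.update(r.get("keys", "").split())
        if r["type"] in ("set", "key") and r.get("zonename") not in zones:
            problems.append(("unknown zone", r["name"]))
        for field, secs in r.items():       # compare each *secs with its *date
            if field.endswith("secs"):
                text = time.asctime(time.gmtime(int(secs)))  # UTC: assumption
                if text.split() != r.get(field[:-4] + "date", "").split():
                    problems.append(("mismatched timestamp", r["name"]))
    problems += [("missing key from set", k) for k in sorted(in_sets - keys)]
    problems += [("orphaned key", k) for k in sorted(keys - in_sets)]
    return problems
```

On the constructed sample, check(parse(SAMPLE)) reports one mismatched timestamp, one unknown zone, one missing key from a set, and one orphaned key.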

  -zone

    Only perform checks of zone keyrecs. This option may not be combined with the -set or -key options.

  -set

    Only perform checks of set keyrecs. This option may not be combined with the -zone or -key options.

  -key

    Only perform checks of key keyrecs. This option may not be combined with the -set or -zone options.

  -count

    Display a final count of errors.

  -quiet

    Do not display messages. This option supersedes the setting of the -verbose option.

  -verbose

    Display many messages. This option is subordinate to the -quiet option.

  -Version

    Displays the version information for krfcheck and the DNSSEC-Tools package.

  -help

    Display a usage message.

Copyright 2004-2014 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.

Wayne Morrison, tewok@tislabs.com

cleankrf(8), fixkrf(8), lskrf(1), zonesigner(8)

Net::DNS::SEC::Tools::keyrec.pm(3)

file-keyrec(5)

2024-09-01 perl v5.40.0