.\" -*- mode: troff; coding: utf-8 -*-
.\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "LSKRF 1"
.TH LSKRF 1 2023-07-29 "perl v5.38.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH NAME
lskrf \- List the keyrecs in a DNSSEC\-Tools keyrec file
.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\&  lskrf [options]
.Ve
.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBlskrf\fR lists the contents of the specified \fIkeyrec\fR files. All
\&\fIkeyrec\fR files are loaded before the output is displayed. If any
\fIkeyrec\fRs have duplicated names, whether within one file or across
multiple files, the later \fIkeyrec\fR will be the one whose data are
displayed.
.PP
\&\fBlskrf\fR has three base output formats.
In ascending levels of detail, these formats are terse output, default
format, and long format. Terse output is given when the \fB\-terse\fR option
is specified; long output is given when the
\&\fB\-long\fR option is specified.
.PP
The output displayed for each record in a \fIkeyrec\fR file depends on the
selected records, the selected attributes, and the selected output format.
Each option in these option groups is described in detail in the OPTIONS
section; the three basic output formats are described in the OUTPUT FORMATS
section.
.SH "OUTPUT FORMATS"
.IX Header "OUTPUT FORMATS"
\&\fIkeyrec\fR files hold three types of \fIkeyrec\fR records: zone records,
signing set records, and key records. Each type of \fIkeyrec\fR record contains
\&\fIkeyrec\fR fields related to that type. Zone \fIkeyrec\fR records contain
data about all the keys associated with a particular zone; set \fIkeyrec\fR
records contain data about all the keys associated with a particular signing
set; key
\&\fIkeyrec\fR records contain key lengths and algorithms for each particular
key. (There is the case of subordinate revoked and obsolete signing sets.
These are stored in key \fIkeyrec\fR records, but they contain the
\fIset_type\fR entry which key \fIkeyrec\fRs do not.) The data to be printed
must be specified by selecting some combination of the
\&\fB\-zones\fR, \fB\-sets\fR, \fB\-keys\fR, and \fB\-all\fR options. There are
also options for specifying specific types of keys to be printed.
.PP
The three base output formats are the default format, the terse format, and
the long format. The \fB\-terse\fR option indicates that a minimal amount of
output is desired; the \fB\-long\fR option indicates that a great deal of
output is desired. The record-selection and attribute-selection options may be
used in conjunction with \fB\-terse\fR to display exactly the set of
\fIkeyrec\fR fields needed.
The default output format is a middle ground between terse and long output
and is that used when neither \fB\-terse\fR nor \fB\-long\fR is given.
.SS "Zone \fIkeyrec\fP Output"
.IX Subsection "Zone keyrec Output"
The table below shows the zone \fIkeyrec\fR fields displayed for each output
format.
.PP
.Vb 10
\&    keyrec field            default    terse    long
\&    \-\-\-\-\-\-\-\-\-\-\-\-            \-\-\-\-\-\-\-    \-\-\-\-\-    \-\-\-\-
\&    keyrec type             yes        no       yes
\&    zone name               yes        yes      yes
\&    zone file               yes        no       yes
\&    signed zonefile         yes        no       yes
\&    signing date            yes        no       yes
\&    expiration date         no         no       yes
\&    archive directory       no         no       yes
\&    KSK count               no         no       yes
\&    KSK directory           no         no       yes
\&    current KSK set         no         no       yes
\&    published KSK set       no         no       yes
\&    ZSK count               no         no       yes
\&    ZSK directory           no         no       yes
\&    current ZSK set         no         no       yes
\&    published ZSK set       no         no       yes
\&    new ZSK set             no         no       yes
.Ve
.SS "Set \fIkeyrec\fP Output"
.IX Subsection "Set keyrec Output"
The table below shows the signing set \fIkeyrec\fR fields displayed for each
output format.
.PP
.Vb 8
\&    keyrec field            default    terse    long
\&    \-\-\-\-\-\-\-\-\-\-\-\-            \-\-\-\-\-\-\-    \-\-\-\-\-    \-\-\-\-
\&    keyrec type             yes        no       yes
\&    set name                yes        yes      yes
\&    zone name               yes        no       yes
\&    type                    yes        no       yes
\&    keys                    no         no       yes
\&    last modification date  no         no       yes
.Ve
.SS "Key \fIkeyrec\fP Output"
.IX Subsection "Key keyrec Output"
The table below shows the key \fIkeyrec\fR fields displayed for each output
format.
.PP
.Vb 10
\&    keyrec field            default    terse    long
\&    \-\-\-\-\-\-\-\-\-\-\-\-            \-\-\-\-\-\-\-    \-\-\-\-\-    \-\-\-\-
\&    keyrec type             yes        no       yes
\&    key name                yes        yes      yes
\&    algorithm               no         no       yes
\&    end date                no         no       yes
\&    generation date         yes        no       yes
\&    key length              no         no       yes
\&    key life                no         no       yes
\&    key path                no         no       yes
\&    keys                    no         no       yes
\&    random number generator no         no       yes
\&    zone name               yes        no       yes
.Ve
.SH OPTIONS
.IX Header "OPTIONS"
\&\fBlskrf\fR takes three types of options: record-selection options,
record-attribute options, and output-style options. These option sets are
detailed below.
.PP
Record-selection options are required options; at least one record-selection
option \fBmust\fR be selected. Record-attribute options and output-style
options are optional options; any number of these options \fImay\fR be
selected.
.SS "Record-Selection Options"
.IX Subsection "Record-Selection Options"
These options select the types of \fIkeyrec\fR that will be displayed.
.IP \fB\-all\fR 4
.IX Item "-all"
This option displays all the records in a \fIkeyrec\fR file.
.IP \fB\-zones\fR 4
.IX Item "-zones"
This option displays the zones in a \fIkeyrec\fR file.
.IP \fB\-sets\fR 4
.IX Item "-sets"
This option displays the signing sets in a \fIkeyrec\fR file.
.IP \fB\-keys\fR 4
.IX Item "-keys"
This option displays the keys in a \fIkeyrec\fR file.
.Sp
The key data are sorted by key type in the following order: Current KSKs,
Published KSKs, Current ZSKs, Published ZSKs, New ZSKs, Obsolete KSKs, and
Obsolete ZSKs.
.IP \fB\-ksk\fR 4
.IX Item "-ksk"
This option displays the KSK keys in a \fIkeyrec\fR file.
.IP \fB\-kcur\fR 4
.IX Item "-kcur"
This option displays the Current KSK keys in a \fIkeyrec\fR file.
.IP \fB\-kpub\fR 4
.IX Item "-kpub"
This option displays the Published KSK keys in a \fIkeyrec\fR file.
.IP \fB\-kobs\fR 4
.IX Item "-kobs"
This option displays the obsolete KSK keys in a \fIkeyrec\fR file.
This option must be given if obsolete KSK keys are to be displayed.
.IP \fB\-krev\fR 4
.IX Item "-krev"
This option displays the revoked KSK keys in a \fIkeyrec\fR file.
This option must be given if revoked KSK keys are to be displayed.
.IP \fB\-zsk\fR 4
.IX Item "-zsk"
This option displays the ZSK keys in a \fIkeyrec\fR file. It does not include
obsolete ZSK keys; the \fB\-obs\fR option must be specified to display
obsolete keys.
.IP \fB\-cur\fR 4
.IX Item "-cur"
This option displays the Current ZSK keys in a \fIkeyrec\fR file.
.IP \fB\-new\fR 4
.IX Item "-new"
This option displays the New ZSK keys in a \fIkeyrec\fR file.
.IP \fB\-pub\fR 4
.IX Item "-pub"
This option displays the Published ZSK keys in a \fIkeyrec\fR file.
.IP \fB\-zobs\fR 4
.IX Item "-zobs"
This option displays the obsolete ZSK keys in a \fIkeyrec\fR file.
This option must be given if obsolete ZSK keys are to be displayed.
.IP \fB\-zrev\fR 4
.IX Item "-zrev"
This option displays the revoked ZSK keys in a \fIkeyrec\fR file.
This option must be given if revoked ZSK keys are to be displayed.
.IP \fB\-obs\fR 4
.IX Item "-obs"
This option displays the obsolete KSK and ZSK keys in a \fIkeyrec\fR file.
This option is a shorthand method of specifying the \fB\-kobs\fR and
\fB\-zobs\fR options.
.IP \fB\-rev\fR 4
.IX Item "-rev"
This option displays the revoked KSK and ZSK keys in a \fIkeyrec\fR file.
This option is a shorthand method of specifying the \fB\-krev\fR and
\fB\-zrev\fR options.
.IP \fB\-invalid\fR 4
.IX Item "-invalid"
This option displays the obsolete and revoked KSK and ZSK keys in a
\fIkeyrec\fR file. This option is a shorthand method of specifying the
\fB\-obs\fR and \fB\-rev\fR options.
.SS "Record-Attribute Options"
.IX Subsection "Record-Attribute Options"
These options select subsets of the \fIkeyrec\fRs chosen by the
record-selection options.
.IP \fB\-valid\fR 4
.IX Item "-valid"
This option displays the valid zones in a \fIkeyrec\fR file. It implies the
\fB\-zones\fR option.
.IP \fB\-expired\fR 4
.IX Item "-expired"
This option displays the expired zones in a \fIkeyrec\fR file. It implies the
\fB\-zones\fR option.
.IP \fB\-ref\fR 4
.IX Item "-ref"
This option displays the referenced signing set \fIkeyrec\fRs and the
referenced key \fIkeyrec\fRs in a \fIkeyrec\fR file, depending upon other
selected options.
.Sp
Referenced state depends on the following:
.Sp
.Vb 2
\&    * Signing sets are considered to be referenced if they
\&      are listed in a zone keyrec.
\&
\&    * KSKs are considered to be referenced if they are listed
\&      in a signing set keyrec that is listed in a zone keyrec.
\&
\&    * ZSKs are considered to be referenced if they are listed
\&      in a signing set keyrec that is listed in a zone keyrec.
.Ve
.Sp
This option may be used with either the \fB\-sets\fR or \fB\-keys\fR options.
If it isn't used with any record-selection options, then it is assumed that
both
\&\fB\-sets\fR and \fB\-keys\fR have been specified.
.IP \fB\-unref\fR 4
.IX Item "-unref"
This option displays the unreferenced signing set \fIkeyrec\fRs or the
unreferenced key \fIkeyrec\fRs in a \fIkeyrec\fR file, depending upon other
selected options.
.Sp
Unreferenced state depends on the following:
.Sp
.Vb 2
\&    * Signing sets are considered to be unreferenced if they
\&      are not listed in a zone keyrec.
\&
\&    * KSKs are considered to be unreferenced if they are not listed
\&      in a signing set keyrec that is listed in a zone keyrec.
\&
\&    * ZSKs are considered to be unreferenced if they are not listed
\&      in a signing set keyrec that is listed in a zone keyrec.
\&
\&    * Obsolete ZSKs are checked, whether or not the \-obs flag
\&      was specified.
.Ve
.Sp
This option may be used with either the \fB\-sets\fR or \fB\-keys\fR options.
If it isn't used with any record-selection options, then it is assumed that
both
\&\fB\-sets\fR and \fB\-keys\fR have been specified.
.SS "Zone-Attribute Options"
.IX Subsection "Zone-Attribute Options"
These options allow specific zone fields to be included in the output. If
combined with the \fB\-terse\fR option, only those fields specifically desired
will be printed. These options must be used with the \fB\-zones\fR option.
.IP \fB\-z\-archdir\fR 4
.IX Item "-z-archdir"
Display the zone's archive directory. If an archive directory is not
explicitly set for the zone, the default directory will be listed.
.IP \fB\-z\-dates\fR 4
.IX Item "-z-dates"
Display the zone's time-stamps. These are the signing date and the expiration
date.
.IP \fB\-z\-dirs\fR 4
.IX Item "-z-dirs"
Display the zone's directories.
These directories are the KSK directory, the ZSK directory, and the key
archive directory.
.IP \fB\-z\-expdate\fR 4
.IX Item "-z-expdate"
Display the zone's expiration date.
.IP \fB\-z\-ksk\fR 4
.IX Item "-z-ksk"
Display the zone's KSK data. This is the equivalent of specifying the
\&\fB\-z\-kskcount\fR, \fB\-z\-kskcur\fR, \fB\-z\-kskdir\fR, and
\fB\-z\-kskpub\fR options.
.IP \fB\-z\-kskcount\fR 4
.IX Item "-z-kskcount"
Display the zone's KSK count.
.IP \fB\-z\-kskcur\fR 4
.IX Item "-z-kskcur"
Display the zone's Current KSK signing set. If this is not defined, then ""
will be given.
.IP \fB\-z\-kskdir\fR 4
.IX Item "-z-kskdir"
Display the zone's KSK directory. If this is not defined, then "." will be
given.
.IP \fB\-z\-kskpub\fR 4
.IX Item "-z-kskpub"
Display the zone's Published KSK signing set. If this is not defined, then ""
will be given.
.IP \fB\-z\-sets\fR 4
.IX Item "-z-sets"
Display the zone's signing sets. This is the equivalent of specifying the
\&\fB\-z\-kskcur\fR, \fB\-z\-kskpub\fR, \fB\-z\-zskcur\fR, \fB\-z\-zsknew\fR, and
\fB\-z\-zskpub\fR options.
.IP \fB\-z\-signdate\fR 4
.IX Item "-z-signdate"
Display the zone's signing date.
.IP \fB\-z\-signfile\fR 4
.IX Item "-z-signfile"
Display the zone's signed zonefile.
.IP \fB\-z\-zonefile\fR 4
.IX Item "-z-zonefile"
Display the zone's zonefile.
.IP \fB\-z\-zsk\fR 4
.IX Item "-z-zsk"
Display the zone's ZSK data. This is the equivalent of specifying the
\&\fB\-z\-zskcount\fR, \fB\-z\-zskcur\fR, \fB\-z\-zskdir\fR, \fB\-z\-zsknew\fR,
and \fB\-z\-zskpub\fR options.
.IP \fB\-z\-zskcount\fR 4
.IX Item "-z-zskcount"
Display the zone's ZSK count.
.IP \fB\-z\-zskcur\fR 4
.IX Item "-z-zskcur"
Display the zone's Current ZSK signing set. If this is not defined, then ""
will be given.
.IP \fB\-z\-zskdir\fR 4
.IX Item "-z-zskdir"
Display the zone's ZSK directory. If this is not defined, then "." will be
given.
.IP \fB\-z\-zsknew\fR 4
.IX Item "-z-zsknew"
Display the zone's New ZSK signing set.
If this is not defined, then "" will be given.
.IP \fB\-z\-zskpub\fR 4
.IX Item "-z-zskpub"
Display the zone's Published ZSK signing set. If this is not defined, then ""
will be given.
.SS "Set-Attribute Options"
.IX Subsection "Set-Attribute Options"
These options allow specific set fields to be included in the output. If
combined with the \fB\-terse\fR option, only those fields specifically desired
will be printed. These options must be used with the \fB\-sets\fR option.
.PP
If RFC5011 processing is enabled, there is special handling of the zone's set
\&\fIkeyrec\fR of revoked KSK keys. The "kskrev" field in the zone's
\fIkeyrec\fR points to a set \fIkeyrec\fR, marked as being of type "kskrev".
This set
\&\fIkeyrec\fR, in turn, points to a number of other set \fIkeyrec\fRs, all of
which are also marked as being of type "kskrev". The group of all revoked KSK
keys is found by consulting that subsidiary set of "kskrev" set
\fIkeyrec\fRs. When the ages of these revoked keys exceed their revocation
periods, they are marked as being obsolete ("kskobs"). If this happens as
part of normal rollover, these revoked key and set \fIkeyrec\fRs are all
removed from the chain of active, revoked \fIkeyrec\fRs. If this happens to a
key that's part of a larger set of keys, it is removed from that signing set
and put in its own new signing set. \fBlskrf\fR displays the type of the
"kskrev" set (listed in the zone \fIkeyrec\fR) as "KSK-REV", and all other
revoked KSK \fIkeyrec\fRs are listed as "KSK-rev".
.IP \fB\-s\-keys\fR 4
.IX Item "-s-keys"
Display the set's keys.
.IP \fB\-s\-lastmod\fR 4
.IX Item "-s-lastmod"
Display the set's date of last modification.
.IP \fB\-s\-type\fR 4
.IX Item "-s-type"
Display the set's type.
.IP \fB\-s\-zone\fR 4
.IX Item "-s-zone"
Display the set's zone name.
.IP \fB\-s\-ksk\fR 4
.IX Item "-s-ksk"
Display KSK signing sets. This option implies the \fB\-sets\fR option.
.IP \fB\-s\-kcur\fR 4
.IX Item "-s-kcur"
Display current KSK signing sets.
This option implies the \fB\-sets\fR option.
.IP \fB\-s\-kobs\fR 4
.IX Item "-s-kobs"
Display obsolete KSK signing sets. This option implies the \fB\-sets\fR
option.
.IP \fB\-s\-kpub\fR 4
.IX Item "-s-kpub"
Display published KSK signing sets. This option implies the \fB\-sets\fR
option.
.IP \fB\-s\-krev\fR 4
.IX Item "-s-krev"
Display revoked KSK signing sets. This option implies the \fB\-sets\fR option.
.IP \fB\-s\-zsk\fR 4
.IX Item "-s-zsk"
Display ZSK signing sets. This option implies the \fB\-sets\fR option.
.IP \fB\-s\-zcur\fR 4
.IX Item "-s-zcur"
Display current ZSK signing sets. This option implies the \fB\-sets\fR option.
.IP \fB\-s\-znew\fR 4
.IX Item "-s-znew"
Display new ZSK signing sets. This option implies the \fB\-sets\fR option.
.IP \fB\-s\-zobs\fR 4
.IX Item "-s-zobs"
Display obsolete ZSK signing sets. This option implies the \fB\-sets\fR
option.
.IP \fB\-s\-zpub\fR 4
.IX Item "-s-zpub"
Display published ZSK signing sets. This option implies the \fB\-sets\fR
option.
.IP \fB\-s\-zrev\fR 4
.IX Item "-s-zrev"
Display revoked ZSK signing sets. This option implies the \fB\-sets\fR option.
.SS "Key-Attribute Options"
.IX Subsection "Key-Attribute Options"
These options allow specific key fields to be included in the output. If
combined with the \fB\-terse\fR option, only those fields specifically desired
will be printed. These options must be used with the \fB\-keys\fR option.
.IP \fB\-k\-algorithm\fR 4
.IX Item "-k-algorithm"
Display the key's encryption algorithm.
.IP \fB\-k\-enddate\fR 4
.IX Item "-k-enddate"
Display the key's end-date, calculated by adding the key's lifespan to its
signing date.
.IP \fB\-k\-length\fR 4
.IX Item "-k-length"
Display the key's length.
.IP \fB\-k\-lifespan\fR 4
.IX Item "-k-lifespan"
Display the key's lifespan (in seconds). This lifespan is \fBonly\fR related
to the time between key rollover. There is no other lifespan associated with
a key.
.IP \fB\-k\-path\fR 4
.IX Item "-k-path"
Display the key's path.
.IP \fB\-k\-random\fR 4
.IX Item "-k-random"
Display the key's random number generator.
.IP \fB\-k\-signdate\fR 4
.IX Item "-k-signdate"
Display the key's signing date.
.IP \fB\-k\-zone\fR 4
.IX Item "-k-zone"
Display the key's zonefile.
.SS "Output-Format Options"
.IX Subsection "Output-Format Options"
These options define how the \fIkeyrec\fR information will be displayed.
.PP
Without any of these options, the zone name, zone file, zone-signing date,
and a label will be displayed for zones. For keys, the key name, the key's
zone, the key's generation date, and a label will be displayed if these
options aren't given.
.IP \fB\-count\fR 4
.IX Item "-count"
The count of matching records will be displayed, but the matching records
will not be.
.IP \fB\-nodate\fR 4
.IX Item "-nodate"
The key's generation date will not be printed if this flag is given.
.IP \fB\-headers\fR 4
.IX Item "-headers"
Display explanatory column headers. If this flag is given, then entry labels
will not be printed unless explicitly requested by use of the \fB\-label\fR
option.
.IP \fB\-label\fR 4
.IX Item "-label"
A label for the \fIkeyrec\fR's type will be given.
.IP \fB\-long\fR 4
.IX Item "-long"
The long form of output will be given. See the OUTPUT FORMATS section for
details on data printed for each type of \fIkeyrec\fR record.
.Sp
Long zone output can get \fIvery\fR wide, depending on the data.
.IP \fB\-terse\fR 4
.IX Item "-terse"
This option displays only the name of the zones or keys selected by other
options.
.IP \fB\-Version\fR 4
.IX Item "-Version"
Displays the version information for \fBlskrf\fR and the DNSSEC-Tools
package.
.IP \fB\-help\fR 4
.IX Item "-help"
Display a usage message and exit.
.IP \fB\-h\-zones\fR 4
.IX Item "-h-zones"
Display the zone-attribute options and exit.
.IP \fB\-h\-sets\fR 4
.IX Item "-h-sets"
Display the set-attribute options and exit.
.IP \fB\-h\-keys\fR 4
.IX Item "-h-keys"
Display the key-attribute options and exit.
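.PP
The record-attribute options above lend themselves to a periodic key-hygiene check. The following shell audit is an added example, not part of the DNSSEC-Tools documentation: it reports expired zones and unreferenced signing sets and keys, and treats any lskrf failure as an error rather than a clean result. It assumes keyrec files are passed as trailing arguments and that \-terse prints one name per line; the function names and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: keyrec hygiene audit using lskrf options from this page.
# Assumptions (not stated on the page): keyrec files are passed as trailing
# arguments, and -terse prints one record name per line.
# Function names and finding labels are hypothetical.

# Print the names lskrf selects for the given options, one per line.
# usage: krf_names <keyrec-file> <lskrf options...>
krf_names() {
    krf_file=$1
    shift
    # Capture first so an lskrf failure is not masked by the sed pipeline.
    krf_out=$(lskrf -terse "$@" "$krf_file") || return 2
    printf '%s\n' "$krf_out" |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Print one "LABEL: name" finding per non-empty line of $2.
krf_report() {
    [ -n "$2" ] || return 0
    printf '%s\n' "$2" | while IFS= read -r krf_name; do
        printf '%s: %s\n' "$1" "$krf_name"
    done
}

# Audit one keyrec file.
# Returns 0 if clean, 1 if there are findings, 2 if lskrf could not be run
# (fail closed: an error is never reported as "clean").
# usage: krf_audit <keyrec-file>
krf_audit() {
    krf=$1
    [ -r "$krf" ] || { echo "ERROR: cannot read $krf" >&2; return 2; }

    # -expired implies -zones: the expired zones in the file.
    expired=$(krf_names "$krf" -expired) || return 2
    # -unref with -sets: signing sets not listed in any zone keyrec.
    unref_sets=$(krf_names "$krf" -sets -unref) || return 2
    # -unref with -keys: keys not listed in a set that a zone keyrec lists.
    unref_keys=$(krf_names "$krf" -keys -unref) || return 2

    krf_report EXPIRED-ZONE "$expired"
    krf_report UNREFERENCED-SET "$unref_sets"
    krf_report UNREFERENCED-KEY "$unref_keys"

    # Exit status doubles as the verdict: success only when nothing was found.
    [ -z "$expired$unref_sets$unref_keys" ]
}
```

Run from cron or a monitoring check, the return code separates "findings" (1) from "could not check" (2), so a missing or failing lskrf raises an alert instead of passing silently.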
.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2005\-2014 SPARTA, Inc. All rights reserved.
See the COPYING file included with the DNSSEC-Tools package for details.
.SH AUTHOR
.IX Header "AUTHOR"
Wayne Morrison, tewok@tislabs.com
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBzonesigner\|(8)\fR
.PP
\&\fBNet::DNS::SEC::Tools::keyrec.pm\|(3)\fR
.PP
\&\fBfile\-keyrec\|(5)\fR