krfcheck - Man Page
Check a DNSSEC-Tools keyrec file for problems and inconsistencies
Synopsis
krfcheck [-zone | -set | -key] [-count] [-quiet] [-verbose] [-Version] [-help] keyrec-file
Description
This script checks a keyrec file for problems, potential problems, and inconsistencies.
Recognized problems include:
no zones defined
The keyrec file does not contain any zone keyrecs.
no sets defined
The keyrec file does not contain any set keyrecs.
no keys defined
The keyrec file does not contain any key keyrecs.
unknown zone keyrecs
A set keyrec or a key keyrec references a non-existent zone keyrec.
missing key from zone keyrec
A zone keyrec does not have both a KSK key and a ZSK key.
missing key from set keyrec
A key listed in a set keyrec does not have a key keyrec.
expired zone keyrecs
A zone has expired.
mislabeled key
A key is labeled as a KSK (or ZSK) and its owner zone has it labeled as the opposite.
invalid zone data values
A zone's keyrec data are checked to ensure that they are valid. The following conditions are checked: existence of the zone file, existence of the KSK file, existence of the KSK and ZSK directories, the end-time is greater than one day, and the seconds-count and date string match.
invalid key data values
A key's keyrec data are checked to ensure that they are valid. The following conditions are checked: valid encryption algorithm, key length falls within algorithm's size range, random generator file exists, and the seconds-count and date string match.
Recognized potential problems include:
imminent zone expiration
A zone will expire within one week.
odd zone-signing date
A zone's recorded signing date is later than the current system clock.
orphaned keys
A key keyrec is unreferenced by any set keyrec.
missing key directories
A zone keyrec's key directories (kskdirectory or zskdirectory) do not exist.
Recognized inconsistencies include:
key-specific fields in a zone keyrec
A zone keyrec contains key-specific entries. To allow for site-specific extensibility, krfcheck does not check for undefined keyrec fields.
zone-specific fields in a key keyrec
A key keyrec contains zone-specific entries. To allow for site-specific extensibility, krfcheck does not check for undefined keyrec fields.
mismatched zone timestamp
A zone's seconds-count timestamp does not match its textual timestamp.
mismatched set timestamp
A set's seconds-count timestamp does not match its textual timestamp.
mismatched key timestamp
A key's seconds-count timestamp does not match its textual timestamp.
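The following Python sketch is an added example, not krfcheck's own code or output. It reproduces four of the checks listed above (unknown zone keyrecs, missing key from set keyrec, orphaned keys, mismatched timestamps) over a constructed keyrec file. The record layout, the field names (zonename, keys, and the paired *secs/*date fields) and the use of UTC for the date strings are assumptions about the format described in file-keyrec(5).

```python
import re
import time

# Constructed sample keyrec file; all names and values are illustrative.
SAMPLE = '''\
zone "example.com"
    keyrec_signsecs "1234567890"
    keyrec_signdate "Fri Feb 13 23:31:30 2009"
set "example.com-signset-1"
    zonename "example.com"
    keys "Kexample.com.+008+11111 Kexample.com.+008+22222"
    keyrec_setsecs "1000000000"
    keyrec_setdate "Mon Sep 10 01:46:40 2001"
key "Kexample.com.+008+11111"
    zonename "example.com"
key "Kexample.com.+008+33333"
    zonename "example.org"
'''
LINE = re.compile(r'^(\s*)(\S+)\s+"([^"]*)"')  # indent, word, quoted value

def parse_keyrecs(text):
    """Return {(type, name): {field: value}}; other lines are skipped."""
    recs, cur = {}, None
    for line in text.splitlines():
        m = LINE.match(line)
        if m and not m[1] and m[2] in ("zone", "set", "key"):
            cur = recs.setdefault((m[2], m[3]), {})  # unindented: new keyrec
        elif m and cur is not None:
            cur[m[2]] = m[3]                         # indented: field of keyrec
    return recs

def check(recs):
    """Return a list of (problem, keyrec name) tuples."""
    zones = {n for t, n in recs if t == "zone"}
    keys = {n for t, n in recs if t == "key"}
    in_sets, problems = set(), []
    for (kind, name), f in recs.items():
        if kind != "zone" and f.get("zonename") not in zones:
            problems.append(("unknown zone", name))
        if kind == "set":
            listed = f.get("keys", "").split()
            in_sets.update(listed)
            problems += [("missing key from set", k) for k in listed if k not in keys]
        for field, secs in f.items():  # compare each seconds-count with its date
            date = f.get(field[:-4] + "date")
            if (field.endswith("secs") and date and
                    time.asctime(time.gmtime(int(secs))).split() != date.split()):
                problems.append((f"mismatched {kind} timestamp", name))
    problems += [("orphaned key", k) for k in sorted(keys - in_sets)]
    return problems
```

Calling `check(parse_keyrecs(SAMPLE))` reports the key that the set lists but that has no key keyrec, the set's mismatched timestamp, and the key that both names an unknown zone and belongs to no set.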
Options
- -zone
Only perform checks of zone keyrecs. This option may not be combined with the -set or -key options.
- -set
Only perform checks of set keyrecs. This option may not be combined with the -zone or -key options.
- -key
Only perform checks of key keyrecs. This option may not be combined with the -set or -zone options.
- -count
Display a final count of errors.
- -quiet
Do not display messages. This option supersedes the setting of the -verbose option.
- -verbose
Display many messages. This option is subordinate to the -quiet option.
- -Version
Display the version information for krfcheck and the DNSSEC-Tools package.
- -help
Display a usage message.
Copyright
Copyright 2004-2014 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.
Author
Wayne Morrison, tewok@tislabs.com
See Also
cleankrf(8), fixkrf(8), lskrf(1), zonesigner(8)
Net::DNS::SEC::Tools::keyrec.pm(3)
file-keyrec(5)