Provided by: dnssec-tools_2.0-1_all

NAME

       lskrf - List the keyrecs in a DNSSEC-Tools keyrec file

SYNOPSIS

         lskrf [options] <keyrec-files>

DESCRIPTION

       lskrf lists the contents of the specified keyrec files.  All keyrec files are loaded
       before the output is displayed.  If any keyrecs have duplicated names, whether within one
       file or across multiple files, the later keyrec will be the one whose data are displayed.

       lskrf has three base output formats.  In ascending levels of detail, these formats are
       terse output, default format, and long format.  Terse output is given when the -terse
       option is specified; long output is given when the -long option is specified.

       The output displayed for each record in a keyrec file depends on the selected records, the
       selected attributes, and the selected output format.  Each option in these option groups
       is described in detail in the OPTIONS section; the three basic output formats are
       described in the OUTPUT FORMATS section.

OUTPUT FORMATS

       keyrec files hold three types of keyrec records:  zone records, signing set records, and
       key records.  Each type of keyrec record contains keyrec fields related to that type.
       Zone keyrec records contain data about all the keys associated with a particular zone; set
       keyrec records contain data about all the keys associated with a particular signing set;
       key keyrec records contain key lengths and algorithms for each particular key.  (There is
       the case of subordinate revoked and obsolete signing sets.  These are stored in key keyrec
       records, but they contain the set_type entry which key keyrecs do not.)  The data to be
       printed must be specified by selecting some combination of the -zones, -sets, -keys, and
       -all options.  There are also options for specifying specific types of keys to be printed.

       The three base output formats are the default format, the terse format, and the long
       format.  The -terse option indicates that a minimal amount of output is desired; the -long
       option indicates that a great deal of output is desired.  The record-selection and
       attribute-selection options may be used in conjunction with -terse to display exactly the
       set of keyrec fields needed.  The default output format is a middle ground between terse
       and long output and is that used when neither -terse nor -long is given.

   Zone keyrec Output
       The table below shows the zone keyrec fields displayed for each output format.

           keyrec field         default        terse        long
           ------------         -------        -----        ----
           keyrec type            yes           no          yes
           zone name              yes           yes         yes
           zone file              yes           no          yes
           signed zonefile        yes           no          yes
           signing date           yes           no          yes
           expiration date        no            no          yes
           archive directory      no            no          yes
           KSK count              no            no          yes
           KSK directory          no            no          yes
           current KSK set        no            no          yes
           published KSK set      no            no          yes
           ZSK count              no            no          yes
           ZSK directory          no            no          yes
           current ZSK set        no            no          yes
           published ZSK set      no            no          yes
           new ZSK set            no            no          yes

   Set keyrec Output
       The table below shows the signing set keyrec fields displayed for each output format.

           keyrec field                 default        terse        long
           ------------                 -------        -----        ----
           keyrec type                    yes           no          yes
           set name                       yes           yes         yes
           zone name                      yes           no          yes
           type                           yes           no          yes
           keys                           no            no          yes
           last modification date         no            no          yes

   Key keyrec Output
       The table below shows the key keyrec fields displayed for each output format.

           keyrec field               default       terse       long
           ------------               -------       -----       ----
           keyrec type                yes           no          yes
           key name                   yes           yes         yes
           algorithm                  no            no          yes
           end date                   no            no          yes
           generation date            yes           no          yes
           key length                 no            no          yes
           key life                   no            no          yes
           key path                   no            no          yes
           keys                       no            no          yes
           random number generator    no            no          yes
           zone name                  yes           no          yes

OPTIONS

       lskrf takes three types of options:  record-selection options, record-attribute options,
       and output-style options.  These option sets are detailed below.

       Record-selection options are required; at least one record-selection option must be
       selected.  Record-attribute options and output-style options are optional; any number of
       these options may be selected.

   Record-Selection Options
       These options select the types of keyrec that will be displayed.

       -all
           This option displays all the records in a keyrec file.

       -zones
           This option displays the zones in a keyrec file.

       -sets
           This option displays the signing sets in a keyrec file.

       -keys
           This option displays the keys in a keyrec file.

           The key data are sorted by key type in the following order:  Current KSKs, Published
           KSKs, Current ZSKs, Published ZSKs, New ZSKs, Obsolete KSKs, and Obsolete ZSKs.

       -ksk
           This option displays the KSK keys in a keyrec file.

       -kcur
           This option displays the Current KSK keys in a keyrec file.

       -kpub
           This option displays the Published KSK keys in a keyrec file.

       -kobs
           This option displays the obsolete KSK keys in a keyrec file.  This option must be given
           if obsolete KSK keys are to be displayed.

       -krev
           This option displays the revoked KSK keys in a keyrec file.  This option must be given
           if revoked KSK keys are to be displayed.

       -zsk
           This option displays the ZSK keys in a keyrec file.  It does not include obsolete ZSK
           keys; the -obs option must be specified to display obsolete keys.

       -cur
           This option displays the Current ZSK keys in a keyrec file.

       -new
           This option displays the New ZSK keys in a keyrec file.

       -pub
           This option displays the Published ZSK keys in a keyrec file.

       -zobs
           This option displays the obsolete ZSK keys in a keyrec file.  This option must be given
           if obsolete ZSK keys are to be displayed.

       -zrev
           This option displays the revoked ZSK keys in a keyrec file.  This option must be given
           if revoked ZSK keys are to be displayed.

       -obs
           This option displays the obsolete KSK and ZSK keys in a keyrec file.  This option is
           shorthand for specifying the -kobs and -zobs options.

       -rev
           This option displays the revoked KSK and ZSK keys in a keyrec file.  This option is
           shorthand for specifying the -krev and -zrev options.

       -invalid
           This option displays the obsolete and revoked KSK and ZSK keys in a keyrec file.  This
           option is shorthand for specifying the -obs and -rev options.

   Record-Attribute Options
       These options select subsets of the keyrecs chosen by the record-selection options.

       -valid
           This option displays the valid zones in a keyrec file.  It implies the -zones option.

       -expired
           This option displays the expired zones in a keyrec file.  It implies the -zones
           option.

       -ref
           This option displays the referenced signing set keyrecs and the referenced key keyrecs
           in a keyrec file, depending upon other selected options.

           Referenced state depends on the following:

             * Signing sets are considered to be referenced if they
               are listed in a zone keyrec.

             * KSKs are considered to be referenced if they are listed
               in a signing set keyrec that is listed in a zone keyrec.

             * ZSKs are considered to be referenced if they are listed
               in a signing set keyrec that is listed in a zone keyrec.

           This option may be used with either the -sets or -keys options.  If it isn't used with
           any record-selection options, then it is assumed that both -sets and -keys have been
           specified.

       -unref
           This option displays the unreferenced signing set keyrecs or the unreferenced key
           keyrecs in a keyrec file, depending upon other selected options.

           Unreferenced state depends on the following:

             * Signing sets are considered to be unreferenced if they
               are not listed in a zone keyrec.

             * KSKs are considered to be unreferenced if they are not listed
               in a signing set keyrec that is listed in a zone keyrec.

             * ZSKs are considered to be unreferenced if they are not listed
               in a signing set keyrec that is listed in a zone keyrec.

             * Obsolete ZSKs are checked, whether or not the -obs flag
               was specified.

           This option may be used with either the -sets or -keys options.  If it isn't used with
           any record-selection options, then it is assumed that both -sets and -keys have been
           specified.
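
       The referenced/unreferenced rules above, together with the later-duplicate-wins rule
       from DESCRIPTION, as an added Python example (not lskrf's own code).  The keyrec layout,
       the zone field names in SET_FIELDS, and the sample data are assumptions constructed for
       illustration; file-keyrec(5) describes the real format.

```python
import re

# Zone fields naming a signing set (assumed names, modelled on the -z-* options).
SET_FIELDS = ("kskcur", "kskpub", "zskcur", "zskpub", "zsknew")

# Constructed sample in an assumed keyrec layout (not taken from a real zone).
SAMPLE = '''
zone "example.com"
        kskcur "set-ksk-1"
        zskcur "set-zsk-1"
set "set-ksk-1"
        keys "Kexample.com.+008+11111"
set "set-zsk-1"
        keys "Kexample.com.+008+22222 Kexample.com.+008+33333"
set "set-zsk-old"
        keys "Kexample.com.+008+44444"
key "Kexample.com.+008+11111"
        keyrec_type "kskcur"
key "Kexample.com.+008+22222"
        keyrec_type "zskcur"
key "Kexample.com.+008+33333"
        keyrec_type "zskcur"
key "Kexample.com.+008+44444"
        keyrec_type "zskobs"
set "set-zsk-1"
        keys "Kexample.com.+008+22222"
'''

def load_keyrecs(*texts):
    """Parse keyrec text; a later keyrec with the same name replaces an earlier one."""
    recs, cur = {}, None
    for line in "\n".join(texts).splitlines():
        m = re.match(r'\s*(\S+)\s+"([^"]*)"', line)
        if not m or line.lstrip().startswith("#"):
            continue                      # blank line, comment, or unparsable line
        field, value = m.groups()
        if not line[0].isspace() and field in ("zone", "set", "key"):
            cur = recs[value] = {"_type": field}   # record header; duplicates overwrite
        elif cur is not None:
            cur[field] = value            # indented field of the current record
    return recs

def reference_state(recs):
    """Return (referenced sets, unreferenced sets, referenced keys, unreferenced keys)."""
    zones = [r for r in recs.values() if r["_type"] == "zone"]
    listed = {z[f] for z in zones for f in SET_FIELDS if f in z}
    sets = {n for n, r in recs.items() if r["_type"] == "set"}
    keys = {n for n, r in recs.items() if r["_type"] == "key"}
    ref_sets = sets & listed              # sets listed in a zone keyrec
    ref_keys = {k for s in ref_sets for k in recs[s].get("keys", "").split()} & keys
    return ref_sets, sets - ref_sets, ref_keys, keys - ref_keys

if __name__ == "__main__":
    print(reference_state(load_keyrecs(SAMPLE)))
```

       In the sample, the second "set-zsk-1" record replaces the first, so key ...+33333 drops
       out of every zone-listed set and is reported as unreferenced along with ...+44444.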

   Zone-Attribute Options
       These options allow specific zone fields to be included in the output.  If combined with
       the -terse option, only those fields specifically desired will be printed.  These options
       must be used with the -zones option.

       -z-archdir
           Display the zone's archive directory.  If an archive directory is not explicitly set
           for the zone, the default directory will be listed.

       -z-dates
           Display the zone's time-stamps.  These are the signing date and the expiration date.

       -z-dirs
           Display the zone's directories.  These directories are the KSK directory, the ZSK
           directory, and the key archive directory.

       -z-expdate
           Display the zone's expiration date.

       -z-ksk
           Display the zone's KSK data.  This is the equivalent of specifying the -z-kskcount,
           -z-kskcur, -z-kskdir, and -z-kskpub options.

       -z-kskcount
           Display the zone's KSK count.

       -z-kskcur
           Display the zone's Current KSK signing set.  If this is not defined, then "<unset>"
           will be given.

       -z-kskdir
           Display the zone's KSK directory.  If this is not defined, then "." will be given.

       -z-kskpub
           Display the zone's Published KSK signing set.  If this is not defined, then "<unset>"
           will be given.

       -z-sets
           Display the zone's signing sets.  This is the equivalent of specifying the -z-kskcur,
           -z-kskpub, -z-zskcur, -z-zsknew, and -z-zskpub options.

       -z-signdate
           Display the zone's signing date.

       -z-signfile
           Display the zone's signed zonefile.

       -z-zonefile
           Display the zone's zonefile.

       -z-zsk
           Display the zone's ZSK data.  This is the equivalent of specifying the -z-zskcount,
           -z-zskcur, -z-zskdir, -z-zsknew, and -z-zskpub options.

       -z-zskcount
           Display the zone's ZSK count.

       -z-zskcur
           Display the zone's Current ZSK signing set.  If this is not defined, then "<unset>"
           will be given.

       -z-zskdir
           Display the zone's ZSK directory.  If this is not defined, then "." will be given.

       -z-zsknew
           Display the zone's New ZSK signing set.  If this is not defined, then "<unset>" will
           be given.

       -z-zskpub
           Display the zone's Published ZSK signing set.  If this is not defined, then "<unset>"
           will be given.

   Set-Attribute Options
       These options allow specific set fields to be included in the output.  If combined with
       the -terse option, only those fields specifically desired will be printed.  These options
       must be used with the -sets option.

       If RFC5011 processing is enabled, there is special handling of the zone's set keyrec of
       revoked KSK keys.  The "kskrev" field in the zone's keyrec points to a set keyrec, marked
       as being of type "kskrev".  This set keyrec, in turn, points to a number of other set
       keyrecs, all of which are also marked as being of type "kskrev".  The group of all revoked
       KSK keys is found by consulting that subsidiary set of "kskrev" set keyrecs.  When the
       ages of these revoked keys exceed their revocation periods, they are marked as being
       obsolete ("kskobs").  If this happens as part of normal rollover, these revoked key and
       set keyrecs are all removed from the chain of active, revoked keyrecs.  If this happens to
       a key that's part of a larger set of keys, it is removed from that signing set and put in
       its own new signing set.  lskrf displays the type of the "kskrev" set (listed in the zone
       keyrec) as "KSK-REV", and all other revoked KSK keyrecs are listed as "KSK-rev".

       -s-keys
           Display the set's keys.

       -s-lastmod
           Display the set's date of last modification.

       -s-type
           Display the set's type.

       -s-zone
           Display the set's zone name.

       -s-ksk
           Display KSK signing sets.  This option implies the -sets option.

       -s-kcur
           Display current KSK signing sets.  This option implies the -sets option.

       -s-kobs
           Display obsolete KSK signing sets.  This option implies the -sets option.

       -s-kpub
           Display published KSK signing sets.  This option implies the -sets option.

       -s-krev
           Display revoked KSK signing sets.  This option implies the -sets option.

       -s-zsk
           Display ZSK signing sets.  This option implies the -sets option.

       -s-zcur
           Display current ZSK signing sets.  This option implies the -sets option.

       -s-znew
           Display new ZSK signing sets.  This option implies the -sets option.

       -s-zobs
           Display obsolete ZSK signing sets.  This option implies the -sets option.

       -s-zpub
           Display published ZSK signing sets.  This option implies the -sets option.

       -s-zrev
           Display revoked ZSK signing sets.  This option implies the -sets option.

   Key-Attribute Options
       These options allow specific key fields to be included in the output.  If combined with
       the -terse option, only those fields specifically desired will be printed.  These options
       must be used with the -keys option.

       -k-algorithm
           Display the key's encryption algorithm.

       -k-enddate
           Display the key's end-date, calculated by adding the key's lifespan to its signing
           date.

       -k-length
           Display the key's length.

       -k-lifespan
           Display the key's lifespan (in seconds).  This lifespan is related only to the time
           between key rollovers.  There is no other lifespan associated with a key.

       -k-path
           Display the key's path.

       -k-random
           Display the key's random number generator.

       -k-signdate
           Display the key's signing date.

       -k-zone
           Display the key's zonefile.

   Output-Format Options
       These options define how the keyrec information will be displayed.

       Without any of these options, the zone name, zone file, zone-signing date, and a label
       will be displayed for zones.  For types, the key name, the key's zone, the key's
       generation date, and a label will be displayed if these options aren't given.

       -count
           The count of matching records will be displayed, but the matching records will not be.

       -nodate
           The key's generation date will not be printed if this flag is given.

       -headers
           Display explanatory column headers.  If this flag is given, then entry labels will not
           be printed unless explicitly requested by use of the -label option.

       -label
           A label for the keyrec's type will be given.

       -long
           The long form of output will be given.  See the OUTPUT FORMATS section for details on
           data printed for each type of keyrec record.

           Long zone output can get very wide, depending on the data.

       -terse
           This option displays only the name of the zones or keys selected by other options.

       -Version
           Displays the version information for lskrf and the DNSSEC-Tools package.

       -help
           Display a usage message and exit.

       -h-zones
           Display the zone-attribute options and exit.

       -h-sets
           Display the set-attribute options and exit.

       -h-keys
           Display the key-attribute options and exit.

COPYRIGHT

       Copyright 2005-2013 SPARTA, Inc.  All rights reserved.  See the COPYING file included with
       the DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@tislabs.com

SEE ALSO

       zonesigner(8)

       Net::DNS::SEC::Tools::keyrec.pm(3)

       file-keyrec(5)