Provided by: dnssec-tools_2.0-1_all

NAME

       rollchk - Check a DNSSEC-Tools rollrec file for problems and inconsistencies.

SYNOPSIS

         rollchk [-roll | -skip] [-count] [-quiet] [-verbose] [-help] rollrec-file

DESCRIPTION

       This script checks the rollrec file specified by rollrec-file for problems and
       inconsistencies.

TYPES OF CHECKS

       There are four types of checks performed by rollchk:  file checks, "raw" file checks, info
       rollrec checks, and rollrec checks.  The checks are performed in that order, and rollchk
       exits if any group of checks fails.

   File Checks
       These checks determine basic information about the rollrec file itself.  Recognized
       problems are:

       •   non-existent rollrec file

           The specified rollrec file does not exist.

       •   non-regular rollrec file

           The specified rollrec file is not a regular file.

   Raw File Checks
       These checks are performed directly on the file contents, rather than by using the
       rollrec.pm interfaces.  Recognized problems are:

       •   duplicated rollrec names

           A rollrec name is not unique.

   Info Rollrec Checks
       These checks are performed to ensure the info rollrec is valid.  Recognized problems are:

       •   negative version

           The version number in the info rollrec is less than 0.

       •   overly large version

           The version number in the info rollrec is greater than 2.

       •   invalid version

           The version number in the info rollrec is not 0, 1, or 2.

   Rollrec Checks
       These checks are performed after referencing the file contents with the rollrec.pm
       interfaces.  Recognized problems are:

       •   no zones defined

           No zones are defined in the specified rollrec file.

       •   invalid KSK rollover phase

           A zone has an invalid KSK rollover phase.  These phases may be 0, 1, 2, 3, 4, 5, 6, or
           7; any other value is invalid.

       •   mismatch in KSK timestamp data

           A zone's KSK roll-seconds timestamp does not translate into the date stored in its
           roll-date string.

       •   invalid ZSK rollover phase

           A zone has an invalid ZSK rollover phase.  These phases may be 0, 1, 2, 3, or 4; any
           other value is invalid.

       •   mismatch in ZSK timestamp data

           A zone's ZSK roll-seconds timestamp does not translate into the date stored in its
           roll-date string.

       •   contemporaneous KSK and ZSK rollovers

           A zone has a KSK rollover occurring at the same time as a ZSK rollover.  A zone may
           only have one rollover phase be non-zero at a time.

       •   in rollover without a phasestart

           A zone is currently in rollover, but its rollrec record does not have a phasestart
           field.

       •   empty administrator

           A zone has an empty administrator field.  This field must contain a non-empty data
           value.  The value itself is not parsed for accuracy.

       •   non-existent directory

           Several checks are made for a zone's directory.  If the zone has a directory
           specified, the directory must exist and it must be an actual directory.

       •   invalid display flag

           A zone has an invalid display flag.  This flag may be 0 or 1; any other value is
           invalid.

       •   non-positive maxttl

           The maximum TTL value must be greater than zero.

       •   zone file checks

           Several checks are made for a zone's zone file.  The zone file must exist, it must be
           a regular file, and it must not be of zero length.

           If the file is not an absolute path and the file's rollrec has a directory entry, then
           the directory is prepended to the filename prior to performing any checks.

       •   keyrec file checks

           Several checks are made for a zone's keyrec file.  The keyrec file must exist, it must
           be a regular file, and it must not be of zero length.

           If the file is not an absolute path and the file's rollrec has a directory entry, then
           the directory is prepended to the filename prior to performing any checks.

       •   zonename checks

           Several checks are made for zonename.  The zonename must match the SOA name in the
           zone file, and the zonename's keyrec record in its keyrec file must be a zone record.

       •   empty zsargs

           A zone has an empty zonesigner-arguments field.  If this field exists, it must contain
           a non-empty data value.  The value itself is not parsed for accuracy.
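
       The rollover-state checks listed above (phase ranges, contemporaneous rollovers, missing
       phasestart, timestamp mismatch) can be sketched as follows.  This is an added example,
       not rollchk's own code.  The sample records are constructed, and the key names, the
       treatment of absent fields as 0, and the UTC ctime-style date format are assumptions
       about the rollrec format rather than details given on this page.

```python
import re
import time
# Constructed sample; the key names are assumptions, not taken from this page.
SAMPLE = '''
roll "example.com"
    kskphase      "0"
    zskphase      "3"
    zsk_rollsecs  "1205259943"
    zsk_rolldate  "Tue Mar 11 18:25:43 2008"
    phasestart    "Tue Mar 11 18:25:43 2008"
roll "bad.example"
    kskphase      "2"
    zskphase      "9"
    zsk_rollsecs  "1205259943"
    zsk_rolldate  "Wed Mar 12 18:25:43 2008"
'''

def parse(text):
    recs, cur = {}, None
    for key, val in re.findall(r'^[ \t]*(\S+)[ \t]+"(.*)"[ \t]*$', text, re.M):
        if key in ("roll", "skip"):        # a new record starts here
            cur = recs.setdefault(val, {})
        elif cur is not None:
            cur[key] = val
    return recs

def num(rec, key):
    try:
        return int(rec.get(key, "0"))      # absent field treated as 0 (assumption)
    except ValueError:
        return None                        # non-numeric value

def check(rec):
    errs, phase = [], {}
    for k, top in (("ksk", 7), ("zsk", 4)):
        phase[k] = num(rec, k + "phase")
        if phase[k] not in range(top + 1):
            errs.append(f"invalid {k.upper()} rollover phase")
        secs = num(rec, k + "_rollsecs")
        want = time.asctime(time.gmtime(secs or 0)).split()   # UTC (assumption)
        if secs and want != rec.get(k + "_rolldate", "").split():
            errs.append(f"mismatch in {k.upper()} timestamp data")
    if phase["ksk"] and phase["zsk"]:
        errs.append("contemporaneous KSK and ZSK rollovers")
    if (phase["ksk"] or phase["zsk"]) and "phasestart" not in rec:
        errs.append("in rollover without a phasestart")
    return errs

if __name__ == "__main__":
    for name, rec in parse(SAMPLE).items():
        print(name, check(rec) or "ok")
```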

OPTIONS

       -roll
           Only display rollrecs that are active ("roll") records.  This option is mutually
           exclusive with the -skip option.

       -skip
           Only display rollrecs that are inactive ("skip") records.  This option is mutually
           exclusive with the -roll option.

       -count
           Display a final count of errors.

       -quiet
           Do not display messages.  This option supersedes the setting of the -verbose option.

       -verbose
           Display many messages.  This option is subordinate to the -quiet option.

       -Version
           Displays the version information for rollchk and the DNSSEC-Tools package.

       -help
           Display a usage message.

COPYRIGHT

       Copyright 2006-2013 SPARTA, Inc.  All rights reserved.  See the COPYING file included with
       the DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@tislabs.com

SEE ALSO

       lsroll(8), rollerd(8), rollinit(8)

       Net::DNS::SEC::Tools::rollrec.pm(3)

       file-rollrec(5), keyrec(8)