Provided by: dnssec-tools_2.2-2_all


       cleankrf - Clean DNSSEC-Tools keyrec files of old data


         cleankrf [options] <keyrec-files>


       cleankrf cleans old data out of a set of DNSSEC-Tools keyrec files.  The old data are
       obsolete signing sets, orphaned keys, and obsolete keys.

       Obsolete signing sets are set keyrecs unreferenced by a zone keyrec.  Revoked signing sets
       are considered obsolete by cleankrf.

       Orphaned keys are KSK and ZSK key keyrecs unreferenced by a set keyrec.

       Obsolete keys are key keyrecs with a keyrec_type of kskobs or zskobs.

       cleankrf's exit code is the count of orphaned and obsolete keyrecs found.
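
       The classification rules above, as an added example that is not code from cleankrf
       or the DNSSEC-Tools package. Keyrecs are modelled as in-memory dicts; the "sets",
       "keys" and "revoked" fields and all sample names are hypothetical, and only
       keyrec_type, kskobs and zskobs come from this page.

```python
# Added illustration of the three "old data" classes; not the cleankrf source.
# Field names "sets", "keys" and "revoked" are hypothetical stand-ins.
OBSOLETE_KEY_TYPES = {"kskobs", "zskobs"}

def classify(zones, sets, keys):
    """Return obsolete sets, orphaned keys and obsolete keys, plus a total."""
    # Signing sets named by at least one zone keyrec.
    referenced_sets = {s for z in zones.values() for s in z["sets"]}
    # Obsolete sets: unreferenced by a zone keyrec, or revoked.
    obsolete_sets = sorted(
        name for name, rec in sets.items()
        if name not in referenced_sets or rec.get("revoked", False))
    # Assumption: a reference from any set keyrec counts, including
    # sets that were classified obsolete above.
    referenced_keys = {k for rec in sets.values() for k in rec["keys"]}
    obsolete_keys = sorted(
        name for name, rec in keys.items()
        if rec["keyrec_type"] in OBSOLETE_KEY_TYPES)
    # Orphaned keys: key keyrecs no set keyrec names. Assumption: a key
    # already counted as obsolete is not counted again as orphaned.
    orphaned_keys = sorted(
        name for name in keys
        if name not in referenced_keys and name not in obsolete_keys)
    return {
        "obsolete_sets": obsolete_sets,
        "orphaned_keys": orphaned_keys,
        "obsolete_keys": obsolete_keys,
        "old_count": len(obsolete_sets) + len(orphaned_keys) + len(obsolete_keys),
    }

# Constructed sample data, not taken from a real keyrec file.
ZONES = {"example.com": {"sets": ["set-ksk-2", "set-zsk-2", "set-zsk-rev"]}}
SETS = {
    "set-ksk-1": {"keys": ["K-ksk-1"]},                     # no zone names it
    "set-ksk-2": {"keys": ["K-ksk-2"]},
    "set-zsk-2": {"keys": ["K-zsk-2"]},
    "set-zsk-rev": {"keys": ["K-zsk-rev"], "revoked": True},  # revoked
}
KEYS = {
    "K-ksk-1": {"keyrec_type": "kskobs"},    # obsolete key
    "K-ksk-2": {"keyrec_type": "kskcur"},
    "K-zsk-2": {"keyrec_type": "zskcur"},
    "K-zsk-rev": {"keyrec_type": "zskcur"},
    "K-zsk-0": {"keyrec_type": "zskcur"},    # no set names it: orphaned
}

if __name__ == "__main__":
    for label, value in classify(ZONES, SETS, KEYS).items():
        print(f"{label}: {value}")
```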


           Display a final count of old keyrecs found in the keyrec files.  This option allows
           the count to be displayed even if the -quiet option is given.

           The key keyrecs are checked for old keyrecs, but they are not removed from the keyrec
           file.  The names of the old keyrecs are displayed.

       -rm Delete the key files, both .key and .private, from orphaned and expired keyrecs.

           Display no output.

           Display output about referenced keys and unreferenced keys.

           Displays the version information for cleankrf and the DNSSEC-Tools package.

           Display a usage message.


       Copyright 2004-2014 SPARTA, Inc.  All rights reserved.  See the COPYING file included with
       the DNSSEC-Tools package for details.


       Wayne Morrison,


       fixkrf(8), lskrf(8), zonesigner(8)