Provided by: dnssec-tools_2.0-1_all

NAME

       krfcheck - Check a DNSSEC-Tools keyrec file for problems and inconsistencies

SYNOPSIS

         krfcheck [-zone | -set | -key] [-count] [-quiet]
                  [-verbose] [-Version] [-help] keyrec-file

DESCRIPTION

       This script checks a keyrec file for problems, potential problems, and inconsistencies.

       Recognized problems include:

       •   no zones defined

           The keyrec file does not contain any zone keyrecs.

       •   no sets defined

           The keyrec file does not contain any set keyrecs.

       •   no keys defined

           The keyrec file does not contain any key keyrecs.

       •   unknown zone keyrecs

           A set keyrec or a key keyrec references a non-existent zone keyrec.

       •   missing key from zone keyrec

           A zone keyrec does not have both a KSK key and a ZSK key.

       •   missing key from set keyrec

           A key listed in a set keyrec does not have a key keyrec.

       •   expired zone keyrecs

           A zone has expired.

       •   mislabeled key

           A key is labeled as a KSK (or ZSK) and its owner zone has it labeled as the opposite.

       •   invalid zone data values

           A zone's keyrec data are checked to ensure that they are valid.  The following
           conditions are checked:  existence of the zone file, existence of the KSK file,
           existence of the KSK and ZSK directories, the end-time is greater than one day, and
           the seconds-count and date string match.

       •   invalid key data values

           A key's keyrec data are checked to ensure that they are valid.  The following
           conditions are checked:  valid encryption algorithm, key length falls within
           algorithm's size range, random generator file exists, and the seconds-count and date
           string match.

       Recognized potential problems include:

       •   imminent zone expiration

           A zone will expire within one week.

       •   odd zone-signing date

           A zone's recorded signing date is later than the current system clock.

       •   orphaned keys

           A key keyrec is unreferenced by any set keyrec.

       •   missing key directories

           A zone keyrec's key directory (kskdirectory or zskdirectory) does not exist.

       Recognized inconsistencies include:

       •   key-specific fields in a zone keyrec

           A zone keyrec contains key-specific entries.  To allow for site-specific
           extensibility, krfcheck does not check for undefined keyrec fields.

       •   zone-specific fields in a key keyrec

           A key keyrec contains zone-specific entries.  To allow for site-specific
           extensibility, krfcheck does not check for undefined keyrec fields.

       •   mismatched zone timestamp

           A zone's seconds-count timestamp does not match its textual timestamp.

       •   mismatched set timestamp

           A set's seconds-count timestamp does not match its textual timestamp.

       •   mismatched key timestamp

           A key's seconds-count timestamp does not match its textual timestamp.
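
       Three of the checks described above (unknown zone keyrecs, orphaned keys, and
       mismatched timestamps), shown in Python as an added example; it is not krfcheck's
       own code.  The keyrec layout, the field names (zonename, keys, keyrec_*secs,
       keyrec_*date) and the reading of the date string as UTC are assumptions of the
       constructed sample.

```python
import calendar, re, time
# Constructed sample. Layout and field names are assumptions of this example.
SAMPLE = '''
zone "example.com"
    keyrec_signsecs "1700000000"
    keyrec_signdate "Tue Nov 14 22:13:20 2023"
set "set-1"
    zonename        "example.com"
    keys            "Kexample.com.+008+11111"
    keyrec_setsecs  "1700000000"
    keyrec_setdate  "Tue Nov 14 22:13:21 2023"
key "Kexample.com.+008+11111"
    zonename        "example.com"
key "Kexample.com.+008+22222"
    zonename        "example.org"
'''

LINE = re.compile(r'^(\s*)(\S+)\s+"([^"]*)"\s*$')
STAMP = {'zone': 'sign', 'set': 'set', 'key': 'gen'}  # assumed timestamp infixes

def parse_keyrecs(text):
    """Return {(type, name): {field: value}}; unindented lines start a record."""
    recs, cur = {}, None
    for m in filter(None, map(LINE.match, text.splitlines())):
        indent, field, value = m.groups()
        if not indent and field in STAMP:
            cur = recs.setdefault((field, value), {})
        elif cur is not None:
            cur[field] = value
    return recs

def check(recs):
    """Return (record name, problem) pairs for three of the checks listed above."""
    found = []
    zones = {n for t, n in recs if t == 'zone'}
    in_sets = {k for (t, _), r in recs.items() if t == 'set' for k in r.get('keys', '').split()}
    for (rtype, name), r in recs.items():
        if rtype != 'zone' and r.get('zonename') not in zones:
            found.append((name, 'unknown zone keyrec'))
        if rtype == 'key' and name not in in_sets:
            found.append((name, 'orphaned key'))
        secs, date = (r.get(f'keyrec_{STAMP[rtype]}{s}') for s in ('secs', 'date'))
        if secs and date and int(secs) != calendar.timegm(  # date read as UTC (assumption)
                time.strptime(date, '%a %b %d %H:%M:%S %Y')):
            found.append((name, f'mismatched {rtype} timestamp'))
    return found

if __name__ == '__main__':
    print(*check(parse_keyrecs(SAMPLE)), sep='\n')
```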

OPTIONS

       -zone
           Only perform checks of zone keyrecs.  This option may not be combined with the -set or
           -key options.

       -set
           Only perform checks of set keyrecs.  This option may not be combined with the -zone or
           -key options.

       -key
           Only perform checks of key keyrecs.  This option may not be combined with the -set or
           -zone options.

       -count
           Display a final count of errors.

       -quiet
           Do not display messages.  This option supersedes the setting of the -verbose option.

       -verbose
           Display many messages.  This option is subordinate to the -quiet option.

       -Version
           Display the version information for krfcheck and the DNSSEC-Tools package.

       -help
           Display a usage message.

COPYRIGHT

       Copyright 2004-2013 SPARTA, Inc.  All rights reserved.  See the COPYING file included with
       the DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@tislabs.com

SEE ALSO

       cleankrf(8), fixkrf(8), lskrf(1), zonesigner(8)

       Net::DNS::SEC::Tools::keyrec.pm(3)

       file-keyrec(5)