Provided by: dnssec-tools_2.0-1_all
NAME
krfcheck - Check a DNSSEC-Tools keyrec file for problems and inconsistencies
SYNOPSIS
krfcheck [-zone | -set | -key] [-count] [-quiet] [-verbose] [-Version] [-help] keyrec-file
DESCRIPTION
This script checks a keyrec file for problems, potential problems, and inconsistencies. Recognized problems include: • no zones defined The keyrec file does not contain any zone keyrecs. • no sets defined The keyrec file does not contain any set keyrecs. • no keys defined The keyrec file does not contain any key keyrecs. • unknown zone keyrecs A set keyrec or a key keyrec references a non-existent zone keyrec. • missing key from zone keyrec A zone keyrec does not have both a KSK key and a ZSK key. • missing key from set keyrec A key listed in a set keyrec does not have a key keyrec. • expired zone keyrecs A zone has expired. • mislabeled key A key is labeled as a KSK (or ZSK) and its owner zone has it labeled as the opposite. • invalid zone data values A zone's keyrec data are checked to ensure that they are valid. The following conditions are checked: existence of the zone file, existence of the KSK file, existence of the KSK and ZSK directories, the end-time is greater than one day, and the seconds-count and date string match. • invalid key data values A key's keyrec data are checked to ensure that they are valid. The following conditions are checked: valid encryption algorithm, key length falls within algorithm's size range, random generator file exists, and the seconds-count and date string match. Recognized potential problems include: • imminent zone expiration A zone will expire within one week. • odd zone-signing date A zone's recorded signing date is later than the current system clock. • orphaned keys A key keyrec is unreferenced by any set keyrec. • missing key directories A zone keyrec's key directories (kskdirectory or zskdirectory) does not exist. Recognized inconsistencies include: • key-specific fields in a zone keyrec A zone keyrec contains key-specific entries. To allow for site-specific extensibility, krfcheck does not check for undefined keyrec fields. • zone-specific fields in a key keyrec A key keyrec contains zone-specific entries. To allow for site-specific extensibility, krfcheck does not check for undefined keyrec fields. • mismatched zone timestamp A zone's seconds-count timestamp does not match its textual timestamp. • mismatched set timestamp A set's seconds-count timestamp does not match its textual timestamp. • mismatched key timestamp A key's seconds-count timestamp does not match its textual timestamp.
OPTIONS
-zone Only perform checks of zone keyrecs. This option may not be combined with the -set or -key options. -set Only perform checks of set keyrecs. This option may not be combined with the -zone or -key options. -key Only perform checks of key keyrecs. This option may not be combined with the -set or -zone options. -count Display a final count of errors. -quiet Do not display messages. This option supersedes the setting of the -verbose option. -verbose Display many messages. This option is subordinate to the -quiet option. -Version Displays the version information for krfcheck and the DNSSEC-Tools package. -help Display a usage message.
COPYRIGHT
Copyright 2004-2013 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.
AUTHOR
Wayne Morrison, tewok@tislabs.com
SEE ALSO
cleankrf(8), fixkrf(8), lskrf(1), zonesigner(8) Net::DNS::SEC::Tools::keyrec.pm(3) file-keyrec(5)