
Also known as ISC bind. This import adds utilities such as host(1), dig(1), and nslookup(1), as well as many other tools and libraries. Change-Id: I035ca46e64f1965d57019e773f4ff0ef035e4aa3
<!-- Creator : groff version 1.20.1 -->
<!-- CreationDate: Sat Aug 28 01:15:12 2010 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta name="generator" content="groff -Thtml, see www.gnu.org">
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<meta name="Content-Style" content="text/css">
<style type="text/css">
p { margin-top: 0; margin-bottom: 0; vertical-align: top }
pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
table { margin-top: 0; margin-bottom: 0; vertical-align: top }
h1 { text-align: center }
</style>
<title>zkt-keyman</title>
</head>
<body>

<h1 align="center">zkt-keyman</h1>

<a href="#NAME">NAME</a><br>
<a href="#SYNOPSYS">SYNOPSIS</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#GENERAL OPTIONS">GENERAL OPTIONS</a><br>
<a href="#COMMAND OPTIONS">COMMAND OPTIONS</a><br>
<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
<a href="#FILES">FILES</a><br>
<a href="#BUGS">BUGS</a><br>
<a href="#AUTHORS">AUTHORS</a><br>
<a href="#COPYRIGHT">COPYRIGHT</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>

<hr>

<h2>NAME
<a name="NAME"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">zkt-keyman
- A DNSSEC key management tool</p>

<h2>SYNOPSIS
<a name="SYNOPSYS"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman
-C</b> &lt;label&gt; [<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>]
[<b>-krpz</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>]<br>
<b>zkt-keyman --create=</b>&lt;label&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-krpz</b>]
[{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p>

<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman
-</b>{<b>P</b>|<b>A</b>|<b>D</b>|<b>R</b>}<b>&lt;keytag&gt;</b>
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>]
[{<i>keyfile</i>|<i>dir</i>} <i>...</i>]<br>
<b>zkt-keyman --published=</b>&lt;keytag&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>]
[{<i>keyfile</i>|<i>dir</i>} <i>...</i>]<br>
<b>zkt-keyman --active=</b>&lt;keytag&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>]
[{<i>keyfile</i>|<i>dir</i>} <i>...</i>]<br>
<b>zkt-keyman --depreciate=</b>&lt;keytag&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>]
[{<i>keyfile</i>|<i>dir</i>} <i>...</i>]<br>
<b>zkt-keyman --rename=</b>&lt;keytag&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>]
[{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p>

<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman
--destroy=</b>&lt;keytag&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>]
[{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p>

<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman
-9 | --ksk-rollover</b><br>
<b>zkt-keyman -1 | --ksk-roll-phase1</b> <i>do.ma.in.</i>
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>]<br>
<b>zkt-keyman -2 | --ksk-roll-phase2</b> <i>do.ma.in.</i>
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>]<br>
<b>zkt-keyman -3 | --ksk-roll-phase3</b> <i>do.ma.in.</i>
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>]<br>
<b>zkt-keyman -0 | --ksk-roll-stat</b>
<i>do.ma.in.</i> [<b>-V|--view</b> <i>view</i>]
[<b>-c</b> <i>file</i>]</p>

<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">The
<i>zkt-keyman</i> command is a wrapper around
<i>dnssec-keygen(8)</i> to assist in DNSSEC zone key
management.</p>

<p style="margin-left:11%; margin-top: 1em">The command is
intended for DNS key management, in particular for changing
the status of keys.</p>

<h2>GENERAL OPTIONS
<a name="GENERAL OPTIONS"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em"><b>-V</b>
<i>view</i><b>, --view=</b><i>view</i></p>

<p style="margin-left:22%;">Try to read the default
configuration from a file named
<i>dnssec-&lt;view&gt;.conf</i>. Instead of specifying the
-V or --view option every time, it is also possible to
create a hard or soft link to the executable file to give it
an additional name such as
<i>zkt-keyman-&lt;view&gt;</i>.</p>

<p style="margin-left:11%;"><b>-c</b> <i>file</i><b>,
--config=</b><i>file</i></p>

<p style="margin-left:22%;">Read default values from the
specified config file. Otherwise the default config file is
read, or the built-in defaults are used.</p>

<p style="margin-left:11%;"><b>-O</b>
<i>optstr</i><b>,
--config-option=</b><i>optstr</i></p>

<p style="margin-left:22%;">Set any config file option from
the command line. Several config file options may be given
in one argument string, delimited by semicolons (or
newlines).</p>

<p style="margin-left:11%;"><b>-d</b>,
<b>--directory</b></p>

<p style="margin-left:22%;">Skip directory arguments. This
is useful in combination with wildcard arguments, to
prevent dnssec-zkt from listing all keys found in
subdirectories. For example "zkt-keyman -d
*" will print a list of only those keys found in the
current directory. It may be easier to use
"zkt-keyman ." instead (without -r set). The
option works similarly to the -d option of
<i>ls(1)</i>.</p>

<p style="margin-left:11%;"><b>-k</b>,
<b>--ksk</b></p>

<p style="margin-left:22%;">Select key signing keys only
(default depends on command mode).</p>

<p style="margin-left:11%;"><b>-z</b>,
<b>--zsk</b></p>

<p style="margin-left:22%;">Select zone signing keys only
(default depends on command mode).</p>

<p style="margin-left:11%;"><b>-r</b>,
<b>--recursive</b></p>

<p style="margin-left:22%;">Recursive mode (default is
off).<br>
Also settable in the dnssec.conf file (parameter:
Recursive).</p>

<p style="margin-left:11%;"><b>-F</b>,
<b>--setlifetime</b></p>

<p style="margin-left:22%;">Set the key lifetime of all the
selected keys. Use option -k, -z, -l or the file and dir
arguments for key selection.</p>

<h2>COMMAND OPTIONS
<a name="COMMAND OPTIONS"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em"><b>-h</b>,
<b>--help</b></p>

<p style="margin-left:22%;">Print out the online help.</p>

<p style="margin-left:11%;"><b>-C</b> <i>zone</i><b>,
--create=</b><i>zone</i></p>

<p style="margin-left:22%;">Create a new zone signing key
for the given zone. Add option <b>-k</b> to create a
key signing key. The key algorithm and key length are
taken from built-in default values or from the parameter
settings in the <i>dnssec.conf</i> file.<br>
The keyfile will be created in the current directory if the
<b>-p</b> option is specified.</p>

<p style="margin-left:11%;"><b>-R</b>
<i>keyid</i><b>, --revoke=</b><i>keyid</i></p>

<p style="margin-left:22%;">Revoke the key signing key with
the given keyid. A revoked key has bit 8 of the flags field
set (see RFC5011). The keyid is the numeric keytag with an
optionally added zone name separated by a colon.</p>

<p style="margin-left:11%;"><b>--rename=</b><i>keyid</i></p>

<p style="margin-left:22%;">Rename the key files of the key
with the given keyid (look at key file names starting with
a lower-case 'k'). The keyid is the numeric keytag
with an optionally added zone name separated by a colon.</p>

<p style="margin-left:11%;"><b>--destroy=</b><i>keyid</i></p>

<p style="margin-left:22%;">Delete the key with the given
keyid. The keyid is the numeric keytag with an optionally
added zone name separated by a colon. Beware that this
deletes both the private and the public keyfile, so the key is
unrecoverably lost.</p>

<p style="margin-left:11%;"><b>-P|A|D</b>
<i>keyid,</i> <b>--published=</b><i>keyid,</i>
<b>--active=</b><i>keyid,</i>
<b>--depreciated=</b><i>keyid</i></p>

<p style="margin-left:22%;">Change the status of the given
DNSSEC key to published (<b>-P</b>), active
(<b>-A</b>) or depreciated (<b>-D</b>). The
<i>keyid</i> is the numeric keytag with an optionally added
zone name separated by a colon. Setting the status to
"published" or "depreciated" changes the
file name extension of the private key file to
".published" or ".depreciated"
respectively. This prevents the key from being used as a signing
key by <i>dnssec-signzone(8)</i>. The time of the
status change is stored in the 'mtime'
field of the corresponding ".key" file. Key
activation via option <b>-A</b> restores the
original timestamp and file name (".private").</p>
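<p style="margin-left:22%;">The keyid accepted by <b>-R</b>, <b>-P</b>, <b>-A</b> and <b>-D</b> is the numeric key tag of the DNSKEY record, and revocation sets bit 8 of its flags field. The Python below is an added illustration, not code from zkt or BIND: it parses a constructed ".key" line, derives the key tag as RFC 4034 appendix B defines it, classifies the key as KSK or ZSK by its SEP bit, sets the REVOKE bit, and reads the status back out of a private key file name as the status commands leave it. The function names, the dummy key and the BIND-style file name are assumptions of this example.</p>

```python
import base64

# Flag bits of a DNSKEY RR (RFC 4034 section 2.1, RFC 5011 section 2.1);
# bit numbers count from the most significant bit, as in the RFCs.
FLAG_ZONE_KEY = 0x0100   # bit 7
FLAG_REVOKE = 0x0080     # bit 8, the bit zkt-keyman -R sets
FLAG_SEP = 0x0001        # bit 15, distinguishes a KSK from a ZSK

# Constructed sample line in BIND ".key" file format; the key material is
# dummy bytes (01 02 03 04), not a real public key.
SAMPLE_KEY_LINE = "example.net. IN DNSKEY 257 3 8 AQIDBA=="


def parse_dnskey(line):
    """Return (owner, flags, protocol, algorithm, rdata) from a DNSKEY RR line."""
    tokens = line.split(";", 1)[0].split()    # drop a trailing comment
    idx = tokens.index("DNSKEY")              # owner [ttl] [class] DNSKEY ...
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    return tokens[0], flags, protocol, algorithm, rdata


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 appendix B, algorithms != 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_kind(flags):
    """'ksk' when the SEP bit is set, else 'zsk'; mirrors the -k / -z selection."""
    return "ksk" if flags & FLAG_SEP else "zsk"


def is_revoked(flags):
    return bool(flags & FLAG_REVOKE)


def revoke(rdata):
    """Return the RDATA with the REVOKE bit set; the flags feed the tag, so it changes."""
    flags = int.from_bytes(rdata[:2], "big") | FLAG_REVOKE
    return flags.to_bytes(2, "big") + rdata[2:]


def private_file_status(path):
    """Status encoded in the private key file name after -P, -A or -D."""
    for suffix, status in ((".private", "active"), (".published", "published"),
                           (".depreciated", "depreciated")):
        if path.endswith(suffix):
            return status
    raise ValueError("not a zkt-keyman private key file: " + path)
```

<p style="margin-left:22%;">Because the flags field is part of the key tag input, a key carries a different tag after revocation, so the keyid printed for it before <b>-R</b> no longer identifies it.</p>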

<p style="margin-left:11%;"><b>--ksk-roll-phase[123]</b>
<i>do.ma.in.</i></p>

<p style="margin-left:22%;">Initiate a key signing key
rollover of the specified domain. This feature is currently
experimental and is mainly intended for use in a
hierarchical environment. Use --ksk-rollover for a slightly
more detailed description.</p>

<h2>SAMPLE USAGE
<a name="SAMPLE USAGE"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman
-C example.net -k -r ./zonedir</b></p>

<p style="margin-left:22%;">Create a new key signing key
for the zone "example.net". Store the key in the
same directory below "zonedir" where the other
"example.net" keys live.</p>

<p style="margin-left:11%;"><b>zkt-keyman -D 123245
-r .</b></p>

<p style="margin-left:22%;">Depreciate the key with tag
"12345" below the current directory.</p>

<p style="margin-left:11%;"><b>zkt-keyman --view intern
-C example.net</b></p>

<p style="margin-left:22%;">Create a new zone key for the
internal zone example.net.</p>

<p style="margin-left:11%;"><b>zkt-keyman-intern</b></p>

<p style="margin-left:22%;">Same as above. The binary file
<i>zkt-keyman</i> has an additional link named
<i>zkt-keyman-intern</i>, and <i>zkt-keyman</i>
examines argv[0] to find the view whose zones it proceeds to
process.</p>

<h2>ENVIRONMENT VARIABLES
<a name="ENVIRONMENT VARIABLES"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p>

<p style="margin-left:22%;">Specifies the name of the
default global configuration file.</p>

<h2>FILES
<a name="FILES"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em"><i>/var/named/dnssec.conf</i></p>

<p style="margin-left:22%;">Built-in default global
configuration file. The name of the default global config
file is settable via the environment variable
ZKT_CONFFILE.</p>

<p style="margin-left:11%;"><i>/var/named/dnssec-&lt;view&gt;.conf</i></p>

<p style="margin-left:22%;">View specific global
configuration file.</p>

<p style="margin-left:11%;"><i>./dnssec.conf</i></p>

<p style="margin-left:22%;">Local configuration file (only
used in <b>-C</b> mode).</p>

<h2>BUGS
<a name="BUGS"></a>
</h2>

<h2>AUTHORS
<a name="AUTHORS"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">Holger
Zuleger</p>

<h2>COPYRIGHT
<a name="COPYRIGHT"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">Copyright (c)
2005 - 2008 by Holger Zuleger. Licensed under the BSD
Licences. There is NO warranty; not even for MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.</p>

<h2>SEE ALSO
<a name="SEE ALSO"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8),
zkt-ls(8), zkt-signer(8)<br>
RFC4641 "DNSSEC Operational Practices" by Miek
Gieben and Olaf Kolkman,<br>
DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC<br>
(http://www.nlnetlabs.nl/dnssec_howto/)</p>

<hr>
</body>
</html>