upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-02-03 20:40:08 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/bin/python/dnssec-coverage.rst
Ondřej Surý 2bf7921c7e Update the copyright information in all files in the repository 
This commit converts the license handling to adhere to the REUSE
specification.  It specifically:

1. Adds used licnses to LICENSES/ directory

2. Add "isc" template for adding the copyright boilerplate

3. Changes all source files to include copyright and SPDX license
   header, this includes all the C sources, documentation, zone files,
   configuration files.  There are notes in the doc/dev/copyrights file
   on how to add correct headers to the new files.

4. Handle the rest that can't be modified via .reuse/dep5 file.  The
   binary (or otherwise unmodifiable) files could have license places
   next to them in <foo>.license file, but this would lead to cluttered
   repository and most of the files handled in the .reuse/dep5 file are
   system test files.

(cherry picked from commit 58bd26b6cf)
2022-01-11 12:22:09 +01:00

152 lines
5.7 KiB
ReStructuredText
Raw Permalink Blame History

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. _man_dnssec-coverage:
dnssec-coverage - checks future DNSKEY coverage for a zone
----------------------------------------------------------
Synopsis
~~~~~~~~
``dnssec-coverage`` [**-K**\ *directory*] [**-l**\ *length*]
[**-f**\ *file*] [**-d**\ *DNSKEY TTL*] [**-m**\ *max TTL*]
[**-r**\ *interval*] [**-c**\ *compilezone path*] [**-k**] [**-z**]
[zone...]
Description
~~~~~~~~~~~
``dnssec-coverage`` verifies that the DNSSEC keys for a given zone or a
set of zones have timing metadata set properly to ensure no future
lapses in DNSSEC coverage.
If ``zone`` is specified, then keys found in the key repository matching
that zone are scanned, and an ordered list is generated of the events
scheduled for that key (i.e., publication, activation, inactivation,
deletion). The list of events is walked in order of occurrence. Warnings
are generated if any event is scheduled which could cause the zone to
enter a state in which validation failures might occur: for example, if
the number of published or active keys for a given algorithm drops to
zero, or if a key is deleted from the zone too soon after a new key is
rolled, and cached data signed by the prior key has not had time to
expire from resolver caches.
If ``zone`` is not specified, then all keys in the key repository will
be scanned, and all zones for which there are keys will be analyzed.
(Note: This method of reporting is only accurate if all the zones that
have keys in a given repository share the same TTL parameters.)
Options
~~~~~~~
**-K** *directory*
Sets the directory in which keys can be found. Defaults to the
current working directory.
**-f** *file*
If a ``file`` is specified, then the zone is read from that file; the
largest TTL and the DNSKEY TTL are determined directly from the zone
data, and the ``-m`` and ``-d`` options do not need to be specified
on the command line.
**-l** *duration*
The length of time to check for DNSSEC coverage. Key events scheduled
further into the future than ``duration`` will be ignored, and
assumed to be correct.
The value of ``duration`` can be set in seconds, or in larger units
of time by adding a suffix: mi for minutes, h for hours, d for days,
w for weeks, mo for months, y for years.
**-m** *maximum TTL*
Sets the value to be used as the maximum TTL for the zone or zones
being analyzed when determining whether there is a possibility of
validation failure. When a zone-signing key is deactivated, there
must be enough time for the record in the zone with the longest TTL
to have expired from resolver caches before that key can be purged
from the DNSKEY RRset. If that condition does not apply, a warning
will be generated.
The length of the TTL can be set in seconds, or in larger units of
time by adding a suffix: mi for minutes, h for hours, d for days, w
for weeks, mo for months, y for years.
This option is not necessary if the ``-f`` has been used to specify a
zone file. If ``-f`` has been specified, this option may still be
used; it will override the value found in the file.
If this option is not used and the maximum TTL cannot be retrieved
from a zone file, a warning is generated and a default value of 1
week is used.
**-d** *DNSKEY TTL*
Sets the value to be used as the DNSKEY TTL for the zone or zones
being analyzed when determining whether there is a possibility of
validation failure. When a key is rolled (that is, replaced with a
new key), there must be enough time for the old DNSKEY RRset to have
expired from resolver caches before the new key is activated and
begins generating signatures. If that condition does not apply, a
warning will be generated.
The length of the TTL can be set in seconds, or in larger units of
time by adding a suffix: mi for minutes, h for hours, d for days, w
for weeks, mo for months, y for years.
This option is not necessary if ``-f`` has been used to specify a
zone file from which the TTL of the DNSKEY RRset can be read, or if a
default key TTL was set using ith the ``-L`` to ``dnssec-keygen``. If
either of those is true, this option may still be used; it will
override the values found in the zone file or the key file.
If this option is not used and the key TTL cannot be retrieved from
the zone file or the key file, then a warning is generated and a
default value of 1 day is used.
**-r** *resign interval*
Sets the value to be used as the resign interval for the zone or
zones being analyzed when determining whether there is a possibility
of validation failure. This value defaults to 22.5 days, which is
also the default in ``named``. However, if it has been changed by the
``sig-validity-interval`` option in named.conf, then it should also
be changed here.
The length of the interval can be set in seconds, or in larger units
of time by adding a suffix: mi for minutes, h for hours, d for days,
w for weeks, mo for months, y for years.
**-k**
Only check KSK coverage; ignore ZSK events. Cannot be used with
``-z``.
**-z**
Only check ZSK coverage; ignore KSK events. Cannot be used with
``-k``.
**-c** *compilezone path*
Specifies a path to a ``named-compilezone`` binary. Used for testing.
See Also
~~~~~~~~
``dnssec-checkds``\ (8), ``dnssec-dsfromkey``\ (8),
``dnssec-keygen``\ (8), ``dnssec-signzone``\ (8)
Reference in a new issue View git blame Copy permalink