mirror of
https://github.com/isc-projects/bind9.git
synced 2026-02-26 11:32:01 -05:00
1d239012a9
Commit070c5fff49updated the man pages to contents produced using: - Sphinx 4.0.2 - sphinx-rtd-theme 0.5.2 - docutils 0.17.1 However, sphinx-rtd-theme 0.5.2 is incompatible with versions 0.17+ of the docutils package. This problem was addressed in the Docker image used for building man pages by downgrading the docutils package to version 0.16. Regenerate the man pages again, this time using: - Sphinx 4.0.2 - sphinx-rtd-theme 0.5.2 - docutils 0.16 This is necessary to prevent the "docs" GitLab CI job from failing. (cherry picked from commit6a2daddf5b)
192 lines
6.5 KiB
Text
192 lines
6.5 KiB
Text
.\" Man page generated from reStructuredText.
|
|
.
|
|
.TH "DNSSEC-COVERAGE" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
|
|
.SH NAME
|
|
dnssec-coverage \- checks future DNSKEY coverage for a zone
|
|
.
|
|
.nr rst2man-indent-level 0
|
|
.
|
|
.de1 rstReportMargin
|
|
\\$1 \\n[an-margin]
|
|
level \\n[rst2man-indent-level]
|
|
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
-
|
|
\\n[rst2man-indent0]
|
|
\\n[rst2man-indent1]
|
|
\\n[rst2man-indent2]
|
|
..
|
|
.de1 INDENT
|
|
.\" .rstReportMargin pre:
|
|
. RS \\$1
|
|
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
|
. nr rst2man-indent-level +1
|
|
.\" .rstReportMargin post:
|
|
..
|
|
.de UNINDENT
|
|
. RE
|
|
.\" indent \\n[an-margin]
|
|
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.nr rst2man-indent-level -1
|
|
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
|
..
|
|
.SH SYNOPSIS
|
|
.sp
|
|
\fBdnssec\-coverage\fP [\fB\-K\fP\fIdirectory\fP] [\fB\-l\fP\fIlength\fP]
|
|
[\fB\-f\fP\fIfile\fP] [\fB\-d\fP\fIDNSKEY TTL\fP] [\fB\-m\fP\fImax TTL\fP]
|
|
[\fB\-r\fP\fIinterval\fP] [\fB\-c\fP\fIcompilezone path\fP] [\fB\-k\fP] [\fB\-z\fP]
|
|
[zone...]
|
|
.SH DESCRIPTION
|
|
.sp
|
|
\fBdnssec\-coverage\fP verifies that the DNSSEC keys for a given zone or a
|
|
set of zones have timing metadata set properly to ensure no future
|
|
lapses in DNSSEC coverage.
|
|
.sp
|
|
If \fBzone\fP is specified, then keys found in the key repository matching
|
|
that zone are scanned, and an ordered list is generated of the events
|
|
scheduled for that key (i.e., publication, activation, inactivation,
|
|
deletion). The list of events is walked in order of occurrence. Warnings
|
|
are generated if any event is scheduled which could cause the zone to
|
|
enter a state in which validation failures might occur: for example, if
|
|
the number of published or active keys for a given algorithm drops to
|
|
zero, or if a key is deleted from the zone too soon after a new key is
|
|
rolled, and cached data signed by the prior key has not had time to
|
|
expire from resolver caches.
|
|
.sp
|
|
If \fBzone\fP is not specified, then all keys in the key repository will
|
|
be scanned, and all zones for which there are keys will be analyzed.
|
|
(Note: This method of reporting is only accurate if all the zones that
|
|
have keys in a given repository share the same TTL parameters.)
|
|
.SH OPTIONS
|
|
.sp
|
|
\fB\-K\fP \fIdirectory\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
Sets the directory in which keys can be found. Defaults to the
|
|
current working directory.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
\fB\-f\fP \fIfile\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
If a \fBfile\fP is specified, then the zone is read from that file; the
|
|
largest TTL and the DNSKEY TTL are determined directly from the zone
|
|
data, and the \fB\-m\fP and \fB\-d\fP options do not need to be specified
|
|
on the command line.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
\fB\-l\fP \fIduration\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
The length of time to check for DNSSEC coverage. Key events scheduled
|
|
further into the future than \fBduration\fP will be ignored, and
|
|
assumed to be correct.
|
|
.sp
|
|
The value of \fBduration\fP can be set in seconds, or in larger units
|
|
of time by adding a suffix: mi for minutes, h for hours, d for days,
|
|
w for weeks, mo for months, y for years.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
\fB\-m\fP \fImaximum TTL\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
Sets the value to be used as the maximum TTL for the zone or zones
|
|
being analyzed when determining whether there is a possibility of
|
|
validation failure. When a zone\-signing key is deactivated, there
|
|
must be enough time for the record in the zone with the longest TTL
|
|
to have expired from resolver caches before that key can be purged
|
|
from the DNSKEY RRset. If that condition does not apply, a warning
|
|
will be generated.
|
|
.sp
|
|
The length of the TTL can be set in seconds, or in larger units of
|
|
time by adding a suffix: mi for minutes, h for hours, d for days, w
|
|
for weeks, mo for months, y for years.
|
|
.sp
|
|
This option is not necessary if the \fB\-f\fP has been used to specify a
|
|
zone file. If \fB\-f\fP has been specified, this option may still be
|
|
used; it will override the value found in the file.
|
|
.sp
|
|
If this option is not used and the maximum TTL cannot be retrieved
|
|
from a zone file, a warning is generated and a default value of 1
|
|
week is used.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
\fB\-d\fP \fIDNSKEY TTL\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
Sets the value to be used as the DNSKEY TTL for the zone or zones
|
|
being analyzed when determining whether there is a possibility of
|
|
validation failure. When a key is rolled (that is, replaced with a
|
|
new key), there must be enough time for the old DNSKEY RRset to have
|
|
expired from resolver caches before the new key is activated and
|
|
begins generating signatures. If that condition does not apply, a
|
|
warning will be generated.
|
|
.sp
|
|
The length of the TTL can be set in seconds, or in larger units of
|
|
time by adding a suffix: mi for minutes, h for hours, d for days, w
|
|
for weeks, mo for months, y for years.
|
|
.sp
|
|
This option is not necessary if \fB\-f\fP has been used to specify a
|
|
zone file from which the TTL of the DNSKEY RRset can be read, or if a
|
|
default key TTL was set using ith the \fB\-L\fP to \fBdnssec\-keygen\fP\&. If
|
|
either of those is true, this option may still be used; it will
|
|
override the values found in the zone file or the key file.
|
|
.sp
|
|
If this option is not used and the key TTL cannot be retrieved from
|
|
the zone file or the key file, then a warning is generated and a
|
|
default value of 1 day is used.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
\fB\-r\fP \fIresign interval\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
Sets the value to be used as the resign interval for the zone or
|
|
zones being analyzed when determining whether there is a possibility
|
|
of validation failure. This value defaults to 22.5 days, which is
|
|
also the default in \fBnamed\fP\&. However, if it has been changed by the
|
|
\fBsig\-validity\-interval\fP option in named.conf, then it should also
|
|
be changed here.
|
|
.sp
|
|
The length of the interval can be set in seconds, or in larger units
|
|
of time by adding a suffix: mi for minutes, h for hours, d for days,
|
|
w for weeks, mo for months, y for years.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
\fB\-k\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
Only check KSK coverage; ignore ZSK events. Cannot be used with
|
|
\fB\-z\fP\&.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
\fB\-z\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
Only check ZSK coverage; ignore KSK events. Cannot be used with
|
|
\fB\-k\fP\&.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
\fB\-c\fP \fIcompilezone path\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
Specifies a path to a \fBnamed\-compilezone\fP binary. Used for testing.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.SH SEE ALSO
|
|
.sp
|
|
\fBdnssec\-checkds\fP(8), \fBdnssec\-dsfromkey\fP(8),
|
|
\fBdnssec\-keygen\fP(8), \fBdnssec\-signzone\fP(8)
|
|
.SH AUTHOR
|
|
Internet Systems Consortium
|
|
.SH COPYRIGHT
|
|
2021, Internet Systems Consortium
|
|
.\" Generated by docutils manpage writer.
|
|
.
|