<!-- Creator : groff version 1.20.1 -->
<!-- CreationDate: Sat Aug 28 01:15:12 2010 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta name="generator" content="groff -Thtml, see www.gnu.org">
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<meta name="Content-Style" content="text/css">
<style type="text/css">
       p { margin-top: 0; margin-bottom: 0; vertical-align: top }
       pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
       table { margin-top: 0; margin-bottom: 0; vertical-align: top }
       h1 { text-align: center }
</style>
<title>zkt-keyman</title>
</head>
<body>

<h1 align="center">zkt-keyman</h1>

<a href="#NAME">NAME</a><br>
<a href="#SYNOPSYS">SYNOPSIS</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#GENERAL OPTIONS">GENERAL OPTIONS</a><br>
<a href="#COMMAND OPTIONS">COMMAND OPTIONS</a><br>
<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
<a href="#FILES">FILES</a><br>
<a href="#BUGS">BUGS</a><br>
<a href="#AUTHORS">AUTHORS</a><br>
<a href="#COPYRIGHT">COPYRIGHT</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>

<hr>

<h2>NAME
<a name="NAME"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">zkt-keyman
— A DNSSEC key management tool</p>

<h2>SYNOPSIS
<a name="SYNOPSYS"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman
-C</b> [<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>]
[<b>-krpz</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>] <br>
<b>zkt-keyman --create=</b>
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-krpz</b>]
[{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p>

<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman
-</b>{<b>P</b>|<b>A</b>|<b>D</b>|<b>R</b>}<b>&lt;keytag&gt;</b>
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>]
[{<i>keyfile</i>|<i>dir</i>} <i>...</i>] <br>
<b>zkt-keyman --published=</b>&lt;keytag&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>]
[{<i>keyfile</i>|<i>dir</i>} <i>...</i>] <br>
<b>zkt-keyman --active=</b>&lt;keytag&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>]
[{<i>keyfile</i>|<i>dir</i>} <i>...</i>] <br>
<b>zkt-keyman --depreciate=</b>&lt;keytag&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>]
[{<i>keyfile</i>|<i>dir</i>} <i>...</i>] <br>
<b>zkt-keyman --rename=</b>&lt;keytag&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>]
[{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p>

<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman
--destroy=</b>&lt;keytag&gt;
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] [<b>-r</b>]
[{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p>

<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman
-9 | --ksk-rollover <br>
zkt-keyman -1 | --ksk-roll-phase1</b> <i>do.ma.in.</i>
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] <br>
<b>zkt-keyman -2 | --ksk-roll-phase2</b> <i>do.ma.in.</i>
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] <br>
<b>zkt-keyman -3 | --ksk-roll-phase3</b> <i>do.ma.in.</i>
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>] <br>
<b>zkt-keyman -0 | --ksk-roll-stat</b> <i>do.ma.in.</i>
[<b>-V|--view</b> <i>view</i>] [<b>-c</b> <i>file</i>]</p>

<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">The
<i>zkt-keyman</i> command is a wrapper around
<i>dnssec-keygen(8)</i> to assist in DNSSEC zone key
management.</p>

<p style="margin-left:11%; margin-top: 1em">The command is
useful for DNS key management, in particular for modifying
the status of keys.</p>

<h2>GENERAL OPTIONS
<a name="GENERAL OPTIONS"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em"><b>-V</b>
<i>view</i><b>, --view=</b><i>view</i></p>

<p style="margin-left:22%;">Try to read the default
configuration from a file named
<i>dnssec-&lt;view&gt;.conf</i>. Instead of specifying the
-V or --view option every time, it is also possible to
create a hard or soft link to the executable to give it
an additional name such as
<i>zkt-keyman-&lt;view&gt;</i>.</p>

<p style="margin-left:11%;"><b>-c</b> <i>file</i><b>,
--config=</b><i>file</i></p>

<p style="margin-left:22%;">Read default values from the
specified config file. Otherwise the default config file is
read, or built-in defaults are used.</p>

<p style="margin-left:11%;"><b>-O</b>
<i>optstr</i><b>,
--config-option=</b><i>optstr</i></p>

<p style="margin-left:22%;">Set any config file option via
the command line. Several config file options can be
given in the argument string, delimited by
semicolons (or newlines).</p>

<p style="margin-left:11%;"><b>-d</b>,
<b>--directory</b></p>

<p style="margin-left:22%;">Skip directory arguments. This
is useful in combination with wildcard arguments, to
prevent dnssec-zkt from listing all keys found in
subdirectories. For example, "zkt-keyman -d
*" prints a list of only those keys found in the
current directory. It may be easier to use
"zkt-keyman ." instead (without -r set). The
option works similarly to the -d option of
<i>ls(1)</i>.</p>

<p style="margin-left:11%;"><b>-k</b>,
<b>--ksk</b></p>

<p style="margin-left:22%;">Select key signing keys only
(default depends on command mode).</p>

<p style="margin-left:11%;"><b>-z</b>,
<b>--zsk</b></p>

<p style="margin-left:22%;">Select zone signing keys only
(default depends on command mode).</p>

<p style="margin-left:11%;"><b>-r</b>,
<b>--recursive</b></p>

<p style="margin-left:22%;">Recursive mode (default is
off). <br>
Also settable in the dnssec.conf file (parameter:
Recursive).</p>

<p style="margin-left:11%;"><b>-F</b>,
<b>--setlifetime</b></p>

<p style="margin-left:22%;">Set the key lifetime of all the
selected keys. Use option -k, -z, -l or the file and dir
arguments for key selection.</p>

<h2>COMMAND OPTIONS
<a name="COMMAND OPTIONS"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em"><b>-h</b>,
<b>--help</b></p>

<p style="margin-left:22%;">Print out the online help.</p>

<p style="margin-left:11%;"><b>-C</b> <i>zone</i><b>,
--create=</b><i>zone</i></p>

<p style="margin-left:22%;">Create a new zone signing key
for the given zone. Add option <b>-k</b> to create a
key signing key. The key algorithm and key length are
taken from built-in default values or from the parameter
settings in the <i>dnssec.conf</i> file. <br>
The key file is created in the current directory if the
<b>-p</b> option is specified.</p>

<p style="margin-left:11%;"><b>-R</b>
<i>keyid</i><b>, --revoke=</b><i>keyid</i></p>

<p style="margin-left:22%;">Revoke the key signing key with
the given keyid. A revoked key has bit 8 in the flags field
set (see RFC5011). The keyid is the numeric keytag with an
optionally added zone name separated by a colon.</p>

<p style="margin-left:11%;"><b>--rename=</b><i>keyid</i></p>

<p style="margin-left:22%;">Rename the key files of the key
with the given keyid (look at key file names starting with
a lower-case 'k'). The keyid is the numeric keytag
with an optionally added zone name separated by a colon.</p>

<p style="margin-left:11%;"><b>--destroy=</b><i>keyid</i></p>

<p style="margin-left:22%;">Deletes the key with the given
keyid. The keyid is the numeric keytag with an optionally
added zone name separated by a colon. Beware that this
deletes both the private and the public key file, so the key
is unrecoverably lost.</p>

<p style="margin-left:11%;"><b>-P|A|D</b>
<i>keyid,</i> <b>--published=</b><i>keyid,</i>
<b>--active=</b><i>keyid,</i>
<b>--depreciated=</b><i>keyid</i></p>

<p style="margin-left:22%;">Change the status of the given
DNSSEC key to published (<b>-P</b>), active
(<b>-A</b>) or depreciated (<b>-D</b>). The
<i>keyid</i> is the numeric keytag with an optionally added
zone name separated by a colon. Setting the status to
"published" or "depreciated" changes
the file name of the private key file to
".published" or ".depreciated"
respectively. This prevents the key from being used as a
signing key by <i>dnssec-signzone(8)</i>. The time of the
status change is stored in the 'mtime'
field of the corresponding ".key" file. Key
activation via option <b>-A</b> restores the
original timestamp and file name (".private").</p>

<p style="margin-left:11%;"><b>--ksk-roll-phase[123]</b>
<i>do.ma.in.</i></p>

<p style="margin-left:22%;">Initiate a key signing key
rollover of the specified domain. This feature is currently
experimental and is mainly intended for use in a
hierarchical environment.
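The published/active/depreciated file-name convention described above under -P|A|D, as an added example that is not zkt's own code: a small Python helper that audits a key directory by the suffix of each key's private part and performs the same rename for a keyid of the form keytag[:zone], refusing a bare keytag that matches keys in more than one zone. It assumes dnssec-keygen's K{zone}.+{alg}+{keytag}.{ext} file naming, builds a scratch directory of empty, constructed key files, and leaves out the mtime bookkeeping.

```python
import os
import re
import tempfile

# dnssec-keygen names key files K{zone}.+{alg}+{keytag}.{ext} (assumed convention); zkt-keyman
# renames the private part to .published/.depreciated so dnssec-signzone(8) will not use it.
KEYFILE_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})"
                        r"\.(?P<ext>key|private|published|depreciated)$")
EXT_OF_STATUS = {"active": "private", "published": "published", "depreciated": "depreciated"}
STATUS_OF_EXT = {v: k for k, v in EXT_OF_STATUS.items()}

def parse_keyid(keyid):
    """Split '12345' or '12345:example.net.' into (12345, 'example.net' or None)."""
    tag, _, zone = keyid.partition(":")
    if not tag.isdigit():
        raise ValueError("keyid must look like KEYTAG[:ZONE], got %r" % keyid)
    return int(tag), (zone.rstrip(".") or None)

def private_parts(directory, tag=None, zone=None):
    """Yield (zone, keytag, ext, filename) for private-part files, optionally filtered."""
    for name in sorted(os.listdir(directory)):
        m = KEYFILE_RE.match(name)
        if not m or m.group("ext") == "key":
            continue
        if tag not in (None, int(m.group("tag"))) or zone not in (None, m.group("zone")):
            continue
        yield m.group("zone"), int(m.group("tag")), m.group("ext"), name

def key_status(directory):
    """Audit view: {(zone, keytag): 'active' | 'published' | 'depreciated'}."""
    return {(z, t): STATUS_OF_EXT[e] for z, t, e, _ in private_parts(directory)}

def set_status(directory, keyid, new_status):
    """Rename the private part of exactly one key; an ambiguous keyid is refused."""
    tag, zone = parse_keyid(keyid)
    hits = list(private_parts(directory, tag, zone))
    if len(hits) != 1:
        raise LookupError("%r matched %d keys; add ':zone' to disambiguate" % (keyid, len(hits)))
    _, _, old_ext, old_name = hits[0]
    new_name = old_name[:-len(old_ext)] + EXT_OF_STATUS[new_status]
    os.rename(os.path.join(directory, old_name), os.path.join(directory, new_name))
    return new_name

def constructed_keydir():
    """Scratch directory holding empty, constructed key files (no real key material)."""
    d = tempfile.mkdtemp()
    for base in ("Kexample.net.+008+12345", "Kexample.net.+008+54321", "Kintern.example.+008+12345"):
        for ext in ("key", "private"):
            open(os.path.join(d, base + "." + ext), "w").close()
    return d
```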
Use --ksk-rollover for a slightly more detailed description.</p>

<h2>SAMPLE USAGE
<a name="SAMPLE USAGE"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman
-C example.net -k -r ./zonedir</b></p>

<p style="margin-left:22%;">Create a new key signing key
for the zone "example.net". Store the key in the
same directory below "zonedir" where the other
"example.net" keys live.</p>

<p style="margin-left:11%;"><b>zkt-keyman -D 123245
-r .</b></p>

<p style="margin-left:22%;">Depreciate the key with tag
"12345" below the current directory.</p>

<p style="margin-left:11%;"><b>zkt-keyman --view intern
-C example.net</b></p>

<p style="margin-left:22%;">Create a new zone key for the
internal zone example.net.</p>

<p style="margin-left:11%;"><b>zkt-keyman-intern</b></p>

<p style="margin-left:22%;">Same as above. A second link
named <i>zkt-keyman-intern</i> is made to the
<i>zkt-keyman</i> binary; <i>zkt-keyman</i>
examines argv[0] to find the view whose zones it then
processes.</p>

<h2>ENVIRONMENT VARIABLES
<a name="ENVIRONMENT VARIABLES"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p>

<p style="margin-left:22%;">Specifies the name of the
default global configuration file.</p>

<h2>FILES
<a name="FILES"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em"><i>/var/named/dnssec.conf</i></p>

<p style="margin-left:22%;">Built-in default global
configuration file. The name of the default global config
file is settable via the environment variable
ZKT_CONFFILE.</p>

<p style="margin-left:11%;"><i>/var/named/dnssec-&lt;view&gt;.conf</i></p>

<p style="margin-left:22%;">View-specific global
configuration file.</p>

<p style="margin-left:11%;"><i>./dnssec.conf</i></p>

<p style="margin-left:22%;">Local configuration file (only
used in <b>-C</b> mode).</p>

<h2>BUGS
<a name="BUGS"></a>
</h2>

<h2>AUTHORS
<a name="AUTHORS"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">Holger
Zuleger</p>

<h2>COPYRIGHT
<a name="COPYRIGHT"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">Copyright (c)
2005 - 2008 by Holger Zuleger. Licensed under the BSD
License. There is NO warranty; not even for MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.</p>

<h2>SEE ALSO
<a name="SEE ALSO"></a>
</h2>

<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8),
zkt-ls(8), zkt-signer(8) <br>
RFC4641 "DNSSEC Operational Practices" by Miek
Gieben and Olaf Kolkman, <br>
DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC <br>
 (http://www.nlnetlabs.nl/dnssec_howto/)</p>
<hr>
</body>
</html>