Rechercher une page de manuel
dnskey-pull
Langue: en
Version: 7 November 2008 (fedora - 04/07/09)
Section: 1 (Commandes utilisateur)
NAME
dnskey-pull - fetch DNSKEY records from a zone, from all sub-zones or from a webpageSYNOPSIS
- dnskey-pull [-a] [-t] [-o <output>] [-s <ns>] zone [..]
- dnskey-pull [-o <output>] url [..]
DESCRIPTION
dnskey-pull
- obtains Key-Signing-Key (KSK) DNSKEY records for use as trust-anchor with recursing nameserver that are setup to use DNSSEC.
dnskey-pull itself performs no DNSSEC validation. dnskey-pull pulls KSK DNSKEY records for a single zone but can also be told, if it has zone-transfer (AXFR) permission, to lookup KSK DNSKEY records for all NS records found in a zone. This latter feature can be used to find new DNSKEY's in TLD's.
The output of this command can be directly included in the configuration files for the Bind and Unbound recursing nameservers as DNSSEC trust anchor.
dnskey-pull ignores the system's /etc/resolv.conf setting for domain appending, and treats all zone arguments as FQDN. It does use the system's resolver settings for recursive lookups.
OPTIONS
-a
- Use a zone-transfer (AXFR) to find all NS records in a zone and return any DNSKEY records found for these NS records in trusted-key format. Note that AXFR is often blocked on nameservers.
-s <nameserver>
- Use the specified nameserver to perform the zone-transfer (AXFR).
-t
- Return the resulting DNSKEY's within a trusted-key { }; statement, compatible for including with a bind or unbound nameserver configuration.
EXAMPLES
Get all DNSKEY records for Top Level Domains (TLD's) in the Root (".") zone, using the F root-server that allows zone-transfers:
% dnskey-pull -t -a -s f.root-servers.net .
Get a trusted-key statement for the xelerance.com zone:
% dnskey-pull -t xelerance.com
Get the trusted keys for the TLD's of Sweden, Brasil and Bulgaria:
% dnskey-pull se. br. bg.
Find all secured ENUM zones:
% dnskey-pull -a -s ns-pri.ripe.net. e164.arpa.
Find the keys on the webpage of the Brasil NIC:
% dnskey-pull https://registro.br/ksk/index.html
EXIT STATUS
dnskey-pull returns 0 when it found one or more DNSKEY records, and non-zero upon finding no DNSKEY records.
SEE ALSO
dnssec-configure(1), system-config-dnssec(1), named.conf(8), unbound.conf(8), autotrust(8), unbound-host(8).
AUTHOR
Paul Wouters <paul@xelerance.com>
Contenus ©2006-2024 Benjamin Poulain
Design ©2006-2024 Maxime Vantorre