dnskey-pull

Language: en

Version: 7 November 2008 (fedora - 04/07/09)

Section: 1 (User commands)

NAME

dnskey-pull - fetch DNSKEY records from a zone, from all sub-zones or from a webpage

SYNOPSIS

dnskey-pull [-a] [-t] [-o <output>] [-s <ns>] zone [..]
dnskey-pull [-o <output>] url [..]

DESCRIPTION

dnskey-pull obtains Key-Signing-Key (KSK) DNSKEY records for use as trust anchors with recursing nameservers that are set up to use DNSSEC.

dnskey-pull itself performs no DNSSEC validation. dnskey-pull pulls KSK DNSKEY records for a single zone, but if it has zone-transfer (AXFR) permission it can also be told to look up KSK DNSKEY records for all NS records found in a zone. This latter feature can be used to find new DNSKEYs in TLDs.

The output of this command can be directly included in the configuration files for the BIND and Unbound recursing nameservers as a DNSSEC trust anchor.

dnskey-pull ignores the system's /etc/resolv.conf setting for domain appending, and treats all zone arguments as FQDNs. It does use the system's resolver settings for recursive lookups.
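Because dnskey-pull performs no DNSSEC validation, a fetched key should be matched against a DS digest obtained out of band before it is installed as a trust anchor. The following Python code is an added example, not part of dnskey-pull: it assumes records in zone-file presentation form (owner [ttl] IN DNSKEY flags proto alg key), and its function names and sample records are constructed for illustration.

```python
import base64
import hashlib

# Constructed sample records with toy key material (not real keys).
SAMPLE = [
    "example.test. 3600 IN DNSKEY 257 3 8 AwEAAQ==",  # KSK
    "example.test. 3600 IN DNSKEY 256 3 8 AQID",      # ZSK
]

def parse_dnskey(line):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg base64...' or return None."""
    fields = line.split(";", 1)[0].split()  # drop any trailing comment
    if "DNSKEY" not in fields:
        return None
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags, flags.to_bytes(2, "big") + bytes([proto, alg]) + key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, not algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256(owner wire form | DNSKEY RDATA)."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest()

def vetted_ksks(lines, trusted_ds):
    """Return (owner, key tag) for each active KSK whose DS digest is trusted."""
    trusted = {(o.lower(), d.lower()) for o, d in trusted_ds}
    ok = []
    for rec in filter(None, map(parse_dnskey, lines)):
        owner, flags, rdata = rec
        if (flags & 0x0181) != 0x0101:  # need ZONE + SEP set, REVOKE clear
            continue
        if (owner.lower(), ds_sha256(owner, rdata)) in trusted:
            ok.append((owner, key_tag(rdata)))
    return ok

if __name__ == "__main__":
    for line in SAMPLE:
        owner, flags, rdata = parse_dnskey(line)
        print(owner, flags, key_tag(rdata), ds_sha256(owner, rdata))
```

The trusted_ds argument is a list of (owner, SHA-256 DS digest in hex) pairs taken from a source other than the DNS answer itself, such as a registry's signed publication.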

OPTIONS

-a

Use a zone-transfer (AXFR) to find all NS records in a zone and return any DNSKEY records found for these NS records in trusted-key format. Note that AXFR is often blocked on nameservers.

-s <nameserver>

Use the specified nameserver to perform the zone-transfer (AXFR).

-t

Return the resulting DNSKEYs within a trusted-key { }; statement, suitable for inclusion in a BIND or Unbound nameserver configuration.

EXAMPLES

Get all DNSKEY records for Top Level Domains (TLDs) in the Root (".") zone, using the F root-server that allows zone-transfers:

% dnskey-pull -t -a -s f.root-servers.net .

Get a trusted-key statement for the xelerance.com zone:

% dnskey-pull -t xelerance.com

Get the trusted keys for the TLDs of Sweden, Brazil and Bulgaria:

% dnskey-pull se. br. bg.

Find all secured ENUM zones:

% dnskey-pull -a -s ns-pri.ripe.net. e164.arpa.

Find the keys on the webpage of the Brazilian NIC:

% dnskey-pull https://registro.br/ksk/index.html

EXIT STATUS

dnskey-pull returns 0 when it finds one or more DNSKEY records, and non-zero when it finds none.

SEE ALSO

dnssec-configure(1), system-config-dnssec(1), named.conf(8), unbound.conf(8), autotrust(8), unbound-host(8).

AUTHOR

Paul Wouters <paul@xelerance.com>