krfcheck.1p

Language: en

Version: 2008-07-23 (debian - 07/07/09)

Section: 1 (User commands)

NAME

krfcheck - Check a DNSSEC-Tools keyrec file for problems and inconsistencies

SYNOPSIS

   krfcheck [-zone | -set | -key] [-count] [-quiet]
            [-verbose] [-Version] [-help] keyrec-file

DESCRIPTION

This script checks a keyrec file for problems, potential problems, and inconsistencies.

Recognized problems include:

no zones defined

The keyrec file does not contain any zone keyrecs.

no sets defined

The keyrec file does not contain any set keyrecs.

no keys defined

The keyrec file does not contain any key keyrecs.

unknown zone keyrecs

A set keyrec or a key keyrec references a non-existent zone keyrec.

missing key from zone keyrec

A zone keyrec does not have both a KSK key and a ZSK key.

missing key from set keyrec

A key listed in a set keyrec does not have a key keyrec.

expired zone keyrecs

A zone has expired.

mislabeled key

A key is labeled as a KSK (or ZSK) and its owner zone has it labeled as the opposite.

invalid zone data values

A zone's keyrec data are checked to ensure that they are valid. The following conditions are checked: existence of the zone file, existence of the KSK file, existence of the KSK and ZSK directories, the end-time is greater than one day, and the seconds-count and date string match.

invalid key data values

A key's keyrec data are checked to ensure that they are valid. The following conditions are checked: valid encryption algorithm, key length falls within algorithm's size range, random generator file exists, and the seconds-count and date string match.

Recognized potential problems include:

imminent zone expiration

A zone will expire within one week.

odd zone-signing date

A zone's recorded signing date is later than the current system clock.

orphaned keys

A key keyrec is unreferenced by any set keyrec.

missing key directories

A zone keyrec's key directories (kskdirectory or zskdirectory) do not exist.

Recognized inconsistencies include:

key-specific fields in a zone keyrec

A zone keyrec contains key-specific entries. To allow for site-specific extensibility, krfcheck does not check for undefined keyrec fields.

zone-specific fields in a key keyrec

A key keyrec contains zone-specific entries. To allow for site-specific extensibility, krfcheck does not check for undefined keyrec fields.

mismatched zone timestamp

A zone's seconds-count timestamp does not match its textual timestamp.

mismatched set timestamp

A set's seconds-count timestamp does not match its textual timestamp.

mismatched key timestamp

A key's seconds-count timestamp does not match its textual timestamp.
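
The Python below is an added illustration, not krfcheck's own code or part of DNSSEC-Tools. It re-implements three of the checks listed above (unknown zone keyrecs, orphaned keys, mismatched timestamps) over a constructed sample. The names parse, check and SAMPLE are hypothetical, and the field names and the reading of date strings as UTC are assumptions.

```python
import re, time
from calendar import timegm

# Constructed sample. Field names and the UTC reading of the date strings
# are assumptions made for this example; see file-keyrec(5) for the format.
SAMPLE = '''
zone "example.com"
    keyrec_signsecs "1215000000"
    keyrec_signdate "Wed Jul  2 12:00:00 2008"
set "set-ksk"
    zonename "example.com"
    keys "Kexample.com.+005+11111"
    keyrec_setsecs "1215000000"
    keyrec_setdate "Wed Jul  2 12:00:01 2008"
key "Kexample.com.+005+11111"
    zonename "example.com"
key "Kexample.org.+005+22222"
    zonename "example.org"
'''

def parse(text):
    """Split text into records: an unindented line opens one, indented lines fill it."""
    recs = []
    for line in text.splitlines():
        m = re.match(r'\s*(\S+)\s+"(.*)"\s*$', line)
        if m and not line[0].isspace():
            recs.append({"type": m[1], "name": m[2], "fields": {}})
        elif m and recs:
            recs[-1]["fields"][m[1]] = m[2]
    return recs

def check(recs):
    """Return (problem, keyrec name) pairs for three of the listed checks."""
    zones = {r["name"] for r in recs if r["type"] == "zone"}
    in_sets = {k for r in recs if r["type"] == "set"
               for k in r["fields"].get("keys", "").split()}
    found = []
    for r in recs:
        f = r["fields"]
        if r["type"] in ("set", "key") and f.get("zonename") not in zones:
            found.append(("unknown zone", r["name"]))
        if r["type"] == "key" and r["name"] not in in_sets:
            found.append(("orphaned key", r["name"]))
        for k in [k for k in f if k.endswith("secs") and k[:-4] + "date" in f]:
            stamp = time.strptime(f[k[:-4] + "date"], "%a %b %d %H:%M:%S %Y")
            if timegm(stamp) != int(f[k]):
                found.append(("mismatched timestamp", r["name"]))
    return found

if __name__ == "__main__":
    print(check(parse(SAMPLE)))
```
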

OPTIONS

-zone
Only perform checks of zone keyrecs. This option may not be combined with the -set or -key options.
-set
Only perform checks of set keyrecs. This option may not be combined with the -zone or -key options.
-key
Only perform checks of key keyrecs. This option may not be combined with the -set or -zone options.
-count
Display a final count of errors.
-quiet
Do not display messages. This option supersedes the setting of the -verbose option.
-verbose
Display many messages. This option is subordinate to the -quiet option.
-Version
Display the krfcheck version number and exit.
-help
Display a usage message.

COPYRIGHT

Copyright 2004-2008 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.

AUTHOR

Wayne Morrison, tewok@users.sourceforge.net

SEE ALSO

cleankrf(8), fixkrf(8), lskrf(1), zonesigner(8)

Net::DNS::SEC::Tools::keyrec.pm(3)

file-keyrec(5)