<!-- Creator : groff version 1.20.1 --> <!-- CreationDate: Tue Mar 23 23:47:31 2010 --> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta name="generator" content="groff -Thtml, see www.gnu.org"> <meta http-equiv="Content-Type" content="text/html; charset=US-ASCII"> <meta name="Content-Style" content="text/css"> <style type="text/css"> p { margin-top: 0; margin-bottom: 0; vertical-align: top } pre { margin-top: 0; margin-bottom: 0; vertical-align: top } table { margin-top: 0; margin-bottom: 0; vertical-align: top } h1 { text-align: center } </style> <title>zkt−keyman</title> </head> <body> <h1 align="center">zkt−keyman</h1> <a href="#NAME">NAME</a><br> <a href="#SYNOPSYS">SYNOPSYS</a><br> <a href="#DESCRIPTION">DESCRIPTION</a><br> <a href="#GENERAL OPTIONS">GENERAL OPTIONS</a><br> <a href="#COMMAND OPTIONS">COMMAND OPTIONS</a><br> <a href="#SAMPLE USAGE">SAMPLE USAGE</a><br> <a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br> <a href="#FILES">FILES</a><br> <a href="#BUGS">BUGS</a><br> <a href="#AUTHORS">AUTHORS</a><br> <a href="#COPYRIGHT">COPYRIGHT</a><br> <a href="#SEE ALSO">SEE ALSO</a><br> <hr> <h2>NAME <a name="NAME"></a> </h2> <p style="margin-left:11%; margin-top: 1em">zkt−keyman — A DNSSEC key management tool</p> <h2>SYNOPSYS <a name="SYNOPSYS"></a> </h2> <p style="margin-left:11%; margin-top: 1em"><b>zkt−keyman −C</b><label> [<b>−V|--view</b> <i>view</i>] [<b>−c</b> <i>file</i>] [<b>−krpz</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>] <b><br> zkt−keyman −−create=</b><label> [<b>−V|--view</b> <i>view</i>] [<b>−c</b> <i>file</i>] [<b>−krpz</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p> <p style="margin-left:11%; margin-top: 1em"><b>zkt−keyman −</b>{<b>P</b>|<b>A</b>|<b>D</b>|<b>R</b>}<b><keytag></b> [<b>−V|--view</b> <i>view</i>] [<b>−c</b> <i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>] <b><br> zkt−keyman −−published=</b><keytag> [<b>−V|--view</b> <i>view</i>] [<b>−c</b> <i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>] <b><br> zkt−keyman −−active=</b><keytag> [<b>−V|--view</b> <i>view</i>] [<b>−c</b> <i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>] <b><br> zkt−keyman −−depreciate=</b><keytag> [<b>−V|--view</b> <i>view</i>] [<b>−c</b> <i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>] <b><br> zkt−keyman −−rename=</b><keytag> [<b>−V|--view</b> <i>view</i>] [<b>−c</b> <i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p> <p style="margin-left:11%; margin-top: 1em"><b>zkt−keyman −−destroy=</b><keytag> [<b>−V|--view</b> <i>view</i>] [<b>−c</b> <i>file</i>] [<b>−r</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p> <p style="margin-left:11%; margin-top: 1em"><b>zkt−keyman −9 | −−ksk-rollover <br> zkt−keyman −1 | −−ksk-roll-phase1</b> <i>do.ma.in.</i> [<b>−V|--view</b> <i>view</i>] [<b>−c</b> <i>file</i>] <b><br> zkt−keyman −2 | −−ksk-roll-phase2</b> <i>do.ma.in.</i> [<b>−V|--view</b> <i>view</i>] [<b>−c</b> <i>file</i>] <b><br> zkt−keyman −3 | −−ksk-roll-phase3</b> <i>do.ma.in.</i> [<b>−V|--view</b> <i>view</i>] [<b>−c</b> <i>file</i>] <b><br> zkt−keyman −0 | −−ksk-roll-stat</b> <i>do.ma.in.</i> [<b>−V|--view</b> <i>view</i>] [<b>−c</b> <i>file</i>]</p> <h2>DESCRIPTION <a name="DESCRIPTION"></a> </h2> <p style="margin-left:11%; margin-top: 1em">The <i>zkt−keyman</i> command is a wrapper around <i>dnssec-keygen(8)</i> to assist in dnssec zone key management.</p> <p style="margin-left:11%; margin-top: 1em">The command is useful in dns key management. It is suitable for modification of key status.</p> <h2>GENERAL OPTIONS <a name="GENERAL OPTIONS"></a> </h2> <p style="margin-left:11%; margin-top: 1em"><b>−V</b> <i>view</i><b>, −−view=</b><i>view</i></p> <p style="margin-left:22%;">Try to read the default configuration out of a file named <i>dnssec-<view>.conf .</i> Instead of specifying the −V or --view option every time, it is also possible to create a hard or softlink to the executable file to give it an additional name like <i>zkt−keyman−<view> .</i></p> <p style="margin-left:11%;"><b>−c</b> <i>file</i><b>, −−config=</b><i>file</i></p> <p style="margin-left:22%;">Read default values from the specified config file. Otherwise the default config file is read or build in defaults will be used.</p> <p style="margin-left:11%;"><b>−O</b> <i>optstr</i><b>, −−config-option=</b><i>optstr</i></p> <p style="margin-left:22%;">Set any config file option via the commandline. Several config file options could be specified at the argument string but have to be delimited by semicolon (or newline).</p> <p style="margin-left:11%;"><b>−d</b>, <b>−−directory</b></p> <p style="margin-left:22%;">Skip directory arguments. This will be useful in combination with wildcard arguments to prevent dnsssec-zkt to list all keys found in subdirectories. For example "zkt−keyman -d *" will print out a list of all keys only found in the current directory. Maybe it is easier to use "zkt−keyman ." instead (without -r set). The option works similar to the −d option of <i>ls(1)</i>.</p> <p style="margin-left:11%;"><b>−k</b>, <b>−−ksk</b></p> <p style="margin-left:22%;">Select key signing keys only (default depends on command mode).</p> <p style="margin-left:11%;"><b>−z</b>, <b>−−zsk</b></p> <p style="margin-left:22%;">Select zone signing keys only (default depends on command mode).</p> <p style="margin-left:11%;"><b>−r</b>, <b>−−recursive</b></p> <p style="margin-left:22%;">Recursive mode (default is off). <br> Also settable in the dnssec.conf file (Parameter: Recursive).</p> <p style="margin-left:11%;"><b>−F</b>, <b>−−setlifetime</b></p> <p style="margin-left:22%;">Set the key lifetime of all the selected keys. Use option -k, -z, -l or the file and dir argument for key selection.</p> <h2>COMMAND OPTIONS <a name="COMMAND OPTIONS"></a> </h2> <p style="margin-left:11%; margin-top: 1em"><b>−h</b>, <b>−−help</b></p> <p style="margin-left:22%;">Print out the online help.</p> <p style="margin-left:11%;"><b>−C</b> <i>zone</i><b>, −−create=</b><i>zone</i></p> <p style="margin-left:22%;">Create a new zone signing key for the given zone. Add option <b>−k</b> to create a key signing key. The key algorithm and key length will be examined from built-in default values or from the parameter settings in the <i>dnssec.conf</i> file. <br> The keyfile will be created in the current directory if the <b>−p</b> option is specified.</p> <p style="margin-left:11%;"><b>−R</b> <i>keyid</i><b>, −−revoke=</b><i>keyid</i></p> <p style="margin-left:22%;">Revoke the key signing key with the given keyid. A revoked key has bit 8 in the flags filed set (see RFC5011). The keyid is the numeric keytag with an optionally added zone name separated by a colon.</p> <p style="margin-left:11%;"><b>−−rename="</b><i>keyid</i></p> <p style="margin-left:22%;">Rename the key files of the key with the given keyid (Look at key file names starting with an lower ’k’). The keyid is the numeric keytag with an optionally added zone name separated by a colon.</p> <p style="margin-left:11%;"><b>−−destroy=</b><i>keyid</i></p> <p style="margin-left:22%;">Deletes the key with the given keyid. The keyid is the numeric keytag with an optionally added zone name separated by a colon. Beware that this deletes both private and public keyfiles, thus the key is unrecoverable lost.</p> <p style="margin-left:11%;"><b>−P|A|D</b> <i>keyid,</i> <b>−−published=</b><i>keyid,</i> <b>−−active=</b><i>keyid,</i> <b>−−depreciated=</b><i>keyid</i></p> <p style="margin-left:22%;">Change the status of the given dnssec key to published (<b>−P</b>), active (<b>−A</b>) or depreciated (<b>−D</b>). The <i>keyid</i> is the numeric keytag with an optionally added zone name separated by a colon. Setting the status to "published" or "depreciate" will change the filename of the private key file to ".published" or ".depreciated" respectivly. This prevents the usage of the key as a signing key by the use of <i>dnssec-signzone(8)</i>. The time of status change will be stored in the ’mtime’ field of the corresponding ".key" file. Key activation via option <b>−A</b> will restore the original timestamp and file name (".private").</p> <p style="margin-left:11%;"><b>−−ksk-roll-phase[123]</b> <i>do.ma.in.</i></p> <p style="margin-left:22%;">Initiate a key signing key rollover of the specified domain. This feature is currently in experimental status and is mainly for the use in an hierachical environment. Use --ksk-rollover for a little more detailed description.</p> <h2>SAMPLE USAGE <a name="SAMPLE USAGE"></a> </h2> <p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman −C example.net −k −r ./zonedir</b></p> <p style="margin-left:22%;">Create a new key signing key for the zone "example.net". Store the key in the same directory below "zonedir" where the other "example.net" keys live.</p> <p style="margin-left:11%;"><b>zkt-keyman −D 123245 −r .</b></p> <p style="margin-left:22%;">Depreciate the key with tag "12345" below the current directory,</p> <p style="margin-left:11%;"><b>zkt-keyman --view intern −C example.net</b></p> <p style="margin-left:22%;">Create a new zone key for the internal zone example.net.</p> <p style="margin-left:11%;"><b>zkt-keyman-intern</b></p> <p style="margin-left:22%;">Same as above. The binary file <i>zkt−keyman</i> has another link, named <i>zkt-keyman-intern</i> made, and <i>zkt−keyman</i> examines argv[0] to find a view whose zones it proceeds to process.</p> <h2>ENVIRONMENT VARIABLES <a name="ENVIRONMENT VARIABLES"></a> </h2> <p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p> <p style="margin-left:22%;">Specifies the name of the default global configuration files.</p> <h2>FILES <a name="FILES"></a> </h2> <p style="margin-left:11%; margin-top: 1em"><i>/var/named/dnssec.conf</i></p> <p style="margin-left:22%;">Built-in default global configuration file. The name of the default global config file is settable via the environment variable ZKT_CONFFILE.</p> <p style="margin-left:11%;"><i>/var/named/dnssec-<view>.conf</i></p> <p style="margin-left:22%;">View specific global configuration file.</p> <p style="margin-left:11%;"><i>./dnssec.conf</i></p> <p style="margin-left:22%;">Local configuration file (only used in <b>−C</b> mode).</p> <h2>BUGS <a name="BUGS"></a> </h2> <h2>AUTHORS <a name="AUTHORS"></a> </h2> <p style="margin-left:11%; margin-top: 1em">Holger Zuleger</p> <h2>COPYRIGHT <a name="COPYRIGHT"></a> </h2> <p style="margin-left:11%; margin-top: 1em">Copyright (c) 2005 − 2008 by Holger Zuleger. Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.</p> <h2>SEE ALSO <a name="SEE ALSO"></a> </h2> <p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8), zkt-ls(8), zkt-signer(8) <br> RFC4641 "DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman, <br> DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC <br> (http://www.nlnetlabs.nl/dnssec_howto/)</p> <hr> </body> </html>