.TH zkt-ls 8 "February 25, 2010" "ZKT 1.0" ""
\" turn off hyphenation
.\" if n .nh
.nh
.SH NAME
zkt\-ls \(em list dnskeys
.SH SYNOPSYS
.na
.B zkt\-ls
.B \-H
.B zkt\-ls
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-l
.IR "list" ]
.RB [ \-adefhkLprtz ]
.RI [{ keyfile | dir }
.RI "" ... ]
.B zkt\-ls
.B \-T
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-l
.IR "list" ]
.RB [ \-dhrz ]
.RI [{ keyfile | dir }
.RI "" ... ]
.br
.B zkt\-ls
.B \-\-list-trustedkeys
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-l
.IR "list" ]
.RB [ \-dhrz ]
.RI [{ keyfile | dir }
.RI "" ... ]
.B zkt\-ls
.B \-K
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-l
.IR "list" ]
.RB [ \-dhkrz ]
.RI [{ keyfile | dir }
.RI "" ... ]
.br
.B zkt\-ls
.B \-\-list-dnskeys
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-l
.IR "list" ]
.RB [ \-dhkrz ]
.RI [{ keyfile | dir }
.RI "" ... ]
.SH DESCRIPTION
The
.I zkt-ls
command list all dnssec zone keys found in the given or predefined
default directory.
It is also possible to specify keyfiles (K*.key) as arguments.
With option
.B \-r
subdirectories will be searched recursively and all dnssec keys found
are listed, sorted by domain name, key type and generation time.
In that mode the use of option
.B \-p
may be helpful to find the location of the keyfile in the directory tree.
.PP
Other forms of the command, print out keys in a format suitable for
a trusted-key section
.RB ( \-T )
or as a DNSKEY
.RB ( \-K )
resource record.
.SH GENERAL OPTIONS
.TP
.BI \-V " view" ", \-\-view=" view
Try to read the default configuration out of a file named
.I dnssec-<view>.conf .
Instead of specifying the \-V or --view option every time,
it is also possible to create a hard or softlink to the
executable file to give it an additional name like
.I zkt-ls-<view> .
.TP
.BI \-c " file" ", \-\-config=" file
Read default values from the specified config file.
Otherwise the default config file is read or build in defaults
will be used.
.TP
.BI \-O " optstr" ", \-\-config-option=" optstr
Set any config file option via the commandline.
Several config file options could be specified at the argument string
but have to be delimited by semicolon (or newline).
.TP
.BI \-l " list" ", \-\-label=" list
Print out information solely about domains given in the comma or space separated
list.
Take care of, that every domain name has a trailing dot.
.TP
.BR \-d ", " \-\-directory
Skip directory arguments.
This will be useful in combination with wildcard arguments
to prevent dnsssec-zkt to list all keys found in subdirectories.
For example "zkt-ls -d *" will print out a list of all keys only found in
the current directory.
Maybe it is easier to use "zkt-ls ." instead (without -r set).
The option works similar to the \-d option of
.IR ls(1) .
.TP
.BR \-L ", " \-\-left-justify
Print out the domain name left justified.
.TP
.BR \-k ", " \-\-ksk
Select and print key signing keys only (default depends on command mode).
.TP
.BR \-z ", " \-\-zsk
Select and print zone signing keys only (default depends on command mode).
.TP
.BR \-r ", " \-\-recursive
Recursive mode (default is off).
.br
Also settable in the dnssec.conf file (Parameter: Recursive).
.TP
.BR \-p ", " \-\-path
Print pathname in listing mode.
In -C mode, don't create the new key in the same directory as (already existing)
keys with the same label.
.TP
.BR \-a ", " \-\-age
Print age of key in weeks, days, hours, minutes and seconds (default is off).
.br
Also settable in the dnssec.conf file (Parameter: PrintAge).
.TP
.BR \-f ", " \-\-lifetime
Print the key lifetime.
.TP
.BR \-e ", " \-\-exptime
Print the key expiration time.
.TP
.BR \-t ", " \-\-time
Print the key generation time (default is on).
.br
Also settable in the dnssec.conf file (Parameter: PrintTime).
.TP
.B \-h
No header or trusted-key section header and trailer in -T mode
.SH COMMAND OPTIONS
.TP
.BR \-H ", " \-\-help
Print out the online help.
.TP
.BR \-T ", " \-\-list-trustedkeys
List all key signing keys as a
.I named.conf
trusted-key section.
Use
.B \-h
to supress the section header/trailer.
.TP
.BR \-K ", " \-\-list-dnskeys
List the public part of all the keys in DNSKEY resource record format.
Use
.B \-h
to suppress comment lines.
.SH SAMPLE USAGE
.TP
.fam C
.B "zkt\-ls \-r .
.fam T
Print out a list of all zone keys found below the current directory.
.TP
.fam C
.B "zkt\-ls \-Z \-c """"
.fam T
Print out the compiled in default parameters.
.TP
.fam C
.B "zkt\-ls \-T ./zonedir/example.net
.fam T
Print out a trusted-key section containing the key signing keys of "example.net".
.TP
.fam C
.B "zkt\-ls --view intern
.fam T
Print out a list of all zone keys found below the directory where all
the zones of view intern live.
There should be a seperate dnssec config file
.I dnssec-intern.conf
with a directory option to take affect of this.
.TP
.fam C
.B "zkt\-ls\-intern
.fam T
Same as above.
The binary file
.I zkt\-ls
has another link, named
.I zkt\-ls\-intern
made, and
.I zkt\-ls
examines argv[0] to find a view whose zones it proceeds to process.
.SH ENVIRONMENT VARIABLES
.TP
ZKT_CONFFILE
Specifies the name of the default global configuration files.
.SH FILES
.TP
.I /var/named/dnssec.conf
Built-in default global configuration file.
The name of the default global config file is settable via
the environment variable ZKT_CONFFILE.
.TP
.I /var/named/dnssec-<view>.conf
View specific global configuration file.
.TP
.I ./dnssec.conf
Local configuration file (only used in
.B \-C
mode).
.SH BUGS
.PP
Some of the general options will not be meaningful in all of the command modes.
.br
The option
.B \-l
and the ksk rollover options
insist on domain names ending with a dot.
.SH AUTHORS
Holger Zuleger
.SH COPYRIGHT
Copyright (c) 2005 \- 2010 by Holger Zuleger.
Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
.\"--------------------------------------------------
.SH SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8), zkt-keyman(8), zkt-signer(8)
.br
RFC4641
"DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
.br
DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
.br
(http://www.nlnetlabs.nl/dnssec_howto/)