<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
               [<!ENTITY mdash "—">]>
<!--
 - Copyright (C) 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<refentry id="man.dnssec-coverage">
  <refentryinfo>
    <date>January 11, 2014</date>
  </refentryinfo>

  <refmeta>
    <refentrytitle><application>dnssec-coverage</application></refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo>BIND9</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname><application>dnssec-coverage</application></refname>
    <refpurpose>checks future DNSKEY coverage for a zone</refpurpose>
  </refnamediv>

  <docinfo>
    <copyright>
      <year>2013</year>
      <year>2014</year>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
  </docinfo>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>dnssec-coverage</command>
      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
      <arg><option>-l <replaceable class="parameter">length</replaceable></option></arg>
      <arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
      <arg><option>-d <replaceable class="parameter">DNSKEY TTL</replaceable></option></arg>
      <arg><option>-m <replaceable class="parameter">max TTL</replaceable></option></arg>
      <arg><option>-r <replaceable class="parameter">interval</replaceable></option></arg>
      <arg><option>-c <replaceable class="parameter">compilezone path</replaceable></option></arg>
      <arg><option>-k</option></arg>
      <arg><option>-z</option></arg>
      <arg choice="opt">zone</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>DESCRIPTION</title>
    <para><command>dnssec-coverage</command>
      verifies that the DNSSEC keys for a given zone or a set of zones
      have timing metadata set properly to ensure no future lapses in DNSSEC
      coverage.
    </para>
    <para>
      If <option>zone</option> is specified, then keys found in
      the key repository matching that zone are scanned, and an ordered
      list is generated of the events scheduled for each key (i.e.,
      publication, activation, inactivation, deletion).  The list of
      events is walked in order of occurrence.  Warnings are generated
      if any event is scheduled which could cause the zone to enter a
      state in which validation failures might occur: for example, if
      the number of published or active keys for a given algorithm drops
      to zero, or if a key is deleted from the zone too soon after a new
      key is rolled, and cached data signed by the prior key has not had
      time to expire from resolver caches.
    </para>
    <para>
      If <option>zone</option> is not specified, then all keys in the
      key repository will be scanned, and all zones for which there are
      keys will be analyzed.  (Note: This method of reporting is only
      accurate if all the zones that have keys in a given repository
      share the same TTL parameters.)
    </para>
  </refsect1>

  <refsect1>
    <title>OPTIONS</title>

    <variablelist>
      <varlistentry>
        <term>-K <replaceable class="parameter">directory</replaceable></term>
        <listitem>
          <para>
            Sets the directory in which keys can be found.  Defaults to the
            current working directory.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-f <replaceable class="parameter">file</replaceable></term>
        <listitem>
          <para>
            If a <option>file</option> is specified, then the zone is
            read from that file; the largest TTL and the DNSKEY TTL are
            determined directly from the zone data, and the
            <option>-m</option> and <option>-d</option> options do
            not need to be specified on the command line.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-l <replaceable class="parameter">duration</replaceable></term>
        <listitem>
          <para>
            The length of time to check for DNSSEC coverage.  Key events
            scheduled further into the future than <option>duration</option>
            will be ignored, and assumed to be correct.
          </para>
          <para>
            The value of <option>duration</option> can be set in seconds,
            or in larger units of time by adding a suffix: 'mi' for minutes,
            'h' for hours, 'd' for days, 'w' for weeks, 'mo' for months,
            'y' for years.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-m <replaceable class="parameter">maximum TTL</replaceable></term>
        <listitem>
          <para>
            Sets the value to be used as the maximum TTL for the zone or
            zones being analyzed when determining whether there is a
            possibility of validation failure.  When a zone-signing key is
            deactivated, there must be enough time for the record in the
            zone with the longest TTL to have expired from resolver caches
            before that key can be purged from the DNSKEY RRset.  If that
            condition does not apply, a warning will be generated.
          </para>
          <para>
            The length of the TTL can be set in seconds, or in larger units
            of time by adding a suffix: 'mi' for minutes, 'h' for hours,
            'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
          </para>
          <para>
            This option is mandatory unless <option>-f</option> has
            been used to specify a zone file.  (If <option>-f</option> has
            been specified, this option may still be used; it will override
            the value found in the file.)
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-d <replaceable class="parameter">DNSKEY TTL</replaceable></term>
        <listitem>
          <para>
            Sets the value to be used as the DNSKEY TTL for the zone or
            zones being analyzed when determining whether there is a
            possibility of validation failure.  When a key is rolled (that
            is, replaced with a new key), there must be enough time
            for the old DNSKEY RRset to have expired from resolver caches
            before the new key is activated and begins generating
            signatures.  If that condition does not apply, a warning
            will be generated.
          </para>
          <para>
            The length of the TTL can be set in seconds, or in larger units
            of time by adding a suffix: 'mi' for minutes, 'h' for hours,
            'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
          </para>
          <para>
            This option is mandatory unless <option>-f</option> has
            been used to specify a zone file, or a default key TTL was
            set with the <option>-L</option> option to
            <command>dnssec-keygen</command>.  (If either of those is true,
            this option may still be used; it will override the value found
            in the zone or key file.)
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-r <replaceable class="parameter">resign interval</replaceable></term>
        <listitem>
          <para>
            Sets the value to be used as the resign interval for the zone
            or zones being analyzed when determining whether there is a
            possibility of validation failure.  This value defaults to
            22.5 days, which is also the default in
            <command>named</command>.  However, if it has been changed
            by the <option>sig-validity-interval</option> option in
            <filename>named.conf</filename>, then it should also be
            changed here.
          </para>
          <para>
            The length of the interval can be set in seconds, or in larger
            units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
            'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-k</term>
        <listitem>
          <para>
            Only check KSK coverage; ignore ZSK events.  Cannot be
            used with <option>-z</option>.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-z</term>
        <listitem>
          <para>
            Only check ZSK coverage; ignore KSK events.  Cannot be
            used with <option>-k</option>.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-c <replaceable class="parameter">compilezone path</replaceable></term>
        <listitem>
          <para>
            Specifies a path to a <command>named-compilezone</command> binary.
            Used for testing.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>SEE ALSO</title>
    <para>
      <citerefentry>
        <refentrytitle>dnssec-checkds</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>dnssec-dsfromkey</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>
    </para>
  </refsect1>

  <refsect1>
    <title>AUTHOR</title>
    <para><corpauthor>Internet Systems Consortium</corpauthor>
    </para>
  </refsect1>

</refentry><!--
 - Local variables:
 - mode: sgml
 - End:
-->
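The DESCRIPTION and the -d/-m/-l/-k/-z options above describe one procedure: collect each key's publish/activate/inactive/delete times, walk them in order, and warn when a key is activated less than one DNSKEY TTL after publication, deleted less than the zone's maximum TTL after going inactive, or when the count of active or published keys for an algorithm drops to zero. The following is an added Python model of that walk, written for this page; it is not ISC's `dnssec-coverage` code. It assumes Unix-second timestamps, treats 'mo' as 30 days and 'y' as 365 days when parsing the duration suffixes the page lists, uses constructed key names and times, and implements only the checks the man page names (the real tool also accounts for the resign interval and reads metadata from key files).

```python
"""Simplified model of the key-event walk dnssec-coverage performs.
Added example, not ISC's code.  Assumes Unix-second timestamps, 'mo' = 30
days and 'y' = 365 days, and models only the checks the man page names."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Suffixes accepted by -l, -m, -d and -r; a bare number is seconds.
_UNITS = {"": 1, "mi": 60, "h": 3600, "d": 86400, "w": 7 * 86400,
          "mo": 30 * 86400, "y": 365 * 86400}
# Tie-break order: a successor is activated before its predecessor goes
# inactive, so a rollover at one instant is not reported as a gap.
_ORDER = {"publish": 0, "activate": 1, "inactive": 2, "delete": 3}


def parse_duration(text: str) -> int:
    """'3600' -> 3600, '30mi' -> 1800, '22.5d' -> 1944000, '1mo' -> 2592000."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(mi|mo|h|d|w|y)?\s*", text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2) or ""])


@dataclass
class Key:
    name: str          # constructed identifier in the K<zone>+<alg>+<id> style
    algorithm: int     # DNSKEY algorithm number
    ksk: bool          # True for a KSK, False for a ZSK
    publish: Optional[int] = None
    activate: Optional[int] = None
    inactive: Optional[int] = None
    delete: Optional[int] = None


def check_coverage(keys: List[Key], dnskey_ttl: int, max_ttl: int, now: int,
                   duration: int, only: Optional[str] = None) -> List[str]:
    """Walk scheduled events in order and return the warnings found.
    only='ksk'/'zsk' mirrors -k/-z.  Events before `now` update the state but
    never warn; events beyond now + duration are ignored, as with -l."""
    events = sorted(((getattr(k, kind), kind, k) for k in keys for kind in _ORDER
                     if getattr(k, kind) is not None),
                    key=lambda e: (e[0], _ORDER[e[1]]))
    published, active, warnings = {}, {}, []
    for t, kind, k in events:
        if (only == "ksk" and not k.ksk) or (only == "zsk" and k.ksk):
            continue
        if t > now + duration:
            break
        role = "KSK" if k.ksk else "ZSK"
        pub = published.setdefault((k.algorithm, k.ksk), set())
        act = active.setdefault((k.algorithm, k.ksk), set())
        found = []
        if kind == "publish":
            pub.add(k.name)
        elif kind == "activate":
            # The new DNSKEY must have been visible for one DNSKEY TTL before
            # it signs anything, or validators may still hold the old RRset.
            if k.publish is None or t - k.publish < dnskey_ttl:
                found.append(f"{k.name}: activated less than DNSKEY TTL "
                             f"({dnskey_ttl}s) after publication")
            act.add(k.name)
        elif kind == "inactive":
            act.discard(k.name)
            if not act:
                found.append(f"{role} alg {k.algorithm}: no active key once "
                             f"{k.name} is inactive")
        elif kind == "delete":
            # Signatures by the old key can sit in caches for up to the zone's
            # maximum TTL; the DNSKEY must stay published at least that long.
            if k.inactive is None or t - k.inactive < max_ttl:
                found.append(f"{k.name}: deleted less than max TTL "
                             f"({max_ttl}s) after going inactive")
            pub.discard(k.name)
            if not pub:
                found.append(f"{role} alg {k.algorithm}: no published key once "
                             f"{k.name} is deleted")
        if t >= now:
            warnings.extend(f"t={t} {msg}" for msg in found)
    return warnings


DAY = 86400
NOW = 1_700_000_000  # constructed "current time" for the sample schedules


def _ksk() -> Key:
    return Key("Kexample.com.+013+11111", 13, True, NOW - 30 * DAY, NOW - 30 * DAY)


def good_rollover() -> List[Key]:
    """Pre-publication ZSK rollovers with two days of slack at each step."""
    return [_ksk(),
            Key("Kexample.com.+013+22222", 13, False, NOW - 30 * DAY, NOW - 30 * DAY,
                NOW + 30 * DAY, NOW + 32 * DAY),
            Key("Kexample.com.+013+33333", 13, False, NOW + 28 * DAY, NOW + 30 * DAY,
                NOW + 60 * DAY, NOW + 62 * DAY),
            Key("Kexample.com.+013+44444", 13, False, NOW + 58 * DAY, NOW + 60 * DAY)]


def bad_rollover() -> List[Key]:
    """Successor published and activated at once, predecessor deleted one hour
    after going inactive, and no third key, so ZSK coverage lapses."""
    return [_ksk(),
            Key("Kexample.com.+013+22222", 13, False, NOW - 30 * DAY, NOW - 30 * DAY,
                NOW + 30 * DAY, NOW + 30 * DAY + 3600),
            Key("Kexample.com.+013+33333", 13, False, NOW + 30 * DAY, NOW + 30 * DAY,
                NOW + 60 * DAY, NOW + 62 * DAY)]
```

Running `check_coverage(bad_rollover(), parse_duration("1h"), parse_duration("1d"), NOW, parse_duration("1y"))` yields four warnings in event order (early activation, early deletion, active count reaching zero, published count reaching zero); the same call on `good_rollover()` yields none, and shortening the window to 40 days, as `-l` would, hides the two later ones, which is why a check window shorter than the next rollover gives false confidence.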