NAME
    getdnskeys - Manage lists of DNSKEYs from DNS zones
SYNOPSIS
    getdnskeys [-i file] [-o file] [-k] [-T] [-t] [-v] [zones]
DESCRIPTION
    getdnskeys manages lists of DNSKEYs from DNS zones. It may be used to
    retrieve and compare DNSKEYs. The output from getdnskeys may be
    included (directly or indirectly) in a named.conf file.
OPTIONS
    getdnskeys takes the following options:

    -i path
        Reads path as a named.conf with which to compare key lists.

    -k
        Only looks for Key Signing Keys (KSKs); all other keys are
        ignored.

    -o file
        Writes the results to file.

    -T
        Checks the current trusted key list from named.conf.

    -t
        Encloses output in the needed named.conf syntax markers.

    -v
        Turns on verbose mode for additional output.

    -Version
        Displays the version information for getdnskeys and the
        DNSSEC-Tools package.

    -h
        Gives a help message.
EXAMPLES
    This getdnskeys will retrieve the KSK for example.com:

        getdnskeys -o /etc/named.trustkeys.conf -k -v -t example.com

    This getdnskeys will check saved keys against a live set of keys:

        getdnskeys -i /etc/named.trustkeys.conf -T -k -v -t

    This getdnskeys will automatically update a set of saved keys:

        getdnskeys -i /etc/named.trustkeys.conf -k -t -T -v -o /etc/named.trustkeys.conf
SECURITY ISSUES
    Currently this does not validate new keys placed in the file in any way,
    nor does it validate keys that have been rolled over and added. It also
    does not handle revocation of keys.

    It should prompt you before adding a new key, so that the auto-update
    feature could safely be run at all times.
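    The checks that the SECURITY ISSUES section says getdnskeys does not
    perform, as an added example that is not part of DNSSEC-Tools: it parses
    DNSKEY records in presentation format, keeps only KSKs as -k would, flags
    keys whose RFC 5011 REVOKE bit is set, and reports keys that are new or
    missing relative to the saved list. The key data is constructed, and
    parsing of named.conf trusted-keys syntax is not included.

```python
import re

# Constructed sample data (not output from getdnskeys): a saved key list and
# a freshly retrieved DNSKEY RRset, both in DNS presentation format.
SAVED_KEYS = """
example.com. 3600 IN DNSKEY 257 3 8 AwEAAfakeKSKone==
example.com. 3600 IN DNSKEY 256 3 8 AwEAAfakeZSKone==
"""
LIVE_KEYS = """
example.com. 3600 IN DNSKEY 385 3 8 AwEAAfakeKSKone==
example.com. 3600 IN DNSKEY 257 3 8 AwEAAfakeKSKtwo==
example.com. 3600 IN DNSKEY 256 3 8 AwEAAfakeZSKone==
"""

SEP_FLAG = 0x0001     # Secure Entry Point bit: the key is a KSK (flags 257)
REVOKE_FLAG = 0x0080  # RFC 5011 REVOKE bit (a revoked KSK shows flags 385)
DNSKEY_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def parse_dnskeys(text, ksk_only=False):
    """Map (owner, algorithm, public key) -> flags. Keying on the key material
    rather than the flags lets a revoked key match the saved copy of itself."""
    keys = {}
    for line in text.strip().splitlines():
        m = DNSKEY_RE.match(line.strip())
        if not m:
            continue
        owner, flags, _proto, alg, pub = m.groups()
        flags = int(flags)
        if ksk_only and not flags & SEP_FLAG:  # mirrors the -k option
            continue
        keys[(owner, int(alg), pub)] = flags
    return keys

def compare_keys(saved, live):
    """Classify live keys against the saved list. A 'revoked' key is still
    published but must be dropped from trust; a 'new' key needs out-of-band
    validation before it is added to the trusted list."""
    report = {"new": [], "missing": [], "revoked": []}
    for key, flags in live.items():
        if flags & REVOKE_FLAG:
            report["revoked"].append(key)
        elif key not in saved:
            report["new"].append(key)
    for key in saved:
        if key not in live:
            report["missing"].append(key)
    return report
```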