NAME
lskrf - List the keyrecs in a DNSSEC-Tools keyrec file
SYNOPSIS
lskrf [options] <keyrec-files>
DESCRIPTION
lskrf lists the contents of the specified keyrec files. All keyrec files are loaded before the output is displayed. If any keyrecs have duplicated names, whether within one file or across multiple files, the later keyrec will be the one whose data are displayed.
lskrf has three base output formats. In ascending levels of detail, these formats are terse output, default format, and long format. Terse output is given when the -terse option is specified; long output is given when the -long option is specified.
The output displayed for each record in a keyrec file depends on the selected records, the selected attributes, and the selected output format. Each option in these option groups is described in detail in the OPTIONS section; the three basic output formats are described in the OUTPUT FORMATS section.
keyrec files hold three types of keyrec records: zone records, signing set records, and key records. Each type of keyrec record contains keyrec fields related to that type. Zone keyrec records contain data about all the keys associated with a particular zone; set keyrec records contain data about all the keys associated with a particular signing set; key keyrec records contain key lengths and algorithms for each particular key. (There is the case of subordinate revoked and obsolete signing sets. These are stored in key keyrec records, but they contain the set_type entry which key keyrecs do not.) The data to be printed must be specified by selecting some combination of the -zone, -sets, -keys, and -all options. There are also options for specifying specific types of keys to be printed.
OUTPUT FORMATS
The three base output formats are the default format, the terse format, and the long format. The -terse option indicates that a minimal amount of output is desired; the -long option indicates that a great deal of output is desired. The record-selection and attribute-selection options may be used in conjunction with -terse to display exactly the set of keyrec fields needed. The default output format is a middle ground between terse and long output and is the one used when neither -terse nor -long is given.
Zone keyrec Output
The table below shows the zone keyrec fields displayed for each output format.

    keyrec field         default   terse   long
    ------------         -------   -----   ----
    keyrec type          yes       no      yes
    zone name            yes       yes     yes
    zone file            yes       no      yes
    signed zonefile      yes       no      yes
    signing date         yes       no      yes
    expiration date      no        no      yes
    archive directory    no        no      yes
    KSK count            no        no      yes
    KSK directory        no        no      yes
    current KSK set      no        no      yes
    published KSK set    no        no      yes
    ZSK count            no        no      yes
    ZSK directory        no        no      yes
    current ZSK set      no        no      yes
    published ZSK set    no        no      yes
    new ZSK set          no        no      yes

Set keyrec Output
The table below shows the signing set keyrec fields displayed for each output format.

    keyrec field              default   terse   long
    ------------              -------   -----   ----
    keyrec type               yes       no      yes
    set name                  yes       yes     yes
    zone name                 yes       no      yes
    type                      yes       no      yes
    keys                      no        no      yes
    last modification date    no        no      yes

Key keyrec Output
The table below shows the key keyrec fields displayed for each output format.

    keyrec field               default   terse   long
    ------------               -------   -----   ----
    keyrec type                yes       no      yes
    key name                   yes       yes     yes
    algorithm                  no        no      yes
    end date                   no        no      yes
    generation date            yes       no      yes
    key length                 no        no      yes
    key life                   no        no      yes
    key path                   no        no      yes
    keys                       no        no      yes
    random number generator    no        no      yes
    zone name                  yes       no      yes

OPTIONS
lskrf takes three types of options: record-selection options, record-attribute options, and output-style options. These option sets are detailed below.
Record-selection options are required; at least one record-selection option must be selected. Record-attribute options and output-style options are optional; any number of these options may be selected.
Record-Selection Options
These options select the types of keyrec that will be displayed.
- -all
- This option displays all the records in a keyrec
file.
- -zones
- This option displays the zones in a keyrec
file.
- -sets
- This option displays the signing sets in a keyrec
file.
- -keys
- This option displays the keys in a keyrec file.
The key data are sorted by key type in the following order: Current KSKs,
Published KSKs, Current ZSKs, Published ZSKs, New ZSKs, Obsolete KSKs, and
Obsolete ZSKs.
- -ksk
- This option displays the KSK keys in a keyrec
file.
- -kcur
- This option displays the Current KSK keys in a
keyrec file.
- -kpub
- This option displays the Published KSK keys in a
keyrec file.
- -kobs
- This option displays the obsolete KSK keys in a
keyrec file. This option must be given if obsolete KSK keys are to
be displayed.
- -krev
- This option displays the revoked KSK keys in a
keyrec file. This option must be given if revoked KSK keys are to be
displayed.
- -zsk
- This option displays the ZSK keys in a keyrec file.
It does not include obsolete ZSK keys; the -obs option must be
specified to display obsolete keys.
- -cur
- This option displays the Current ZSK keys in a
keyrec file.
- -new
- This option displays the New ZSK keys in a keyrec
file.
- -pub
- This option displays the Published ZSK keys in a
keyrec file.
- -zobs
- This option displays the obsolete ZSK keys in a
keyrec file. This option must be given if obsolete ZSK keys are to
be displayed.
- -zrev
- This option displays the revoked ZSK keys in a
keyrec file. This option must be given if revoked ZSK keys are to be
displayed.
- -obs
- This option displays the obsolete KSK and ZSK keys in a
keyrec file. This option is a shorthand method of specifying the
-kobs and -zobs options.
- -rev
- This option displays the revoked KSK and ZSK keys in a
keyrec file. This option is a shorthand method of specifying the
-krev and -zrev options.
- -invalid
- This option displays the obsolete and revoked KSK and ZSK
keys in a keyrec file. This option is a shorthand method of specifying
the -obs and -rev options.
Record-Attribute Options
These options select subsets of the keyrecs chosen by the record-selection options.
- -valid
- This option displays the valid zones in a keyrec
file. It implies the -zones option.
- -expired
- This option displays the expired zones in a keyrec
file. It implies the -zones option.
- -ref
- This option displays the referenced signing set
keyrecs and the referenced key keyrecs in a keyrec
file, depending upon other selected options.
Referenced state depends on the following:
* Signing sets are considered to be referenced if they
are listed in a zone keyrec.
* KSKs are considered to be referenced if they are listed
in a signing set keyrec that is listed in a zone keyrec.
* ZSKs are considered to be referenced if they are listed
in a signing set keyrec that is listed in a zone keyrec.
This option may be used with either the -sets or -keys
options. If it isn't used with any record-selection options, then it is
assumed that both -sets and -keys have been specified.
- -unref
- This option displays the unreferenced signing set
keyrecs or the unreferenced key keyrecs in a keyrec
file, depending upon other selected options.
Unreferenced state depends on the following:
* Signing sets are considered to be unreferenced if they
are not listed in a zone keyrec.
* KSKs are considered to be unreferenced if they are not listed
in a signing set keyrec that is listed in a zone keyrec.
* ZSKs are considered to be unreferenced if they are not listed
in a signing set keyrec that is listed in a zone keyrec.
* Obsolete ZSKs are checked, whether or not the -obs flag
was specified.
This option may be used with either the -sets or -keys
options. If it isn't used with any record-selection options, then it is
assumed that both -sets and -keys have been specified.
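
The referenced-state rules above, applied to a constructed file, as an added example (not lskrf's own code). The simplified record layout, the zone field names in SET_FIELDS other than "kskrev", and the key names are assumptions; chained "kskrev" sets are not followed.

```python
import re

# Constructed sample in a simplified keyrec-style layout (assumed for this
# example; file-keyrec(5) documents the real format). Key names are made up.
SAMPLE = '''
zone "example.com"
    kskcur "set-ksk-1"
    zskcur "set-zsk-1"
set "set-ksk-1"
    keys "Kexample.com.+008+11111"
set "set-zsk-1"
    keys "Kexample.com.+008+22222 Kexample.com.+008+33333"
set "set-old"
    keys "Kexample.com.+008+44444"
key "Kexample.com.+008+11111"
key "Kexample.com.+008+22222"
key "Kexample.com.+008+33333"
key "Kexample.com.+008+44444"
key "Kexample.com.+008+55555"
'''

# Zone fields assumed to name signing sets (hypothetical apart from "kskrev").
SET_FIELDS = {"kskcur", "kskpub", "kskrev", "zskcur", "zskpub", "zsknew"}

def parse(text):
    """Return {(type, name): {field: value}}; a later duplicate name wins."""
    recs, cur = {}, None
    for word, val in re.findall(r'^[ \t]*(\S+)[ \t]+"([^"]*)"', text, re.M):
        if word in ("zone", "set", "key"):
            cur = recs[(word, val)] = {}
        elif cur is not None:
            cur[word] = val
    return recs

def referenced(recs):
    """Sets listed in a zone keyrec, and keys listed in those sets."""
    ref_sets = {v for (t, _), f in recs.items() if t == "zone"
                for k, v in f.items() if k in SET_FIELDS}
    ref_keys = set()
    for name in ref_sets:
        ref_keys.update(recs.get(("set", name), {}).get("keys", "").split())
    return ref_sets, ref_keys

def unreferenced(recs):
    """Names that an -unref style listing would report, as (sets, keys)."""
    ref_sets, ref_keys = referenced(recs)
    sets = sorted(n for (t, n) in recs if t == "set" and n not in ref_sets)
    keys = sorted(n for (t, n) in recs if t == "key" and n not in ref_keys)
    return sets, keys
```

Unreferenced keys are candidates for review: key material that no zone uses any longer but that still exists in the keyrec file.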
Zone-Attribute Options
These options allow specific zone fields to be included in the output. If combined with the -terse option, only those fields specifically desired will be printed. These options must be used with the -zone option.
- -z-archdir
- Display the zone's archive directory. If an archive
directory is not explicitly set for the zone, the default directory will
be listed.
- -z-dates
- Display the zone's time-stamps. These are the signing date
and the expiration date.
- -z-dirs
- Display the zone's directories. These directories are the
KSK directory, the ZSK directory, and the key archive directory.
- -z-expdate
- Display the zone's expiration date.
- -z-ksk
- Display the zone's KSK data. This is the equivalent of
specifying the -z-kskcount, -z-kskcur, -z-kskdir, and
-z-kskpub options.
- -z-kskcount
- Display the zone's KSK count.
- -z-kskcur
- Display the zone's Current KSK signing set. If this is not
defined, then "<unset>" will be given.
- -z-kskdir
- Display the zone's KSK directory. If this is not defined,
then "." will be given.
- -z-kskpub
- Display the zone's Published KSK signing set. If this is
not defined, then "<unset>" will be given.
- -z-sets
- Display the zone's signing sets. This is the equivalent of
specifying the -z-kskcur, -z-kskpub, -z-zskcur,
-z-zsknew, and -z-zskpub options.
- -z-signdate
- Display the zone's signing date.
- -z-signfile
- Display the zone's signed zonefile.
- -z-zonefile
- Display the zone's zonefile.
- -z-zsk
- Display the zone's ZSK data. This is the equivalent of
specifying the -z-zskcount, -z-zskcur, -z-zskdir,
-z-zsknew, and -z-zskpub options.
- -z-zskcount
- Display the zone's ZSK count.
- -z-zskcur
- Display the zone's Current ZSK signing set. If this is not
defined, then "<unset>" will be given.
- -z-zskdir
- Display the zone's ZSK directory. If this is not defined,
then "." will be given.
- -z-zsknew
- Display the zone's New ZSK signing set. If this is not
defined, then "<unset>" will be given.
- -z-zskpub
- Display the zone's Published ZSK signing set. If this is
not defined, then "<unset>" will be given.
Set-Attribute Options
These options allow specific set fields to be included in the output. If combined with the -terse option, only those fields specifically desired will be printed. These options must be used with the -sets option.
If RFC5011 processing is enabled, there is special handling of the zone's set keyrec of revoked KSK keys. The "kskrev" field in the zone's keyrec points to a set keyrec, marked as being of type "kskrev". This set keyrec, in turn, points to a number of other set keyrecs, all of which are also marked as being of type "kskrev". The group of all revoked KSK keys is found by consulting that subsidiary set of "kskrev" set keyrecs. When the ages of these revoked keys exceed their revocation periods, they are marked as being obsolete ("kskobs"). If this happens as part of normal rollover, these revoked key and set keyrecs are all removed from the chain of active, revoked keyrecs. If this happens to a key that's part of a larger set of keys, it is removed from that signing set and put in its own new signing set.
lskrf displays the type of the "kskrev" set (listed in the zone keyrec) as "KSK-REV", and all other revoked KSK keyrecs are listed as "KSK-rev".
- -s-keys
- Display the set's keys.
- -s-lastmod
- Display the set's date of last modification.
- -s-type
- Display the set's type.
- -s-zone
- Display the set's zone name.
- -s-ksk
- Display KSK signing sets. This option implies the
-sets option.
- -s-kcur
- Display current KSK signing sets. This option implies the
-sets option.
- -s-kobs
- Display obsolete KSK signing sets. This option implies the
-sets option.
- -s-kpub
- Display published KSK signing sets. This option implies the
-sets option.
- -s-krev
- Display revoked KSK signing sets. This option implies the
-sets option.
- -s-zsk
- Display ZSK signing sets. This option implies the
-sets option.
- -s-zcur
- Display current ZSK signing sets. This option implies the
-sets option.
- -s-znew
- Display new ZSK signing sets. This option implies the
-sets option.
- -s-zobs
- Display obsolete ZSK signing sets. This option implies the
-sets option.
- -s-zpub
- Display published ZSK signing sets. This option implies the
-sets option.
- -s-zrev
- Display revoked ZSK signing sets. This option implies the
-sets option.
Key-Attribute Options
These options allow specific key fields to be included in the output. If combined with the -terse option, only those fields specifically desired will be printed. These options must be used with the -key option.
- -k-algorithm
- Display the key's encryption algorithm.
- -k-enddate
- Display the key's end-date, calculated by adding the key's
lifespan to its signing date.
- -k-length
- Display the key's length.
- -k-lifespan
- Display the key's lifespan (in seconds). This lifespan is
only related to the time between key rollover. There is no other
lifespan associated with a key.
- -k-path
- Display the key's path.
- -k-random
- Display the key's random number generator.
- -k-signdate
- Display the key's signing date.
- -k-zone
- Display the key's zonefile.
Output-Style Options
These options define how the keyrec information will be displayed.
Without any of these options, the zone name, zone file, zone-signing date, and a label will be displayed for zones. For keys, the key name, the key's zone, the key's generation date, and a label will be displayed if these options aren't given.
- -count
- The count of matching records will be displayed, but the
matching records will not be.
- -nodate
- The key's generation date will not be printed if this flag
is given.
- -headers
- Display explanatory column headers. If this flag is given,
then entry labels will not be printed unless explicitly requested by use
of the -label option.
- -label
- A label for the keyrec's type will be given.
- -long
- The long form of output will be given. See the OUTPUT
FORMATS section for details on data printed for each type of keyrec
record.
Long zone output can get very wide, depending on the data.
- -terse
- This option displays only the name of the zones or keys
selected by other options.
- -Version
- Displays the version information for lskrf and the
DNSSEC-Tools package.
- -help
- Display a usage message and exit.
- -h-zones
- Display the zone-attribute options and exit.
- -h-sets
- Display the set-attribute options and exit.
- -h-keys
- Display the key-attribute options and exit.
COPYRIGHT
Copyright 2005-2012 SPARTA, Inc. All rights reserved. See the COPYING file
included with the DNSSEC-Tools package for details.
AUTHOR
Wayne Morrison, tewok@tislabs.com
SEE ALSO
zonesigner(8)
Net::DNS::SEC::Tools::keyrec.pm(3)
file-keyrec(5)