keyrec-check - Check a DNSSEC-Tools keyrec file for problems and inconsistencies.
keyrec-check [-z | -k] [-c] [-q] [-verbose] [-h] keyrec-file
This script checks a keyrec file for problems, potential problems, and inconsistencies.
Recognized problems include:
The keyrec file does not contain any zone keyrecs.
The keyrec file does not contain any key keyrecs.
A key keyrec references a non-existent zone keyrec.
A zone keyrec does not have both a KSK key and a ZSK key.
A zone has expired.
A key is labeled as a KSK (or ZSK) and its owner zone has it labeled as the opposite.
A zone's keyrec data are checked to ensure that they are valid. The following conditions are checked: existence of the zone file, existence of the KSK file, existence of the ZSK file, the end-time is greater than one day, and the seconds-count and date string match.
A key's keyrec data are checked to ensure that they are valid. The following conditions are checked: valid encryption algorithm, key length falls within algorithm's size range, random generator file exists, and the seconds-count and date string match.
Recognized potential problems include:
A zone will expire within one week.
A zone's recorded signing date is later than the current system clock.
A key keyrec is unreferenced by any zone keyrec.
A zone keyrec's key directory (kskdirectory or zskdirectory) does not exist.
Recognized inconsistencies include:
A zone keyrec contains key-specific entries. To allow for site-specific extensibility, keyrec-check does not check for undefined keyrec fields.
A key keyrec contains zone-specific entries. To allow for site-specific extensibility, keyrec-check does not check for undefined keyrec fields.
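The cross-reference checks listed above (a key that names a non-existent zone, a zone without both a KSK and a ZSK, and a KSK/ZSK label that disagrees between key and zone) can be sketched as follows. This is an added example, not code from keyrec-check or DNSSEC-Tools. The sample data is constructed, and its record layout and the field names keyrec_type, zonename, kskkey and zskkey are assumptions made for illustration.

```python
import re

# Constructed sample. The layout and the field names (keyrec_type, zonename,
# kskkey, zskkey) are assumptions made for this example.
SAMPLE = '''
zone "example.com"
    kskkey "Kexample.com.+005+11111"
    zskkey "Kexample.com.+005+22222"
zone "example.net"
    kskkey "Kexample.net.+005+33333"
key "Kexample.com.+005+11111"
    keyrec_type "zsk"
    zonename "example.com"
key "Kexample.com.+005+22222"
    keyrec_type "zsk"
    zonename "example.com"
key "Kexample.org.+005+44444"
    keyrec_type "ksk"
    zonename "example.org"
'''

def parse_keyrecs(text):
    """Return {'zone': {name: fields}, 'key': {name: fields}}."""
    recs, cur = {"zone": {}, "key": {}}, None
    for line in text.splitlines():
        m = re.match(r'\s*(\S+)\s+"([^"]*)"', line)
        if not m:
            continue
        field, value = m.groups()
        if field in recs and not line[0].isspace():
            cur = recs[field].setdefault(value, {})  # unindented line starts a record
        elif cur is not None:
            cur[field] = value                       # indented line is a field of it
    return recs

def check(recs):
    """Run three of the cross-reference checks; return problem strings."""
    problems, zones, keys = [], recs["zone"], recs["key"]
    for name, k in keys.items():
        zone = zones.get(k.get("zonename"))
        if zone is None:
            problems.append(f"{name}: references non-existent zone")
            continue
        for role in ("ksk", "zsk"):
            if zone.get(role + "key") == name and k.get("keyrec_type") != role:
                problems.append(f"{name}: zone labels it {role}, key says {k['keyrec_type']}")
    for name, z in zones.items():
        if not ("kskkey" in z and "zskkey" in z):
            problems.append(f"{name}: lacks a KSK or a ZSK")
    return problems
```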
-k  Only perform checks of key keyrecs. This option may not be combined with the -z option.
-z  Only perform checks of zone keyrecs. This option may not be combined with the -k option.
-c  Display a final count of errors.
-q  Do not display messages. This option supersedes the setting of the -v option.
-v  Display many messages. This option is subordinate to the -q option.
-h  Display a usage message.
Copyright 2004-2006 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.
Wayne Morrison, tewok@users.sourceforge.net
Net::DNS::SEC::Tools::keyrec.pm(3)