dnssec-coverage command

Purpose

Checks future DNSKEY coverage for a zone.

Syntax

dnssec-coverage [-K directory] [-l length] [-f file] [-d DNSKEY TTL] [-m maximum TTL] [-r interval] [-c compilezone path] [-k] [-z] [zone…]

Description

The dnssec-coverage command is a high-level Python3 wrapper that verifies whether timing metadata is set properly for the DNSSEC keys for a given zone, or a set of zones to ensure no future lapses in DNSSEC coverage.

If zone is specified, keys that are found in the key repository that matches the zone are scanned, and an ordered list of the events that are scheduled for that key (that is, publication, activation, inactivation, deletion) is generated. The list of events is run in order of occurrence. Warning message is are generated if any event might cause the zone to enter a state in which validation failures might occur. For example, if the number of published or active keys for a given algorithm drops to zero, or if a key is deleted from the zone too soon after a new key is rolled, and cached data signed by the prior key has not had time to expire from resolver caches.

If zone is not specified, all keys in the key repository are scanned, and all zones for which keys are available are analyzed. (Note: This method of reporting is accurate only if all the zones that have keys in a specified repository share the same TTL parameters).

Flags

-K directorty

Sets the directory in which keys can be found. Defaults to the current working directory.

-f file

If a file is specified, the zone is read from that file. The largest TTL and the DNSKEY TTL are determined directly from the zone data, and the -m and -d options need not be specified.

-l duration

The duration of time to check for DNSSEC coverage. Key events scheduled after the specified duration is ignored and assumed to be correct.

The value of duration can be set in seconds, or in units of time by adding a suffix: mi for minutes, h for hours, d for days, w for weeks, mo for months, y for years.

-m maximum TTL

Sets the value to be used as the maximum TTL for the zone or zones that are analyzed for determining a possibility of validation failure. When a zone-signing key is deactivated, there must be enough time for the record in the zone with the longest TTL to expire from resolver caches before that key can be purged from the DNSKEY RRset. If that condition does not apply, a warning is generated.

The length of the TTL can be set in seconds, or in units of time by adding a suffix: mi for minutes, h for hours, d for days, w for weeks, mo for months, y for years.

This option is not necessary if the -f flag has been used to specify a zone file. If -f flag is specified, this option can still be used; it overrides the value that is found in the file.

If this option is not used and the maximum TTL cannot be retrieved from a zone file, a warning is generated, and a default value of 1 week is used.

-d DNSKEY TTL

Sets the value to be used as the DNSKEY TTL for the zone or zones that are analyzed for determining a possibility of validation failure. When a key is rolled (that is, replaced with a new key), there must be enough time for the old DNSKEY RRset to expire from resolver caches before the new key is activated and starts generating signatures. If that condition does not apply, a warning is generated.

The length of the TTL can be set in seconds, or in units of time by adding a suffix: mi for minutes, h for hours, d for days, w for weeks, mo for months, y for years.

This option is not necessary if the -f flag is used to specify a zone file from which the TTL of the DNSKEY RRset can be read, or if a default key TTL was set by using the -L flag with the dnssec-keygen command. If either of those conditions are true, this option can still be used. It overrides the values that are found in the zone file or the key file.

If this option is not used and the key TTL cannot be retrieved from the zone file or the key file, a warning is generated and a default value of 1 day is used.

-r resign interval

Sets the value to be used as the resign interval for the zone or zones that are analyzed for determining a possibility of validation failure. This value defaults to 22.5 days, which is also the default value in the named.conf file . However, if this value has been changed by the sig-validity-interval option in the named.conf file, then the value must also be updated by using the -r flag.

The duration of the interval can be set in seconds, or in units of time by adding a suffix: mi for minutes, h for hours, d for days, w for weeks, mo for months, y for years.

-k

Checks KSK coverage only and ignores ZSK events. Cannot be used with the -z flag.

-z

Check ZSK coverage only and ignores KSK events. Cannot be used with the -k flag.

-c compilezone path

Specifies a path to the named-compilezone binary. Used for testing.