cleankrf - Man Page

Clean a DNSSEC-Tools keyrec files of old data


  cleankrf [options] <keyrec-files>


cleankrf cleans old data out of a set of DNSSEC-Tools keyrec files. The old data are obsolete signing sets, orphaned keys, and obsolete keys.

Obsolete signing sets are set keyrecs unreferenced by a zone keyrec. Revoked signing sets are considered obsolete by cleankrf.

Orphaned keys are KSK and ZSK key keyrecs unreferenced by a set keyrec.

Obsolete keys are key keyrecs with a keyrec_type of kskobs or zskobs.

cleankrf's exit code is the count of orphaned and obsolete keyrecs found.



Display a final count of old keyrecs found in the keyrec files.  This option allows the count to be displayed even if the -quiet option is given.


The key keyrecs are checked for old keyrecs, but they are not removed from the keyrec file.  The names of the old keyrecs are displayed.


Delete the key files, both .key and .private, from orphaned and expired keyrecs.


Display no output.


Display output about referenced keys and unreferenced keys.


Displays the version information for cleankrf and the DNSSEC-Tools package.


Display a usage message.


Wayne Morrison,

See Also

fixkrf(8), lskrf(8), zonesigner(8)


2024-01-24 perl v5.38.2 User Contributed Perl Documentation