keyarch - Man Page

DNSSEC-Tools daemon to archive old KSK and ZSK keys

Synopsis

  keyarch [options] <keyrec_file | rollrec_file>

Description

The keyarch program archives old KSK and ZSK keys.  Keys are considered old if they are revoked or obsolete.  Keys marked as either kskrev or zskrev are revoked; keys marked as either kskobs or zskobs are obsolete. Archived keys are prefixed with the seconds-since-epoch as a means of distinguishing a zone's keys that have the same five-digit number.

If the required file argument is a keyrec file, then expired keys listed in that file are archived.  If the file argument is a rollrec file, the keyrec files of the zones in that file are checked for expired keys.

If the -zone option is given, then only revoked and obsolete keys belonging to the specified zone will be archived.

The archive directory is either zone-specific (listed in the zone's keyrec record in the zone's keyrec file) or the default archive directory given in the DNSSEC-Tools configuration file.

The count of archived keys is given as the program's exit code.  Error exit codes are negative.

Options

The following options are recognized:

-zone zone_file

Name of the zone whose KSKs will be archived.  If this is not given, then all the zones defined in the rollrec file will be checked.

-kskonly

Only archive KSK keys.

-zskonly

Only archive ZSK keys.

-dtconfig config_file

Name of an alternate DNSSEC-Tools configuration file to be processed. If specified, this configuration file is used in place of the normal DNSSEC-Tools configuration file, not in addition to it.  Also, it will be handled prior to keyrec files, rollrec files, and command-line options.

-quiet

No output will be given.

-verbose

Verbose output will be given.

-help

Display a usage message.

-Version

Displays the version information for keyarch and the DNSSEC-Tools package.

Exit Values

On success, keyarch's exit code is the number of keys archived.

keyarch has a 0 exit code if the help message is given.

keyarch has a negative exit code if an error is encountered.
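
Because a successful run exits with the number of keys archived, a calling script cannot treat a nonzero status as failure, and the shell sees only the low 8 bits of a negative code (-1 arrives as 255). The wrapper below is an added example, not part of DNSSEC-Tools; the function names, the KEYARCH variable, and the 128 threshold used to separate counts from errors are assumptions.

```shell
#!/bin/sh
# Added example, not part of DNSSEC-Tools.
# keyarch reports the archived-key count as its exit code and errors as
# negative codes. The shell keeps only the low 8 bits, so -1 shows up as 255.
# ASSUMPTION: statuses 128-255 are read as negative (error) codes, as in a
# signed 8-bit value; a run that really archives 128 or more keys in one
# pass would be misread as an error.

# Print "archived N" or "error -N" for a raw exit status.
# Returns 0 for a key count, 1 for an error.
interpret_keyarch_status() {
    status=$1
    case $status in
        ''|*[!0-9]*) echo "error invalid-status"; return 1 ;;
    esac
    if [ "$status" -ge 128 ]; then
        echo "error $((status - 256))"
        return 1
    fi
    echo "archived $status"
    return 0
}

# Run keyarch (or the command named in $KEYARCH, a hypothetical override
# used here for testing) without letting a nonzero "success" status trip
# `set -e` or a cron/systemd failure check.
run_keyarch() {
    cmd=${KEYARCH:-keyarch}
    status=0
    "$cmd" "$@" || status=$?
    interpret_keyarch_status "$status"
}
```

Call it as `run_keyarch -quiet <keyrec_file>` from a cron job or service unit, and alert only when it returns nonzero.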

Author

Wayne Morrison, tewok@tislabs.com

See Also

rollerd(8), zonesigner(8)

Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::dnssectools.pm(3), Net::DNS::SEC::Tools::defaults.pm(3), Net::DNS::SEC::Tools::keyrec.pm(3), Net::DNS::SEC::Tools::rollrec.pm(3)

keyrec(5), rollrec(5)

Info

2024-01-24 perl v5.38.2 User Contributed Perl Documentation