dnssec-keymgr — Ensures correct DNSKEY coverage for a zone based on a defined policy
dnssec-keymgr [-K directory] [-c file] [-f] [-k] [-q] [-v] [-z] [-g path] [-r path] [-s path] [zone...]
dnssec-keymgr is a high-level Python wrapper to facilitate the key rollover process for zones handled by BIND. It uses the BIND commands for manipulating DNSSEC key metadata: dnssec-keygen and dnssec-settime.
DNSSEC policy can be read from a configuration file (default
/etc/dnssec-policy.conf), from which the key
parameters, publication and rollover schedule, and desired
coverage duration for any given zone can be determined. This
file may be used to define individual DNSSEC policies on a
per-zone basis, or to set a default policy used for all zones.
When dnssec-keymgr runs, it examines the DNSSEC keys for one or more zones, comparing their timing metadata against the policies for those zones. If key settings do not conform to the DNSSEC policy (for example, because the policy has been changed), they are automatically corrected.
A zone policy can specify a duration over which key correctness
is to be ensured (coverage). It can
also specify a rollover period (roll-period).
If policy indicates
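The comparison of key timing metadata against a policy's coverage and roll-period, described above, can be illustrated as follows. This is an added example, not dnssec-keymgr's own code: the `Key` class, the function names and the sample keys are assumptions constructed here, and only the Activate and Inactive times are modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DAY = timedelta(days=1)

@dataclass
class Key:
    tag: int                      # key tag (constructed sample values below)
    activate: datetime            # "Activate" timing metadata
    inactive: Optional[datetime]  # "Inactive" timing metadata, None if unset

def coverage_gaps(keys, now, coverage):
    """Return (start, end) intervals in [now, now+coverage) with no active key."""
    end, cursor, gaps = now + coverage, now, []
    for k in sorted(keys, key=lambda k: k.activate):
        if cursor >= end:
            break
        stop = k.inactive or end  # a key with no Inactive time stays active
        if stop <= max(cursor, k.activate):
            continue              # already retired, or empty/inverted interval
        if k.activate > cursor:
            gaps.append((cursor, min(k.activate, end)))
        cursor = stop
    if cursor < end:
        gaps.append((cursor, end))
    return gaps

def violates_roll_period(keys, roll_period):
    """Tags of keys whose active lifetime is unset or longer than roll_period."""
    return [k.tag for k in keys
            if k.inactive is None or k.inactive - k.activate > roll_period]

# Constructed sample policy values and keys (not taken from any real zone).
NOW = datetime(2024, 1, 1)
COVERAGE, ROLL_PERIOD = 365 * DAY, 180 * DAY
SAMPLE_KEYS = [
    Key(10001, NOW - 90 * DAY, NOW + 90 * DAY),
    Key(20002, NOW + 100 * DAY, NOW + 280 * DAY),  # activates 10 days late
    Key(30003, NOW + 280 * DAY, None),             # no retirement scheduled
]

if __name__ == "__main__":
    for start, end in coverage_gaps(SAMPLE_KEYS, NOW, COVERAGE):
        print("no active key from", start.date(), "to", end.date())
    print("roll-period not met by:", violates_roll_period(SAMPLE_KEYS, ROLL_PERIOD))
```

A gap in the active-key timeline means the zone would have no key available for signing during that interval, which is the kind of nonconformance a policy check over the coverage duration is meant to surface before it happens.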