zkt−ls — list dnskeys
zkt−ls −H
zkt−ls [−V|--view view] [−c file] [−l list] [−adefhkLprtz] [{keyfile|dir} ...]
zkt−ls −T [−V|--view view] [−c file] [−l list] [−dhrz] [{keyfile|dir} ...]
zkt−ls −−list-trustedkeys [−V|--view view] [−c file] [−l list] [−dhrz] [{keyfile|dir} ...]
zkt−ls −K [−V|--view view] [−c file] [−l list] [−dhkrz] [{keyfile|dir} ...]
zkt−ls −−list-dnskeys [−V|--view view] [−c file] [−l list] [−dhkrz] [{keyfile|dir} ...]
The zkt-ls command lists all dnssec zone keys found in the given or predefined default directory. It is also possible to specify keyfiles (K*.key) as arguments. With option −r, subdirectories are searched recursively and all dnssec keys found are listed, sorted by domain name, key type and generation time. In that mode, option −p may be helpful to find the location of the keyfile in the directory tree.
Other forms of the command print out keys in a format suitable for a trusted-key section (−T) or as a DNSKEY (−K) resource record.
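The following is an added example, not part of ZKT: an independent cross-check of such a listing that walks a zone directory, classifies each K*.key file as KSK or ZSK from the DNSKEY flags, and recomputes the RFC 4034 key tag to compare it with the tag in the file name. It assumes single-line DNSKEY records as written by dnssec-keygen(8), sorts by key tag instead of generation time, and uses hypothetical function names and constructed sample keys.

```python
import base64, os, struct, tempfile

def key_tag(flags, proto, alg, pub):
    """Key tag as defined in RFC 4034, Appendix B."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pub
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def parse_keyfile(path):
    """Parse the first single-line DNSKEY record of a K*.key file."""
    with open(path) as fh:
        for line in fh:
            f = line.split(";", 1)[0].split()   # drop comments
            if "DNSKEY" not in f:
                continue
            i = f.index("DNSKEY")
            flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
            tag = key_tag(flags, proto, alg, base64.b64decode("".join(f[i + 4:])))
            # BIND file names are K<zone>+<alg>+<tag>.key; compare with the content.
            expected = "K%s+%03d+%05d.key" % (f[0].lower(), alg, tag)
            return {"zone": f[0].lower(), "type": "KSK" if flags & 1 else "ZSK",
                    "tag": tag, "path": path,
                    "name_ok": os.path.basename(path) == expected}
    return None

def list_keys(root, recursive=False, labels=None, kind=None):
    """List keys under root, sorted by zone, key type and key tag."""
    found = []
    for dirpath, dirs, files in os.walk(root):
        if not recursive:
            dirs.clear()                        # stay in root, as without -r
        for name in files:
            if name.startswith("K") and name.endswith(".key"):
                rec = parse_keyfile(os.path.join(dirpath, name))
                if (rec and (not labels or rec["zone"] in labels)
                        and (kind is None or rec["type"] == kind)):
                    found.append(rec)
    return sorted(found, key=lambda r: (r["zone"], r["type"], r["tag"]))

def build_sample():
    """Create a constructed zone directory tree; returns its root."""
    root = tempfile.mkdtemp()
    for zone, flags, tag in [("example.net.", 257, 2063), ("example.net.", 256, 2062),
                             ("sub.example.net.", 256, 9999)]:  # 9999: wrong tag
        zdir = os.path.join(root, zone.rstrip("."))
        os.makedirs(zdir, exist_ok=True)
        with open(os.path.join(zdir, "K%s+008+%05d.key" % (zone, tag)), "w") as fh:
            fh.write("; constructed sample\n%s IN DNSKEY %d 3 8 AQIDBA==\n" % (zone, flags))
    return root
```

A record with name_ok set to False points at a key file whose name and key material disagree, which is worth investigating before the key is published or trusted.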
−V view, −−view=view
Try to read the default configuration out of a file named dnssec-<view>.conf . Instead of specifying the −V or --view option every time, it is also possible to create a hard or softlink to the executable file to give it an additional name like zkt-ls-<view> .
−c file, −−config=file
Read default values from the specified config file. Otherwise the default config file is read or built-in defaults will be used.
−O optstr, −−config-option=optstr
Set any config file option via the command line. Several config file options can be specified in the argument string, but they have to be delimited by semicolon (or newline).
−l list, −−label=list
Print out information solely about domains given in the comma or space separated list. Make sure that every domain name has a trailing dot.
−d, −−directory
Skip directory arguments. This is useful in combination with wildcard arguments to prevent dnssec-zkt from listing all keys found in subdirectories. For example, "zkt-ls -d *" will print out a list of only those keys found in the current directory. It may be easier to use "zkt-ls ." instead (without -r set). The option works similarly to the −d option of ls(1).
−L, −−left-justify
Print out the domain name left justified.
−k, −−ksk
Select and print key signing keys only (default depends on command mode).
−z, −−zsk
Select and print zone signing keys only (default depends on command mode).
−r, −−recursive
Recursive mode (default is off). Also settable in the dnssec.conf file (Parameter: Recursive).
−p, −−path
Print pathname in listing mode. In -C mode, don’t create the new key in the same directory as (already existing) keys with the same label.
−a, −−age
Print age of key in weeks, days, hours, minutes and seconds (default is off). Also settable in the dnssec.conf file (Parameter: PrintAge).
−f, −−lifetime
Print the key lifetime.
−e, −−exptime
Print the key expiration time.
−t, −−time
Print the key generation time (default is on). Also settable in the dnssec.conf file (Parameter: PrintTime).
−h
No header or trusted-key section header and trailer in -T mode.
−H, −−help
Print out the online help.
−T, −−list-trustedkeys
List all key signing keys as a named.conf trusted-key section. Use −h to suppress the section header/trailer.
−K, −−list-dnskeys
List the public part of all the keys in DNSKEY resource record format. Use −h to suppress comment lines.
zkt−ls −r .
Print out a list of all zone keys found below the current directory.
zkt−ls −Z −c ""
Print out the compiled in default parameters.
zkt−ls −T ./zonedir/example.net
Print out a trusted-key section containing the key signing keys of "example.net".
zkt−ls --view intern
Print out a list of all zone keys found below the directory where all the zones of view intern live. There should be a separate dnssec config file dnssec-intern.conf with a directory option for this to take effect.
zkt−ls−intern
Same as above. The binary file zkt−ls has another link made, named zkt−ls−intern, and zkt−ls examines argv[0] to find a view whose zones it proceeds to process.
ZKT_CONFFILE
Specifies the name of the default global configuration file.
/var/named/dnssec.conf
Built-in default global configuration file. The name of the default global config file is settable via the environment variable ZKT_CONFFILE.
/var/named/dnssec-<view>.conf
View specific global configuration file.
./dnssec.conf
Local configuration file (only used in −C mode).
Some of the general options will not be meaningful in all of the command modes.
The option −l and the ksk rollover options insist on domain names ending with a dot.
Holger Zuleger
Copyright (c) 2005 − 2010 by Holger Zuleger. Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8), zkt-keyman(8), zkt-signer(8)
RFC4641 "DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman
DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC (http://www.nlnetlabs.nl/dnssec_howto/)