
FreeBSD Manual Pages

  
 
  

KEYMGR(8)			   Knot	DNS			     KEYMGR(8)

NAME
       keymgr -	Knot DNS key management	utility

SYNOPSIS
       keymgr basic_option [parameters...]

       keymgr [config_option config_storage] zone command argument...

DESCRIPTION
       The keymgr utility is used for manual key management in the Knot	DNS
       server.

       Functions  for  DNSSEC keys and KASP (Key And Signature Policy) manage-
       ment are	provided.

       The DNSSEC and KASP configuration is stored in a	so-called KASP data-
       base, which is backed by LMDB.

   Basic options
       -h, --help
	      Print the	program	help.

       -V, --version
	      Print the	program	version.

       -t, --tsig tsig_name [tsig_algorithm] [tsig_bits]
	      Generates	a TSIG key. The	TSIG algorithm can be specified	by a
	      string (default: hmac-sha256) and	the bit	length of the key by a
	      number (default: the optimal length given	by the algorithm). The
	      generated	TSIG key is only displayed on stdout: the command does
	      not create a file, nor does it include the key in	a keystore, so
	      the output has to	be placed into the key section of knot.conf(5)
	      and conveyed to the peer by the administrator.

   Config options
       -c, --config file
	      Use  a  textual configuration file (default is /usr/local/etc/
	      knot/knot.conf).

       -C, --confdb directory
	      Use  a  binary  configuration  database  directory  (default  is
	      /var/db/knot/confdb). If the default configuration database ex-
	      ists, it takes precedence over the default configuration file.

       -d, --dir path
	      Use the specified	KASP database path with	the default configura-
	      tion.

       NOTE:
	  Keymgr switches to the same user and group as	configured for knotd
	  (the user item of the	server section in knot.conf(5)). For example,
	  if keymgr is run as root but the configured user is knot, it will
	  not be able to read files (PEM files,	the KASP database, ...)	that
	  are readable only by root. Run it with the same configuration	as
	  the server so	that the KASP database and keystore files it creates
	  remain readable by the server.

   Commands
       list [timestamp_format]
	      Prints  the  list	of key IDs and parameters of keys belonging to
	      the zone.

       generate	[arguments...]
	      Generates	a new DNSSEC key and stores it in the KASP database.
	      Prints the key ID. This action takes a number of arguments (see
	      below). Values for unspecified arguments are taken from the cor-
	      responding policy	(if the	-c or -C option	is used) or from the
	      Knot policy defaults.

       import-bind BIND_key_file
	      Imports a	BIND-style key into the	KASP database (converting it
	      to PEM format). Takes one	argument: the path to the BIND key
	      file (either the private or the public one, but both MUST	ex-
	      ist).

       import-pub BIND_pubkey_file
	      Imports a	public key into	the KASP database. This	key will nei-
	      ther be rolled over nor used for signing.	Takes one argument:
	      the path to the BIND public key file.

       import-pem PEM_file [arguments...]
	      Imports a	DNSSEC key from	PEM file. The key parameters (same  as
	      for the generate action) need to be specified (mainly algorithm,
	      timers...) because they are not contained	in the PEM format.

       import-pkcs11 key_id [arguments...]
	      Imports a	DNSSEC key from	PKCS #11 storage. The  key  parameters
	      (same  as	 for the generate action) need to be specified (mainly
	      algorithm, timers...) because they are not available.  In	 fact,
	      no key data is imported, only KASP database metadata is created.

       nsec3-salt [new_salt]
	      Prints the current NSEC3 salt used for signing. If new_salt is
	      specified, the salt is overwritten. The salt is printed and ex-
	      pected in	hexadecimal, or	as a dash if empty.

       local-serial [new_serial]
	      Prints the SOA serial stored in the KASP database	when using on-
	      slave DNSSEC signing. If new_serial is specified,	the serial is
	      overwritten. After updating the serial, expire the zone (zone-
	      purge +expire +zonefile +journal)	if the server is running, or
	      remove the corresponding zone file and journal contents if the
	      server is	stopped.

       set key_spec [arguments...]
	      Changes a	timing argument	(or ksk/zsk) of	an existing key	to a
	      new value. Key_spec is either the	key tag	or a prefix of the key
	      ID, with an optional id= or keytag= prefix; arguments are	the
	      same as for generate, but	only the relevant ones.	Key tags are
	      not guaranteed to	be unique, so use the key ID where two keys
	      could share a tag.

       ds [key_spec]
	      Generates	DS records (one	for each supported digest algorithm)
	      for the specified	key. Key_spec is as for	set; if	unspecified,
	      all KSKs are used.

       dnskey [key_spec]
	      Generates	the DNSKEY record for the specified key. Key_spec is
	      as for ds; if unspecified, all KSKs are used.

       delete key_spec
	      Removes the specified key	from the zone. If the key was not
	      shared, it is also deleted from the keystore.

       share key_ID zone_from
	      Import  a	 key  (specified  by full key ID) from another zone as
	      shared. After this, the key is owned by both zones equally.
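
       The ds and dnskey commands above	print records that are derived from
       the public key only, so their output can	be verified independently.
       The following added example (not	part of	keymgr or Knot DNS) rebuilds
       the DNSKEY record, the RFC 4034 key tag that key_spec and the DS	rec-
       ord refer to, and the DS	digests	over the owner name and	DNSKEY RDATA.
       It assumes that "all digest algorithms" means DS	digest types 1,	2 and
       4 (SHA-1, SHA-256, SHA-384); the	sample public key is constructed and
       is not a	real key.

```python
import base64
import hashlib
import struct

# Added example; not Knot DNS code.  Rebuilds what keymgr's "dnskey" and "ds"
# commands print from a public key, so their output can be cross-checked
# against the DNSKEY actually served by the zone before the DS goes to the
# parent.  Wire formats and key tag: RFC 4034; SHA-256 DS: RFC 4509;
# SHA-384 DS: RFC 6605.  Assumption: "all digest algorithms" means IANA DS
# digest types 1 (SHA-1), 2 (SHA-256) and 4 (SHA-384).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the empty root label (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA.  This is the number
    keymgr's key_spec and the DS record refer to; it is not unique, so prefer
    the key ID when two keys could share a tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_record(owner, flags, algorithm, pubkey):
    """DNSKEY RR in presentation format (flags 257 = KSK with the SEP bit)."""
    return f"{owner} DNSKEY {flags} 3 {algorithm} " + base64.b64encode(pubkey).decode()


def parse_dnskey_record(line):
    """Parse a DNSKEY RR line as printed by keymgr or dig (TTL/class optional).
    Returns (owner, flags, algorithm, pubkey)."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    pubkey = base64.b64decode("".join(tokens[i + 4:]))   # key may be split
    return tokens[0], flags, algorithm, pubkey


def ds_record(owner, flags, algorithm, pubkey, digest_type):
    """DS RR: digest = H(owner name in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    digest = DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_records_from_dnskey(line):
    """All DS variants for one DNSKEY line, like keymgr's ds command."""
    owner, flags, algorithm, pubkey = parse_dnskey_record(line)
    return [ds_record(owner, flags, algorithm, pubkey, dt) for dt in sorted(DS_DIGESTS)]


if __name__ == "__main__":
    # Constructed sample: 64 arbitrary bytes standing in for an ECDSAP256SHA256
    # (algorithm 13) public key.  It is not a real key.
    sample = dnskey_record("example.com.", 257, 13, bytes(range(64)))
    print(sample)
    for ds in ds_records_from_dnskey(sample):
        print(ds)
```

       Feed ds_records_from_dnskey the DNSKEY line that dig returns for	the
       zone and	compare	the result with	the output of keymgr ds	before sub-
       mitting the DS to the parent; a mismatch	means the parent would point
       at a key	the zone does not actually serve.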

   Commands related to Offline KSK feature
       pregenerate timestamp
	      Pre-generate ZSKs	for use	with offline KSK,  for	the  specified
	      period starting from now.

       show-offline timestamp-from [timestamp-to]
	      Prints pre-generated offline key-related records for the speci-
	      fied time	interval. If timestamp-to is omitted, the interval ex-
	      tends to infinity.

       del-offline timestamp-from timestamp-to
	      Delete  pre-generated  offline  key-related records in specified
	      time interval.

       del-all-old
	      Delete old keys that are in state	'removed'.

       generate-ksr timestamp-from timestamp-to
	      Prints a KeySigningRequest (KSR) based on	the pre-generated ZSKs
	      for the specified	period to stdout.

       sign-ksr	ksr_file
	      Reads a KeySigningRequest	from a text file, signs	it using the
	      local keyset and prints the SignedKeyResponse (SKR) to stdout.

       import-skr skr_file
	      Reads a SignedKeyResponse	from a text file and imports the sig-
	      natures for later	use in the zone. (The signatures are not
	      checked at import	time, but they will be ignored at signing time
	      if invalid.) If some signatures have already been	imported, they
	      are deleted for the period from the beginning of the SKR to in-
	      finity.

   Generate arguments
       Arguments are separated by spaces; each of them is in the format
       'name=value'.

       algorithm
	      Either  an  algorithm  number  (e.g.  14),  or text name without
	      dashes (e.g. ECDSAP384SHA384).

       size   Key length in bits.

       ksk    If set to	yes, the key will be used for  signing	DNSKEY	rrset.
	      The generated key	will also have the Secure Entry	Point flag set
	      to 1.

       zsk    If set to	yes, the key will be used  for	signing	 zone  (except
	      DNSKEY  rrset).  This  flag can be set concurrently with the ksk
	      flag.

       sep    Overrides	the standard setting of	the Secure  Entry  Point  flag
	      for the generated	key.

       The following arguments are timestamps of the key lifetime (see DNSSEC
       Key states):

       created
	      Key created.

       pre_active
	      Key started to be	used for signing, not published	(only for
	      algorithm	rollover).

       publish
	      Key published.

       ready  Key  used	for signing and	submitted to the parent	zone (only for
	      KSK).

       active Key used for signing.

       retire_active
	      Key still	used for signing, but another key is active (only  for
	      KSK or algorithm rollover).

       retire Key still	published, but no longer used for signing.

       post_active
	      Key  no  longer  published, but still used for signing (only for
	      algorithm	rollover).

       remove Key deleted.

   Timestamps
       0      Zero timestamp means infinite future.

       UNIX_time
	      Positive number of seconds since 1970-01-01 00:00:00 UTC (the
	      UNIX epoch).

       YYYYMMDDHHMMSS
	      Date and time in this format without any punctuation.

       relative_timestamp
	      A	sign character (+, -), a number, and an	optional time unit (y,
	      mo,  d,  h,  mi, s). The default unit is one second.  E.g. +1mi,
	      -2mo.
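
       The following added example (not	part of	keymgr or Knot DNS) resolves
       the four	timestamp forms	above to absolute UNIX time and	checks that
       the lifetime arguments handed to	generate or set	follow the key-state
       order listed under Generate arguments, so a timeline that runs back-
       wards is	caught before it reaches the KASP database. It assumes fixed
       unit lengths (y = 365 days, mo =	30 days) and reads YYYYMMDDHHMMSS as
       UTC; Knot's own parser may differ on both points.

```python
import re
from datetime import datetime, timezone

# Added example; not Knot DNS code.  Resolves the timestamp formats accepted
# by keymgr to absolute UNIX time and checks that key lifetime arguments do
# not run backwards through the key states.  Assumptions: relative units are
# fixed-length (y = 365 days, mo = 30 days) and YYYYMMDDHHMMSS is UTC.
UNIT_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "d": 86400,
                "h": 3600, "mi": 60, "s": 1}
_RELATIVE = re.compile(r"([+-])(\d+)(y|mo|d|h|mi|s)?")

# Chronological order of the key states from the "Generate arguments" list.
STATE_ORDER = ["pre_active", "publish", "ready", "active",
               "retire_active", "retire", "post_active", "remove"]


def parse_timestamp(text, now):
    """Return an absolute UNIX time, or None for '0' (infinite future)."""
    if text == "0":
        return None
    m = _RELATIVE.fullmatch(text)
    if m:
        sign, amount, unit = m.groups()
        delta = int(amount) * UNIT_SECONDS[unit or "s"]   # default unit: seconds
        return now + delta if sign == "+" else now - delta
    if re.fullmatch(r"\d{14}", text):
        dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    if re.fullmatch(r"\d+", text):
        return int(text)
    raise ValueError(f"unrecognised timestamp: {text!r}")


def resolve_lifetime(args, now):
    """Map the timing arguments among 'name=value' strings to UNIX time;
    non-timing arguments such as algorithm= or ksk= are passed over."""
    resolved = {}
    for arg in args:
        name, sep, value = arg.partition("=")
        if not sep:
            raise ValueError(f"argument is not name=value: {arg!r}")
        if name in STATE_ORDER:
            resolved[name] = parse_timestamp(value, now)
    return resolved


def lifetime_errors(args, now):
    """Return a list of ordering problems (empty when the timeline is sane).
    A key may skip states, but each given state must not precede the previous
    one, and '0' (never) may only be followed by other '0' values."""
    resolved = resolve_lifetime(args, now)
    errors = []
    prev_name, prev_time = None, None
    for name in STATE_ORDER:
        if name not in resolved:
            continue
        t = resolved[name]
        if prev_name is not None:
            if prev_time is None and t is not None:
                errors.append(f"{prev_name} is never (0) but {name} is set")
            elif t is not None and t < prev_time:
                errors.append(f"{name} ({t}) precedes {prev_name} ({prev_time})")
        prev_name, prev_time = name, t
    return errors


if __name__ == "__main__":
    # The argument list from EXAMPLES item 4, resolved against a fixed "now".
    now = 1500000000
    args = ["active=+2mi", "retire=+4mi", "remove=+5mi"]
    print(resolve_lifetime(args, now))
    print(lifetime_errors(args, now) or "timeline OK")
```

       Run lifetime_errors over the argument list before invoking keymgr set
       or generate with it; an empty list means the states are in order.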

   Output timestamp formats
       (none) The timestamps are printed as UNIX timestamps.

       human  The timestamps are printed relative to now using	time units
	      (e.g. -2y5mo, +1h13s).

       iso    The   timestamps	 are  printed  in  the	ISO8601	 format	 (e.g.
	      2016-12-31T23:59:00).

EXIT VALUES
       Exit status of 0	means successful operation. Any	other exit status  in-
       dicates an error.

EXAMPLES
       1. Generate new TSIG key:

	     $ keymgr -t my_name hmac-sha384

       2. Generate new DNSSEC key:

	     $ keymgr example.com. generate algorithm=ECDSAP256SHA256 size=256 \
	       ksk=true	created=1488034625 publish=20170223205611 retire=+10mo remove=+1y

       3. Import a DNSSEC key from BIND:

	     $ keymgr example.com. import-bind ~/bind/Kharbinge4d5.+007+63089.key

       4. Configure key	timing:

	     $ keymgr example.com. set 4208 active=+2mi	retire=+4mi remove=+5mi

       5. Share	a KSK from another zone:

	     $ keymgr example.com. share e687cf927029e9db7184d2ece6d663f5d1e5b0e9 another-zone.com.

SEE ALSO
       RFC  6781  -  DNSSEC  Operational  Practices.   RFC  7583  - DNSSEC Key
       Rollover	Timing Considerations.

       knot.conf(5), knotc(8), knotd(8).

AUTHOR
       CZ.NIC Labs <https://www.knot-dns.cz>

COPYRIGHT
       Copyright 2010–2020, CZ.NIC, z.s.p.o.

2.9.5				  2020-05-25			     KEYMGR(8)


Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=keymgr&sektion=8&manpath=FreeBSD+12.1-RELEASE+and+Ports>
