
FreeBSD Manual Pages


KEYMGR(8)                          Knot DNS                          KEYMGR(8)

       keymgr - Knot DNS key management utility

       keymgr basic_option [parameters...]

       keymgr [config_option config_storage] zone command argument...

       The keymgr utility serves for manual key management in the Knot DNS
       server.

       Functions for DNSSEC keys and KASP (Key And Signature Policy)
       management are provided.

       The DNSSEC and KASP configuration is stored in a so-called KASP
       database. The database is backed by LMDB.

   Basic options
       -h, --help
              Print the program help.

       -V, --version
              Print the program version.

       -t, --tsig tsig_name [tsig_algorithm] [tsig_bits]
              Generates a TSIG key. The TSIG algorithm can be specified by
              string (default: hmac-sha256), the bit length of the key by
              number (default: optimal length given by the algorithm). The
              generated TSIG key is only displayed on stdout: the command
              does not create a file, nor include the key in a keystore.

       -b, --brief
              List keys briefly. Output to a terminal is colorized by
              default.

       -l, --list
              Print the list of zones that have at least one key stored in
              the configured KASP database.

       -x, --mono
              Don't generate colorized output.

       -X, --color
              Force colorized output in the --brief mode.

   Config options
       -c, --config file
              Use a textual configuration file (default is /usr/lo-

       -C, --confdb directory
              Use a binary configuration database directory (default is
              /var/db/knot/confdb). If the default configuration database
              exists, it takes precedence over the default configuration
              file.

       -D, --dir path
              Use the specified KASP database path and the default
              configuration.

          Keymgr runs with the same user privileges as configured for knotd.
          For example, if keymgr is run as root, but the configured user is
          knot, it won't be able to read files (PEM files, KASP database,
          ...) that are readable only by root.

       list [timestamp_format]
              Prints the list of key IDs and parameters of keys belonging to
              the zone.

       generate [arguments...]
              Generates a new DNSSEC key and stores it in the KASP database.
              Prints the key ID. This action takes some number of arguments
              (see below). Values for unspecified arguments are taken from
              the corresponding policy (if -c or -C options used) or from
              Knot policy

       import-bind BIND_key_file
              Imports a BIND-style key into the KASP database (converting it
              to PEM format). Takes one argument: path to the BIND key file
              (private or public, but both MUST exist).

       import-pub BIND_pubkey_file
              Imports a public key into the KASP database. This key won't be
              rolled over nor used for signing. Takes one argument: path to
              the BIND public key file.

       import-pem PEM_file [arguments...]
              Imports a DNSSEC key from a PEM file. The key parameters (same
              as for the generate action) need to be specified (mainly
              algorithm, timers...) because they are not contained in the
              PEM format.

       import-pkcs11 key_id [arguments...]
              Imports a DNSSEC key from PKCS #11 storage. The key parameters
              (same as for the generate action) need to be specified (mainly
              algorithm, timers...) because they are not available. In fact,
              no key data is imported, only KASP database metadata is
              created.

       nsec3-salt [new_salt]
              Prints the current NSEC3 salt used for signing. If new_salt is
              specified, the salt is overwritten. The salt is printed and
              expected in hexadecimal, or a dash if empty.

       local-serial [new_serial]
              Print the SOA serial stored in the KASP database when using
              on-secondary DNSSEC signing. If new_serial is specified, the
              serial is overwritten. After updating the serial, expire the
              zone (zone-purge +expire +zonefile +journal) if the server is
              running, or remove the corresponding zone file and journal
              contents if the server is

       master-serial [new_serial]
              Print the SOA serial of the remote master stored in the KASP
              database when using on-secondary DNSSEC signing. If new_serial
              is specified, the serial is overwritten (not recommended).

       set key_spec [arguments...]
              Changes a timing argument (or ksk/zsk) of an existing key to a
              new value. Key_spec is either the key tag or a prefix of the
              key ID, with an optional [id=|keytag=] prefix; arguments are
              like for generate, but just the related ones.

       ds [key_spec]
              Generate DS record (all digest algorithms together) for the
              specified key. Key_spec is like for set; if unspecified, all
              KSKs are

       dnskey [key_spec]
              Generate DNSKEY record for the specified key. Key_spec is like
              for ds; if unspecified, all KSKs are used.
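
       As an added example (not code from keymgr or Knot DNS), the following
       Python derives the DS records that the ds command above produces from
       a DNSKEY record, which lets an operator compare a DS already published
       at the parent against the child's DNSKEY without a working keymgr. The
       DS construction (digest over the canonical owner name followed by the
       DNSKEY RDATA) and the key tag follow RFC 4034; that the command emits
       digest types 1, 2 and 4 (SHA-1, SHA-256, SHA-384) is an assumption, and
       the DNSKEY used in the usage section is constructed, not a real key.

```python
"""Added example, not part of keymgr or Knot DNS: compute the DS records
that 'keymgr ds' publishes for a DNSKEY, so a DS already at the parent
can be checked against the child's DNSKEY.

Assumption: the command emits digest types 1 (SHA-1), 2 (SHA-256) and
4 (SHA-384). The DS construction follows RFC 4034 section 5.1.4 and the
key tag follows RFC 4034 Appendix B.
"""
import base64
import hashlib
import struct

# DS digest type number -> hash constructor (assumption: the set keymgr prints).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of a domain name, e.g. b'\\x07example\\x03com\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line: str):
    """Split a presentation-format DNSKEY RR into (owner, flags, protocol, algorithm, rdata)."""
    tokens = line.replace("(", " ").replace(")", " ").split()
    i = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    key = base64.b64decode("".join(tokens[i + 4:]))  # base64 may be split across tokens
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    return owner, flags, proto, alg, rdata


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Upper-case hex DS digest of (owner name wire || DNSKEY RDATA) for one digest type."""
    return DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_records(dnskey_line: str) -> list:
    """Return the DS records, as presentation-format strings, for every digest type."""
    owner, _flags, _proto, alg, rdata = parse_dnskey(dnskey_line)
    tag = key_tag(rdata)
    return [f"{owner} IN DS {tag} {alg} {dt} {ds_digest(owner, rdata, dt)}"
            for dt in sorted(DIGEST_TYPES)]


if __name__ == "__main__":
    # Constructed sample (not a real key): 4 bytes of key material, algorithm 8.
    for rr in ds_records("example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="):
        print(rr)
```

       To check a delegation, feed the DNSKEY printed by the dnskey command
       into ds_records and compare the line for the digest type the parent
       uses with the DS the parent actually serves.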

       delete key_spec
              Remove the specified key from the zone. If the key was not
              shared, it is also deleted from the keystore.

       share key_ID zone_from
              Import a key (specified by full key ID) from another zone as
              shared. After this, the key is owned by both zones equally.

   Commands related to Offline KSK feature
       pregenerate [timestamp-from] timestamp-to
              Pre-generate ZSKs for use with offline KSK, for the specified
              period starting from now or the specified time.

       show-offline timestamp-from [timestamp-to]
              Print pre-generated offline key-related records for the
              specified time interval. If timestamp_to is omitted, it will
              be to infin-

       del-offline timestamp-from timestamp-to
              Delete pre-generated offline key-related records in the
              specified time interval.

              Delete old keys that are in state 'removed'.

       generate-ksr timestamp-from timestamp-to
              Print to stdout a KeySigningRequest based on the pre-generated
              ZSKs for the specified period.

       sign-ksr ksr_file
              Read a KeySigningRequest from a text file, sign it using the
              local keyset and print the SignedKeyResponse to stdout.

       validate-skr skr_file
              Read a SignedKeyResponse from a text file and validate the
              RRSIGs in it if not corrupt.

       import-skr skr_file
              Read a SignedKeyResponse from a text file and import the
              signatures for later use in the zone. If some signatures have
              already been imported, they will be deleted for the period
              from the beginning of the SKR to infinity.

   Generate arguments
       Arguments are separated by space, each of them is in format

              Either an algorithm number (e.g. 14), or text name without
              dashes (e.g. ECDSAP384SHA384).

       size   Key length in bits.

       ksk    If set to yes, the key will be used for signing DNSKEY rrset.
              The generated key will also have the Secure Entry Point flag
              set to 1.

       zsk    If set to yes, the key will be used for signing zone (except
              DNSKEY rrset). This flag can be set concurrently with the ksk

       sep    Overrides the standard setting of the Secure Entry Point flag.

       The following arguments are timestamps of key lifetime (see DNSSEC Key

              Key started to be used for signing, not published (only for
              algorithm rollover).

              Key published.

       ready  Key used for signing and submitted to the parent zone (only for

       active Key used for signing.

              Key still used for signing, but another key is active (only
              for KSK or algorithm rollover).

       retire Key still published, but no longer used for signing.

              Key no longer published, but still used for signing (only for
              algorithm rollover).

       revoke Key revoked according to RFC 5011 trust anchor roll-over.

       remove Key deleted.

       0      Zero timestamp means infinite future.

              Positive number of seconds since 1970 UTC.

              Date and time in this format without any punctuation.

              A sign character (+, -), a number, and an optional time unit
              (y, mo, d, h, mi, s). The default unit is one second. E.g.
              +1mi,
   Output timestamp formats
       (none) The timestamps are printed as UNIX timestamp.

       human  The timestamps are printed relatively to now using time units
              (e.g. -2y5mo, +1h13s).

       iso    The timestamps are printed in the ISO8601 format (e.g.
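
       Added example, not code from keymgr or Knot DNS: a Python model of the
       timestamp input forms described under Generate arguments and of the
       output formats listed above, together with a check that a set of
       lifetime timers (as passed to generate or set) runs forward before the
       command is issued. Assumptions made here that the manual does not
       state: a year is 365 days and a month 30 days when converting relative
       times; a 14-digit number is a YYYYMMDDHHMMSS date in UTC; the iso form
       is YYYY-MM-DDTHH:MM:SS; a zero difference prints as +0; and timers that
       are set are expected to be non-decreasing in the order the manual
       lists them. The command line in the usage section is constructed after
       example 4 of this page.

```python
"""Added example, not part of keymgr or Knot DNS: model of the keymgr
timestamp input forms, the 'human' and 'iso' output formats, and a
forward-running check of key-lifetime timers before they are passed to
'keymgr set' or 'keymgr generate'.

Assumptions (not stated by the manual): a year is 365 days and a month
30 days for relative times; a 14-digit number is a YYYYMMDDHHMMSS date
in UTC; 'iso' output is YYYY-MM-DDTHH:MM:SS; a zero difference prints
as '+0'; timers that are set are non-decreasing in the listed order.
"""
import re
from datetime import datetime, timezone

# Seconds per unit, largest first, in the units the manual lists.
UNITS = {"y": 365 * 86400, "mo": 30 * 86400, "d": 86400, "h": 3600, "mi": 60, "s": 1}

# Key-lifetime timers in the order the manual lists them (earliest first).
TIMER_ORDER = ["pre_active", "publish", "ready", "active", "retire_active",
               "retire", "post_active", "revoke", "remove"]

_RELATIVE = re.compile(r"[+-](?:[0-9]+(?:mo|mi|y|d|h|s)?)+")
_PART = re.compile(r"([0-9]+)(mo|mi|y|d|h|s)?")


def parse_timestamp(spec: str, now: int) -> int:
    """Convert one timestamp in any of the four documented forms to UNIX seconds.

    '0' is returned as 0 and keeps its keymgr meaning of 'infinite future'.
    Anything that matches no documented form raises ValueError.
    """
    if spec == "0":
        return 0
    if re.fullmatch(r"[0-9]+", spec):
        if len(spec) == 14:  # assumption: YYYYMMDDHHMMSS in UTC
            dt = datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            return int(dt.timestamp())
        return int(spec)  # positive number of seconds since 1970 UTC
    if _RELATIVE.fullmatch(spec):
        sign = 1 if spec[0] == "+" else -1
        # The default unit is one second, so a missing unit maps to 's'.
        total = sum(int(n) * UNITS[u or "s"] for n, u in _PART.findall(spec[1:]))
        return now + sign * total
    raise ValueError(f"unrecognised timestamp: {spec!r}")


def format_timestamp(ts: int, now: int, fmt: str = "") -> str:
    """Render ts as the (none), 'human' or 'iso' output format would."""
    if fmt == "":
        return str(ts)
    if ts == 0:
        return "0"  # assumption: the infinite-future marker is printed as is
    if fmt == "iso":
        return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    if fmt == "human":
        diff = ts - now
        sign, rest, parts = ("-" if diff < 0 else "+"), abs(diff), []
        for unit, size in UNITS.items():  # greedy, largest unit first: -2y5mo
            count, rest = divmod(rest, size)
            if count:
                parts.append(f"{count}{unit}")
        return sign + ("".join(parts) or "0")
    raise ValueError(f"unknown output format: {fmt!r}")


def parse_args(argv: list) -> dict:
    """Split name=value words as written on a keymgr command line."""
    out = {}
    for word in argv:
        name, sep, value = word.partition("=")
        if not sep:
            raise ValueError(f"argument without '=': {word!r}")
        out[name] = value
    return out


def check_timer_order(args: dict, now: int) -> list:
    """Report (earlier, later) timer pairs where 'later' is scheduled first.

    Only lifetime timers are examined; other arguments (algorithm, ksk,
    created, ...) are ignored. An empty list means the timeline runs forward.
    """
    resolved = {}
    for name in TIMER_ORDER:
        if name in args:
            ts = parse_timestamp(args[name], now)
            resolved[name] = float("inf") if ts == 0 else ts
    names = list(resolved)
    return [(a, b) for a, b in zip(names, names[1:]) if resolved[b] < resolved[a]]


if __name__ == "__main__":
    import time
    now = int(time.time())
    # Constructed argument list, modelled on example 4 of this manual page.
    timers = parse_args(["active=+2mi", "retire=+4mi", "remove=+5mi"])
    for name, spec in timers.items():
        ts = parse_timestamp(spec, now)
        print(name, ts, format_timestamp(ts, now, "human"), format_timestamp(ts, now, "iso"))
    print("timeline problems:", check_timer_order(timers, now))
```

       Running check_timer_order on the argument list before calling keymgr
       set catches a key whose retire lands before its active time, which the
       manual's timer semantics would otherwise let through unnoticed.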

       Exit status of 0 means successful operation. Any other exit status
       indicates an error.

       1. Generate new TSIG key:

            $ keymgr -t my_name hmac-sha384

       2. Generate new DNSSEC key:

            $ keymgr generate algorithm=ECDSAP256SHA256 size=256 \
              ksk=true created=1488034625 publish=20170223205611 retire=+10mo remove=+1y

       3. Import a DNSSEC key from BIND:

            $ keymgr import-bind ~/bind/Kharbinge4d5.+007+63089.key

       4. Configure key timing:

            $ keymgr set 4208 active=+2mi retire=+4mi remove=+5mi

       5. Share a KSK from another zone:

            $ keymgr share e687cf927029e9db7184d2ece6d663f5d1e5b0e9

       RFC 6781 - DNSSEC Operational Practices. RFC 7583 - DNSSEC Key
       Rollover Timing Considerations.

       knot.conf(5), knotc(8), knotd(8).

       CZ.NIC Labs <>

       Copyright 2010-2021, CZ.NIC, z.s.p.o.

3.1.2                             2021-09-08                         KEYMGR(8)

