keyrec - Zone and key data used by DNSSEC-Tools programs.
keyrec files contain data about zones signed by, and keys generated by, the DNSSEC-Tools programs. A keyrec file is organized as a series of keyrec records. Each keyrec is of zone type, set type, or key type. Zone keyrecs describe how a zone was signed. Set keyrecs describe signing sets, i.e. groups of key keyrecs. Key keyrecs describe how the signing keys were generated. A keyrec consists of a set of keyword/value entries.
The DNSSEC-Tools keyrec.pm module manipulates the contents of a keyrec file. Module interfaces exist for looking up keyrec records, creating new records, and modifying existing records.
Comment lines and blank lines are ignored by the DNSSEC-Tools programs. Comment lines start with either a '#' character or a ';' character.
A keyrec's name may consist of alphabetic characters, numbers, and several special characters. The special characters are the minus sign, the plus sign, the underscore, the comma, the period, and the colon.
The values in a keyrec's entries may consist of alphabetic characters, numbers, and several special characters. The special characters are the minus sign, the plus sign, the underscore, the comma, the period, the colon, the forward-slash, the space, and the tab.
The fields in a keyrec record are described in this section. The fields in each type of record (zone, set, key) are described in their own subsection.
Zone Fields
* archivedir
The name of the key archive directory for this zone.
* endtime
The time when the zone's RRSIG records expire. This field is passed to dnssec-signzone as the argument to the -e option, so it takes the forms that option accepts; a value such as "+604800" is an offset in seconds from signing time (here, seven days).
* gends
Boolean value to indicate whether or not DS records should be generated for the zone.
* keyrec_signdate
The textual timestamp of the zone keyrec's last update. This is a translation of the keyrec_signsecs field.
* keyrec_signsecs
The numeric timestamp of the zone keyrec's last update. This is measured in seconds since the epoch.
* ksdir
The name of the directory to hold the zone's keyset files.
* kskcount
The number of KSKs to generate for the zone.
* kskcur
The name of the zone's Current KSK signing set. This is the name of the set keyrec that lists the zone's current KSK keys.
* kskpub
The name of the zone's Published KSK signing set. This is the name of the set keyrec that lists the zone's published KSK keys.
* kskdirectory
The directory that holds the KSK keys.
* lastset
The most recently generated signing set for the zone.
* serial
The most recent serial number for the zone.
* szopts
Optional arguments passed to the dnssec-signzone command.
* signedzone
The name of the signed zone file for this zone.
* zonefile
The name of the zone file for this zone.
* zskcount
The number of ZSKs to generate for the zone.
* zskcur
The name of the signing set for the current ZSK keys. This is the name of the signing set's set keyrec.
* zskdirectory
The directory that holds the ZSK keys.
* zskpub
The name of the signing set for the published ZSK keys. This is the name of the signing set's set keyrec.
* zsknew
The name of the signing set for the new ZSK keys. This is the name of the signing set's set keyrec.
Set Fields
* keys
The list of keys in this signing set. Each key listed should have a corresponding key keyrec whose name matches the key name.
* keyrec_setdate
The textual timestamp of the signing set's last modification. This is a translation of the keyrec_setsecs field.
* keyrec_setsecs
The numeric timestamp of the signing set's last modification. This is measured in seconds since the epoch.
* zonename
The name of the zone for which this signing set was generated.
Key Fields
* algorithm
The cryptographic algorithm used to generate this key (rsasha1 in the example below), as given to dnssec-keygen.
* keypath
The path to the key. This may be an absolute or relative path, but it should be one which zonesigner can use (in conjunction with other keyrec fields) to find the key.
* keyrec_gendate
The textual timestamp of the key's creation. This is a translation of the keyrec_gensecs field.
* keyrec_gensecs
The numeric timestamp of the key's creation. This is measured in seconds since the epoch.
* kgopts
Additional options to pass to the dnssec-keygen command.
* ksklength
The length, in bits, of the KSK key. This is only included in keyrecs for KSK keys.
* ksklife
The lifespan, in seconds, of the KSK key. This is only included in keyrecs for KSK keys.
* random
The random device (e.g. /dev/urandom) used as the entropy source when this key was generated; it is passed to dnssec-keygen as its random device.
* zonename
The name of the zone for which this key was generated.
* zsklength
The length, in bits, of the ZSK key. This is only included in keyrecs for ZSK keys.
* zsklife
The lifespan, in seconds, of the ZSK key. This is only included in keyrecs for ZSK keys.
The following is an example of a zone keyrec:
    zone        "example.com"
        zonefile        "db.example.com"
        signedzone      "db.example.com.signed"
        endtime         "+604800"
        archivedir      "/usr/etc/dnssec-tools/key-vault"
        kskcur          "signing-set-41"
        kskdirectory    "keydir"
        zskcur          "signing-set-42"
        zskpub          "signing-set-43"
        zsknew          "signing-set-44"
        lastset         "signing-set-44"
        keyrec_signsecs "1123771721"
        keyrec_signdate "Thu Aug 11 14:48:41 2005"
The following is an example of a set keyrec:
    set         "signing-set-42"
        zonename        "example.com"
        keys            "Kexample.com.+005+88888"
        keyrec_setsecs  "1123771350"
        keyrec_setdate  "Thu Aug 11 14:42:30 2005"
The following is an example of a key keyrec:
    key         "Kexample.com.+005+88888"
        zonename        "example.com"
        keyrec_type     "kskcur"
        algorithm       "rsasha1"
        random          "/dev/urandom"
        keypath         "./Kexample.com.+005+88888.key"
        ksklength       "1024"
        keyrec_gensecs  "1123771354"
        keyrec_gendate  "Thu Aug 11 14:42:34 2005"
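The following is an added example, not part of the DNSSEC-Tools package or of the keyrec.pm module: a small Python reader for the keyrec layout described above (records introduced by a zone, set or key line, followed by keyword/value entries, with '#' and ';' comments ignored), together with the consistency checks a practitioner would run before handing a keyrec file to zonesigner: record names and values are restricted to the character sets given above, every set named by a zone's kskcur/kskpub/zskcur/zskpub/zsknew/lastset field exists, every key listed in a set's keys field has its own key keyrec, set and key zonename fields point at a zone keyrec, and each textual timestamp (keyrec_signdate, keyrec_setdate, keyrec_gendate) agrees with its numeric counterpart. It assumes values are always double-quoted and that the keys field is a whitespace-separated list; the embedded sample file is constructed from the zone, set and key records shown above plus a second signing set and key with hypothetical names, so that the zone's kskcur reference resolves.

```python
"""Reader and consistency checker for DNSSEC-Tools keyrec files.

Added example, not DNSSEC-Tools code.  Assumptions: values are always
double-quoted, and a set's "keys" value is a whitespace-separated list.
"""
import re
import time

# Character sets from the keyrec description: names, then values
# (values additionally allow '/', space and tab).
NAME_CHARS = re.compile(r'^[A-Za-z0-9\-+_,.:]+$')
VALUE_CHARS = re.compile(r'^[A-Za-z0-9\-+_,.:/ \t]*$')
ENTRY = re.compile(r'^\s*([A-Za-z_]+)\s+"([^"]*)"\s*$')
RECORD_TYPES = ("zone", "set", "key")

# Zone fields whose value must name a set keyrec in the same file.
ZONE_SET_REFS = ("kskcur", "kskpub", "zskcur", "zskpub", "zsknew", "lastset")
# (textual timestamp, numeric timestamp) field pairs per record type.
STAMPS = {"zone": ("keyrec_signdate", "keyrec_signsecs"),
          "set":  ("keyrec_setdate",  "keyrec_setsecs"),
          "key":  ("keyrec_gendate",  "keyrec_gensecs")}


def parse_keyrec(text):
    """Return a list of (type, name, {keyword: value}) tuples in file order."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank and comment lines are ignored
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError("line %d: not a keyword/value entry: %r" % (lineno, raw))
        keyword, value = m.groups()
        if keyword in RECORD_TYPES:           # a zone/set/key line starts a new keyrec
            records.append((keyword, value, {}))
        elif not records:
            raise ValueError("line %d: entry before any zone/set/key line" % lineno)
        else:
            records[-1][2][keyword] = value
    return records


def _stamp_matches(secs, date):
    """True if DATE is the ctime-style rendering of SECS in UTC or local time."""
    try:
        t = int(secs)
    except ValueError:
        return False
    return date in (time.asctime(time.gmtime(t)), time.asctime(time.localtime(t)))


def check_keyrec(records):
    """Return a list of problem strings; an empty list means the file is consistent."""
    problems = []
    by_type = {t: {} for t in RECORD_TYPES}
    for rtype, name, fields in records:
        if not NAME_CHARS.match(name):
            problems.append("%s %r: name contains disallowed characters" % (rtype, name))
        for kw, val in fields.items():
            if not VALUE_CHARS.match(val):
                problems.append("%s %r: field %s has disallowed characters" % (rtype, name, kw))
        if name in by_type[rtype]:
            problems.append("%s %r: duplicate record" % (rtype, name))
        by_type[rtype][name] = fields

    for zname, z in by_type["zone"].items():
        for ref in ZONE_SET_REFS:             # signing-set references must resolve
            if ref in z and z[ref] not in by_type["set"]:
                problems.append("zone %r: %s names missing set %r" % (zname, ref, z[ref]))
    for sname, s in by_type["set"].items():
        for k in s.get("keys", "").split():   # each listed key needs a key keyrec
            if k not in by_type["key"]:
                problems.append("set %r: key %r has no key keyrec" % (sname, k))
        if s.get("zonename") not in by_type["zone"]:
            problems.append("set %r: zonename %r is not a zone keyrec" % (sname, s.get("zonename")))
    for kname, k in by_type["key"].items():
        if k.get("zonename") not in by_type["zone"]:
            problems.append("key %r: zonename %r is not a zone keyrec" % (kname, k.get("zonename")))

    for rtype, name, fields in records:       # textual vs. numeric timestamps
        datef, secsf = STAMPS[rtype]
        if datef in fields and secsf in fields and not _stamp_matches(fields[secsf], fields[datef]):
            problems.append("%s %r: %s does not match %s" % (rtype, name, datef, secsf))
    return problems


# Constructed sample: the page's example records plus a hypothetical KSK
# signing set and key so that the zone's kskcur reference resolves.
SAMPLE = '''\
# keyrec for example.com (constructed sample)
zone    "example.com"
    zonefile        "db.example.com"
    signedzone      "db.example.com.signed"
    endtime         "+604800"
    archivedir      "/usr/etc/dnssec-tools/key-vault"
    kskcur          "signing-set-41"
    kskdirectory    "keydir"
    zskcur          "signing-set-42"
    lastset         "signing-set-42"
    keyrec_signsecs "1123771721"
    keyrec_signdate "Thu Aug 11 14:48:41 2005"

set     "signing-set-41"
    zonename        "example.com"
    keys            "Kexample.com.+005+11111"
    keyrec_setsecs  "1123771350"
    keyrec_setdate  "Thu Aug 11 14:42:30 2005"

set     "signing-set-42"
    zonename        "example.com"
    keys            "Kexample.com.+005+88888"
    keyrec_setsecs  "1123771350"
    keyrec_setdate  "Thu Aug 11 14:42:30 2005"

key     "Kexample.com.+005+11111"
    zonename        "example.com"
    keyrec_type     "kskcur"
    algorithm       "rsasha1"
    random          "/dev/urandom"
    keypath         "./Kexample.com.+005+11111.key"
    ksklength       "1024"
    keyrec_gensecs  "1123771354"
    keyrec_gendate  "Thu Aug 11 14:42:34 2005"

key     "Kexample.com.+005+88888"
    zonename        "example.com"
    keyrec_type     "zskcur"
    algorithm       "rsasha1"
    random          "/dev/urandom"
    keypath         "./Kexample.com.+005+88888.key"
    zsklength       "1024"
    keyrec_gensecs  "1123771354"
    keyrec_gendate  "Thu Aug 11 14:42:34 2005"
'''

if __name__ == "__main__":
    for problem in check_keyrec(parse_keyrec(SAMPLE)) or ["keyrec file is consistent"]:
        print(problem)
```

Run against the page's three records alone, the checker reports the zone's dangling zskpub, zsknew and kskcur references (signing-set-41, -43 and -44 are not shown on the page), which is exactly the class of error that leaves zonesigner unable to find the keys it is told to sign with.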
Copyright 2004-2008 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.
Wayne Morrison, tewok@users.sourceforge.net
lskrf(1)
dnssec-signzone(8), keyarch(8), signset-editor(8), zonesigner(8)
Net::DNS::SEC::Tools::keyrec(3)