DNSSEC Zone Key Tool
ZKT is a tool to manage keys and
signatures for DNSSEC-zones. The Zone Key Tool set consist
of four commands:
- zkt-conf for managing the config file
- zkt-ls to list dnssec zone keys
- zkt-keyman to manage dnssec zone keys
manually (seldom used) and
- zkt-signer to
sign a zone and manage the lifetime and rollover of the zone
Before release 1.0 the tools
where named dnssec-zkt(8) and dnssec-signer(8).
Most of the commands are simple
wrapper commands around the dnssec-keygen(8) and
dnssec-signzone(8) commands provided since BIND 9.3.
They are designed to solve some (especially my) problems in
maintaining a few dnssec aware zones. Before using the Zone
Key Tool it is highly recommended to read the following
There are some minor
requirements if you want to use the zkt-signer
command for automated key management and signing of your
- Every zone config should be in a separate directory,
named just like the zone
- The SOA-Record have to be
written in a special format (see
This is not a requirement if you are using a BIND version of
9.4 (or greater) in conjunction with the unixtime soa serial
format (see option "Serialformat" in the
zkt-signer command must be run at least every
resigning interval (best done with a small
script run by cron(8))
automated KSK rollover is done if the parent zone is on the
same host and a hierarchical directory structure is used.
Otherwise the KSK rollover procedure is working in a
semi-automated fashion (use zkt-keyman
--ksk-rollover for that)
- All the state about
keys, time of resigning and so on, will be stored in the
filesystem. There is no online checking or any other form of
alignment with the published keys.
- Support of views
is still experimental.
The zkt-ls command is not
primary designed for environments with many secure zones.
However, some tests with round about 12000 zones, stored in
a two level directory structure
(zonedir/<firstletter>/<domain>) shows that this
could be a working scenario. I did some perfomance
improvements and changed the internal data structure from a
single linked list to a binary tree (which is used by
default) to speed things up.
There is an intro about ZKT
compilation and initial setup
on the .SE website.
The source code of ZKT stands
under the BSD License.
All commands use the
dnssec.conf config file.
You can access the software at
github or at
the following links:
- zkt-1.1.4.tar.gz (09.
May 2016) Some bug fixes and a new command
(21. Nov 2014) Bug fix in BIND version parsing (9.10.0 was
parsed as 9.1.0); Option -e in keygen is removed;
(05. Dec 2012) Bug fix in inc_serial()
- zkt-1.1.1.tar.gz (27. Nov 2012) Withdrawn Dec 5
(29. Jan 2012) Change of default timers; Bug fixes; New
option -M for zkt-ls; New release numbering style
- zkt-1.0.tar.gz (15.
June 2010) zkt-ls has option -s and -T; Compability option
-C for zkt-conf;
(1. Apr 2010) dnssec-signer renamed to zkt-signer; Split off
dnssec-zkt into zkt-conf, zkt-ls and zkt-keyman;
zkt-conf parses zone file for MAX_TTL parameter; Per domain
logging; color mode for zkt-ls;
- zkt-0.99d.tar (14.
Jan 2010) Not public released
- zkt-0.99c.tar.gz (1.
Aug 2009) Support of named change root environments; bug
fixes; Config file syntax and install directory changed!
(28. Dec 2008) Support of the new BIND 9.6.0 features NSEC3
and dynamic zone signing
(5. Aug 2008) Licence changed to BSD; Compressed tar file;
Use of configure for compile time config settings; automated
(19. June 2008) Better (error) logging; Support of RFC5011
- zkt-0.95.tar (19. Apr 2008) Not public released
(6. Dec 2007) Support of views
(1. Nov 2007) Basic support of revoke bit; KSK registration
disabled by default; New command dnssec-soaserial added
(1. Oct 2007) Unixtime serial number support
(1. Apr 2007) ksk-rollover added to dnssec-zkt; Experimental
support of dynamic zones
(6. Dec 2006) Automatic zsk rollover added; Long opt support
(11. Sep 2005) btree support added
(1. Apr 2005) First public release
For FreeBSD users a port is
available at the
zkt port maintainer site
or via the official
(Thanks to Frank Behrens for maintaining the port)
OpenBSD users will find a port
(Thanks to Jakob Schlyter for maintaining the port)
ZKT is also contributed with the
BIND source code since BIND 9.6.0a1
Last modified: 09. May 2016 18:49 CEST