DNSSEC Zone Key Tool

ZKT is a tool to manage keys and signatures for DNSSEC-zones. The Zone Key Tool set consist of four commands:

zkt-conf for managing the config file
zkt-ls to list dnssec zone keys
zkt-keyman to manage dnssec zone keys manually (seldom used) and
zkt-signer to sign a zone and manage the lifetime and rollover of the zone signing keys

Before release 1.0 the tools where named dnssec-zkt(8) and dnssec-signer(8).

Most of the commands are simple wrapper commands around the dnssec-keygen(8) and dnssec-signzone(8) commands provided since BIND 9.3.
They are designed to solve some (especially my) problems in maintaining a few dnssec aware zones. Before using the Zone Key Tool it is highly recommended to read the following documents:

DNSSEC Howto by Olaf Kolkman, NLnetlabs
RFC4641 DNSSEC Operational Practices by Olaf Kolkman and Miek Gieben
The DNSSEC Zone Management with ZKT presentation gives an overview about the steps required for signing a zone, and a very short introduction in the usage of the zone key tool (prio 1.0 release).
If you are interested in some more details about the Zone Key Tool please have a look at the presentation given at .SE

There are some minor requirements if you want to use the zkt-signer command for automated key management and signing of your zone:

Every zone config should be in a separate directory, named just like the zone
The SOA-Record have to be written in a special format (see zonedir/example.net/zone.db)
This is not a requirement if you are using a BIND version of 9.4 (or greater) in conjunction with the unixtime soa serial format (see option "Serialformat" in the dnssec.conf file)
The zkt-signer command must be run at least every resigning interval (best done with a small script run by cron(8))
An automated KSK rollover is done if the parent zone is on the same host and a hierarchical directory structure is used. Otherwise the KSK rollover procedure is working in a semi-automated fashion (use zkt-keyman --ksk-rollover for that)
All the state about keys, time of resigning and so on, will be stored in the filesystem. There is no online checking or any other form of alignment with the published keys.
Support of views is still experimental.

The zkt-ls command is not primary designed for environments with many secure zones. However, some tests with round about 12000 zones, stored in a two level directory structure (zonedir/<firstletter>/<domain>) shows that this could be a working scenario. I did some perfomance improvements and changed the internal data structure from a single linked list to a binary tree (which is used by default) to speed things up.

There is an intro about ZKT (0.96) compilation and initial setup on the .SE website.

The source code of ZKT stands under the BSD License.

Manpages

zkt-conf(8) html / pdf
zkt-ls(8) html / pdf
zkt-keyman(8) html / pdf
zkt-signer(8) html / pdf

All commands use the dnssec.conf config file.

Download

You can access the software at github or at the following links:

zkt-1.1.6.tar.gz (06. January 2023) Housekeeping and adoptions for newer gcc support
zkt-1.1.5.tar.gz (17. June 2019) Some minor bug fixes and changes required for newer BIND versions
zkt-1.1.4.tar.gz (09. May 2016) Some bug fixes and a new command "zkt-delegate"
zkt-1.1.3.tar.gz (21. Nov 2014) Bug fix in BIND version parsing (9.10.0 was parsed as 9.1.0); Option -e in keygen is removed;
zkt-1.1.2.tar.gz (05. Dec 2012) Bug fix in inc_serial()
zkt-1.1.1.tar.gz (27. Nov 2012) Withdrawn Dec 5 2012
zkt-1.1.0.tar.gz (29. Jan 2012) Change of default timers; Bug fixes; New option -M for zkt-ls; New release numbering style
zkt-1.0.tar.gz (15. June 2010) zkt-ls has option -s and -T; Compability option -C for zkt-conf;
zkt-1.0rc1.tar.gz (1. Apr 2010) dnssec-signer renamed to zkt-signer; Split off dnssec-zkt into zkt-conf, zkt-ls and zkt-keyman;
zkt-conf parses zone file for MAX_TTL parameter; Per domain logging; color mode for zkt-ls;
zkt-0.99d.tar (14. Jan 2010) Not public released
zkt-0.99c.tar.gz (1. Aug 2009) Support of named change root environments; bug fixes; Config file syntax and install directory changed!
zkt-0.98.tar.gz (28. Dec 2008) Support of the new BIND 9.6.0 features NSEC3 and dynamic zone signing
zkt-0.97.tar.gz (5. Aug 2008) Licence changed to BSD; Compressed tar file; Use of configure for compile time config settings; automated KSK rollover
zkt-0.96.tar (19. June 2008) Better (error) logging; Support of RFC5011
zkt-0.95.tar (19. Apr 2008) Not public released
zkt-0.94.tar (6. Dec 2007) Support of views
zkt-0.93.tar (1. Nov 2007) Basic support of revoke bit; KSK registration disabled by default; New command dnssec-soaserial added
zkt-0.92.tar (1. Oct 2007) Unixtime serial number support
zkt-0.91.tar (1. Apr 2007) ksk-rollover added to dnssec-zkt; Experimental support of dynamic zones
zkt-0.90.tar (6. Dec 2006) Automatic zsk rollover added; Long opt support
zkt-0.70.tar (11. Sep 2005) btree support added
zkt-0.5.tar (1. Apr 2005) First public release

For FreeBSD users a port is available at the zkt port maintainer site or via the official FreeBSD ports repository.
(Thanks to Frank Behrens for maintaining the port)

OpenBSD users will find a port at openports.se
(Thanks to Jakob Schlyter for maintaining the port)

ZKT is also contributed with the BIND source code since BIND 9.6.0a1