Horizontal rule

DNSSEC Zone Key Tool

ZKT is a tool to manage keys and signatures for DNSSEC-zones. The Zone Key Tool set consist of four commands:

Before release 1.0 the tools where named dnssec-zkt(8) and dnssec-signer(8).

Most of the commands are simple wrapper commands around the dnssec-keygen(8) and dnssec-signzone(8) commands provided since BIND 9.3.
They are designed to solve some (especially my) problems in maintaining a few dnssec aware zones. Before using the Zone Key Tool it is highly recommended to read the following documents:

There are some minor requirements if you want to use the zkt-signer command for automated key management and signing of your zone:

The zkt-ls command is not primary designed for environments with many secure zones. However, some tests with round about 12000 zones, stored in a two level directory structure (zonedir/<firstletter>/<domain>) shows that this could be a working scenario. I did some perfomance improvements and changed the internal data structure from a single linked list to a binary tree (which is used by default) to speed things up.

There is an intro about ZKT (0.96) compilation and initial setup on the .SE website.

The source code of ZKT stands under the BSD License.


All commands use the dnssec.conf config file.


You can access the software at github or at the following links:

For FreeBSD users a port is available at the zkt port maintainer site or via the official FreeBSD ports repository.
(Thanks to Frank Behrens for maintaining the port)

OpenBSD users will find a port at openports.se
(Thanks to Jakob Schlyter for maintaining the port)

ZKT is also contributed with the BIND source code since BIND 9.6.0a1


Last modified: 06. Jan 2023 10:49 CEST