
DNSSEC Zone Key Tool
ZKT is a tool to manage keys and
signatures for DNSSEC-zones. The Zone Key Tool set consist
of four commands:
- zkt-conf for managing the config file
- zkt-ls to list dnssec zone keys
- zkt-keyman
to manage dnssec zone keys manually (seldom used) and
- zkt-signer to sign a zone and manage the lifetime
and rollover of the zone signing keys
Before release 1.0 the tools
where named dnssec-zkt(8) and dnssec-signer(8).
Most of the commands are simple
wrapper commands around the dnssec-keygen(8) and
dnssec-signzone(8) commands provided since BIND 9.3.
They are designed to solve some (especially my) problems in
maintaining a few dnssec aware zones. Before using the Zone
Key Tool it is highly recommended to read the following
documents:
There are some minor
requirements if you want to use the zkt-signer command for
automated key management and signing of your zone:
- Every zone config should be in a separate directory,
named just like the zone
- The SOA-Record have to be
written in a special format (see
zonedir/example.net/zone.db)
This is not a requirement if you are using a BIND version of
9.4 (or greater) in conjunction with the unixtime soa serial
format (see option "Serialformat" in the
dnssec.conf file) - The
zkt-signer command must be run at least every resigning
interval (best done with a small
script run by cron(8))
- An
automated KSK rollover is done if the parent zone is on the
same host and a hierarchical directory structure is used.
Otherwise the KSK rollover procedure is working in a
semi-automated fashion (use zkt-keyman --ksk-rollover for
that)
- All the state about keys, time of resigning
and so on, will be stored in the filesystem. There is no
online checking or any other form of alignment with the
published keys.
- Support of views is still
experimental.
The zkt-ls command is not
primary designed for environments with many secure zones.
However, some tests with round about 12000 zones, stored in
a two level directory structure
(zonedir/<firstletter>/<domain>) shows that this
could be a working scenario. I did some perfomance
improvements and changed the internal data structure from a
single linked list to a binary tree (which is used by
default) to speed things up.
There is an intro about ZKT
(0.96)
compilation and initial setup
on the .SE website.
The source code of ZKT stands
under the BSD License.
Manpages
All commands use the
dnssec.conf config file.
Download
You can access the software at
github or at
the following links:
- zkt-1.1.6.tar.gz (06.
January 2023) Houeskeeping and adoptions for newer gcc
support
- zkt-1.1.5.tar.gz
(17. June 2019) Some minor bug fixes and changes required
for newer BIND versions
- zkt-1.1.4.tar.gz
(09. May 2016) Some bug fixes and a new command
"zkt-delegate"
- zkt-1.1.3.tar.gz
(21. Nov 2014) Bug fix in BIND version parsing (9.10.0 was
parsed as 9.1.0); Option -e in keygen is removed;
- zkt-1.1.2.tar.gz
(05. Dec 2012) Bug fix in inc_serial()
- zkt-1.1.1.tar.gz (27. Nov 2012) Withdrawn Dec 5
2012
- zkt-1.1.0.tar.gz
(29. Jan 2012) Change of default timers; Bug fixes; New
option -M for zkt-ls; New release numbering style
- zkt-1.0.tar.gz (15.
June 2010) zkt-ls has option -s and -T; Compability option
-C for zkt-conf;
- zkt-1.0rc1.tar.gz
(1. Apr 2010) dnssec-signer renamed to zkt-signer; Split off
dnssec-zkt into zkt-conf, zkt-ls and zkt-keyman;
zkt-conf parses zone file for MAX_TTL parameter; Per domain
logging; color mode for zkt-ls; - zkt-0.99d.tar (14.
Jan 2010) Not public released
- zkt-0.99c.tar.gz (1.
Aug 2009) Support of named change root environments; bug
fixes; Config file syntax and install directory changed!
- zkt-0.98.tar.gz
(28. Dec 2008) Support of the new BIND 9.6.0 features NSEC3
and dynamic zone signing
- zkt-0.97.tar.gz
(5. Aug 2008) Licence changed to BSD; Compressed tar file;
Use of configure for compile time config settings; automated
KSK rollover
- zkt-0.96.tar
(19. June 2008) Better (error) logging; Support of RFC5011
- zkt-0.95.tar (19. Apr 2008) Not public released
- zkt-0.94.tar
(6. Dec 2007) Support of views
- zkt-0.93.tar
(1. Nov 2007) Basic support of revoke bit; KSK registration
disabled by default; New command dnssec-soaserial added
- zkt-0.92.tar
(1. Oct 2007) Unixtime serial number support
- zkt-0.91.tar
(1. Apr 2007) ksk-rollover added to dnssec-zkt; Experimental
support of dynamic zones
- zkt-0.90.tar
(6. Dec 2006) Automatic zsk rollover added; Long opt support
- zkt-0.70.tar
(11. Sep 2005) btree support added
- zkt-0.5.tar
(1. Apr 2005) First public release
For FreeBSD users a port is
available at the
zkt port maintainer site
or via the official
FreeBSD ports
repository.
(Thanks to Frank Behrens for maintaining the port)
OpenBSD users will find a port
at
openports.se
(Thanks to Jakob Schlyter for maintaining the port)
ZKT is also contributed with the
BIND source code since BIND 9.6.0a1
Links
Last modified: 06. Jan 2023 10:49 CEST