SYNOPSIS
cleankrf [options] <keyrec-files>
DESCRIPTION
cleankrf cleans old data out of a set of DNSSEC-Tools keyrec files. The old data are obsolete signing sets, orphaned keys, and obsolete keys.
Obsolete signing sets are set keyrecs unreferenced by a zone keyrec. Revoked signing sets are considered obsolete by cleankrf.
Orphaned keys are KSK and ZSK key keyrecs unreferenced by a set keyrec.
Obsolete keys are key keyrecs with a keyrec_type of kskobs or zskobs.
cleankrf's exit code is the count of orphaned and obsolete keyrecs found.
OPTIONS
- -count
- Display a final count of old keyrecs found in the keyrec files. This option allows the count to be displayed even if the -quiet option is given.
- -list
- The key keyrecs are checked for old keyrecs, but they are not removed from the keyrec file. The names of the old keyrecs are displayed.
- -rm
- Delete the key files, both .key and .private, from orphaned and expired keyrecs.
- -quiet
- Display no output.
- -verbose
- Display output about referenced keys and unreferenced keys.
- -Version
- Displays the version information for cleankrf and the DNSSEC-Tools package.
- -help
- Display a usage message.
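An added example, not part of cleankrf or the DNSSEC-Tools package: a report-only audit wrapper that runs cleankrf with -list and -count and reads the exit code as the old-keyrec count instead of as a failure. The helper name audit_keyrecs, the CLEANKRF variable, and the variables AUDIT_STATUS and AUDIT_REPORT are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not DNSSEC-Tools code): report-only audit of keyrec files.
# Assumption: CLEANKRF names the cleankrf program; override it to test.
CLEANKRF=${CLEANKRF:-cleankrf}

# audit_keyrecs <keyrec-file>...   (hypothetical helper)
# Runs cleankrf with -list, so old keyrecs are named but not removed,
# and -count, so the final count is displayed.
# Leaves cleankrf's exit status in AUDIT_STATUS and its output in AUDIT_REPORT.
# Returns: 0 nothing old reported, 1 old keyrecs found,
#          2 usage error, 3 cleankrf could not be run.
audit_keyrecs() {
    [ "$#" -gt 0 ] || { echo "usage: audit_keyrecs <keyrec-files>" >&2; return 2; }

    AUDIT_STATUS=0
    # A non-zero status here is a count, not an error, so capture it
    # instead of letting "set -e" or "&&" chains abort the caller.
    AUDIT_REPORT=$("$CLEANKRF" -list -count "$@" 2>&1) || AUDIT_STATUS=$?

    case $AUDIT_STATUS in
        0)
            echo "keyrec audit: no old keyrecs reported"
            return 0 ;;
        126|127)
            # The shell uses 126/127 for "cannot execute" / "not found".
            # A real count of 126 or 127 is indistinguishable from this,
            # so check AUDIT_REPORT before trusting either reading.
            echo "keyrec audit: cannot run $CLEANKRF" >&2
            return 3 ;;
        *)
            # An exit status holds only 8 bits: use it as an indicator
            # and take the exact number from the -count output.
            printf '%s\n' "$AUDIT_REPORT"
            echo "keyrec audit: old keyrecs found (exit status $AUDIT_STATUS)"
            return 1 ;;
    esac
}

# Typical use, with a placeholder file name:
#   audit_keyrecs example.krf || echo "review before running cleankrf -rm"
```

Because -rm deletes .private files, running the report-only pass first and reviewing its output keeps key-file removal a deliberate step.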