Copyright (C) 2000 Internet Software Consortium.
Permission to use, copy, modify, and distribute this document for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
$Id: dnssec-signzone.8,v 1.4 2000/07/26 00:47:17 bwelling Exp $
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNZONE 8
.Os BIND9 9
.Sh NAME
.Nm dnssec-signzone
.Nd DNSSEC zone signing tool
.Sh SYNOPSIS
.Nm dnssec-signzone
.Op Fl a
.Op Fl c Ar cycle-time
.Op Fl s Ar start-time
.Op Fl e Ar end-time
.Op Fl o Ar origin
.Op Fl f Ar output-file
.Op Fl h
.Op Fl p
.Op Fl r Ar randomdev
.Op Fl v Ar level
.Ar zonefile
.Op Ar keyfile ...
.Sh DESCRIPTION
.Nm dnssec-signzone
is used to sign a zone.
Any
.Ar .signedkey
files for the zone to be signed should be present in the current
directory, along with the keys that will be used to sign the zone.
If no
.Ar keyfile
arguments are supplied, the default behaviour is to use all of the
zone's keys that are present in the current directory.
Providing specific
.Ar keyfile
arguments constrains
.Nm dnssec-signzone
to only use those keys for signing the zone.
Each
.Ar keyfile
argument is the identification string of a key created with
.Xr dnssec-keygen 8 .
If the zone to be signed has any secure subzones, the
.Ar .signedkey
files for those subzones need to be available in the current working
directory used by
.Nm dnssec-signzone .
.Pp
.Ar zonefile
is the name of the unsigned zone file.
Unless the file name is the same as the name of the zone, the
.Fl o
option should be given.
.Ar origin
will be the fully qualified domain origin for the zone.
.Pp
.Nm dnssec-signzone
will generate NXT and SIG records for the zone and produce a signed
version of the zone.
If there is a
.Ar .signedkey
file from the zone's parent, the parent's signatures will be
incorporated into the generated signed zone file.
Any delegation points in the signed zone will have their security
status defined, i.e. whether they are DNSSEC-aware or not.
.Pp
By default,
.Nm dnssec-signzone
generates a file called
.Ar zonefile.signed
containing the signed zone file.
This can be overridden by the
.Fl f
option.
Instead of this default file name, the signed zone file will be
written to
.Ar output-file .
.Pp
.Nm dnssec-signzone
does not verify the signatures by default.
The
.Fl a
option makes it verify the signatures it generated.
.Pp
The date and time when the generated SIG records become valid can be
specified with the
.Fl s
option.
.Ar start-time
can be either an absolute or a relative date.
An absolute start time is indicated by a number in YYYYMMDDHHMMSS
notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.
A relative start time is supplied when
.Ar start-time
is given as +N: N seconds from the current time.
If no
.Fl s
option is supplied, the current date and time is used for the start
time of the SIG records.
.Pp
The expiry date for the SIG records can be set by the
.Fl e
option.
Note that in this context, the expiry date specifies when the SIG
records are no longer valid, not when they are deleted from caches
on name servers.
.Ar end-time
also represents an absolute or relative date.
YYYYMMDDHHMMSS notation is used as before to indicate an absolute
date and time.
When
.Ar end-time
is +N, it indicates that the SIG records will expire N seconds after
their start time.
If
.Ar end-time
is supplied as now+N, the SIG records will expire N seconds after the
current time.
When no expiry date is set for the SIG records,
.Nm dnssec-signzone
defaults to an expiry time of 30 days from the start time of the SIG
records.
.Pp
.Nm dnssec-signzone
can automatically re-sign records if their signatures expire before
the expiry date that applies for the current zone signing activity.
This applies to a zone that has previously been signed.
The decision to generate a new SIG record is determined by the cycle
time.
If the current SIG record expires after the cycle time, it is left
alone.
If it expires before the cycle time, the SIG record is considered to
be close to expiry, and
.Nm dnssec-signzone
creates a new SIG record to replace the one that is about to expire.
.Pp
The default cycle time is a quarter of the difference between the
signature end and start times for the current invocation of
.Nm dnssec-signzone .
So if the
.Fl e
and
.Fl s
options are not specified,
.Nm dnssec-signzone
generates signatures that are valid for 30 days from the current date
by default.
The cycle time would then be 7.5 days from the current date, and any
existing SIG records due to expire within that time are replaced with
new ones.
.Pp
The
.Fl c
option can be used to change the cycle time.
.Ar cycle-time
indicates the number of seconds from the current time that should be
used to set the cycle time and determine when fresh SIG records
should be generated.
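.Pp
The following is an added example, not part of the BIND distribution
or of this man page: a small Python model of the
.Fl s ,
.Fl e
and
.Fl c
rules above, showing how the start, end and cycle times are resolved
(including the asymmetry that +N counts from the start time for
.Fl e
but from the current time for
.Fl s
and
.Fl c )
and which existing SIG records fall due for re-signing.
The function names, the rejection of an end time that is not after
the start time, and treating a SIG that expires exactly at the cycle
time as close to expiry are choices of this example, not behaviour
the page documents.

```python
# Added example: a model of dnssec-signzone's -s / -e / -c timing rules as the
# man page describes them. This is not BIND code; names here are our own.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

DEFAULT_VALIDITY = timedelta(days=30)   # "defaults to an expiry time of 30 days"
ABSOLUTE_LEN = 14                       # YYYYMMDDHHMMSS


def parse_absolute(spec: str) -> datetime:
    """YYYYMMDDHHMMSS read as UTC: 20000530144500 is 14:45:00 UTC, 30 May 2000."""
    if len(spec) != ABSOLUTE_LEN or not spec.isdigit():
        raise ValueError(f"not a YYYYMMDDHHMMSS timestamp: {spec!r}")
    return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def _seconds(spec: str) -> timedelta:
    """The N in +N / now+N is a non-negative whole number of seconds."""
    if not spec.isdigit():
        raise ValueError(f"not a second count: {spec!r}")
    return timedelta(seconds=int(spec))


def resolve_start(spec: Optional[str], now: datetime) -> datetime:
    """-s: absolute time, or +N seconds from now; default is now."""
    if spec is None:
        return now
    if spec.startswith("+"):
        return now + _seconds(spec[1:])
    return parse_absolute(spec)


def resolve_end(spec: Optional[str], start: datetime, now: datetime) -> datetime:
    """-e: absolute time, +N after the START time, or now+N after the current time.

    For -e a bare +N counts from the signature start, not from now; that is
    the asymmetry the man page spells out. Default is start + 30 days.
    """
    if spec is None:
        return start + DEFAULT_VALIDITY
    if spec.startswith("now+"):
        return now + _seconds(spec[len("now+"):])
    if spec.startswith("+"):
        return start + _seconds(spec[1:])
    return parse_absolute(spec)


def resolve_cycle(spec: Optional[str], start: datetime, end: datetime,
                  now: datetime) -> datetime:
    """-c: N seconds from now; default is a quarter of the end-start window from now."""
    if spec is None:
        return now + (end - start) / 4
    return now + _seconds(spec)


@dataclass(frozen=True)
class SigningPlan:
    start: datetime   # inception of the SIG records this run generates
    end: datetime     # expiry of those SIG records
    cycle: datetime   # existing SIGs expiring before this deadline are re-signed


def make_plan(now: datetime, start_spec: Optional[str] = None,
              end_spec: Optional[str] = None,
              cycle_spec: Optional[str] = None) -> SigningPlan:
    start = resolve_start(start_spec, now)
    end = resolve_end(end_spec, start, now)
    if end <= start:
        # Sanity check added by this example; the page does not say what the
        # tool does when the end time is not after the start time.
        raise ValueError("signature end time must be after its start time")
    return SigningPlan(start, end, resolve_cycle(cycle_spec, start, end, now))


def needs_resign(existing_expiry: datetime, plan: SigningPlan) -> bool:
    """An existing SIG that expires before the cycle time is 'close to expiry'.

    A SIG expiring exactly at the cycle time is also treated as close to
    expiry; that boundary choice is ours, the page only speaks of before/after.
    """
    return existing_expiry <= plan.cycle


def select_for_resign(expiries: Iterable[datetime], plan: SigningPlan) -> List[datetime]:
    """Return the existing SIG expiry times that would be replaced this run."""
    return [e for e in expiries if needs_resign(e, plan)]


if __name__ == "__main__":
    # Constructed sample: "now" is the man page's own example timestamp.
    now = parse_absolute("20000530144500")
    plan = make_plan(now)                  # no -s/-e/-c: 30-day SIGs, 7.5-day cycle
    print("cycle deadline:", plan.cycle.isoformat())
    old_sigs = [now + timedelta(days=d) for d in (1, 7, 8, 29)]
    print("re-sign:", [e.isoformat() for e in select_for_resign(old_sigs, plan)])
```

With no options the model reproduces the defaults the page gives: a
30-day validity window and a cycle deadline 7.5 days out, so existing
SIGs expiring in 1 or 7 days are replaced while those expiring in 8 or
29 days are left alone.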
.Pp
The
.Fl p
option instructs
.Nm dnssec-signzone
to use pseudo-random data when signing the zone.
This is faster, but less secure, than using genuinely random data for
signing.
This option may be useful when there are many records to sign or if
the entropy source is limited.
It could also be used for short-lived keys and signatures that don't
require as much protection against cryptanalysis, such as when the
key will be discarded long before it could be compromised.
Note that for DSA keys in particular, predictable per-signature random
values can expose the private key itself, so
.Fl p
should not be used with a long-lived DSA zone key.
.Pp
.Nm dnssec-signzone
may need random numbers in the process of signing the zone.
If the system does not have a
.Pa /dev/random
device that can be used for generating random numbers,
.Nm dnssec-signzone
will prompt for keyboard input and use the time intervals between
keystrokes to provide randomness.
The
.Fl r
option overrides this behaviour, making
.Nm dnssec-signzone
use
.Ar randomdev
as a source of random data.
.Pp
An option of
.Fl h
makes
.Nm dnssec-signzone
print a short summary of its command line options and arguments.
.Pp
The
.Fl v
option can be used to make
.Nm dnssec-signzone
more verbose.
As the debugging/tracing level
.Ar level
increases,
.Nm dnssec-signzone
generates increasingly detailed reports about what it is doing.
The default level is zero.
.Sh EXAMPLE
The example below shows how
.Nm dnssec-signzone
could be used to sign the
.Dv example.com
zone with the key that was generated in the example given in the man
page for
.Xr dnssec-keygen 8 .
The zone file for this zone is
.Dv example.com
and it can be assumed to contain fully qualified domain names, which
means there is no need to use the
.Fl o
option to set the domain origin.
This zone file contains the keyset for
.Dv example.com
that was created by
.Xr dnssec-makekeyset 8 .
The zone's keys were either appended to the zone file or incorporated
using a
.Dv $INCLUDE
statement.
If there is a
.Ar .signedkey
file from the parent zone, i.e.
.Dv example.com.signedkey ,
it should be present in the current directory.
This allows the parent zone's signature to be included in the signed
version of the
.Dv example.com
zone.
.Pp
.Dl # dnssec-signzone example.com Kexample.com.+003+26160
.Pp
.Nm dnssec-signzone
will create a file called
.Dv example.com.signed ,
the signed version of the
.Dv example.com
zone.
This file can then be referenced in a
.Dv zone{}
statement in
.Pa /etc/named.conf
so that it can be loaded by the name server.
.Sh FILES
.Pa /dev/random
.Sh SEE ALSO
.Xr RFC2535 ,
.Xr dnssec-keygen 8 ,
.Xr dnssec-makekeyset 8 ,
.Xr dnssec-signkey 8 .