dnssec-signzone.8 revision cffe50abf66495ee08084f8e1081278a9b589985
Copyright (C) 2000 Internet Software Consortium.

Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
$Id: dnssec-signzone.8,v 1.15 2000/11/18 02:57:38 bwelling Exp $
.Dd Jun 30, 2000 .Dt DNSSEC-SIGNZONE 8 .Os BIND9 9 .Sh NAME .Nm dnssec-signzone .Nd DNSSEC zone signing tool .Sh SYNOPSIS .Nm dnssec-signzone .Op Fl a .Op Fl c Ar class .Op Fl d Ar directory .Op Fl s Ar start-time .Op Fl e Ar end-time .Op Fl i Ar interval .Op Fl o Ar origin .Op Fl f Ar output-file .Op Fl p .Op Fl r Ar randomdev .Op Fl t .Op Fl v Ar level .Ar zonefile .Op keyfile .... .Sh DESCRIPTION

p .Nm dnssec-signzone is used to sign a zone. Any .Ar signedkey files for the zone to be signed should be present in the current directory, along with the keys that will be used to sign the zone. If no .Ar keyfile arguments are supplied, the default behaviour is to use all of the zone's keys that are present in the current directory. Providing specific .Ar keyfile arguments constrains .Nm dnssec-signzone to only use those keys for signing the zone. Each .Ar keyfile argument would be an identification string for a key created with .Xr dnssec-keygen 8 . If the zone to be signed has any secure subzones, the .Ar signedkey files for those subzones need to be available in the current working directory used by .Nm dnssec-signzone .

p .Ar zonefile is the name of the unsigned zone file. Unless the file name is the same as the name of the zone, the .Fl o option should be given. .Ar origin will be the fully qualified domain origin for the zone.

p .Nm dnssec-signzone will generate NXT and SIG records for the zone and produce a signed version of the zone. If there is a .Ar signedkey file from the zone's parent, the parent's signatures will be incorporated into the generated signed zone file. The security status of delegations from the the signed zone - i.e. whether the child zones are DNSSEC-aware or not - is set according to the presence or absence of a .Ar signedkey file for the child in case.

p By default, .Nm dnssec-signzone generates a file called .Ar zonefile.signed containing the signed zone file. The output file name can be overridden usign the .Fl f option. Don't hyphenate YYYYMMDDHHMMSS

p .Nm dnssec-signzone does not verify the signatures by default. The .Fl a option makes it verify the signatures it generated.

p The date and time when the generated SIG records become valid can be specified with the .Fl s option. .Ar start-time can either be an absolute or relative date. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is supplied when .Ar start-time is given as +N: N seconds from the current time. If no .Fl s option is supplied, the current date and time is used for the start time of the SIG records.

p The expiry date for the SIG records can be set by the .Fl e option. Note that in this context, the expiry date specifies when the SIG records are no longer valid, not when they are deleted from caches on name servers. .Ar end-date also represents an absolute or relative date. YYYYMMDDHHMMSS notation is used as before to indicate an absolute date and time. When .Ar end-date is +N, it indicates that the SIG records will expire in N seconds after their start date. If .Ar end-date is supplied as now+N, the SIG records will expire in N seconds after the current time. When no expiry date is set for the SIG records, .Nm dnssec-signzone defaults to an expire time of 30 days from the start time of the SIG records.

p When a previously signed zone is passed as input to .Nm dnssec-signzone , records may be resigned. Whether or not to resign records is configurable by using the .Fl i option, which specifies the cycle interval as an offset from the current time (in seconds). If a SIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and .Nm dnssec-signzone will remove it and generate a new SIG record to replace it.

p The default cycle interval is one quarter of the difference between the specified signature end and start dates. So if the .Fl e and .Fl s options are not specified, .Nm dnssec-signzone generates signatures that are valid for 30 days from the current date by default, with a cycle interval of 7.5 days. Therefore, if any SIG records are due to expire in less than 7.5 days, they would be replaced with new ones.

p .Nm dnssec-signzone may need random numbers in the process of signing the zone. If the system does not have a

a /dev/random device that can be used for generating random numbers, .Nm dnssec-signzone will prompt for keyboard input and use the time intervals between keystrokes to provide randomness. The .Fl r option overrides this behaviour, making .Nm dnssec-signzone use .Ar randomdev as a source of random data.

p The .Fl p option instructs .Nm dnssec-signzone to use pseudo-random data when signing the keys. This is faster, but less secure, than using genuinely random data for signing. This option may be useful when signing large zones or when the entropy source is limited.

p The .Fl t option causes .Nm dnssec-signzone to print various statistics after signing the zone.

p The .Fl c option specifies that the KEY records in the input and output key sets should have the specified class instead of IN.

p The .Fl d option specifies that .Nm dnssec-signzone should look in a directory other than the current directory for signedkey files.

p An option of .Fl h makes .Nm dnssec-signzone print a short summary of its command line options and arguments.

p The .Fl v option can be used to make .Nm dnssec-signzone more verbose. As the debugging/tracing level .Ar level increases, .Nm dnssec-signzone generates increasingly detailed reports about what it is doing. The default level is zero. .Sh EXAMPLE The example below shows how .Nm dnssec-signzone could be used to sign the .Dv example.com zone with the key that was generated in the example given in the man page for .Xr dnssec-keygen 8 . The zone file for this zone is .Dv example.com , which is the same as the origin, so there is no need to use the .Fl o option to set the origin. The zone's keys were either appended to the zone file or incorporated using a .Dv $INCLUDE statement. If there was a .Ar signedkey file from the parent zone - i.e. .Dv signedkey-example.com. - it should be present in the current directory. This allows the parent zone's signature to be included in the signed version of the .Dv example.com zone.

p .Dl # dnssec-signzone example.com Kexample.com.+003+26160

p .Nm dnssec-signzone will create a file called .Dv example.com.signed , the signed version of the .Dv example.com zone. This file can then be referenced in a .Dv zone{} statement in

a /etc/named.conf so that it can be loaded by the name server. .Sh FILES

a /dev/random .Sh SEE ALSO .Xr RFC2535, .Xr dnssec-keygen 8 , .Xr dnssec-signkey 8 .