dnssec-signzone.docbook revision 0bbe3273a224aa07b6af4165a26fd26d6f30c0ad
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
               [<!ENTITY mdash "&#8212;">]>
<!--
 - Copyright (C) 2004-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003  Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<!-- $Id: dnssec-signzone.docbook,v 1.52 2011/12/22 07:32:40 each Exp $ -->
<refentry id="man.dnssec-signzone">
  <refentryinfo>
    <date>June 05, 2009</date>
  </refentryinfo>

  <refmeta>
    <refentrytitle><application>dnssec-signzone</application></refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo>BIND9</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname><application>dnssec-signzone</application></refname>
    <refpurpose>DNSSEC zone signing tool</refpurpose>
  </refnamediv>

  <docinfo>
    <copyright>
      <year>2004</year>
      <year>2005</year>
      <year>2006</year>
      <year>2007</year>
      <year>2008</year>
      <year>2009</year>
      <year>2011</year>
      <year>2012</year>
      <year>2013</year>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
    <copyright>
      <year>2000</year>
      <year>2001</year>
      <year>2002</year>
      <year>2003</year>
      <holder>Internet Software Consortium.</holder>
    </copyright>
  </docinfo>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>dnssec-signzone</command>
      <arg><option>-a</option></arg>
      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
      <arg><option>-C</option></arg>
      <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
      <arg><option>-D</option></arg>
      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
      <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
      <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
      <arg><option>-g</option></arg>
      <arg><option>-h</option></arg>
      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
      <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
      <arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
      <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
      <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
      <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
      <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
      <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
      <arg><option>-n <replaceable class="parameter">ncpus</replaceable></option></arg>
      <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
      <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
      <arg><option>-P</option></arg>
      <arg><option>-p</option></arg>
      <arg><option>-R</option></arg>
      <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
      <arg><option>-S</option></arg>
      <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
      <arg><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
      <arg><option>-t</option></arg>
      <arg><option>-u</option></arg>
      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
      <arg><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
      <arg><option>-x</option></arg>
      <arg><option>-z</option></arg>
      <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
      <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
      <arg><option>-A</option></arg>
      <arg choice="req">zonefile</arg>
      <arg rep="repeat">key</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>DESCRIPTION</title>
    <para><command>dnssec-signzone</command>
      signs a zone.  It generates NSEC (or, with <option>-3</option>,
      NSEC3) and RRSIG records and produces a signed version of the
      zone.  The security status of delegations from the signed zone
      (that is, whether the child zones are secure or not) is
      determined by the presence or absence of a
      <filename>dsset-</filename> or <filename>keyset-</filename>
      file for each child zone (see <option>-g</option>).
    </para>
  </refsect1>

  <refsect1>
    <title>OPTIONS</title>

    <variablelist>
      <varlistentry>
        <term>-a</term>
        <listitem>
          <para>
            Verify all generated signatures.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-c <replaceable class="parameter">class</replaceable></term>
        <listitem>
          <para>
            Specifies the DNS class of the zone.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-C</term>
        <listitem>
          <para>
            Compatibility mode: Generate a
            <filename>keyset-<replaceable>zonename</replaceable></filename>
            file in addition to
            <filename>dsset-<replaceable>zonename</replaceable></filename>
            when signing a zone, for use by older versions of
            <command>dnssec-signzone</command>.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-d <replaceable class="parameter">directory</replaceable></term>
        <listitem>
          <para>
            Look for <filename>dsset-</filename> or
            <filename>keyset-</filename> files in <option>directory</option>.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-D</term>
        <listitem>
          <para>
            Output only those record types automatically managed by
            <command>dnssec-signzone</command>, that is, RRSIG, NSEC,
            NSEC3 and NSEC3PARAM records.  If smart signing
            (<option>-S</option>) is used, DNSKEY records are also
            included.  The resulting file can be included in the original
            zone file with <command>$INCLUDE</command>.  This option
            cannot be combined with <option>-O raw</option>,
            <option>-O map</option>, or serial number updating.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-E <replaceable class="parameter">engine</replaceable></term>
        <listitem>
          <para>
            Uses an OpenSSL engine, typically a cryptographic hardware
            device, for the cryptographic operations it supports, such
            as signing with private keys held in a secure key store.
            When compiled with PKCS#11 support the engine defaults to
            pkcs11; an empty name resets it to no engine.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-g</term>
        <listitem>
          <para>
            Generate DS records for child zones from their
            <filename>dsset-</filename> or <filename>keyset-</filename>
            files.  Any DS records already present in the zone are
            removed.
          </para>
        </listitem>
      </varlistentry>
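      <para>
        The DS records that <option>-g</option> inserts for a delegation
        are derived from the child's DNSKEY RRset, which is what a
        <filename>keyset-</filename> file carries.  The following is an
        added example, not code from BIND or from this manual page: it
        reimplements the RFC 4034 key tag (Appendix B) and DS digest
        (section 5.1.4) so that the contents of a
        <filename>dsset-</filename> file can be checked against the
        child's keys by hand.  The sample keyset, the owner name
        <literal>child.example.</literal> and the key bytes are
        constructed test data, and restricting output to keys with the
        SEP flag is this example's choice, not something the page
        states about the tool.
      </para>

```python
"""Derive a dsset- file's DS records from a child's keyset- file.

Added example, not BIND code: it reimplements the RFC 4034 key tag
(Appendix B) and DS digest (section 5.1.4) so that the DS records
dnssec-signzone -g inserts for a delegation can be checked by hand.
Bitwise work is written with arithmetic so the listing stays XML-safe.
"""
from __future__ import annotations

import base64
import hashlib
import re
from dataclasses import dataclass

# Constructed sample in the layout of a keyset- file: DNSKEY RRs in zone-file
# presentation format, possibly wrapped in parentheses, with ';' comments.
# The key material is arbitrary test bytes, not a real key.
SAMPLE_KEYSET = """\
child.example.  3600 IN DNSKEY 257 3 13 (
        AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+Pw==
        ) ; KSK (SEP flag set)
child.example.  3600 IN DNSKEY 256 3 13 ( QUJDREVGR0g= ) ; ZSK, no SEP flag
"""

DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    @property
    def is_sep(self) -> bool:
        """The low flag bit (257 rather than 256) marks a key-signing key."""
        return self.flags % 2 == 1


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i % 2 else b * 256          # sum the RDATA as big-endian 16-bit words
    ac += (ac // 65536) % 65536                # fold the carry back in
    return ac % 65536


def parse_keyset(text: str) -> list[DNSKEY]:
    """Parse DNSKEY RRs, stripping comments and joining parenthesised records."""
    records, buf = [], ""
    for line in re.sub(r";[^\n]*", "", text).splitlines():
        buf += " " + line
        if buf.count("(") > buf.count(")"):
            continue                            # record continues on the next line
        fields, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        records.append(DNSKEY(fields[0], flags, proto, alg, base64.b64decode("".join(fields[i + 4:]))))
    return records


def ds_record(key: DNSKEY, digest_type: int = 2) -> str:
    """DS in presentation format: owner IN DS key-tag algorithm digest-type digest."""
    digest = DIGEST_TYPES[digest_type](owner_wire(key.owner) + key.rdata).hexdigest().upper()
    return f"{key.owner} IN DS {key_tag(key.rdata)} {key.algorithm} {digest_type} {digest}"


def dsset_from_keyset(text: str, sep_only: bool = True) -> list[str]:
    """DS records for the child's keys; by default only those flagged as KSKs."""
    return [ds_record(k) for k in parse_keyset(text) if k.is_sep or not sep_only]


if __name__ == "__main__":
    for ds in dsset_from_keyset(SAMPLE_KEYSET):
        print(ds)
```

      <para>
        Run stand-alone it prints one DS line for the key carrying the
        SEP flag.  Comparing that line with the
        <filename>dsset-</filename> file the signer wrote is the check
        a parent operator can make before publishing a delegation.
      </para>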

      <varlistentry>
        <term>-K <replaceable class="parameter">directory</replaceable></term>
        <listitem>
          <para>
            Key repository: Specify a directory to search for DNSSEC keys.
            If not specified, defaults to the current directory.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-k <replaceable class="parameter">key</replaceable></term>
        <listitem>
          <para>
            Treat the specified key as a key-signing key (KSK),
            ignoring any key flags.  This option may be specified
            multiple times.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-l <replaceable class="parameter">domain</replaceable></term>
        <listitem>
          <para>
            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
            The domain is appended to the name of the records.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-s <replaceable class="parameter">start-time</replaceable></term>
        <listitem>
          <para>
            Specify the date and time when the generated RRSIG records
            become valid.  This can be either an absolute or relative
            time.  An absolute start time is indicated by a number
            in YYYYMMDDHHMMSS notation, interpreted as UTC;
            20000530144500 denotes 14:45:00 UTC on May 30th, 2000.
            A relative start time is indicated by +N, which is N
            seconds from the current time.  If no
            <option>start-time</option> is specified, the current
            time minus 1 hour (to allow for clock skew) is used.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-e <replaceable class="parameter">end-time</replaceable></term>
        <listitem>
          <para>
            Specify the date and time when the generated RRSIG records
            expire.  As with <option>start-time</option>, an absolute
            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
            to the start time is indicated with +N, which is N seconds from
            the start time.  A time relative to the current time is
            indicated with now+N.  If no <option>end-time</option> is
            specified, 30 days from the start time is used as a default.
            <option>end-time</option> must be later than
            <option>start-time</option>.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-X <replaceable class="parameter">extended end-time</replaceable></term>
        <listitem>
          <para>
            Specify the date and time when the generated RRSIG records
            for the DNSKEY RRset will expire.  This is to be used in cases
            when the DNSKEY signatures need to persist longer than
            signatures on other records; e.g., when the private component
            of the KSK is kept offline and the KSK signature is to be
            refreshed manually.
          </para>
          <para>
            As with <option>start-time</option>, an absolute
            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
            to the start time is indicated with +N, which is N seconds from
            the start time.  A time relative to the current time is
            indicated with now+N.  If no <option>extended end-time</option> is
            specified, the value of <option>end-time</option> is used as
            the default.  (<option>end-time</option>, in turn, defaults to
            30 days from the start time.)  <option>extended end-time</option>
            must be later than <option>start-time</option>.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-f <replaceable class="parameter">output-file</replaceable></term>
        <listitem>
          <para>
            The name of the output file containing the signed zone.  The
            default is to append <filename>.signed</filename> to
            the input filename.  If <option>output-file</option> is
            set to <literal>"-"</literal>, then the signed zone is
            written to the standard output, with a default output
            format of "full".
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-h</term>
        <listitem>
          <para>
            Prints a short summary of the options and arguments to
            <command>dnssec-signzone</command>.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-i <replaceable class="parameter">interval</replaceable></term>
        <listitem>
          <para>
            When a previously-signed zone is passed as input, records
            may be resigned.  The <option>interval</option> option
            specifies the cycle interval as an offset from the current
            time (in seconds).  If an RRSIG record expires after the
            cycle interval, it is retained.  Otherwise, it is considered
            to be expiring soon, and it will be replaced.
          </para>
          <para>
            The default cycle interval is one quarter of the difference
            between the signature end and start times.  So if neither
            <option>end-time</option> nor <option>start-time</option>
            is specified, <command>dnssec-signzone</command>
            generates
            signatures that are valid for 30 days, with a cycle
            interval of 7.5 days.  Therefore, if any existing RRSIG records
            are due to expire in less than 7.5 days, they would be
            replaced.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-I <replaceable class="parameter">input-format</replaceable></term>
        <listitem>
          <para>
            The format of the input zone file.
            Possible formats are <command>"text"</command> (default),
            <command>"raw"</command>, and <command>"map"</command>.
            This option is primarily intended to be used for dynamic
            signed zones so that the dumped zone file in a non-text
            format containing updates can be signed directly.
            The use of this option does not make much sense for
            non-dynamic zones.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-j <replaceable class="parameter">jitter</replaceable></term>
        <listitem>
          <para>
            When signing a zone with a fixed signature lifetime, all
            RRSIG records issued at the time of signing expire
            simultaneously.  If the zone is incrementally signed, i.e.
            a previously-signed zone is passed as input to the signer,
            all expired signatures have to be regenerated at about the
            same time.  The <option>jitter</option> option specifies a
            jitter window that will be used to randomize the signature
            expire time, thus spreading incremental signature
            regeneration over time.
          </para>
          <para>
            Signature lifetime jitter also benefits validators and
            servers to some extent by spreading out cache expiration:
            if large numbers of RRSIGs do not expire from all caches at
            the same time, there is less congestion than when every
            validator needs to refetch at roughly the same moment.
          </para>
        </listitem>
      </varlistentry>

  <varlistentry>
    <term>-L <replaceable class="parameter">serial</replaceable></term>
    <listitem>
      <para>
        When writing a signed zone to "raw" or "map" format, set the
        "source serial" value in the header to the specified serial
        number. (This is expected to be used primarily for testing
        purposes.)
      </para>
    </listitem>
  </varlistentry>

  <varlistentry>
    <term>-n <replaceable class="parameter">ncpus</replaceable></term>
    <listitem>
      <para>
        Specifies the number of threads to use. By default, one
        thread is started for each detected CPU.
      </para>
    </listitem>
  </varlistentry>

  <varlistentry>
    <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
    <listitem>
      <para>
        The SOA serial number format of the signed zone.
        Possible formats are <command>"keep"</command> (default),
        <command>"increment"</command> and
        <command>"unixtime"</command>.
      </para>

      <variablelist>
        <varlistentry>
          <term><command>"keep"</command></term>
          <listitem>
            <para>Do not modify the SOA serial number. Note that
            secondary servers only transfer a zone whose serial has
            increased, so a zone re-signed with an unchanged serial
            is not picked up by them.</para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term><command>"increment"</command></term>
          <listitem>
            <para>Increment the SOA serial number using RFC 1982
            arithmetic.</para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term><command>"unixtime"</command></term>
          <listitem>
            <para>Set the SOA serial number to the number of seconds
            since the epoch.</para>
          </listitem>
        </varlistentry>
      </variablelist>

    </listitem>
  </varlistentry>

  <varlistentry>
    <term>-o <replaceable class="parameter">origin</replaceable></term>
    <listitem>
      <para>
        The zone origin. If not specified, the name of the zone file
        is assumed to be the origin.
      </para>
    </listitem>
  </varlistentry>

  <varlistentry>
    <term>-O <replaceable class="parameter">output-format</replaceable></term>
    <listitem>
      <para>
        The format of the output file containing the signed zone.
        Possible formats are <command>"text"</command> (default),
        which is the standard textual representation of the zone;
        <command>"full"</command>, which is text output in a
        format suitable for processing by external scripts;
        and <command>"map"</command>, <command>"raw"</command>,
        and <command>"raw=N"</command>, which store the zone in
        binary formats for rapid loading by <command>named</command>.
        <command>"raw=N"</command> specifies the format version of
        the raw zone file: if N is 0, the raw file can be read by
        any version of <command>named</command>; if N is 1, the file
        can be read by release 9.9.0 or higher; the default is 1.
      </para>
    </listitem>
  </varlistentry>

  <varlistentry>
    <term>-p</term>
    <listitem>
      <para>
        Use pseudo-random data when signing the zone. This is faster,
        but less secure, than using real random data. This option
        may be useful when signing large zones or when the entropy
        source is limited.
      </para>
    </listitem>
  </varlistentry>

  <varlistentry>
    <term>-P</term>
    <listitem>
      <para>
        Disable post-sign verification tests.
      </para>
      <para>
        The post-sign verification test ensures that for each algorithm
        in use there is at least one non-revoked, self-signed KSK,
        that all revoked KSKs are self-signed, and that all records
        in the zone are signed by that algorithm.
        This option skips these tests.
      </para>
    </listitem>
  </varlistentry>

  <varlistentry>
    <term>-Q</term>
    <listitem>
      <para>
        Remove signatures from keys that are no longer active.
      </para>
      <para>
        Normally, when a previously-signed zone is passed as input
        to the signer, and a DNSKEY record has been removed and
        replaced with a new one, signatures from the old key
        that are still within their validity period are retained.
        This allows the zone to continue to validate with cached
        copies of the old DNSKEY RRset. The <option>-Q</option>
        option forces <command>dnssec-signzone</command> to remove
        signatures from keys that are no longer active. This
        enables ZSK rollover using the procedure described in
        RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
      </para>
    </listitem>
  </varlistentry>
  <varlistentry>
    <term>-R</term>
    <listitem>
      <para>
        Remove signatures from keys that are no longer published.
      </para>
      <para>
        This option is similar to <option>-Q</option>, except it
        forces <command>dnssec-signzone</command> to remove signatures
        from keys that are no longer published. This enables ZSK
        rollover using the procedure described in RFC 4641, section
        4.2.1.2 ("Double Signature Zone Signing Key Rollover").
      </para>
    </listitem>
  </varlistentry>
  <varlistentry>
    <term>-r <replaceable class="parameter">randomdev</replaceable></term>
    <listitem>
      <para>
        Specifies the source of randomness. If the operating
        system does not provide a <filename>/dev/random</filename>
        or equivalent device, the default source of randomness
        is keyboard input. <filename>randomdev</filename>
        specifies the name of a character device or file containing
        random data to be used instead of the default. The special
        value <filename>keyboard</filename> indicates that keyboard
        input should be used.
      </para>
    </listitem>
  </varlistentry>

  <varlistentry>
    <term>-S</term>
    <listitem>
      <para>
        Smart signing: Instructs <command>dnssec-signzone</command> to
        search the key repository for keys that match the zone being
        signed, and to include them in the zone if appropriate.
      </para>
      <para>
        When a key is found, its timing metadata is examined to
        determine how it should be used, according to the following
        rules. Each successive rule takes priority over the prior
        ones:
      </para>
      <variablelist>
        <varlistentry>
          <listitem>
            <para>
              If no timing metadata has been set for the key, the key is
              published in the zone and used to sign the zone.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <listitem>
            <para>
              If the key's publication date is set and is in the past, the
              key is published in the zone.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <listitem>
            <para>
              If the key's activation date is set and in the past, the
              key is published (regardless of publication date) and
              used to sign the zone.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <listitem>
            <para>
              If the key's revocation date is set and in the past, and the
              key is published, then the key is revoked, and the revoked key
              is used to sign the zone.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <listitem>
            <para>
              If either the key's unpublication date or its deletion date
              is set and in the past, the key is NOT published or used to
              sign the zone, regardless of any other metadata.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
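      <para>
        The following Python model is an added example and is not code
        from <command>dnssec-signzone</command> or BIND; it applies the
        five rules above in order so that the outcome for a key with
        several dates set is unambiguous. Dates are UTC datetimes
        standing in for the YYYYMMDDHHMMSS metadata stored with each
        key (None when a date is unset); the field names are this
        example's own, with "unpublish" standing for the unpublication
        date above.
      </para>

```python
"""Key timing rules applied by dnssec-signzone -S (added example, not BIND code).

Later rules override earlier ones, as in the list above.  Dates are UTC
datetimes, None when unset; in the key repository they are the
YYYYMMDDHHMMSS timestamps stored with each key.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class KeyTiming:
    publish: Optional[datetime] = None
    activate: Optional[datetime] = None
    revoke: Optional[datetime] = None
    unpublish: Optional[datetime] = None   # this example's name for the "unpublication" date
    delete: Optional[datetime] = None

    def unset(self):
        return all(v is None for v in vars(self).values())


@dataclass
class KeyUse:
    publish: bool
    sign: bool
    revoked: bool


def parse_time(stamp):
    """YYYYMMDDHHMMSS as written into key metadata, interpreted as UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def _past(when, now):
    return when is not None and when <= now


def smart_sign_decision(key: KeyTiming, now: datetime) -> KeyUse:
    """Decide publish/sign/revoked for one key at time `now`."""
    if key.unset():                                  # rule 1: no metadata at all
        return KeyUse(publish=True, sign=True, revoked=False)
    use = KeyUse(publish=False, sign=False, revoked=False)
    if _past(key.publish, now):                      # rule 2: publication date passed
        use.publish = True
    if _past(key.activate, now):                     # rule 3: overrides a future publish date
        use.publish = use.sign = True
    if _past(key.revoke, now) and use.publish:       # rule 4: only a published key is revoked
        use.revoked = use.sign = True
    if _past(key.unpublish, now) or _past(key.delete, now):   # rule 5 beats everything
        return KeyUse(publish=False, sign=False, revoked=False)
    return use


if __name__ == "__main__":
    now = parse_time("20240301000000")
    pending = KeyTiming(publish=parse_time("20240201000000"),
                        activate=parse_time("20240401000000"))
    print(smart_sign_decision(pending, now))          # published, not yet signing
    print(smart_sign_decision(KeyTiming(activate=parse_time("20240101000000"),
                                        revoke=parse_time("20240201000000")), now))
```

      <para>
        The cases worth knowing from the model: a key whose activation
        date has passed is published even when its publication date
        still lies in the future, a revocation date only takes effect
        on a key that is published, and a past unpublication or
        deletion date wins over everything else, including a past
        activation date.
      </para>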
    </listitem>
  </varlistentry>

  <varlistentry>
    <term>-T <replaceable class="parameter">ttl</replaceable></term>
    <listitem>
      <para>
        Specifies a TTL to be used for new DNSKEY records imported
        into the zone from the key repository. If not
        specified, the default is the TTL value from the zone's SOA
        record. This option is ignored when signing without
        <option>-S</option>, since DNSKEY records are not imported
        from the key repository in that case. It is also ignored if
        there are any pre-existing DNSKEY records at the zone apex,
        in which case new records' TTL values will be set to match
        them, or if any of the imported DNSKEY records had a default
        TTL value. In the event of a conflict between TTL values in
        imported keys, the shortest one is used.
      </para>
    </listitem>
  </varlistentry>

  <varlistentry>
    <term>-t</term>
    <listitem>
      <para>
        Print statistics at completion.
      </para>
    </listitem>
  </varlistentry>

  <varlistentry>
    <term>-u</term>
    <listitem>
      <para>
        Update the NSEC/NSEC3 chain when re-signing a previously signed
        zone. With this option, a zone signed with NSEC can be
        switched to NSEC3, or a zone signed with NSEC3 can
        be switched to NSEC or to NSEC3 with different parameters.
        Without this option, <command>dnssec-signzone</command> will
        retain the existing chain when re-signing.
      </para>
    </listitem>
  </varlistentry>

  <varlistentry>
    <term>-v <replaceable class="parameter">level</replaceable></term>
    <listitem>
      <para>
        Sets the debugging level.
      </para>
    </listitem>
  </varlistentry>

  <varlistentry>
    <term>-x</term>
    <listitem>
      <para>
        Only sign the DNSKEY RRset with key-signing keys, and omit
        signatures from zone-signing keys. (This is similar to the
        <command>dnssec-dnskey-kskonly yes;</command> zone option in
        <command>named</command>.)
      </para>
    </listitem>
  </varlistentry>

  <varlistentry>
    <term>-z</term>
    <listitem>
      <para>
        Ignore the KSK flag on keys when determining what to sign. This
        causes KSK-flagged keys to sign all records, not just the
        DNSKEY RRset. (This is similar to the
        <command>update-check-ksk no;</command> zone option in
        <command>named</command>.)
      </para>
    </listitem>
  </varlistentry>

  <varlistentry>
    <term>-3 <replaceable class="parameter">salt</replaceable></term>
    <listitem>
      <para>
        Generate an NSEC3 chain with the given hex-encoded salt.
        A dash (<option>-</option>) can be used to indicate that no
        salt is to be used when generating the NSEC3 chain.
      </para>
    </listitem>
  </varlistentry>

  <varlistentry>
    <term>-H <replaceable class="parameter">iterations</replaceable></term>
    <listitem>
      <para>
        When generating an NSEC3 chain, use this many iterations. The
        default is 10.
      </para>
    </listitem>
  </varlistentry>

  <varlistentry>
    <term>-A</term>
    <listitem>
      <para>
        When generating an NSEC3 chain, set the OPTOUT flag on all
        NSEC3 records and do not generate NSEC3 records for insecure
        delegations.
      </para>
      <para>
        Using this option twice (i.e., <option>-AA</option>)
        turns the OPTOUT flag off for all records. This is useful
        when using the <option>-u</option> option to modify an NSEC3
chain which previously had OPTOUT set.
</para>
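      <para>
        As an added example that is not part of the BIND sources, the
        Python below computes the hashed owner name that
        <option>-3</option> and <option>-H</option> parameterize,
        following RFC 5155 section 5: SHA-1 over the canonical
        wire-format owner name followed by the salt, re-hashed with the
        salt once per additional iteration, and encoded in base32hex.
        The zone and owner names are illustrative; no zone file or
        network access is involved.
      </para>

```python
"""NSEC3 owner-name hashing (RFC 5155 section 5), an added example.

The -3 salt and -H iterations feed this computation: the hashed owner
name is base32hex(H(... H(H(name || salt) || salt) ...)) with
`iterations` extra rounds, H being SHA-1 (hash algorithm 1).  A salt
of "-" means no salt.  Names below are illustrative.
"""
import hashlib

BASE32HEX = "0123456789abcdefghijklmnopqrstuv"   # RFC 4648 extended hex alphabet


def wire_name(name):
    """Canonical wire-format owner name (lowercased, RFC 4034 section 6.2)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex(data):
    """Base32 with the extended-hex alphabet, unpadded, as NSEC3 owner names use."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(BASE32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name, salt_hex="-", iterations=10):
    """Hashed owner label of `name` for the given -3 salt and -H iterations."""
    salt = b"" if salt_hex in ("-", "") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):        # one more SHA-1 per round, on every validator too
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_owner(name, zone, salt_hex="-", iterations=10):
    """Owner name of the NSEC3 record that matches `name` in `zone`."""
    return f"{nsec3_hash(name, salt_hex, iterations)}.{zone.lower().rstrip('.')}."


if __name__ == "__main__":
    for name in ("example.com.", "www.example.com.", "Mail.Example.com"):
        print(name, nsec3_owner(name, "example.com.", "-", 10))
```

      <para>
        Owner names hash case-insensitively because the name is
        lowercased before hashing, which is why a chain generated with
        <option>-u</option> and new parameters still lines up with the
        zone's names. Every additional iteration is one more SHA-1 that
        each validating resolver must compute for every NSEC3 proof it
        checks, so high iteration counts mainly tax resolvers; RFC 9276
        recommends zero additional iterations and an empty salt
        (<option>-H 0 -3 -</option>), and the default of 10 above
        predates that guidance.
      </para>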
</listitem>
</varlistentry>
<varlistentry>
<term>zonefile</term>
<listitem>
<para>
The file containing the zone to be signed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>key</term>
<listitem>
<para>
Specify which keys should be used to sign the zone. If
no keys are specified, then the zone will be examined
for DNSKEY records at the zone apex. If these are found and
there are matching private keys, in the current directory,
then these will be used for signing.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLE</title>
<para>
The following command signs the <userinput>example.com</userinput>
zone with the DSA key generated by <command>dnssec-keygen</command>
(Kexample.com.+003+17247). Because the <command>-S</command> option
is not being used, the zone's keys must be in the master file
(<filename>db.example.com</filename>). This invocation looks
for <filename>dsset</filename> files, in the current directory,
so that DS records can be imported from them (<command>-g</command>).
</para>
<programlisting>% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</programlisting>
<para>
In the above example, <command>dnssec-signzone</command> creates
the file <filename>db.example.com.signed</filename>. This
file should be referenced in a zone statement in a
<filename>named.conf</filename> file.
</para>
<para>
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
</para>
<programlisting>% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</programlisting>
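    <para>
      The re-signing example above runs with the default
      <option>-N keep</option>, so the SOA serial in
      <filename>db.example.com.signed</filename> is unchanged; secondary
      servers compare serials with RFC 1982 arithmetic and do not
      transfer a zone whose serial has not moved forward, so the fresh
      signatures stay on the primary. The Python below is an added
      example, not BIND code, modelling the three <option>-N</option>
      formats and that comparison; its function names are its own.
    </para>

```python
"""SOA serial handling behind -N (added example, not BIND code).

Models the three -N formats together with the RFC 1982 comparison that
secondary servers use to decide whether a zone is newer.  A re-signed
zone whose serial does not move forward in those terms is never
transferred, so the fresh RRSIGs exist on the primary only.
"""
import time

MOD = 1 << 32          # serials are 32-bit unsigned
HALF = 1 << 31


def serial_add(serial, n):
    """RFC 1982 section 3.1 addition; the addend must be below 2^31."""
    if not 0 <= n < HALF:
        raise ValueError("addend out of range")
    return (serial + n) % MOD


def serial_gt(s1, s2):
    """RFC 1982 section 3.2: True if s1 is 'greater than' s2 (wrap-aware)."""
    if s1 == s2:
        return False
    return (s1 < s2 and s2 - s1 > HALF) or (s1 > s2 and s1 - s2 < HALF)


def next_serial(current, fmt, now=None):
    """New SOA serial for -N keep | increment | unixtime."""
    if fmt == "keep":
        return current
    if fmt == "increment":
        return serial_add(current, 1)
    if fmt == "unixtime":
        return int(time.time() if now is None else now) % MOD
    raise ValueError(f"unknown serial format {fmt!r}")


def secondaries_will_transfer(old, new):
    """The SOA refresh decision an RFC 1982 aware secondary makes."""
    return serial_gt(new, old)


def safe_resign_serial(current, fmt, now=None):
    """Serial -N would write, or ValueError if secondaries would ignore it."""
    new = next_serial(current, fmt, now)
    if not secondaries_will_transfer(current, new):
        raise ValueError(f"serial {new} is not newer than {current} under RFC 1982")
    return new


if __name__ == "__main__":
    old = 2024020101                              # a YYYYMMDDnn-style serial
    print(next_serial(old, "increment"))          # 2024020102
    print(next_serial(0xFFFFFFFF, "increment"))   # wraps to 0, still "newer"
    for fmt in ("keep", "unixtime"):              # both rejected for this serial
        try:
            safe_resign_serial(old, fmt, now=1709251200)
        except ValueError as e:
            print(fmt, "->", e)
```

    <para>
      The <option>unixtime</option> case is the one that surprises: a
      zone using YYYYMMDDnn serials such as 2024020101 already exceeds
      the current Unix time, so switching to <option>-N unixtime</option>
      produces a serial that is older under RFC 1982 and is ignored by
      secondaries until it is forced forward. <option>-N increment</option>
      is safe for any current value, including the wrap from 4294967295
      to 0.
    </para>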
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 4033</citetitle>, <citetitle>RFC 4641</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->