dnssec-signzone.docbook revision 2534a73a5914470f7ffe00663b6bbaff5e411e57
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
c92c50783e4e93699f2a42643b8f200b9b719c87Automatic Updater "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews [<!ENTITY mdash "—">]>
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - Permission to use, copy, modify, and/or distribute this software for any
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - purpose with or without fee is hereby granted, provided that the above
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - copyright notice and this permission notice appear in all copies.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
ea94d370123a5892f6c47a97f21d1b28d44bb168Tinderbox User - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<!-- $Id: dnssec-signzone.docbook,v 1.32 2009/06/04 02:13:37 marka Exp $ -->
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <refentryinfo>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </refentryinfo>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <refentrytitle><application>dnssec-signzone</application></refentrytitle>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <refnamediv>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <refname><application>dnssec-signzone</application></refname>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <refpurpose>DNSSEC zone signing tool</refpurpose>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </copyright>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <refsynopsisdiv>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <cmdsynopsis>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
ea94d370123a5892f6c47a97f21d1b28d44bb168Tinderbox User <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </cmdsynopsis>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </refsynopsisdiv>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews signs a zone. It generates
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews NSEC and RRSIG records and produces a signed version of the
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews zone. The security status of delegations from the signed zone
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews (that is, whether the child zones are secure or not) is
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews determined by the presence or absence of a
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <filename>keyset</filename> file for each child zone.
8ec3c085233cedb22b05da36e2773c8f357a7e45Automatic Updater <variablelist>
8ec3c085233cedb22b05da36e2773c8f357a7e45Automatic Updater <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Verify all generated signatures.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <term>-c <replaceable class="parameter">class</replaceable></term>
a1b05dea35aa30b152a47115e18bbe679d3fcf19Mark Andrews Specifies the DNS class of the zone.
a1b05dea35aa30b152a47115e18bbe679d3fcf19Mark Andrews </varlistentry>
a1b05dea35aa30b152a47115e18bbe679d3fcf19Mark Andrews <varlistentry>
a1b05dea35aa30b152a47115e18bbe679d3fcf19Mark Andrews <term>-k <replaceable class="parameter">key</replaceable></term>
a1b05dea35aa30b152a47115e18bbe679d3fcf19Mark Andrews Treat the specified key as a key signing key, ignoring any
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews key flags. This option may be specified multiple times.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <term>-l <replaceable class="parameter">domain</replaceable></term>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Generate a DLV set in addition to the key (DNSKEY) and DS sets.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The domain is appended to the name of the records.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <term>-d <replaceable class="parameter">directory</replaceable></term>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <varlistentry>
c4d99a62407cebca29653666ae11f87e4f56ebbcAutomatic Updater Generate DS records for child zones from keyset files.
c4d99a62407cebca29653666ae11f87e4f56ebbcAutomatic Updater Existing DS records will be removed.
c4d99a62407cebca29653666ae11f87e4f56ebbcAutomatic Updater </varlistentry>
c4d99a62407cebca29653666ae11f87e4f56ebbcAutomatic Updater <varlistentry>
c4d99a62407cebca29653666ae11f87e4f56ebbcAutomatic Updater <term>-s <replaceable class="parameter">start-time</replaceable></term>
c4d99a62407cebca29653666ae11f87e4f56ebbcAutomatic Updater Specify the date and time when the generated RRSIG records
c4d99a62407cebca29653666ae11f87e4f56ebbcAutomatic Updater become valid. This can be either an absolute or relative
c4d99a62407cebca29653666ae11f87e4f56ebbcAutomatic Updater time. An absolute start time is indicated by a number
c4d99a62407cebca29653666ae11f87e4f56ebbcAutomatic Updater in YYYYMMDDHHMMSS notation; 20000530144500 denotes
c4d99a62407cebca29653666ae11f87e4f56ebbcAutomatic Updater 14:45:00 UTC on May 30th, 2000. A relative start time is
c4d99a62407cebca29653666ae11f87e4f56ebbcAutomatic Updater indicated by +N, which is N seconds from the current time.
c4d99a62407cebca29653666ae11f87e4f56ebbcAutomatic Updater If no <option>start-time</option> is specified, the current
c4d99a62407cebca29653666ae11f87e4f56ebbcAutomatic Updater time minus 1 hour (to allow for clock skew) is used.
c4d99a62407cebca29653666ae11f87e4f56ebbcAutomatic Updater </varlistentry>
c4d99a62407cebca29653666ae11f87e4f56ebbcAutomatic Updater <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <term>-e <replaceable class="parameter">end-time</replaceable></term>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Specify the date and time when the generated RRSIG records
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews expire. As with <option>start-time</option>, an absolute
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews time is indicated in YYYYMMDDHHMMSS notation. A time relative
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews to the start time is indicated with +N, which is N seconds from
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the start time. A time relative to the current time is
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews indicated with now+N. If no <option>end-time</option> is
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews specified, 30 days from the start time is used as a default.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <term>-f <replaceable class="parameter">output-file</replaceable></term>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The name of the output file containing the signed zone. The
2a1d6afad5c725cbc796c10f1d2b9041eda9f077Automatic Updater default is to append <filename>.signed</filename> to
2a1d6afad5c725cbc796c10f1d2b9041eda9f077Automatic Updater input filename.
2a1d6afad5c725cbc796c10f1d2b9041eda9f077Automatic Updater </varlistentry>
2a1d6afad5c725cbc796c10f1d2b9041eda9f077Automatic Updater <varlistentry>
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews Prints a short summary of the options and arguments to
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <term>-i <replaceable class="parameter">interval</replaceable></term>
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews When a previously-signed zone is passed as input, records
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews may be resigned. The <option>interval</option> option
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews specifies the cycle interval as an offset from the current
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews time (in seconds). If an RRSIG record expires after the
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews cycle interval, it is retained. Otherwise, it is considered
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews to be expiring soon, and it will be replaced.
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews The default cycle interval is one quarter of the difference
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews between the signature end and start times. So if neither
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <option>end-time</option> nor <option>start-time</option>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews are specified, <command>dnssec-signzone</command>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews signatures that are valid for 30 days, with a cycle
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews interval of 7.5 days. Therefore, if any existing RRSIG records
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews are due to expire in less than 7.5 days, they would be
824f38c0310fddef55f0f691580154022a7852f5Automatic Updater </varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <term>-I <replaceable class="parameter">input-format</replaceable></term>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The format of the input zone file.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Possible formats are <command>"text"</command> (default)
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews This option is primarily intended to be used for dynamic
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews signed zones so that the dumped zone file in a non-text
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews format containing updates can be signed directly.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The use of this option does not make much sense for
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews non-dynamic zones.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <varlistentry>
ea94d370123a5892f6c47a97f21d1b28d44bb168Tinderbox User <term>-j <replaceable class="parameter">jitter</replaceable></term>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews When signing a zone with a fixed signature lifetime, all
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews RRSIG records issued at the time of signing expire
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews simultaneously. If the zone is incrementally signed, i.e.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews a previously-signed zone is passed as input to the signer,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews all expired signatures have to be regenerated at about the
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews same time. The <option>jitter</option> option specifies a
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews jitter window that will be used to randomize the signature
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews expiration time, thus spreading incremental signature
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews regeneration over time.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Signature lifetime jitter also benefits validators and servers
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews to some extent by spreading out cache expiration,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews i.e. if large numbers of RRSIGs don't expire at the same time
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews from all caches there will be less congestion than if all
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews validators need to refetch at mostly the same time.
ea94d370123a5892f6c47a97f21d1b28d44bb168Tinderbox User </varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <term>-n <replaceable class="parameter">ncpus</replaceable></term>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Specifies the number of threads to use. By default, one
a9a054302dd8a52fa9023cc98cc565e9c0008527Automatic Updater thread is started for each detected CPU.
a9a054302dd8a52fa9023cc98cc565e9c0008527Automatic Updater </varlistentry>
a9a054302dd8a52fa9023cc98cc565e9c0008527Automatic Updater <varlistentry>
a9a054302dd8a52fa9023cc98cc565e9c0008527Automatic Updater <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The SOA serial number format of the signed zone.
ea94d370123a5892f6c47a97f21d1b28d44bb168Tinderbox User Possible formats are <command>"keep"</command> (default),
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <variablelist>
18fa75b694d056da4be3ebfc2185d007d4882752Automatic Updater <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <para>Do not modify the SOA serial number.</para>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </varlistentry>
ea94d370123a5892f6c47a97f21d1b28d44bb168Tinderbox User <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <para>Increment the SOA serial number using RFC 1982
1224c3b69b3d18f7127aa042644936af25a2d679Mark Andrews arithmetic.</para>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </varlistentry>
f051d76c87e055c6ea3879e0c97a76609df915ccMark Andrews <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <para>Set the SOA serial number to the number of seconds
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews since epoch.</para>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </variablelist>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <term>-o <replaceable class="parameter">origin</replaceable></term>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The zone origin. If not specified, the name of the zone file
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater is assumed to be the origin.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </varlistentry>
4abdfc917e6635a7c81d1f931a0c79227e72d025Mark Andrews <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <term>-O <replaceable class="parameter">output-format</replaceable></term>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The format of the output file containing the signed zone.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Possible formats are <command>"text"</command> (default)
(Kexample.com.+003+17247). The zone's keys must be in the master
Kexample.com.+003+17247