dnssec-signzone.docbook revision 268a4475065fe6a8cd7cc707820982cf5e98f430
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe [<!ENTITY mdash "&#8212;">]>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe<!--
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe - Copyright (C) 2000-2003 Internet Software Consortium.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe -
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe - Permission to use, copy, modify, and distribute this software for any
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe - purpose with or without fee is hereby granted, provided that the above
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe - copyright notice and this permission notice appear in all copies.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe -
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe - PERFORMANCE OF THIS SOFTWARE.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe-->
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe<!-- $Id: dnssec-signzone.docbook,v 1.16 2005/05/11 05:55:36 sra Exp $ -->
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe<refentry>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <refentryinfo>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <date>June 30, 2000</date>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </refentryinfo>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <refmeta>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <refentrytitle><application>dnssec-signzone</application></refentrytitle>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <manvolnum>8</manvolnum>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <refmiscinfo>BIND9</refmiscinfo>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </refmeta>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <refnamediv>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <refname><application>dnssec-signzone</application></refname>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <refpurpose>DNSSEC zone signing tool</refpurpose>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </refnamediv>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <docinfo>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <copyright>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <year>2004</year>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <year>2005</year>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </copyright>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <copyright>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <year>2000</year>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <year>2001</year>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <year>2002</year>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <year>2003</year>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <holder>Internet Software Consortium</holder>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </copyright>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </docinfo>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <refsynopsisdiv>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <cmdsynopsis>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <command>dnssec-signzone</command>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-a</option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-g</option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-h</option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-p</option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-t</option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg><option>-z</option></arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg choice="req">zonefile</arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <arg rep="repeat">key</arg>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </cmdsynopsis>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </refsynopsisdiv>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <refsect1>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <title>DESCRIPTION</title>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <para><command>dnssec-signzone</command>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe signs a zone. It generates
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe NSEC and RRSIG records and produces a signed version of the
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe zone. The security status of delegations from the signed zone
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe (that is, whether the child zones are secure or not) is
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe determined by the presence or absence of a
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <filename>keyset</filename> file for each child zone.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </para>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </refsect1>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <refsect1>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <title>OPTIONS</title>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <variablelist>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <varlistentry>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <term>-a</term>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <listitem>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <para>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe Verify all generated signatures.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </para>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </listitem>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </varlistentry>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <varlistentry>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <term>-c <replaceable class="parameter">class</replaceable></term>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <listitem>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <para>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe Specifies the DNS class of the zone.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </para>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </listitem>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </varlistentry>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <varlistentry>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <term>-k <replaceable class="parameter">key</replaceable></term>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <listitem>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <para>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe Treat specified key as a key signing key ignoring any
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe key flags. This option may be specified multiple times.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </para>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </listitem>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </varlistentry>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <varlistentry>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <term>-l <replaceable class="parameter">domain</replaceable></term>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <listitem>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe <para>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe Generate a DLV set in addition to the key (DNSKEY) and DS sets.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe The domain is appended to the name of the records.
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </para>
c10c16dec587a0662068f6e2991c29ed3a9db943Richard Lowe </listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Look for <filename>keyset</filename> files in
<option>directory</option> as the directory
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g</term>
<listitem>
<para>
Generate DS records for child zones from keyset files.
Existing DS records will be removed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">start-time</replaceable></term>
<listitem>
<para>
Specify the date and time when the generated RRSIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <option>start-time</option> is specified, the current
time minus 1 hour (to allow for clock skew) is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-e <replaceable class="parameter">end-time</replaceable></term>
<listitem>
<para>
Specify the date and time when the generated RRSIG records
expire. As with <option>start-time</option>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <option>end-time</option> is
specified, 30 days from the start time is used as a default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">output-file</replaceable></term>
<listitem>
<para>
The name of the output file containing the signed zone. The
default is to append <filename>.signed</filename> to
the
input file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-signzone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
When a previously signed zone is passed as input, records
may be resigned. The <option>interval</option> option
specifies the cycle interval as an offset from the current
time (in seconds). If a RRSIG record expires after the
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
</para>
<para>
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<option>end-time</option> or <option>start-time</option>
are specified, <command>dnssec-signzone</command>
generates
signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing RRSIG records
are due to expire in less than 7.5 days, they would be
replaced.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-j <replaceable class="parameter">jitter</replaceable></term>
<listitem>
<para>
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed, i.e.
a previously signed zone is passed as input to the signer,
all expired signatures has to be regenerated at about the
same time. The <option>jitter</option> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
regeneration over time.
</para>
<para>
Signature lifetime jitter also to some extent benefits
validators and servers by spreading out cache expiration,
i.e. if large numbers of RRSIGs don't expire at the same time
from all caches there will be less congestion than if all
validators need to refetch at mostly the same time.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">ncpus</replaceable></term>
<listitem>
<para>
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-o <replaceable class="parameter">origin</replaceable></term>
<listitem>
<para>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t</term>
<listitem>
<para>
Print statistics at completion.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Ignore KSK flag on key when determining what to sign.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>zonefile</term>
<listitem>
<para>
The file containing the zone to be signed.
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>key</term>
<listitem>
<para>
The keys used to sign the zone. If no keys are specified, the
default all zone keys that have private key files in the
current directory.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLE</title>
<para>
The following command signs the <userinput>example.com</userinput>
zone with the DSA key generated in the <command>dnssec-keygen</command>
man page. The zone's keys must be in the zone. If there are
<filename>keyset</filename> files associated with child
zones,
they must be in the current directory.
<userinput>example.com</userinput>, the following command would be
issued:
</para>
<para><userinput>dnssec-signzone -o example.com db.example.com
Kexample.com.+003+26160</userinput>
</para>
<para>
The command would print a string of the form:
</para>
<para>
In this example, <command>dnssec-signzone</command> creates
the file <filename>db.example.com.signed</filename>. This
file
should be referenced in a zone statement in a
<filename>named.conf</filename> file.
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2535</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->