e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin [<!ENTITY mdash "—">]>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin - Copyright (C) 2000-2003 Internet Software Consortium.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin - Permission to use, copy, modify, and/or distribute this software for any
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin - purpose with or without fee is hereby granted, provided that the above
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin - copyright notice and this permission notice appear in all copies.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin - PERFORMANCE OF THIS SOFTWARE.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin<!-- $Id: dnssec-signzone.docbook,v 1.33 2009/06/04 02:56:47 tbox Exp $ -->
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <refentryinfo>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </refentryinfo>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <refentrytitle><application>dnssec-signzone</application></refentrytitle>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <refnamediv>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <refname><application>dnssec-signzone</application></refname>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </refnamediv>
ac3c34a9df3a980148993a91a2b6e630b59b5274rjung <copyright>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </copyright>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <copyright>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </copyright>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <refsynopsisdiv>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <cmdsynopsis>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </cmdsynopsis>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </refsynopsisdiv>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin signs a zone. It generates
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin NSEC and RRSIG records and produces a signed version of the
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin zone. The security status of delegations from the signed zone
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin (that is, whether the child zones are secure or not) is
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin determined by the presence or absence of a
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <filename>keyset</filename> file for each child zone.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </refsect1>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <variablelist>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin Verify all generated signatures.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term>-c <replaceable class="parameter">class</replaceable></term>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin Specifies the DNS class of the zone.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term>-k <replaceable class="parameter">key</replaceable></term>
 Treat the specified key as a key-signing key (KSK), ignoring any
 key flags. This option may be specified multiple times.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term>-l <replaceable class="parameter">domain</replaceable></term>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin Generate a DLV set in addition to the key (DNSKEY) and DS sets.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin The domain is appended to the name of the records.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term>-d <replaceable class="parameter">directory</replaceable></term>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin Generate DS records for child zones from keyset files.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin Existing DS records will be removed.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
fc251eb7714d158c2952bc2ddbbcfb9169098212sf <term>-s <replaceable class="parameter">start-time</replaceable></term>
fc251eb7714d158c2952bc2ddbbcfb9169098212sf <listitem>
fc251eb7714d158c2952bc2ddbbcfb9169098212sf Specify the date and time when the generated RRSIG records
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin become valid. This can be either an absolute or relative
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin time. An absolute start time is indicated by a number
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin in YYYYMMDDHHMMSS notation; 20000530144500 denotes
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin 14:45:00 UTC on May 30th, 2000. A relative start time is
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin indicated by +N, which is N seconds from the current time.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin If no <option>start-time</option> is specified, the current
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin time minus 1 hour (to allow for clock skew) is used.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term>-e <replaceable class="parameter">end-time</replaceable></term>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin Specify the date and time when the generated RRSIG records
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin expire. As with <option>start-time</option>, an absolute
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin time is indicated in YYYYMMDDHHMMSS notation. A time relative
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin to the start time is indicated with +N, which is N seconds from
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin the start time. A time relative to the current time is
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin indicated with now+N. If no <option>end-time</option> is
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin specified, 30 days from the start time is used as a default.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term>-f <replaceable class="parameter">output-file</replaceable></term>
 The name of the output file containing the signed zone. The
 default is to append <filename>.signed</filename> to the
 input filename.
c4160662d93c5c24b234650f9914b3aea20276cetrawick </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin Prints a short summary of the options and arguments to
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term>-i <replaceable class="parameter">interval</replaceable></term>
 When a previously-signed zone is passed as input, records
 may be re-signed. The <option>interval</option> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin The default cycle interval is one quarter of the difference
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin between the signature end and start times. So if neither
 <option>end-time</option> nor <option>start-time</option>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin signatures that are valid for 30 days, with a cycle
ac3c34a9df3a980148993a91a2b6e630b59b5274rjung interval of 7.5 days. Therefore, if any existing RRSIG records
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin are due to expire in less than 7.5 days, they would be
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term>-I <replaceable class="parameter">input-format</replaceable></term>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin The format of the input zone file.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin Possible formats are <command>"text"</command> (default)
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin This option is primarily intended to be used for dynamic
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin signed zones so that the dumped zone file in a non-text
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin format containing updates can be signed directly.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin The use of this option does not make much sense for
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin non-dynamic zones.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term>-j <replaceable class="parameter">jitter</replaceable></term>
 When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously-signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <option>jitter</option> option specifies a
 jitter window that is used to randomize the signature
 expiry time, thus spreading incremental signature
 regeneration over time.
 Signature lifetime jitter also benefits validators and servers
 to some extent by spreading out cache expiration: if large
 numbers of RRSIGs do not expire from all caches at the same
 time, there is less congestion than if all validators need to
 refetch at roughly the same time.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term>-n <replaceable class="parameter">ncpus</replaceable></term>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin Specifies the number of threads to use. By default, one
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin thread is started for each detected CPU.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin The SOA serial number format of the signed zone.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin Possible formats are <command>"keep"</command> (default),
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <variablelist>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
 <para>Increment the SOA serial number using RFC 1982
 arithmetic.</para>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <para>Set the SOA serial number to the number of seconds
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin since epoch.</para>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </variablelist>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term>-o <replaceable class="parameter">origin</replaceable></term>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin The zone origin. If not specified, the name of the zone file
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin is assumed to be the origin.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
9d3e8ab5391fb11d3d2f295a602279c70a78d957jailletc </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term>-O <replaceable class="parameter">output-format</replaceable></term>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin The format of the output file containing the signed zone.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin Possible formats are <command>"text"</command> (default)
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin Use pseudo-random data when signing the zone. This is faster,
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin but less secure, than using real random data. This option
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin may be useful when signing large zones or when the entropy
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin source is limited.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
 Disable post-sign verification tests.
 The post-sign verification test ensures that for each algorithm
 in use there is at least one non-revoked, self-signed KSK key;
 that all revoked KSK keys are self-signed; and that all records
 in the zone are signed by that algorithm.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term>-r <replaceable class="parameter">randomdev</replaceable></term>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin Specifies the source of randomness. If the operating
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin system does not provide a <filename>/dev/random</filename>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin or equivalent device, the default source of randomness
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin the name of a character device or file containing random
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin data to be used instead of the default. The special value
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <filename>keyboard</filename> indicates that keyboard
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin input should be used.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin Print statistics at completion.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term>-v <replaceable class="parameter">level</replaceable></term>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin Sets the debugging level.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
 Ignore the KSK flag on keys when determining what to sign.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term>-3 <replaceable class="parameter">salt</replaceable></term>
 Generate an NSEC3 chain with the given hex-encoded salt.
 A dash (<replaceable class="parameter">salt</replaceable>) can
 be used to indicate that no salt is to be used when generating the NSEC3 chain.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term>-H <replaceable class="parameter">iterations</replaceable></term>
 When generating an NSEC3 chain, use this many iterations. The
 default is 100.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
 When generating an NSEC3 chain, set the OPTOUT flag on all
 NSEC3 records and do not generate NSEC3 records for insecure
 delegations.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin The file containing the zone to be signed.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
 Specify which keys should be used to sign the zone. If
 no keys are specified, the zone is examined
 for DNSKEY records at the zone apex. If these are found and
 there are matching private keys in the current directory,
 those keys are used for signing.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </variablelist>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </refsect1>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin The following command signs the <userinput>example.com</userinput>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin zone with the DSA key generated by <command>dnssec-keygen</command>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin (Kexample.com.+003+17247). The zone's keys must be in the master
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin file (<filename>db.example.com</filename>). This invocation looks
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin for <filename>keyset</filename> files, in the current directory,
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin so that DS records can be generated from them (<command>-g</command>).
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin<programlisting>% dnssec-signzone -g -o example.com db.example.com \
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin%</programlisting>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin In the above example, <command>dnssec-signzone</command> creates
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin the file <filename>db.example.com.signed</filename>. This
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin file should be referenced in a zone statement in a
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin This example re-signs a previously signed zone with default parameters.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin The private keys are assumed to be in the current directory.
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin<programlisting>% cp db.example.com.signed db.example.com
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin%</programlisting>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </refsect1>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </citerefentry>,
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </refsect1>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <para><corpauthor>Internet Systems Consortium</corpauthor>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin </refsect1>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin - Local variables:
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin - mode: sgml