bin/dnssec/dnssec-signzone.docbook

	dnssec-signzone.docbook revision 43b94483957d3168796a816ed86cf097518817dc
5cd4555ad444fd391002ae32450572054369fd42Rob Austein<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
5cd4555ad444fd391002ae32450572054369fd42Rob Austein               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein           [<!ENTITY mdash "&#8212;">]>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<!--
43b94483957d3168796a816ed86cf097518817dcTinderbox User - Copyright (C) 2004-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews - Copyright (C) 2000-2003  Internet Software Consortium.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington -
ec5347e2c775f027573ce5648b910361aa926c01Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - purpose with or without fee is hereby granted, provided that the above
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - copyright notice and this permission notice appear in all copies.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington -
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington-->
f5d30e2864e048a42c4dc1134993ae7efdb5d6c3Mark Andrews
f30785f506a522ed6a5e394af2bb13b6f883927eEvan Hunt<!-- $Id: dnssec-signzone.docbook,v 1.52 2011/12/22 07:32:40 each Exp $ -->
b5ad6dfea4cc3e7d1d322ac99f1e5a31096837c4Mark Andrews<refentry id="man.dnssec-signzone">
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refentryinfo>
6a550cb83cc2196f8af0592a258f75985cdcb5ebJeremy Reed    <date>June 05, 2009</date>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refentryinfo>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refmeta>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <refentrytitle><application>dnssec-signzone</application></refentrytitle>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins   <manvolnum>8</manvolnum>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <refmiscinfo>BIND9</refmiscinfo>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refmeta>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refnamediv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <refname><application>dnssec-signzone</application></refname>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <refpurpose>DNSSEC zone signing tool</refpurpose>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refnamediv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein  <docinfo>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein    <copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <year>2004</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <year>2005</year>
4b3f3cc67135e676a9b3b688685fb59e3494b0e6Mark Andrews      <year>2006</year>
c1a883f2e04d94e99c433b1f6cfd0c0338f4ed85Mark Andrews      <year>2007</year>
3398334b3acda24b086957286288ca9852662b12Automatic Updater      <year>2008</year>
39844d471080b2de4f8bb9d81f7e136ef80f0ae2Automatic Updater      <year>2009</year>
0e27506ce3135f9bd49e12564ad0e15256135118Automatic Updater      <year>2011</year>
3b398443f0dca316ba7a6e057ba2d1b8ab4ddf70Tinderbox User      <year>2012</year>
43b94483957d3168796a816ed86cf097518817dcTinderbox User      <year>2013</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein    </copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein    <copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <year>2000</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <year>2001</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <year>2002</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <year>2003</year>
f5d30e2864e048a42c4dc1134993ae7efdb5d6c3Mark Andrews      <holder>Internet Software Consortium.</holder>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein    </copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein  </docinfo>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refsynopsisdiv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <cmdsynopsis>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <command>dnssec-signzone</command>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-a</option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
eff7f78bc65f30efd87a398e66084ddab72799d3Mark Andrews      <arg><option>-D</option></arg>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews      <arg><option>-g</option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-h</option></arg>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews      <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
f30785f506a522ed6a5e394af2bb13b6f883927eEvan Hunt      <arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
50105afc551903541608b11851d73278b23579a3Mark Andrews      <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews      <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews      <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins      <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews      <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
2534a73a5914470f7ffe00663b6bbaff5e411e57Mark Andrews      <arg><option>-P</option></arg>
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt      <arg><option>-p</option></arg>
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt      <arg><option>-R</option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt      <arg><option>-S</option></arg>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews      <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt      <arg><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-t</option></arg>
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt      <arg><option>-u</option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt      <arg><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
3727725bb7d63605b68a644060857013d563b67fEvan Hunt      <arg><option>-x</option></arg>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews      <arg><option>-z</option></arg>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews      <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews      <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews      <arg><option>-A</option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg choice="req">zonefile</arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg rep="repeat">key</arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </cmdsynopsis>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refsynopsisdiv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <title>DESCRIPTION</title>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein    <para><command>dnssec-signzone</command>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      signs a zone.  It generates
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      NSEC and RRSIG records and produces a signed version of the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      zone. The security status of delegations from the signed zone
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      (that is, whether the child zones are secure or not) is
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      determined by the presence or absence of a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <filename>keyset</filename> file for each child zone.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <title>OPTIONS</title>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <variablelist>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-a</term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Verify all generated signatures.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-c <replaceable class="parameter">class</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Specifies the DNS class of the zone.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt      <varlistentry>
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt        <term>-C</term>
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt        <listitem>
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt          <para>
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt            Compatibility mode: Generate a
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt            <filename>keyset-<replaceable>zonename</replaceable></filename>
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt            file in addition to
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt            <filename>dsset-<replaceable>zonename</replaceable></filename>
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt            when signing a zone, for use by older versions of
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt            <command>dnssec-signzone</command>.
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt          </para>
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt        </listitem>
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt      </varlistentry>
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews      <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        <term>-d <replaceable class="parameter">directory</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            Look for <filename>dsset-</filename> or
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            <filename>keyset-</filename> files in <option>directory</option>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews      </varlistentry>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews
eff7f78bc65f30efd87a398e66084ddab72799d3Mark Andrews      <varlistentry>
eff7f78bc65f30efd87a398e66084ddab72799d3Mark Andrews        <term>-D</term>
eff7f78bc65f30efd87a398e66084ddab72799d3Mark Andrews        <listitem>
eff7f78bc65f30efd87a398e66084ddab72799d3Mark Andrews          <para>
eff7f78bc65f30efd87a398e66084ddab72799d3Mark Andrews        Output only those record types automatically managed by
eff7f78bc65f30efd87a398e66084ddab72799d3Mark Andrews        <command>dnssec-signzone</command>, i.e. RRSIG, NSEC,
eff7f78bc65f30efd87a398e66084ddab72799d3Mark Andrews        NSEC3 and NSEC3PARAM records. If smart signing
eff7f78bc65f30efd87a398e66084ddab72799d3Mark Andrews        (<option>-S</option>) is used, DNSKEY records are also
eff7f78bc65f30efd87a398e66084ddab72799d3Mark Andrews        included. The resulting file can be included in the original
eff7f78bc65f30efd87a398e66084ddab72799d3Mark Andrews        zone file with <command>$INCLUDE</command>. This option
6844e3f010440a9f3eb200b3c2123a19e58a64dcEvan Hunt        cannot be combined with <option>-O raw</option>,
c9611b45736af157e2993c6ef852e55e8e24ca83Evan Hunt            <option>-O map</option>, or serial number updating.
eff7f78bc65f30efd87a398e66084ddab72799d3Mark Andrews          </para>
eff7f78bc65f30efd87a398e66084ddab72799d3Mark Andrews        </listitem>
eff7f78bc65f30efd87a398e66084ddab72799d3Mark Andrews      </varlistentry>
eff7f78bc65f30efd87a398e66084ddab72799d3Mark Andrews
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont      <varlistentry>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont        <term>-E <replaceable class="parameter">engine</replaceable></term>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont        <listitem>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont          <para>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont            Uses a crypto hardware (OpenSSL engine) for the crypto operations
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont            it supports, for instance signing with private keys from
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont            a secure key store. When compiled with PKCS#11 support
f80b665135127a12ca503c8830aa465aa1ddd17dEvan Hunt            it defaults to pkcs11; the empty name resets it to no engine.
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont          </para>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont        </listitem>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont      </varlistentry>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont
50105afc551903541608b11851d73278b23579a3Mark Andrews      <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        <term>-g</term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            Generate DS records for child zones from
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            <filename>dsset-</filename> or <filename>keyset-</filename>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            file.  Existing DS records will be removed.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
50105afc551903541608b11851d73278b23579a3Mark Andrews      </varlistentry>
50105afc551903541608b11851d73278b23579a3Mark Andrews
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        <term>-K <replaceable class="parameter">directory</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            Key repository: Specify a directory to search for DNSSEC keys.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            If not specified, defaults to the current directory.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
bf7f253e306d0ced8ae24d7a0598773950da11f4Mark Andrews      <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        <term>-k <replaceable class="parameter">key</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            Treat specified key as a key signing key ignoring any
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            key flags.  This option may be specified multiple times.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt          </para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt      </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt      <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        <term>-l <replaceable class="parameter">domain</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        <listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt          <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            The domain is appended to the name of the records.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
bf7f253e306d0ced8ae24d7a0598773950da11f4Mark Andrews      </varlistentry>
bf7f253e306d0ced8ae24d7a0598773950da11f4Mark Andrews
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-s <replaceable class="parameter">start-time</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Specify the date and time when the generated RRSIG records
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            become valid.  This can be either an absolute or relative
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            time.  An absolute start time is indicated by a number
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            14:45:00 UTC on May 30th, 2000.  A relative start time is
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            indicated by +N, which is N seconds from the current time.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            If no <option>start-time</option> is specified, the current
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            time minus 1 hour (to allow for clock skew) is used.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-e <replaceable class="parameter">end-time</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Specify the date and time when the generated RRSIG records
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            expire.  As with <option>start-time</option>, an absolute
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            to the start time is indicated with +N, which is N seconds from
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            the start time.  A time relative to the current time is
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            indicated with now+N.  If no <option>end-time</option> is
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            specified, 30 days from the start time is used as a default.
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt            <option>end-time</option> must be later than
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt            <option>start-time</option>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt      <varlistentry>
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt        <term>-X <replaceable class="parameter">extended end-time</replaceable></term>
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt        <listitem>
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt          <para>
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt            Specify the date and time when the generated RRSIG records
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt            for the DNSKEY RRset will expire.  This is to be used in cases
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt            when the DNSKEY signatures need to persist longer than
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt            signatures on other records; e.g., when the private component
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt            of the KSK is kept offline and the KSK signature is to be
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt            refreshed manually.
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt          </para>
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt          <para>
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt            As with <option>start-time</option>, an absolute
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt            to the start time is indicated with +N, which is N seconds from
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt            the start time.  A time relative to the current time is
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt            indicated with now+N.  If no <option>extended end-time</option> is
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt            specified, the value of <option>end-time</option> is used as
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt            the default.  (<option>end-time</option>, in turn, defaults to
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt            30 days from the start time.) <option>extended end-time</option>
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt            must be later than <option>start-time</option>.
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt          </para>
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt        </listitem>
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt      </varlistentry>
61271cdee65f3313e98f382b07e6674861d9020aEvan Hunt
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-f <replaceable class="parameter">output-file</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            The name of the output file containing the signed zone.  The
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            default is to append <filename>.signed</filename> to
d9eebc08497af272b2d44c07f4eb85153dec4253Evan Hunt            the input filename.  If <option>output-file</option> is
d9eebc08497af272b2d44c07f4eb85153dec4253Evan Hunt            set to <literal>"-"</literal>, then the signed zone is
d9eebc08497af272b2d44c07f4eb85153dec4253Evan Hunt            written to the standard output, with a default output
d9eebc08497af272b2d44c07f4eb85153dec4253Evan Hunt            format of "full".
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-h</term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Prints a short summary of the options and arguments to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            <command>dnssec-signzone</command>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-i <replaceable class="parameter">interval</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews            When a previously-signed zone is passed as input, records
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            may be resigned.  The <option>interval</option> option
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            specifies the cycle interval as an offset from the current
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            time (in seconds).  If a RRSIG record expires after the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            cycle interval, it is retained.  Otherwise, it is considered
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            to be expiring soon, and it will be replaced.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            The default cycle interval is one quarter of the difference
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            between the signature end and start times.  So if neither
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            <option>end-time</option> or <option>start-time</option>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            are specified, <command>dnssec-signzone</command>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            generates
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            signatures that are valid for 30 days, with a cycle
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            interval of 7.5 days.  Therefore, if any existing RRSIG records
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            are due to expire in less than 7.5 days, they would be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            replaced.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews      <varlistentry>
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews        <term>-I <replaceable class="parameter">input-format</replaceable></term>
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews        <listitem>
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews          <para>
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews            The format of the input zone file.
6844e3f010440a9f3eb200b3c2123a19e58a64dcEvan Hunt        Possible formats are <command>"text"</command> (default),
c9611b45736af157e2993c6ef852e55e8e24ca83Evan Hunt        <command>"raw"</command>, and <command>"map"</command>.
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews        This option is primarily intended to be used for dynamic
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews            signed zones so that the dumped zone file in a non-text
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews            format containing updates can be signed directly.
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews        The use of this option does not make much sense for
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews        non-dynamic zones.
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews          </para>
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews        </listitem>
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews      </varlistentry>
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews      <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <term>-j <replaceable class="parameter">jitter</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            When signing a zone with a fixed signature lifetime, all
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            RRSIG records issued at the time of signing expires
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            simultaneously.  If the zone is incrementally signed, i.e.
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews            a previously-signed zone is passed as input to the signer,
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews            all expired signatures have to be regenerated at about the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            same time.  The <option>jitter</option> option specifies a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            jitter window that will be used to randomize the signature
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            expire time, thus spreading incremental signature
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            regeneration over time.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Signature lifetime jitter also to some extent benefits
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            validators and servers by spreading out cache expiration,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            i.e. if large numbers of RRSIGs don't expire at the same time
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            from all caches there will be less congestion than if all
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            validators need to refetch at mostly the same time.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews      </varlistentry>
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews
f30785f506a522ed6a5e394af2bb13b6f883927eEvan Hunt      <varlistentry>
f30785f506a522ed6a5e394af2bb13b6f883927eEvan Hunt        <term>-L <replaceable class="parameter">serial</replaceable></term>
f30785f506a522ed6a5e394af2bb13b6f883927eEvan Hunt        <listitem>
f30785f506a522ed6a5e394af2bb13b6f883927eEvan Hunt          <para>
c9611b45736af157e2993c6ef852e55e8e24ca83Evan Hunt            When writing a signed zone to "raw" or "map" format, set the
6844e3f010440a9f3eb200b3c2123a19e58a64dcEvan Hunt            "source serial" value in the header to the specified serial
6844e3f010440a9f3eb200b3c2123a19e58a64dcEvan Hunt            number.  (This is expected to be used primarily for testing
6844e3f010440a9f3eb200b3c2123a19e58a64dcEvan Hunt            purposes.)
f30785f506a522ed6a5e394af2bb13b6f883927eEvan Hunt          </para>
f30785f506a522ed6a5e394af2bb13b6f883927eEvan Hunt        </listitem>
f30785f506a522ed6a5e394af2bb13b6f883927eEvan Hunt      </varlistentry>
f30785f506a522ed6a5e394af2bb13b6f883927eEvan Hunt
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-n <replaceable class="parameter">ncpus</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Specifies the number of threads to use.  By default, one
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            thread is started for each detected CPU.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins      <varlistentry>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins        <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins        <listitem>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins          <para>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins            The SOA serial number format of the signed zone.
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins        Possible formats are <command>"keep"</command> (default),
170938fdfc065eb9629b1dc2793f883e2d6cc565Mark Andrews            <command>"increment"</command> and
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins        <command>"unixtime"</command>.
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins          </para>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins          <variablelist>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins        <varlistentry>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins          <term><command>"keep"</command></term>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins              <listitem>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins                <para>Do not modify the SOA serial number.</para>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins          </listitem>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins            </varlistentry>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins        <varlistentry>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins          <term><command>"increment"</command></term>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins              <listitem>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins                <para>Increment the SOA serial number using RFC 1982
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins                      arithmetics.</para>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins          </listitem>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins            </varlistentry>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins        <varlistentry>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins          <term><command>"unixtime"</command></term>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins              <listitem>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins                <para>Set the SOA serial number to the number of seconds
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins            since epoch.</para>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins          </listitem>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins            </varlistentry>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins     </variablelist>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins        </listitem>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins      </varlistentry>
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-o <replaceable class="parameter">origin</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            The zone origin.  If not specified, the name of the zone file
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            is assumed to be the origin.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews      <varlistentry>
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews        <term>-O <replaceable class="parameter">output-format</replaceable></term>
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews        <listitem>
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews          <para>
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews            The format of the output file containing the signed zone.
6844e3f010440a9f3eb200b3c2123a19e58a64dcEvan Hunt        Possible formats are <command>"text"</command> (default),
6844e3f010440a9f3eb200b3c2123a19e58a64dcEvan Hunt            which is the standard textual representation of the zone;
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt        <command>"full"</command>, which is text output in a
6844e3f010440a9f3eb200b3c2123a19e58a64dcEvan Hunt            format suitable for processing by external scripts;
c9611b45736af157e2993c6ef852e55e8e24ca83Evan Hunt            and <command>"map"</command>, <command>"raw"</command>,
6844e3f010440a9f3eb200b3c2123a19e58a64dcEvan Hunt            and <command>"raw=N"</command>, which store the zone in
6844e3f010440a9f3eb200b3c2123a19e58a64dcEvan Hunt            binary formats for rapid loading by <command>named</command>.
6844e3f010440a9f3eb200b3c2123a19e58a64dcEvan Hunt            <command>"raw=N"</command> specifies the format version of
6844e3f010440a9f3eb200b3c2123a19e58a64dcEvan Hunt            the raw zone file: if N is 0, the raw file can be read by
6844e3f010440a9f3eb200b3c2123a19e58a64dcEvan Hunt            any version of <command>named</command>; if N is 1, the file
6844e3f010440a9f3eb200b3c2123a19e58a64dcEvan Hunt            can be read by release 9.9.0 or higher; the default is 1.
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews          </para>
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews        </listitem>
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews      </varlistentry>
e174044290953a2499f574e35cc9c22ba126a303Mark Andrews
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-p</term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Use pseudo-random data when signing the zone.  This is faster,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            but less secure, than using real random data.  This option
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            may be useful when signing large zones or when the entropy
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            source is limited.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
2534a73a5914470f7ffe00663b6bbaff5e411e57Mark Andrews      <varlistentry>
2534a73a5914470f7ffe00663b6bbaff5e411e57Mark Andrews        <term>-P</term>
2534a73a5914470f7ffe00663b6bbaff5e411e57Mark Andrews        <listitem>
2534a73a5914470f7ffe00663b6bbaff5e411e57Mark Andrews          <para>
2534a73a5914470f7ffe00663b6bbaff5e411e57Mark Andrews        Disable post sign verification tests.
2534a73a5914470f7ffe00663b6bbaff5e411e57Mark Andrews          </para>
2534a73a5914470f7ffe00663b6bbaff5e411e57Mark Andrews          <para>
2534a73a5914470f7ffe00663b6bbaff5e411e57Mark Andrews        The post sign verification test ensures that for each algorithm
6a550cb83cc2196f8af0592a258f75985cdcb5ebJeremy Reed        in use there is at least one non revoked self signed KSK key,
6a550cb83cc2196f8af0592a258f75985cdcb5ebJeremy Reed        that all revoked KSK keys are self signed, and that all records
2534a73a5914470f7ffe00663b6bbaff5e411e57Mark Andrews        in the zone are signed by the algorithm.
6a550cb83cc2196f8af0592a258f75985cdcb5ebJeremy Reed        This option skips these tests.
2534a73a5914470f7ffe00663b6bbaff5e411e57Mark Andrews          </para>
2534a73a5914470f7ffe00663b6bbaff5e411e57Mark Andrews        </listitem>
2534a73a5914470f7ffe00663b6bbaff5e411e57Mark Andrews      </varlistentry>
2534a73a5914470f7ffe00663b6bbaff5e411e57Mark Andrews
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt      <varlistentry>
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt        <term>-R</term>
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt        <listitem>
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt          <para>
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt        Remove signatures from keys that no longer exist.
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt          </para>
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt          <para>
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt            Normally, when a previously-signed zone is passed as input
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt            to the signer, and a DNSKEY record has been removed and
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt            replaced with a new one, signatures from the old key
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt            that are still within their validity period are retained.
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt        This allows the zone to continue to validate with cached
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt        copies of the old DNSKEY RRset.  The <option>-R</option> forces
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt            <command>dnssec-signzone</command> to remove all orphaned
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt            signatures.
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt          </para>
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt        </listitem>
35f1a4fc935ad0f05a23d5a6cfba17f5913fdcc1Evan Hunt      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-r <replaceable class="parameter">randomdev</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Specifies the source of randomness.  If the operating
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            system does not provide a <filename>/dev/random</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            or equivalent device, the default source of randomness
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            is keyboard input.  <filename>randomdev</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            specifies
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            the name of a character device or file containing random
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            data to be used instead of the default.  The special value
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            <filename>keyboard</filename> indicates that keyboard
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            input should be used.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt      <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        <term>-S</term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        <listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt          <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            Smart signing: Instructs <command>dnssec-signzone</command> to
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            search the key repository for keys that match the zone being
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            signed, and to include them in the zone if appropriate.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt          </para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt          <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            When a key is found, its timing metadata is examined to
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            determine how it should be used, according to the following
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            rules.  Each successive rule takes priority over the prior
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            ones:
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt          </para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt          <variablelist>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt              <listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                  If no timing metadata has been set for the key, the key is
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                  published in the zone and used to sign the zone.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                </para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt          </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt              <listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                  If the key's publication date is set and is in the past, the
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                  key is published in the zone.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                </para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt          </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt              <listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                  If the key's activation date is set and in the past, the
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                  key is published (regardless of publication date) and
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                  used to sign the zone.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                </para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt          </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt              <listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                  If the key's revocation date is set and in the past, and the
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                  key is published, then the key is revoked, and the revoked key
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                  is used to sign the zone.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                </para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt          </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt              <listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                  If either of the key's unpublication or deletion dates are set
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                  and in the past, the key is NOT published or used to sign the
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                  zone, regardless of any other metadata.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt                </para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt          </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt            </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt     </variablelist>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt      </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt      <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        <term>-T <replaceable class="parameter">ttl</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        <listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt          <para>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt            Specifies a TTL to be used for new DNSKEY records imported
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt            into the zone from the key repository.  If not
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt            specified, the default is the TTL value from the zone's SOA
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt            record.  This option is ignored when signing without
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt            <option>-S</option>, since DNSKEY records are not imported
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt            from the key repository in that case.  It is also ignored if
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt            there are any pre-existing DNSKEY records at the zone apex,
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt            in which case new records' TTL values will be set to match
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt            them, or if any of the imported DNSKEY records had a default
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt            TTL value.  In the event of a a conflict between TTL values in
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt            imported keys, the shortest one is used.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt          </para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt        </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt      </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-t</term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Print statistics at completion.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt      <varlistentry>
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt        <term>-u</term>
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt        <listitem>
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt          <para>
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt            Update NSEC/NSEC3 chain when re-signing a previously signed
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt            zone.  With this option, a zone signed with NSEC can be
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt            switched to NSEC3, or a zone signed with NSEC3 can
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt            be switch to NSEC or to NSEC3 with different parameters.
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt            Without this option, <command>dnssec-signzone</command> will
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt            retain the existing chain when re-signing.
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt          </para>
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt        </listitem>
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt      </varlistentry>
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-v <replaceable class="parameter">level</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Sets the debugging level.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
3727725bb7d63605b68a644060857013d563b67fEvan Hunt      <varlistentry>
3727725bb7d63605b68a644060857013d563b67fEvan Hunt        <term>-x</term>
3727725bb7d63605b68a644060857013d563b67fEvan Hunt        <listitem>
3727725bb7d63605b68a644060857013d563b67fEvan Hunt          <para>
3727725bb7d63605b68a644060857013d563b67fEvan Hunt            Only sign the DNSKEY RRset with key-signing keys, and omit
c00929ed9f5234a0f2d79bd338fa931de85f4bb2Evan Hunt            signatures from zone-signing keys.  (This is similar to the
8e4f3f1cbceef520ba889270c993de0ac376a2a7Evan Hunt            <command>dnssec-dnskey-kskonly yes;</command> zone option in
c00929ed9f5234a0f2d79bd338fa931de85f4bb2Evan Hunt            <command>named</command>.)
3727725bb7d63605b68a644060857013d563b67fEvan Hunt          </para>
3727725bb7d63605b68a644060857013d563b67fEvan Hunt        </listitem>
3727725bb7d63605b68a644060857013d563b67fEvan Hunt      </varlistentry>
3727725bb7d63605b68a644060857013d563b67fEvan Hunt
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews      <varlistentry>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews        <term>-z</term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
3727725bb7d63605b68a644060857013d563b67fEvan Hunt            Ignore KSK flag on key when determining what to sign.  This
3727725bb7d63605b68a644060857013d563b67fEvan Hunt            causes KSK-flagged keys to sign all records, not just the
c00929ed9f5234a0f2d79bd338fa931de85f4bb2Evan Hunt            DNSKEY RRset.  (This is similar to the
c00929ed9f5234a0f2d79bd338fa931de85f4bb2Evan Hunt            <command>update-check-ksk no;</command> zone option in
c00929ed9f5234a0f2d79bd338fa931de85f4bb2Evan Hunt            <command>named</command>.)
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews      </varlistentry>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews      <varlistentry>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews        <term>-3 <replaceable class="parameter">salt</replaceable></term>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews        <listitem>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews          <para>
a93a66f61872a92ef4a272ca998aaff954ab4fedEvan Hunt            Generate an NSEC3 chain with the given hex encoded salt.
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews        A dash (<replaceable class="parameter">salt</replaceable>) can
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews        be used to indicate that no salt is to be used when generating          the NSEC3 chain.
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews          </para>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews        </listitem>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews      </varlistentry>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews      <varlistentry>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews        <term>-H <replaceable class="parameter">iterations</replaceable></term>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews        <listitem>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews          <para>
a93a66f61872a92ef4a272ca998aaff954ab4fedEvan Hunt        When generating an NSEC3 chain, use this many interations.  The
a93a66f61872a92ef4a272ca998aaff954ab4fedEvan Hunt        default is 10.
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews          </para>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews        </listitem>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews      </varlistentry>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews      <varlistentry>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews        <term>-A</term>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews        <listitem>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews          <para>
a93a66f61872a92ef4a272ca998aaff954ab4fedEvan Hunt        When generating an NSEC3 chain set the OPTOUT flag on all
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews        NSEC3 records and do not generate NSEC3 records for insecure
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews        delegations.
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews          </para>
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt          <para>
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt        Using this option twice (i.e., <option>-AA</option>)
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt        turns the OPTOUT flag off for all records.  This is useful
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt        when using the <option>-u</option> option to modify an NSEC3
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt        chain which previously had OPTOUT set.
fb596cc9af28ab5bf71c6796ebd1809654307a08Evan Hunt          </para>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews        </listitem>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews      </varlistentry>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>zonefile</term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            The file containing the zone to be signed.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>key</term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews        Specify which keys should be used to sign the zone.  If
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews        no keys are specified, then the zone will be examined
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews        for DNSKEY records at the zone apex.  If these are found and
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews        there are matching private keys, in the current directory,
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews        then these will be used for signing.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </variablelist>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <title>EXAMPLE</title>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      The following command signs the <userinput>example.com</userinput>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews      zone with the DSA key generated by <command>dnssec-keygen</command>
77b8f88f144928eddcca144c348d6ef53e7d5c43Evan Hunt      (Kexample.com.+003+17247).  Because the <command>-S</command> option
77b8f88f144928eddcca144c348d6ef53e7d5c43Evan Hunt      is not being used, the zone's keys must be in the master file
77b8f88f144928eddcca144c348d6ef53e7d5c43Evan Hunt      (<filename>db.example.com</filename>).  This invocation looks
77b8f88f144928eddcca144c348d6ef53e7d5c43Evan Hunt      for <filename>dsset</filename> files, in the current directory,
77b8f88f144928eddcca144c348d6ef53e7d5c43Evan Hunt      so that DS records can be imported from them (<command>-g</command>).
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews<programlisting>% dnssec-signzone -g -o example.com db.example.com \
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark AndrewsKexample.com.+003+17247
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrewsdb.example.com.signed
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews%</programlisting>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <para>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews      In the above example, <command>dnssec-signzone</command> creates
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      the file <filename>db.example.com.signed</filename>.  This
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews      file should be referenced in a zone statement in a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <filename>named.conf</filename> file.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews    <para>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews      This example re-signs a previously signed zone with default parameters.
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews      The private keys are assumed to be in the current directory.
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews    </para>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews<programlisting>% cp db.example.com.signed db.example.com
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews% dnssec-signzone -o example.com db.example.com
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrewsdb.example.com.signed
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews%</programlisting>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <title>SEE ALSO</title>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein    <para><citerefentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </citerefentry>,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
e1648063291cb3237f91d0e168fb666f73a6994fJeremy Reed      <citetitle>RFC 4033</citetitle>.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <title>AUTHOR</title>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein    <para><corpauthor>Internet Systems Consortium</corpauthor>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</refentry><!--
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - Local variables:
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - mode: sgml
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - End:
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington-->