dnssec-signzone.docbook revision 6e8a8077faf96d8da0b6cf738913f5f1f86e4008
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
63737247d167ffa7151bc3d228ca5c0875751818Tinderbox User<!--
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews - Copyright (C) 2001-2003 Internet Software Consortium.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews -
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews - Permission to use, copy, modify, and distribute this software for any
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews - purpose with or without fee is hereby granted, provided that the above
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews - copyright notice and this permission notice appear in all copies.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews -
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews-->
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews<!-- $Id: dnssec-signzone.docbook,v 1.13 2005/03/22 02:20:03 marka Exp $ -->
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews<refentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <refentryinfo>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <date>June 30, 2000</date>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </refentryinfo>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <refmeta>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <refentrytitle><application>dnssec-signzone</application></refentrytitle>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <manvolnum>8</manvolnum>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <refmiscinfo>BIND9</refmiscinfo>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </refmeta>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <refnamediv>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <refname><application>dnssec-signzone</application></refname>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <refpurpose>DNSSEC zone signing tool</refpurpose>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </refnamediv>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <refsynopsisdiv>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <cmdsynopsis>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <command>dnssec-signzone</command>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-a</option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-g</option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-h</option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-p</option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-t</option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg><option>-z</option></arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg choice="req">zonefile</arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <arg rep="repeat">key</arg>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </cmdsynopsis>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </refsynopsisdiv>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews <refsect1>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <title>DESCRIPTION</title>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <command>dnssec-signzone</command> signs a zone. It generates
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews NSEC and RRSIG records and produces a signed version of the
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews zone. The security status of delegations from the signed zone
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews (that is, whether the child zones are secure or not) is
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews determined by the presence or absence of a
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <filename>keyset</filename> file for each child zone: a child
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews zone for which no <filename>keyset</filename> file is found is
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews treated as insecure. Make sure the <filename>keyset</filename>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews files of all secure child zones are present in the directory
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews the signer searches (see <option>-d</option>) before signing.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </refsect1>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <refsect1>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <title>OPTIONS</title>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <variablelist>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <term>-a</term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews Verify all generated signatures.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <term>-c <replaceable class="parameter">class</replaceable></term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews Specifies the DNS class of the zone.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <term>-k <replaceable class="parameter">key</replaceable></term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews Treat the specified key as a key-signing key (KSK), ignoring any
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews flags set on the key itself. This option may be specified multiple times.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <term>-l <replaceable class="parameter">domain</replaceable></term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews Generate a DLV (DNSSEC Lookaside Validation) set in addition to
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews the key (DNSKEY) and DS sets. <option>domain</option> is appended
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews to the owner name of the generated DLV records.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <term>-d <replaceable class="parameter">directory</replaceable></term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews Look for <filename>keyset</filename> files in
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <option>directory</option> instead of the current directory.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <term>-g</term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews Generate DS records for child zones from their
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <filename>keyset</filename> files. Any DS records already
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews present in the input zone are removed first, so the signed zone
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews contains only DS records derived from the keyset files found.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <term>-s <replaceable class="parameter">start-time</replaceable></term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews Specify the date and time when the generated RRSIG records
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews become valid. This can be either an absolute or relative
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews time. An absolute start time is indicated by a number
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews in YYYYMMDDHHMMSS notation; 20000530144500 denotes
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews 14:45:00 UTC on May 30th, 2000. A relative start time is
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews indicated by +N, which is N seconds from the current time.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews If no <option>start-time</option> is specified, the current
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews time minus 1 hour (to allow for clock skew) is used.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <term>-e <replaceable class="parameter">end-time</replaceable></term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews Specify the date and time when the generated RRSIG records
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews expire. As with <option>start-time</option>, an absolute
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews time is indicated in YYYYMMDDHHMMSS notation. A time relative
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews to the start time is indicated with +N, which is N seconds from
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews the start time. A time relative to the current time is
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews indicated with now+N. If no <option>end-time</option> is
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews specified, 30 days from the start time is used as a default.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews The zone must be re-signed and republished before this time;
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews expired signatures no longer validate.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <term>-f <replaceable class="parameter">output-file</replaceable></term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews The name of the output file containing the signed zone. The
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews default is to append <filename>.signed</filename> to the
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews input file.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <term>-h</term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews Prints a short summary of the options and arguments to
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <command>dnssec-signzone</command>.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <term>-i <replaceable class="parameter">interval</replaceable></term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews When a previously signed zone is passed as input, records
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews may be re-signed. The <option>interval</option> option
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews specifies the cycle interval as an offset from the current
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews time (in seconds). If an RRSIG record expires after the
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews cycle interval, it is retained. Otherwise, it is considered
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews to be expiring soon, and it is replaced.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews The default cycle interval is one quarter of the difference
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews between the signature end and start times. So if neither
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <option>end-time</option> nor <option>start-time</option>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews is specified, <command>dnssec-signzone</command> generates
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews signatures that are valid for 30 days, with a cycle
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews interval of 7.5 days. Therefore, any existing RRSIG records
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews that are due to expire in less than 7.5 days will be
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews replaced.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews <varlistentry>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews <term>-j <replaceable class="parameter">jitter</replaceable></term>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews <listitem>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews <para>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews When signing a zone with a fixed signature lifetime, all
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews RRSIG records issued at the time of signing expire
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews simultaneously. If the zone is incrementally signed, i.e.
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews a previously signed zone is passed as input to the signer,
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews all expired signatures have to be regenerated at about the
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews same time. The <option>jitter</option> option specifies a
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews jitter window (in seconds) that is used to randomize each
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews signature's expiration time, thus spreading incremental
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews signature regeneration over time.
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews </para>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews <para>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews Signature lifetime jitter also benefits validators and
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews servers to some extent by spreading out cache expiration:
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews if large numbers of RRSIGs do not expire from all caches at
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews the same time, there is less congestion than if all
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews validators need to refetch at roughly the same moment.
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews </para>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews </listitem>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews </varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <term>-n <replaceable class="parameter">nthreads</replaceable></term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews Specifies the number of threads to use. By default, one
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews thread is started for each detected CPU.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <term>-o <replaceable class="parameter">origin</replaceable></term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews The zone origin. If not specified, the name of the zone file
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews is assumed to be the origin.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <term>-p</term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews Use pseudo-random data when signing the zone. This is faster,
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews but less secure, than using real random data. This option
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews may be useful when signing large zones or when the entropy
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews source is limited. Be aware that signature algorithms which
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews consume a fresh random value for every signature (such as DSA,
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews algorithm 3, used in the EXAMPLE below) depend on that value
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews being unpredictable; prefer a real entropy source for
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews production keys.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews <varlistentry>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews <term>-r <replaceable class="parameter">randomdev</replaceable></term>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews <listitem>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews <para>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews Specifies the source of randomness. If the operating
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews system does not provide a <filename>/dev/random</filename>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews or equivalent device, the default source of randomness
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews is keyboard input. <filename>randomdev</filename> specifies
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews the name of a character device or file containing random
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews data to be used instead of the default. If a regular file is
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews given, its contents are used as the randomness for signing,
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews so it must hold genuinely unpredictable data and should not be
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews reused across signing runs. The special value
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <filename>keyboard</filename> indicates that keyboard
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews input should be used.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <term>-t</term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews Print statistics at completion.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <term>-v <replaceable class="parameter">level</replaceable></term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews Sets the debugging level.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <term>-z</term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews Ignore the KSK flag on keys when determining what to sign.
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews </para>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
63737247d167ffa7151bc3d228ca5c0875751818Tinderbox User
63737247d167ffa7151bc3d228ca5c0875751818Tinderbox User <varlistentry>
63737247d167ffa7151bc3d228ca5c0875751818Tinderbox User <term>zonefile</term>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews The file containing the zone to be signed.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </listitem>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </varlistentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <varlistentry>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews <term>key</term>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews <listitem>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews <para>
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews The keys used to sign the zone. If no keys are specified, the
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews default is to use all zone keys that have private key files in
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews the current directory. Because every such key is picked up
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews automatically, ensure the current directory contains only the
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews private key files intended for this zone, or name the keys
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews explicitly.
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews </para>
63737247d167ffa7151bc3d228ca5c0875751818Tinderbox User </listitem>
63737247d167ffa7151bc3d228ca5c0875751818Tinderbox User </varlistentry>
63737247d167ffa7151bc3d228ca5c0875751818Tinderbox User
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </variablelist>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </refsect1>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
63737247d167ffa7151bc3d228ca5c0875751818Tinderbox User <refsect1>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <title>EXAMPLE</title>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews The following command signs the <userinput>example.com</userinput>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews zone with the DSA key generated in the <command>dnssec-keygen</command>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews man page. The zone's DNSKEY records must be present in the zone
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews file. If there are <filename>keyset</filename> files associated
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews with child zones, they must be in the current directory. To sign
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <userinput>example.com</userinput>, the following command would be
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews issued:
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <userinput>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</userinput>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews The command prints the name of the signed zone file it produced.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews In this example, <command>dnssec-signzone</command> creates
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews the file <filename>db.example.com.signed</filename>. This file
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews should be referenced in a zone statement in a
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <filename>named.conf</filename> file.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </refsect1>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <refsect1>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <title>SEE ALSO</title>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <citerefentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <refentrytitle>dnssec-keygen</refentrytitle>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <manvolnum>8</manvolnum>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </citerefentry>,
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <citetitle>RFC 2535</citetitle>.
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </refsect1>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <refsect1>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <title>AUTHOR</title>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews <corpauthor>Internet Systems Consortium</corpauthor>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </para>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews </refsect1>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews</refentry>
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews<!--
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews - Local variables:
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews - mode: sgml
6b0434299b05b6ca05c6836b9e8fbb7e67f05fb8Mark Andrews - End:
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews-->
0c91911b4d1e872b87eaf6431ed47fe24d18dd43Mark Andrews