dnssec-signzone.docbook revision 93d6dfaf66258337985427c86181f01fc51f0bb4
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
<!--
 - Copyright (C) 2001 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
 - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
 - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
 - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
 - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
 - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.7 2003/09/30 05:56:00 marka Exp $ -->
<refentryinfo>
</refentryinfo>
<refmeta>
  <refentrytitle><application>dnssec-signzone</application></refentrytitle>
  <manvolnum>8</manvolnum>
</refmeta>
<refnamediv>
  <refname><application>dnssec-signzone</application></refname>
  <refpurpose>DNSSEC zone signing tool</refpurpose>
</refnamediv>
<refsynopsisdiv>
  <cmdsynopsis>
    <command>dnssec-signzone</command>
    <arg><option>-a</option></arg>
    <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
    <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
    <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
    <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
    <arg><option>-g</option></arg>
    <arg><option>-h</option></arg>
    <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
    <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
    <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
    <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
    <arg><option>-p</option></arg>
    <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
    <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
    <arg><option>-t</option></arg>
    <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
    <arg><option>-z</option></arg>
    <arg choice="req"><replaceable class="parameter">zonefile</replaceable></arg>
    <arg rep="repeat"><replaceable class="parameter">key</replaceable></arg>
  </cmdsynopsis>
</refsynopsisdiv>
<para>
  <command>dnssec-signzone</command> signs a zone. It generates NSEC
  and RRSIG records and produces a signed version of the zone. If there
  is a <filename>signedkey</filename> file from the zone's parent,
  the parent's signatures will be incorporated into the generated
  signed zone file. The security status of delegations from the
  signed zone (that is, whether the child zones are secure or not) is
  determined by the presence or absence of a
  <filename>signedkey</filename> file for each child zone.
</para>
<variablelist>
  <varlistentry>
    <term>-a</term>
    <listitem><para>
      Verify all generated signatures.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>-c <replaceable class="parameter">class</replaceable></term>
    <listitem><para>
      Specifies the DNS class of the zone.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>-d <replaceable class="parameter">directory</replaceable></term>
    <listitem><para>
      Look for <filename>signedkey</filename> files in
      <option>directory</option> instead of the current directory.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>-g</term>
    <listitem><para>
      Generate DS records for child zones from keyset files.
      Existing DS records will be removed.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>-k <replaceable class="parameter">key</replaceable></term>
    <listitem><para>
      Treat the specified key as a key-signing key, ignoring any
      key flags. This option may be specified multiple times.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>-s <replaceable class="parameter">start-time</replaceable></term>
    <listitem><para>
      Specify the date and time when the generated RRSIG records
      become valid. This can be either an absolute or relative
      time. An absolute start time is indicated by a number
      in YYYYMMDDHHMMSS notation; 20000530144500 denotes
      14:45:00 UTC on May 30th, 2000. A relative start time is
      indicated by +N, which is N seconds from the current time.
      If no <option>start-time</option> is specified, the current
      time minus 1 hour (to allow for clock skew) is used.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>-e <replaceable class="parameter">end-time</replaceable></term>
    <listitem><para>
      Specify the date and time when the generated RRSIG records
      expire. As with <option>start-time</option>, an absolute
      time is indicated in YYYYMMDDHHMMSS notation. A time relative
      to the start time is indicated with +N, which is N seconds from
      the start time. A time relative to the current time is
      indicated with now+N. If no <option>end-time</option> is
      specified, 30 days from the start time is used as a default.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>-f <replaceable class="parameter">output-file</replaceable></term>
    <listitem><para>
      The name of the output file containing the signed zone. The
      default is to append <filename>.signed</filename> to the
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>-h</term>
    <listitem><para>
      Prints a short summary of the options and arguments to
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>-i <replaceable class="parameter">interval</replaceable></term>
    <listitem><para>
      When a previously signed zone is passed as input, records
      may be resigned. The <option>interval</option> option
      specifies the cycle interval as an offset from the current
      time (in seconds). If an RRSIG record expires after the
      cycle interval, it is retained. Otherwise, it is considered
      to be expiring soon, and it will be replaced.
    </para>
    <para>
      The default cycle interval is one quarter of the difference
      between the signature end and start times. So if neither
      <option>end-time</option> nor <option>start-time</option>
      is specified, <command>dnssec-signzone</command> generates
      signatures that are valid for 30 days, with a cycle
      interval of 7.5 days. Therefore, if any existing RRSIG records
      are due to expire in less than 7.5 days, they would be
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>-n <replaceable class="parameter">nthreads</replaceable></term>
    <listitem><para>
      Specifies the number of threads to use. By default, one
      thread is started for each detected CPU.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>-o <replaceable class="parameter">origin</replaceable></term>
    <listitem><para>
      The zone origin. If not specified, the name of the zone file
      is assumed to be the origin.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>-p</term>
    <listitem><para>
      Use pseudo-random data when signing the zone. This is faster,
      but less secure, than using real random data. This option
      may be useful when signing large zones or when the entropy
      source is limited. How much this matters depends on the
      signing algorithm: a DSA signature consumes a fresh
      per-signature random value, and a predictable or repeated
      value can expose the private key, so avoid this option when
      signing with DSA keys.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>-r <replaceable class="parameter">randomdev</replaceable></term>
    <listitem><para>
      Specifies the source of randomness. If the operating
      system does not provide a <filename>/dev/random</filename>
      or equivalent device, the default source of randomness
      is keyboard input. <filename>randomdev</filename> specifies
      the name of a character device or file containing random
      data to be used instead of the default. The special value
      <filename>keyboard</filename> indicates that keyboard
      input should be used.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>-t</term>
    <listitem><para>
      Print statistics at completion.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>-v <replaceable class="parameter">level</replaceable></term>
    <listitem><para>
      Sets the debugging level.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>-z</term>
    <listitem><para>
      Ignore the KSK flag on keys when determining what to sign.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>zonefile</term>
    <listitem><para>
      The file containing the zone to be signed.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>key</term>
    <listitem><para>
      The keys used to sign the zone. If no keys are specified, the
      default is to use all zone keys that have private key files in
      the current directory.
    </para></listitem>
  </varlistentry>
</variablelist>
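<para>
  The following Python example is added by the editor; it is not part of this
  manual page or of BIND's own code. It implements the time rules of
  <option>-s</option>, <option>-e</option> and <option>-i</option> as described
  above (absolute YYYYMMDDHHMMSS, +N, now+N, the one-hour skew default, the
  30-day default validity and the one-quarter default cycle interval) and
  applies the cycle rule to two RRSIG records in presentation format, showing
  which one a re-signing run would retain and which one it would replace. The
  RRSIG lines, their signature fields and the fixed "current time" are
  constructed for the example.
</para>

```python
"""Added worked example (not from the BIND 9 manual page or from BIND itself):
how the -s, -e and -i arguments of dnssec-signzone combine, applied to a few
constructed RRSIG records in zone-file presentation format (RFC 4034 s.3.2)."""
import re
from datetime import datetime, timedelta, timezone

DEFAULT_VALIDITY = timedelta(days=30)   # -e default: 30 days after start-time
CLOCK_SKEW = timedelta(hours=1)         # -s default: current time minus 1 hour


def parse_time(spec, now, start=None):
    """Parse one dnssec-signzone time argument.

    YYYYMMDDHHMMSS is an absolute UTC time; now+N is N seconds after the
    current time; +N is N seconds after `start` when one is supplied (the
    -e rule) and N seconds after the current time otherwise (the -s rule).
    """
    if re.fullmatch(r"\d{14}", spec):
        return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    m = re.fullmatch(r"(now)?\+(\d+)", spec)
    if m is None:
        raise ValueError(f"unrecognised time specification: {spec!r}")
    base = now if (m.group(1) == "now" or start is None) else start
    return base + timedelta(seconds=int(m.group(2)))


def signing_window(now, start_spec=None, end_spec=None, interval_secs=None):
    """Return (start, end, cycle interval) with the defaults the man page gives."""
    start = parse_time(start_spec, now) if start_spec else now - CLOCK_SKEW
    end = parse_time(end_spec, now, start) if end_spec else start + DEFAULT_VALIDITY
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    # -i default: one quarter of the signature validity period
    interval = timedelta(seconds=interval_secs) if interval_secs else (end - start) / 4
    return start, end, interval


def parse_rrsig(line):
    """Parse an RRSIG record in presentation format:
    owner TTL IN RRSIG type-covered alg labels orig-ttl expiration inception key-tag signer sig"""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {"owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
            "algorithm": int(f[5]), "labels": int(f[6]), "original_ttl": int(f[7]),
            "expiration": f[8], "inception": f[9], "key_tag": int(f[10]),
            "signer": f[11], "signature": "".join(f[12:])}


def plan_resign(rrsig_lines, now, interval):
    """Apply the -i rule to a previously signed zone: an RRSIG that expires
    after now+interval is retained, anything else is 'expiring soon' and is
    replaced. Returns (retained, replaced) as 'owner/type' strings."""
    cutoff = now + interval
    retained, replaced = [], []
    for line in rrsig_lines:
        rr = parse_rrsig(line)
        bucket = retained if parse_time(rr["expiration"], now) > cutoff else replaced
        bucket.append(f"{rr['owner']}/{rr['type_covered']}")
    return retained, replaced


# Constructed sample input: two RRSIGs from an earlier signing run of
# example.com (the base64 signature fields are placeholders, not real signatures).
SAMPLE_RRSIGS = [
    "example.com. 3600 IN RRSIG SOA 3 2 3600 20000615000000 20000516000000 26160 example.com. c2lnMQ==",
    "www.example.com. 3600 IN RRSIG A 3 3 3600 20000603000000 20000504000000 26160 example.com. c2lnMg==",
]


def demo(now=datetime(2000, 5, 30, 14, 45, 0, tzinfo=timezone.utc)):
    """Re-sign with all defaults at the 'current time' used in the man page's -s text."""
    start, end, interval = signing_window(now)
    retained, replaced = plan_resign(SAMPLE_RRSIGS, now, interval)
    return start, end, interval, retained, replaced


if __name__ == "__main__":
    start, end, interval, retained, replaced = demo()
    print(f"validity {start:%Y%m%d%H%M%S} .. {end:%Y%m%d%H%M%S}, cycle {interval}")
    print("retained:", retained)
    print("replaced:", replaced)
```

<para>
  With all defaults at 14:45:00 UTC on May 30th, 2000 the window runs from
  20000530134500 to 20000629134500 with a 7.5-day cycle, so the SOA signature
  expiring on June 15th is kept while the A signature expiring on June 3rd is
  replaced. Passing <option>-e</option> as now+3600 instead shrinks the window
  to two hours and the default cycle to 30 minutes, which is why a short
  validity period forces frequent re-signing.
</para>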
<para>
  The following command signs the <userinput>example.com</userinput>
  zone with the DSA key generated in the <command>dnssec-keygen</command>
  man page. The zone's public keys (its DNSKEY records) must already be
  in the zone. If there are <filename>signedkey</filename> files
  associated with this zone or any child zones, they must be in the
  current directory.
</para>
<para>
  For the zone origin <userinput>example.com</userinput>, the following
  command would be:
</para>
<para>
  <userinput>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</userinput>
</para>
<para>
  The command would print a string of the form:
</para>
<para>
  <computeroutput>db.example.com.signed</computeroutput>
</para>
<para>
  In this example, <command>dnssec-signzone</command> creates
  the file <filename>db.example.com.signed</filename>. Adding
  <option>-a</option> to the command makes it verify every signature
  it generated before the file is used. This file
  should be referenced in a zone statement in a
</para>
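<para>
  The following Python example is added by the editor; it is not part of this
  manual page or of BIND's own code. It shows where the numbers in a key file
  name such as <filename>Kexample.com.+003+26160</filename> come from (the
  algorithm number and the RFC 4034 Appendix B key tag of the DNSKEY RDATA) and
  how a DS record of the kind <option>-g</option> generates is derived from a
  child zone's DNSKEY: a digest over the canonical owner name followed by the
  DNSKEY RDATA (RFC 4034 section 5.1.4; the SHA-256 digest type comes from
  RFC 4509, which postdates this page). The DNSKEY line is constructed with a
  short placeholder key blob rather than real key material, so the tag 5146 it
  yields is illustrative only.
</para>

```python
"""Added worked example (not from the BIND 9 manual page or from BIND itself):
the key tag embedded in dnssec-keygen file names such as Kexample.com.+003+26160
(RFC 4034 Appendix B) and the DS record that -g derives from a child zone's
DNSKEY (RFC 4034 section 5.1.4; SHA-256 digests per RFC 4509)."""
import base64
import hashlib
import struct


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def parse_dnskey(line):
    """Parse a DNSKEY record in presentation format, e.g. from a keyset file:
    owner TTL IN DNSKEY flags protocol algorithm base64-key"""
    f = line.split()
    if len(f) < 8 or f[2] != "IN" or f[3] != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    key = base64.b64decode("".join(f[7:]))
    return f[0], dnskey_rdata(int(f[4]), int(f[5]), int(f[6]), key)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit word sum over the RDATA with the
    carry folded back in. Not valid for algorithm 1 (RSA/MD5), which uses a
    different rule."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_file_basename(owner, algorithm, tag):
    """dnssec-keygen naming: K<owner>+<algorithm, 3 digits>+<key tag, 5 digits>."""
    return f"K{owner}+{algorithm:03d}+{tag:05d}"


def canonical_wire_name(name):
    """Owner name in canonical wire form: lower-case, length-prefixed labels,
    terminated by the empty root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ds_record(owner, rdata, digest_type=1):
    """DS RDATA for a DNSKEY: (key tag, algorithm, digest type, hex digest),
    where digest = hash(canonical owner name || DNSKEY RDATA)."""
    hashfn = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hashfn(canonical_wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


# Constructed sample: a KSK-flagged (257) RSASHA1 (5) DNSKEY for example.com
# whose "public key" is a short placeholder blob, not real key material.
SAMPLE_KEY_BYTES = bytes(range(1, 9))
SAMPLE_DNSKEY_LINE = ("example.com. 3600 IN DNSKEY 257 3 5 "
                      + base64.b64encode(SAMPLE_KEY_BYTES).decode("ascii"))


def demo():
    """Key file base name and DS record for the constructed DNSKEY."""
    owner, rdata = parse_dnskey(SAMPLE_DNSKEY_LINE)
    tag = key_tag(rdata)
    return key_file_basename(owner, rdata[3], tag), ds_record(owner, rdata)


if __name__ == "__main__":
    basename, (tag, alg, dtype, digest) = demo()
    print("private key file:", basename + ".private")
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```

<para>
  The key tag is only a 16-bit checksum, so two keys for the same owner can
  collide; a resolver therefore checks the algorithm and digest of a DS record,
  not just its tag, and the digest changes with the owner name because the
  canonical name is part of the hashed input.
</para>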
<citerefentry>
  <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
  <refentrytitle>dnssec-signkey</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
<corpauthor>Internet Software Consortium</corpauthor>