dnssec-signzone.docbook revision bf7f253e306d0ced8ae24d7a0598773950da11f4
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
11e9368a226272085c337e9e74b79808c16fbdbaTinderbox User<!--
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2001 Internet Software Consortium.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Permission to use, copy, modify, and distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
ea94d370123a5892f6c47a97f21d1b28d44bb168Tinderbox User-->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!-- $Id: dnssec-signzone.docbook,v 1.4 2003/01/18 00:24:09 marka Exp $ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<refentry>
e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews <refentryinfo>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <date>June 30, 2000</date>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </refentryinfo>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refmeta>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refentrytitle><application>dnssec-signzone</application></refentrytitle>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <manvolnum>8</manvolnum>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refmiscinfo>BIND9</refmiscinfo>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </refmeta>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refnamediv>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refname><application>dnssec-signzone</application></refname>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refpurpose>DNSSEC zone signing tool</refpurpose>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </refnamediv>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refsynopsisdiv>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <cmdsynopsis>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <command>dnssec-signzone</command>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg><option>-a</option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg><option>-g</option></arg>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg><option>-h</option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User <arg><option>-p</option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg><option>-t</option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User <arg choice="req">zonefile</arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg rep="repeat">key</arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </cmdsynopsis>
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User </refsynopsisdiv>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refsect1>
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User <title>DESCRIPTION</title>
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <command>dnssec-signzone</command> signs a zone. It generates NXT
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User and SIG records and produces a signed version of the zone. If there
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User is a <filename>signedkey</filename> file from the zone's parent,
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User the parent's signatures will be incorporated into the generated
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User signed zone file. The security status of delegations from the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein signed zone (that is, whether the child zones are secure or not) is
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User determined by the presence or absence of a
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User <filename>signedkey</filename> file for each child zone.
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User </para>
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User </refsect1>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User <refsect1>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <title>OPTIONS</title>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <variablelist>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <term>-a</term>
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater <listitem>
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User <para>
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater Verify all generated signatures.
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater </para>
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User </listitem>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater </varlistentry>
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <term>-c <replaceable class="parameter">class</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <listitem>
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the DNS class of the zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <term>-d <replaceable class="parameter">directory</replaceable></term>
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para>
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User Look for <filename>signedkey</filename> files in
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User the directory named by <option>directory</option>.
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User </para>
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
507151045be68c671ffd4e2f37e17cdfa0376fc4Automatic Updater
507151045be68c671ffd4e2f37e17cdfa0376fc4Automatic Updater <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <term>-g</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Generate DS records for child zones from keyset files.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Existing DS records will be removed.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews </listitem>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <term>-s <replaceable class="parameter">start-time</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Specify the date and time when the generated SIG records
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein become valid. This can be either an absolute or relative
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein time. An absolute start time is indicated by a number
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in YYYYMMDDHHMMSS notation; 20000530144500 denotes
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein 14:45:00 UTC on May 30th, 2000. A relative start time is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein indicated by +N, which is N seconds from the current time.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If no <option>start-time</option> is specified, the current
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein time minus 1 hour (to allow for clock skew) is used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <term>-e <replaceable class="parameter">end-time</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specify the date and time when the generated SIG records
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein expire. As with <option>start-time</option>, an absolute
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein time is indicated in YYYYMMDDHHMMSS notation. A time relative
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to the start time is indicated with +N, which is N seconds from
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the start time. A time relative to the current time is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein indicated with now+N. If no <option>end-time</option> is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specified, 30 days from the start time is used as a default.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <term>-f <replaceable class="parameter">output-file</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The name of the output file containing the signed zone. The
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein default is to append <filename>.signed</filename> to the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein input file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <term>-h</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Prints a short summary of the options and arguments to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <command>dnssec-signzone</command>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <term>-i <replaceable class="parameter">interval</replaceable></term>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <listitem>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <para>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews When a previously signed zone is passed as input, records
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews may be resigned. The <option>interval</option> option
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews specifies the cycle interval as an offset from the current
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews time (in seconds). If a SIG record expires after the
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews cycle interval, it is retained. Otherwise, it is considered
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews to be expiring soon, and it will be replaced.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </para>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <para>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The default cycle interval is one quarter of the difference
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews between the signature end and start times. So if neither
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <option>end-time</option> nor <option>start-time</option>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews is specified, <command>dnssec-signzone</command> generates
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein signatures that are valid for 30 days, with a cycle
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein interval of 7.5 days. Therefore, if any existing SIG records
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein are due to expire in less than 7.5 days, they would be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein replaced.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <term>-n <replaceable class="parameter">ncpus</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the number of threads to use. By default, one
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater thread is started for each detected CPU.
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater </para>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater </listitem>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater </varlistentry>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater <varlistentry>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater <term>-o <replaceable class="parameter">origin</replaceable></term>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater <listitem>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater <para>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater The zone origin. If not specified, the name of the zone file
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater is assumed to be the origin.
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater </para>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <term>-p</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Use pseudo-random data when signing the zone. This is faster,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein but less secure, than using real random data. This option
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein may be useful when signing large zones or when the entropy
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein source is limited.
 With DSA keys in particular, predictable random data used
 while signing can expose the private key, so this option is
 best avoided for production zones.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <term>-r <replaceable class="parameter">randomdev</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the source of randomness. If the operating
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein system does not provide a <filename>/dev/random</filename>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein or equivalent device, the default source of randomness
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is keyboard input. <filename>randomdev</filename> specifies
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the name of a character device or file containing random
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein data to be used instead of the default. The special value
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <filename>keyboard</filename> indicates that keyboard
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein input should be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <term>-t</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Print statistics at completion.
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews </para>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews </listitem>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews </varlistentry>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews <varlistentry>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews <term>-v <replaceable class="parameter">level</replaceable></term>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews <listitem>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews <para>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews Sets the debugging level.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews </listitem>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews </varlistentry>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <varlistentry>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews <term>zonefile</term>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews <listitem>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The file containing the zone to be signed.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <term>key</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The keys used to sign the zone. If no keys are specified, the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein default is all zone keys that have private key files in the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein current directory.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User </variablelist>
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User </refsect1>
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User <refsect1>
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User <title>EXAMPLE</title>
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User <para>
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User The following command signs the <userinput>example.com</userinput>
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User zone with the DSA key generated in the <command>dnssec-keygen</command>
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User man page. The zone's keys must be in the zone. If there are
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User <filename>signedkey</filename> files associated with this zone
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User or any child zones, they must be in the current directory.
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User To sign <userinput>example.com</userinput>, the following command would be
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User issued:
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <userinput>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</userinput>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The command would print a string of the form:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein In this example, <command>dnssec-signzone</command> creates
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews the file <filename>db.example.com.signed</filename>. This file
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein should be referenced in a zone statement in a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <filename>named.conf</filename> file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews </refsect1>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refsect1>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <title>SEE ALSO</title>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <citerefentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refentrytitle>dnssec-keygen</refentrytitle>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <manvolnum>8</manvolnum>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </citerefentry>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <citerefentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refentrytitle>dnssec-signkey</refentrytitle>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <manvolnum>8</manvolnum>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </citerefentry>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <citetitle>RFC 2535</citetitle>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </refsect1>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refsect1>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <title>AUTHOR</title>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <corpauthor>Internet Software Consortium</corpauthor>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </refsect1>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews</refentry>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews<!--
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews - Local variables:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - mode: sgml
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - End:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein-->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein