dnssec-signzone.docbook revision c651f15b30f1dae5cc2f00878fb5da5b3a35a468
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
fec3621e807f9367a76771ae74ea0ce4133764c4Mark Andrews - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - Permission to use, copy, modify, and distribute this software for any
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - purpose with or without fee is hereby granted, provided that the above
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - copyright notice and this permission notice appear in all copies.
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<!-- $Id: dnssec-signzone.docbook,v 1.15 2005/04/07 03:49:56 marka Exp $ -->
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refentryinfo>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refentryinfo>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refentrytitle><application>dnssec-signzone</application></refentrytitle>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refname><application>dnssec-signzone</application></refname>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refpurpose>DNSSEC zone signing tool</refpurpose>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refnamediv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refsynopsisdiv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <cmdsynopsis>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
50105afc551903541608b11851d73278b23579a3Mark Andrews <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </cmdsynopsis>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refsynopsisdiv>
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews <command>dnssec-signzone</command> signs a zone. It generates
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews NSEC and RRSIG records and produces a signed version of the
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews zone. The security status of delegations from the signed zone
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews (that is, whether the child zones are secure or not) is
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews determined by the presence or absence of a
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews <filename>keyset</filename> file for each child zone.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <variablelist>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Verify all generated signatures.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-c <replaceable class="parameter">class</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Specifies the DNS class of the zone.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews <varlistentry>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews <term>-k <replaceable class="parameter">key</replaceable></term>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews Treat specified key as a key signing key ignoring any
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews key flags. This option may be specified multiple times.
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews </varlistentry>
50105afc551903541608b11851d73278b23579a3Mark Andrews <varlistentry>
50105afc551903541608b11851d73278b23579a3Mark Andrews <term>-l <replaceable class="parameter">domain</replaceable></term>
50105afc551903541608b11851d73278b23579a3Mark Andrews Generate a DLV set in addition to the key (DNSKEY) and DS sets.
50105afc551903541608b11851d73278b23579a3Mark Andrews The domain is appended to the name of the records.
50105afc551903541608b11851d73278b23579a3Mark Andrews </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-d <replaceable class="parameter">directory</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <option>directory</option> as the directory
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
bf7f253e306d0ced8ae24d7a0598773950da11f4Mark Andrews <varlistentry>
bf7f253e306d0ced8ae24d7a0598773950da11f4Mark Andrews Generate DS records for child zones from keyset files.
bf7f253e306d0ced8ae24d7a0598773950da11f4Mark Andrews Existing DS records will be removed.
bf7f253e306d0ced8ae24d7a0598773950da11f4Mark Andrews </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-s <replaceable class="parameter">start-time</replaceable></term>
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews Specify the date and time when the generated RRSIG records
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington become valid. This can be either an absolute or relative
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington time. An absolute start time is indicated by a number
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington in YYYYMMDDHHMMSS notation; 20000530144500 denotes
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington 14:45:00 UTC on May 30th, 2000. A relative start time is
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington indicated by +N, which is N seconds from the current time.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington If no <option>start-time</option> is specified, the current
99776003811a413457a2c35a808ad860df877d24Mark Andrews time minus 1 hour (to allow for clock skew) is used.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-e <replaceable class="parameter">end-time</replaceable></term>
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews Specify the date and time when the generated RRSIG records
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington expire. As with <option>start-time</option>, an absolute
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington time is indicated in YYYYMMDDHHMMSS notation. A time relative
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington to the start time is indicated with +N, which is N seconds from
b587e1d83f007ce68a9ae93097c461d8eb7aa373Mark Andrews the start time. A time relative to the current time is
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington indicated with now+N. If no <option>end-time</option> is
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington specified, 30 days from the start time is used as a default.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-f <replaceable class="parameter">output-file</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington The name of the output file containing the signed zone. The
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington default is to append <filename>.signed</filename> to the
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Prints a short summary of the options and arguments to
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-i <replaceable class="parameter">interval</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington When a previously signed zone is passed as input, records
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington may be resigned. The <option>interval</option> option
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington specifies the cycle interval as an offset from the current
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews time (in seconds). If a RRSIG record expires after the
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington cycle interval, it is retained. Otherwise, it is considered
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington to be expiring soon, and it will be replaced.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington The default cycle interval is one quarter of the difference
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington between the signature end and start times. So if neither
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <option>end-time</option> or <option>start-time</option>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington are specified, <command>dnssec-signzone</command> generates
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington signatures that are valid for 30 days, with a cycle
93d6dfaf66258337985427c86181f01fc51f0bb4Mark Andrews interval of 7.5 days. Therefore, if any existing RRSIG records
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington are due to expire in less than 7.5 days, they would be
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews <varlistentry>
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews When signing a zone with a fixed signature lifetime, all
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews RRSIG records issued at the time of signing expires
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews simultaneously. If the zone is incrementally signed, i.e.
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews a previously signed zone is passed as input to the signer,
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews all expired signatures has to be regenerated at about the
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews same time. The <option>jitter</option> option specifies a
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews jitter window that will be used to randomize the signature
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews expire time, thus spreading incremental signature
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews regeneration over time.
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews Signature lifetime jitter also to some extent benefits
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews validators and servers by spreading out cache expiration,
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews i.e. if large numbers of RRSIGs don't expire at the same time
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews from all caches there will be less congestion than if all
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews validators need to refetch at mostly the same time.
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-n <replaceable class="parameter">ncpus</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Specifies the number of threads to use. By default, one
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington thread is started for each detected CPU.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-o <replaceable class="parameter">origin</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington The zone origin. If not specified, the name of the zone file
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington is assumed to be the origin.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Use pseudo-random data when signing the zone. This is faster,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington but less secure, than using real random data. This option
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington may be useful when signing large zones or when the entropy
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington source is limited.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-r <replaceable class="parameter">randomdev</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Specifies the source of randomness. If the operating
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington system does not provide a <filename>/dev/random</filename>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington or equivalent device, the default source of randomness
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington is keyboard input. <filename>randomdev</filename> specifies
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington the name of a character device or file containing random
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington data to be used instead of the default. The special value
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <filename>keyboard</filename> indicates that keyboard
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington input should be used.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Print statistics at completion.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-v <replaceable class="parameter">level</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Sets the debugging level.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews <varlistentry>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews Ignore KSK flag on key when determining what to sign.
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington The file containing the zone to be signed.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Sets the debugging level.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington The keys used to sign the zone. If no keys are specified, the
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington default all zone keys that have private key files in the
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington current directory.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </variablelist>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington The following command signs the <userinput>example.com</userinput>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington zone with the DSA key generated in the <command>dnssec-keygen</command>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington man page. The zone's keys must be in the zone. If there are
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews <filename>keyset</filename> files associated with child zones,
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews they must be in the current directory.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <userinput>example.com</userinput>, the following command would be
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <userinput>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</userinput>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington The command would print a string of the form:
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington In this example, <command>dnssec-signzone</command> creates
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington the file <filename>db.example.com.signed</filename>. This file
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington should be referenced in a zone statement in a
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <citerefentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refentrytitle>dnssec-keygen</refentrytitle>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </citerefentry>,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
17cb8353e999e3294e6619613f401af3f7b1540cMark Andrews <corpauthor>Internet Systems Consortium</corpauthor>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - Local variables: