dnssec-signzone.docbook revision dafcb997e390efa4423883dafd100c975c4095d6
252N/A<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
252N/A<!--
252N/A - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
252N/A - Copyright (C) 2001-2003 Internet Software Consortium.
252N/A -
252N/A - Permission to use, copy, modify, and distribute this software for any
252N/A - purpose with or without fee is hereby granted, provided that the above
252N/A - copyright notice and this permission notice appear in all copies.
252N/A -
252N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
252N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
252N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
252N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
252N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
252N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
252N/A - PERFORMANCE OF THIS SOFTWARE.
252N/A-->
252N/A
252N/A<!-- $Id: dnssec-signzone.docbook,v 1.9 2004/03/05 04:57:41 marka Exp $ -->
252N/A
252N/A<refentry>
252N/A <refentryinfo>
252N/A <date>June 30, 2000</date>
252N/A </refentryinfo>
252N/A
252N/A <refmeta>
252N/A <refentrytitle><application>dnssec-signzone</application></refentrytitle>
252N/A <manvolnum>8</manvolnum>
252N/A <refmiscinfo>BIND9</refmiscinfo>
252N/A </refmeta>
252N/A
252N/A <refnamediv>
252N/A <refname><application>dnssec-signzone</application></refname>
252N/A <refpurpose>DNSSEC zone signing tool</refpurpose>
252N/A </refnamediv>
252N/A
252N/A <refsynopsisdiv>
252N/A <cmdsynopsis>
252N/A <command>dnssec-signzone</command>
252N/A <arg><option>-a</option></arg>
252N/A <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
252N/A <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
252N/A <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
252N/A <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
252N/A <arg><option>-g</option></arg>
252N/A <arg><option>-h</option></arg>
252N/A <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
252N/A <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
252N/A <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
252N/A <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
252N/A <arg><option>-p</option></arg>
252N/A <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
252N/A <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
252N/A <arg><option>-t</option></arg>
252N/A <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
252N/A <arg><option>-z</option></arg>
252N/A <arg choice="req">zonefile</arg>
252N/A <arg rep="repeat">key</arg>
252N/A </cmdsynopsis>
252N/A </refsynopsisdiv>
252N/A
252N/A <refsect1>
252N/A <title>DESCRIPTION</title>
252N/A <para>
252N/A <command>dnssec-signzone</command> signs a zone. It generates NSEC
252N/A and RRSIG records and produces a signed version of the zone. If there
252N/A is a <filename>signedkey</filename> file from the zone's parent,
252N/A the parent's signatures will be incorporated into the generated
252N/A signed zone file. The security status of delegations from the
252N/A signed zone (that is, whether the child zones are secure or not) is
252N/A determined by the presence or absence of a
252N/A <filename>signedkey</filename> file for each child zone.
252N/A </para>
252N/A </refsect1>
252N/A
252N/A <refsect1>
252N/A <title>OPTIONS</title>
252N/A
252N/A <variablelist>
252N/A <varlistentry>
252N/A <term>-a</term>
252N/A <listitem>
252N/A <para>
252N/A Verify all generated signatures.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>-c <replaceable class="parameter">class</replaceable></term>
252N/A <listitem>
252N/A <para>
252N/A Specifies the DNS class of the zone.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>-k <replaceable class="parameter">key</replaceable></term>
252N/A <listitem>
252N/A <para>
252N/A Treat specified key as a key signing key ignoring any
252N/A key flags. This option may be specified multiple times.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>-d <replaceable class="parameter">directory</replaceable></term>
252N/A <listitem>
252N/A <para>
252N/A Look for <filename>signedkey</filename> files in
252N/A <option>directory</option> as the directory
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>-g</term>
252N/A <listitem>
252N/A <para>
252N/A Generate DS records for child zones from keyset files.
252N/A Existing DS records will be removed.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>-s <replaceable class="parameter">start-time</replaceable></term>
252N/A <listitem>
252N/A <para>
252N/A Specify the date and time when the generated RRSIG records
252N/A become valid. This can be either an absolute or relative
252N/A time. An absolute start time is indicated by a number
252N/A in YYYYMMDDHHMMSS notation; 20000530144500 denotes
252N/A 14:45:00 UTC on May 30th, 2000. A relative start time is
252N/A indicated by +N, which is N seconds from the current time.
252N/A If no <option>start-time</option> is specified, the current
252N/A time minus 1 hour (to allow for clock skew) is used.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>-e <replaceable class="parameter">end-time</replaceable></term>
252N/A <listitem>
252N/A <para>
252N/A Specify the date and time when the generated RRSIG records
252N/A expire. As with <option>start-time</option>, an absolute
252N/A time is indicated in YYYYMMDDHHMMSS notation. A time relative
252N/A to the start time is indicated with +N, which is N seconds from
252N/A the start time. A time relative to the current time is
252N/A indicated with now+N. If no <option>end-time</option> is
252N/A specified, 30 days from the start time is used as a default.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>-f <replaceable class="parameter">output-file</replaceable></term>
252N/A <listitem>
252N/A <para>
252N/A The name of the output file containing the signed zone. The
252N/A default is to append <filename>.signed</filename> to the
252N/A input file.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>-h</term>
252N/A <listitem>
252N/A <para>
252N/A Prints a short summary of the options and arguments to
252N/A <command>dnssec-signzone</command>.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>-i <replaceable class="parameter">interval</replaceable></term>
252N/A <listitem>
252N/A <para>
252N/A When a previously signed zone is passed as input, records
252N/A may be resigned. The <option>interval</option> option
252N/A specifies the cycle interval as an offset from the current
252N/A time (in seconds). If a RRSIG record expires after the
252N/A cycle interval, it is retained. Otherwise, it is considered
252N/A to be expiring soon, and it will be replaced.
252N/A </para>
252N/A <para>
252N/A The default cycle interval is one quarter of the difference
252N/A between the signature end and start times. So if neither
252N/A <option>end-time</option> or <option>start-time</option>
252N/A are specified, <command>dnssec-signzone</command> generates
252N/A signatures that are valid for 30 days, with a cycle
252N/A interval of 7.5 days. Therefore, if any existing RRSIG records
252N/A are due to expire in less than 7.5 days, they would be
252N/A replaced.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>-n <replaceable class="parameter">ncpus</replaceable></term>
252N/A <listitem>
252N/A <para>
252N/A Specifies the number of threads to use. By default, one
252N/A thread is started for each detected CPU.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>-o <replaceable class="parameter">origin</replaceable></term>
252N/A <listitem>
252N/A <para>
252N/A The zone origin. If not specified, the name of the zone file
252N/A is assumed to be the origin.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>-p</term>
252N/A <listitem>
252N/A <para>
252N/A Use pseudo-random data when signing the zone. This is faster,
252N/A but less secure, than using real random data. This option
252N/A may be useful when signing large zones or when the entropy
252N/A source is limited.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>-r <replaceable class="parameter">randomdev</replaceable></term>
252N/A <listitem>
252N/A <para>
252N/A Specifies the source of randomness. If the operating
252N/A system does not provide a <filename>/dev/random</filename>
252N/A or equivalent device, the default source of randomness
252N/A is keyboard input. <filename>randomdev</filename> specifies
252N/A the name of a character device or file containing random
252N/A data to be used instead of the default. The special value
252N/A <filename>keyboard</filename> indicates that keyboard
252N/A input should be used.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>-t</term>
252N/A <listitem>
252N/A <para>
252N/A Print statistics at completion.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>-v <replaceable class="parameter">level</replaceable></term>
252N/A <listitem>
252N/A <para>
252N/A Sets the debugging level.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>-z</term>
252N/A <listitem>
252N/A <para>
252N/A Ignore KSK flag on key when determining what to sign.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>zonefile</term>
252N/A <listitem>
252N/A <para>
252N/A The file containing the zone to be signed.
252N/A Sets the debugging level.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A <varlistentry>
252N/A <term>key</term>
252N/A <listitem>
252N/A <para>
252N/A The keys used to sign the zone. If no keys are specified, the
252N/A default all zone keys that have private key files in the
252N/A current directory.
252N/A </para>
252N/A </listitem>
252N/A </varlistentry>
252N/A
252N/A </variablelist>
252N/A </refsect1>
<refsect1>
<title>EXAMPLE</title>
<para>
The following command signs the <userinput>example.com</userinput>
zone with the DSA key generated in the <command>dnssec-keygen</command>
man page. The zone's keys must be in the zone. If there are
<filename>signedkey</filename> files associated with this zone
or any child zones, they must be in the current directory.
<userinput>example.com</userinput>, the following command would be
issued:
</para>
<para>
<userinput>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</userinput>
</para>
<para>
The command would print a string of the form:
</para>
<para>
In this example, <command>dnssec-signzone</command> creates
the file <filename>db.example.com.signed</filename>. This file
should be referenced in a zone statement in a
<filename>named.conf</filename> file.
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signkey</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2535</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para>
<corpauthor>Internet Software Consortium</corpauthor>
</para>
</refsect1>
</refentry>
<!--
- Local variables:
- mode: sgml
- End:
-->