dnssec-signzone.docbook revision dafcb997e390efa4423883dafd100c975c4095d6
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
- Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001-2003 Internet Software Consortium.
- Permission to use, copy, modify, and distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: dnssec-signzone.docbook,v 1.9 2004/03/05 04:57:41 marka Exp $ -->
<refentryinfo>
</refentryinfo>
<refentrytitle><application>dnssec-signzone</application></refentrytitle>
<refname><application>dnssec-signzone</application></refname>
<refpurpose>DNSSEC zone signing tool</refpurpose>
<refsynopsisdiv>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
<arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
<arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<command>dnssec-signzone</command> signs a zone. It generates NSEC
and RRSIG records and produces a signed version of the zone. If there
is a <filename>signedkey</filename> file from the zone's parent,
the parent's signatures will be incorporated into the generated
signed zone file. The security status of delegations from the
signed zone (that is, whether the child zones are secure or not) is
determined by the presence or absence of a
<filename>signedkey</filename> file for each child zone.
<variablelist>
<varlistentry>
Verify all generated signatures.
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
Specifies the DNS class of the zone.
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">key</replaceable></term>
Treat the specified key as a key-signing key, ignoring any
key flags. This option may be specified multiple times.
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">directory</replaceable></term>
Look for <filename>signedkey</filename> files in
<option>directory</option> as the directory
</varlistentry>
<varlistentry>
Generate DS records for child zones from keyset files.
Existing DS records will be removed.
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">start-time</replaceable></term>
Specify the date and time when the generated RRSIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <option>start-time</option> is specified, the current
time minus 1 hour (to allow for clock skew) is used.
</varlistentry>
<varlistentry>
<term>-e <replaceable class="parameter">end-time</replaceable></term>
Specify the date and time when the generated RRSIG records
expire. As with <option>start-time</option>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <option>end-time</option> is
specified, 30 days from the start time is used as a default.
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">output-file</replaceable></term>
The name of the output file containing the signed zone. The
default is to append <filename>.signed</filename> to the
</varlistentry>
<varlistentry>
Prints a short summary of the options and arguments to
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">interval</replaceable></term>
When a previously signed zone is passed as input, records
may be resigned. The <option>interval</option> option
specifies the cycle interval as an offset from the current
time (in seconds). If an RRSIG record expires after the
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<option>end-time</option> nor <option>start-time</option>
is specified, <command>dnssec-signzone</command> generates
signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing RRSIG records
are due to expire in less than 7.5 days, they would be
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nthreads</replaceable></term>
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
</varlistentry>
<varlistentry>
<term>-o <replaceable class="parameter">origin</replaceable></term>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</varlistentry>
<varlistentry>
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</varlistentry>
<varlistentry>
Print statistics at completion.
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
Sets the debugging level.
</varlistentry>
<varlistentry>
Ignore KSK flag on key when determining what to sign.
</varlistentry>
<varlistentry>
The file containing the zone to be signed.
</varlistentry>
<varlistentry>
The keys used to sign the zone. If no keys are specified, the
default is all zone keys that have private key files in the
current directory.
</varlistentry>
</variablelist>
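The following is an added worked example, not code from BIND or from this manual page, showing the inception/expiration arithmetic documented for <option>-s</option>, <option>-e</option> and <option>-i</option> above: absolute YYYYMMDDHHMMSS times, +N relative to now (start) or relative to the start time (end), now+N, the defaults of now minus one hour and start plus 30 days, and the "retain or replace" decision that the cycle interval drives when a previously signed zone is passed as input. The RRSIG lines and the fixed "now" are constructed sample data; the function names are this example's own.

```python
"""Added example (not BIND code): RRSIG timing semantics of dnssec-signzone's
-s, -e and -i options, plus the re-sign decision they drive.
Assumptions: all times are UTC; sample RRSIGs below are constructed."""
import re
from datetime import datetime, timedelta, timezone

ABSOLUTE = re.compile(r"^\d{14}$")      # YYYYMMDDHHMMSS
RELATIVE = re.compile(r"^\+(\d+)$")     # +N seconds from a base time
NOW_REL = re.compile(r"^now\+(\d+)$")   # now+N seconds from the current time
FMT = "%Y%m%d%H%M%S"


def _absolute(spec):
    return datetime.strptime(spec, FMT).replace(tzinfo=timezone.utc)


def parse_start(spec, now):
    """-s start-time: absolute, +N from now, or default now - 1 hour (clock skew)."""
    if spec is None:
        return now - timedelta(hours=1)
    if ABSOLUTE.match(spec):
        return _absolute(spec)
    m = RELATIVE.match(spec)
    if m:
        return now + timedelta(seconds=int(m.group(1)))
    raise ValueError(f"bad start-time: {spec!r}")


def parse_end(spec, start, now):
    """-e end-time: absolute, +N from the *start* time, now+N from the current
    time, or default start + 30 days."""
    if spec is None:
        return start + timedelta(days=30)
    if ABSOLUTE.match(spec):
        return _absolute(spec)
    m = NOW_REL.match(spec)
    if m:
        return now + timedelta(seconds=int(m.group(1)))
    m = RELATIVE.match(spec)
    if m:
        return start + timedelta(seconds=int(m.group(1)))
    raise ValueError(f"bad end-time: {spec!r}")


def cycle_interval(start, end, interval=None):
    """-i interval (seconds); default is one quarter of the validity period."""
    if interval is not None:
        return timedelta(seconds=interval)
    return (end - start) / 4


def rrsig_expiration(rrsig_line):
    """Expiration field of a presentation-format RRSIG. RDATA order is:
    type-covered alg labels orig-ttl expiration inception keytag signer sig."""
    fields = rrsig_line.split()
    i = fields.index("RRSIG")
    return _absolute(fields[i + 5])


def plan_resign(rrsig_lines, now, start_spec=None, end_spec=None, interval=None):
    """Signatures expiring after now + interval are retained; the rest are
    'expiring soon' and are replaced."""
    start = parse_start(start_spec, now)
    end = parse_end(end_spec, start, now)
    cutoff = now + cycle_interval(start, end, interval)
    plan = {"retain": [], "replace": []}
    for line in rrsig_lines:
        bucket = "retain" if rrsig_expiration(line) > cutoff else "replace"
        plan[bucket].append(line)
    return plan


# Constructed sample input (not real signer output); "now" is pinned so the
# outcome is reproducible.
NOW = datetime(2004, 3, 5, 4, 57, 41, tzinfo=timezone.utc)
SAMPLE_RRSIGS = [
    "www.example.com. 3600 IN RRSIG A 5 3 3600 20040320000000 20040219000000 26160 example.com. AAAA=",
    "mail.example.com. 3600 IN RRSIG A 5 3 3600 20040310120000 20040219000000 26160 example.com. BBBB=",
]

if __name__ == "__main__":
    start = parse_start(None, NOW)
    end = parse_end(None, start, NOW)
    print("inception ", start.strftime(FMT))
    print("expiration", end.strftime(FMT))
    print("cycle     ", cycle_interval(start, end))
    for bucket, lines in plan_resign(SAMPLE_RRSIGS, NOW).items():
        for line in lines:
            print(bucket, line.split()[0])
```

With the defaults, the validity window is 30 days and the cycle interval 7.5 days, so of the two constructed records the one expiring on 20 March is kept and the one expiring on 10 March is replaced; passing an explicit `-i` (or a tighter `-e`) moves that cutoff.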
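As a second added example, not BIND's implementation, this shows what the "generate DS records for child zones from keyset files; existing DS records will be removed" behaviour amounts to: each child DNSKEY becomes a DS record whose digest is computed over the canonical wire-format owner name followed by the DNSKEY RDATA, with the key tag from RFC 4034 Appendix B, and any DS already present in the parent for that owner is dropped first. The keyset text, the parent zone fragment and the key bytes are constructed sample data; the digest types used (1 = SHA-1, 2 = SHA-256) and all function names are this example's assumptions, since the page names neither.

```python
"""Added example (not BIND code): derive DS records for a child delegation
from a keyset of DNSKEY records and replace existing DS records in the
parent zone, following RFC 4034 5.1.4 (digest input) and Appendix B (key tag).
All sample data below is constructed."""
import base64
import hashlib


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B.1 key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type -> hash


def make_ds(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """DS presentation format: owner IN DS keytag algorithm digesttype digest."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_keyset(text):
    """(owner, flags, protocol, algorithm, key) for each 'owner [ttl] [IN] DNSKEY ...' line."""
    keys = []
    for line in text.splitlines():
        f = line.split()
        if "DNSKEY" not in f:
            continue
        i = f.index("DNSKEY")
        keys.append((f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:])))
    return keys


def install_ds(parent_zone_text, keyset_text, digest_type=2):
    """Drop every DS the parent already holds for the child's owner name, then append fresh ones."""
    keys = parse_keyset(keyset_text)
    owners = {k[0].lower() for k in keys}
    kept = []
    for line in parent_zone_text.splitlines():
        f = line.split()
        if len(f) >= 4 and "DS" in f[1:4] and f[0].lower() in owners:
            continue  # stale DS for this child: removed, as -g does
        kept.append(line)
    fresh = [make_ds(*k, digest_type=digest_type) for k in keys]
    return "\n".join(kept + fresh) + "\n"


# Constructed sample data: not a real key, not a real delegation.
SAMPLE_KEY = base64.b64encode(b"constructed sample key bytes, not a real DNSKEY").decode()
CHILD_KEYSET = f"child.example.com. 3600 IN DNSKEY 257 3 5 {SAMPLE_KEY}\n"
PARENT_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
child.example.com. 3600 IN NS ns1.child.example.com.
child.example.com. 3600 IN DS 11111 5 1 0123456789ABCDEF0123456789ABCDEF01234567
"""

if __name__ == "__main__":
    print(install_ds(PARENT_ZONE, CHILD_KEYSET), end="")
```

Because the parent's old DS is discarded rather than merged, a keyset that omits a still-active child key silently breaks the chain of trust for that key; comparing the generated DS set against the child's live DNSKEY RRset before publishing is the check worth automating.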
The following command signs the <userinput>example.com</userinput>
zone with the DSA key generated in the <command>dnssec-keygen</command>
man page. The zone's keys must be in the zone. If there are
<filename>signedkey</filename> files associated with this zone
or any child zones, they must be in the current directory.
<userinput>example.com</userinput>, the following command would be
<userinput>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</userinput>
The command would print a string of the form:
In this example, <command>dnssec-signzone</command> creates
the file <filename>db.example.com.signed</filename>. This file
should be referenced in a zone statement in a
<citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signkey</refentrytitle>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<corpauthor>Internet Software Consortium</corpauthor>