6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-signzone">

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <info>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <date>2014-02-18</date>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </info>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <refentryinfo>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <corpname>ISC</corpname>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <corpauthor>Internet Systems Consortium, Inc.</corpauthor>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </refentryinfo>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <refmeta>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <refentrytitle><application>dnssec-signzone</application></refentrytitle>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <manvolnum>8</manvolnum>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <refmiscinfo>BIND9</refmiscinfo>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </refmeta>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <refnamediv>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <refname><application>dnssec-signzone</application></refname>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <refpurpose>DNSSEC zone signing tool</refpurpose>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </refnamediv>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <docinfo>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <copyright>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <year>2004</year>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <year>2005</year>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <year>2006</year>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <year>2007</year>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <year>2008</year>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <year>2009</year>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <year>2011</year>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <year>2012</year>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <year>2013</year>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <year>2014</year>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <year>2015</year>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <year>2016</year>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <holder>Internet Systems Consortium, Inc. ("ISC")</holder>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </copyright>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <copyright>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <year>2000</year>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <year>2001</year>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <year>2002</year>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <year>2003</year>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <holder>Internet Software Consortium.</holder>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </copyright>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </docinfo>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <refsynopsisdiv>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <cmdsynopsis sepchar=" ">

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <command>dnssec-signzone</command>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-a</option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">directory</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-D</option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-g</option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-h</option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">key</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-M <replaceable class="parameter">domain</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">origin</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-P</option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-p</option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-Q</option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-R</option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-S</option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-t</option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-u</option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-V</option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-x</option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-z</option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="opt" rep="norepeat"><option>-A</option></arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg choice="req" rep="norepeat">zonefile</arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <arg rep="repeat" choice="opt">key</arg>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </cmdsynopsis>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </refsynopsisdiv>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <refsection><info><title>DESCRIPTION</title></info>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para><command>dnssec-signzone</command>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley signs a zone. It generates

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley NSEC and RRSIG records and produces a signed version of the

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley zone. The security status of delegations from the signed zone

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley (that is, whether the child zones are secure or not) is

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley determined by the presence or absence of a

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <filename>keyset</filename> file for each child zone.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </refsection>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <refsection><info><title>OPTIONS</title></info>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <variablelist>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-a</term>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley Verify all generated signatures.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-c <replaceable class="parameter">class</replaceable></term>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley Specifies the DNS class of the zone.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-C</term>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley Compatibility mode: Generate a

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <filename>keyset-<replaceable>zonename</replaceable></filename>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley file in addition to

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <filename>dsset-<replaceable>zonename</replaceable></filename>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley when signing a zone, for use by older versions of

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <command>dnssec-signzone</command>.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-d <replaceable class="parameter">directory</replaceable></term>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley Look for <filename>dsset-</filename> or

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <filename>keyset-</filename> files in <option>directory</option>.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-D</term>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley Output only those record types automatically managed by

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <command>dnssec-signzone</command>, i.e. RRSIG, NSEC,

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley NSEC3 and NSEC3PARAM records. If smart signing

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley (<option>-S</option>) is used, DNSKEY records are also

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley included. The resulting file can be included in the original

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley zone file with <command>$INCLUDE</command>. This option

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley cannot be combined with <option>-O raw</option>,

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <option>-O map</option>, or serial number updating.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-E <replaceable class="parameter">engine</replaceable></term>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley When applicable, specifies the hardware to use for

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley cryptographic operations, such as a secure key store used

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley for signing.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley When BIND is built with OpenSSL PKCS#11 support, this defaults

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley to the string "pkcs11", which identifies an OpenSSL engine

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley that can drive a cryptographic accelerator or hardware service

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley module. When BIND is built with native PKCS#11 cryptography

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley (--enable-native-pkcs11), it defaults to the path of the PKCS#11

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley provider library specified via "--with-pkcs11".

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-g</term>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley Generate DS records for child zones from

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <filename>dsset-</filename> or <filename>keyset-</filename>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley file. Existing DS records will be removed.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-K <replaceable class="parameter">directory</replaceable></term>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley Key repository: Specify a directory to search for DNSSEC keys.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley If not specified, defaults to the current directory.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-k <replaceable class="parameter">key</replaceable></term>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley Treat specified key as a key signing key ignoring any

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley key flags. This option may be specified multiple times.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-l <replaceable class="parameter">domain</replaceable></term>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley Generate a DLV set in addition to the key (DNSKEY) and DS sets.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley The domain is appended to the name of the records.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-M <replaceable class="parameter">maxttl</replaceable></term>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley Sets the maximum TTL for the signed zone.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley Any TTL higher than <replaceable>maxttl</replaceable> in the

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley input zone will be reduced to <replaceable>maxttl</replaceable>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley in the output. This provides certainty as to the largest

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley possible TTL in the signed zone, which is useful to know when

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley rolling keys because it is the longest possible time before

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley signatures that have been retrieved by resolvers will expire

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley from resolver caches. Zones that are signed with this

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley option should be configured to use a matching

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <option>max-zone-ttl</option> in <filename>named.conf</filename>.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley (Note: This option is incompatible with <option>-D</option>,

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley because it modifies non-DNSSEC data in the output zone.)

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-s <replaceable class="parameter">start-time</replaceable></term>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley Specify the date and time when the generated RRSIG records

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley become valid. This can be either an absolute or relative

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley time. An absolute start time is indicated by a number

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley in YYYYMMDDHHMMSS notation; 20000530144500 denotes

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley 14:45:00 UTC on May 30th, 2000. A relative start time is

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley indicated by +N, which is N seconds from the current time.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley If no <option>start-time</option> is specified, the current

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley time minus 1 hour (to allow for clock skew) is used.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-e <replaceable class="parameter">end-time</replaceable></term>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley Specify the date and time when the generated RRSIG records

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley expire. As with <option>start-time</option>, an absolute

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley time is indicated in YYYYMMDDHHMMSS notation. A time relative

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley to the start time is indicated with +N, which is N seconds from

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley the start time. A time relative to the current time is

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley indicated with now+N. If no <option>end-time</option> is

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley specified, 30 days from the start time is used as a default.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <option>end-time</option> must be later than

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <option>start-time</option>.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-X <replaceable class="parameter">extended end-time</replaceable></term>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley Specify the date and time when the generated RRSIG records

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley for the DNSKEY RRset will expire. This is to be used in cases

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley when the DNSKEY signatures need to persist longer than

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley signatures on other records; e.g., when the private component

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley of the KSK is kept offline and the KSK signature is to be

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley refreshed manually.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley As with <option>start-time</option>, an absolute

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley time is indicated in YYYYMMDDHHMMSS notation. A time relative

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley to the start time is indicated with +N, which is N seconds from

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley the start time. A time relative to the current time is

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley indicated with now+N. If no <option>extended end-time</option> is

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley specified, the value of <option>end-time</option> is used as

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley the default. (<option>end-time</option>, in turn, defaults to

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley 30 days from the start time.) <option>extended end-time</option>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley must be later than <option>start-time</option>.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-f <replaceable class="parameter">output-file</replaceable></term>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley The name of the output file containing the signed zone. The

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley default is to append <filename>.signed</filename> to

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley the input filename. If <option>output-file</option> is

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley set to <literal>"-"</literal>, then the signed zone is

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley written to the standard output, with a default output

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley format of "full".

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-h</term>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley Prints a short summary of the options and arguments to

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <command>dnssec-signzone</command>.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-V</term>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley Prints version information.

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </para>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </listitem>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley </varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <varlistentry>

6ea1b817e31b89a627e146fe69e23ea0a64c89ecBob Halley <term>-i <replaceable class="parameter">interval</replaceable></term>

<listitem>

<para>

When a previously-signed zone is passed as input, records

may be resigned. The <option>interval</option> option

specifies the cycle interval as an offset from the current

time (in seconds). If a RRSIG record expires after the

cycle interval, it is retained. Otherwise, it is considered

to be expiring soon, and it will be replaced.

</para>

<para>

The default cycle interval is one quarter of the difference

between the signature end and start times. So if neither

<option>end-time</option> or <option>start-time</option>

are specified, <command>dnssec-signzone</command>

generates

signatures that are valid for 30 days, with a cycle

interval of 7.5 days. Therefore, if any existing RRSIG records

are due to expire in less than 7.5 days, they would be

replaced.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-I <replaceable class="parameter">input-format</replaceable></term>

<listitem>

<para>

The format of the input zone file.

Possible formats are <command>"text"</command> (default),

<command>"raw"</command>, and <command>"map"</command>.

This option is primarily intended to be used for dynamic

signed zones so that the dumped zone file in a non-text

format containing updates can be signed directly.

The use of this option does not make much sense for

non-dynamic zones.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-j <replaceable class="parameter">jitter</replaceable></term>

<listitem>

<para>

When signing a zone with a fixed signature lifetime, all

RRSIG records issued at the time of signing expires

simultaneously. If the zone is incrementally signed, i.e.

a previously-signed zone is passed as input to the signer,

all expired signatures have to be regenerated at about the

same time. The <option>jitter</option> option specifies a

jitter window that will be used to randomize the signature

expire time, thus spreading incremental signature

regeneration over time.

</para>

<para>

Signature lifetime jitter also to some extent benefits

validators and servers by spreading out cache expiration,

i.e. if large numbers of RRSIGs don't expire at the same time

from all caches there will be less congestion than if all

validators need to refetch at mostly the same time.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-L <replaceable class="parameter">serial</replaceable></term>

<listitem>

<para>

When writing a signed zone to "raw" or "map" format, set the

"source serial" value in the header to the specified serial

number. (This is expected to be used primarily for testing

purposes.)

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-n <replaceable class="parameter">ncpus</replaceable></term>

<listitem>

<para>

Specifies the number of threads to use. By default, one

thread is started for each detected CPU.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>

<listitem>

<para>

The SOA serial number format of the signed zone.

Possible formats are <command>"keep"</command> (default),

<command>"increment"</command>, <command>"unixtime"</command>,

and <command>"date"</command>.

</para>

<variablelist>

<varlistentry>

<term><command>"keep"</command></term>

<listitem>

<para>Do not modify the SOA serial number.</para>

</listitem>

</varlistentry>

<varlistentry>

<term><command>"increment"</command></term>

<listitem>

<para>Increment the SOA serial number using RFC 1982

arithmetics.</para>

</listitem>

</varlistentry>

<varlistentry>

<term><command>"unixtime"</command></term>

<listitem>

<para>Set the SOA serial number to the number of seconds

since epoch.</para>

</listitem>

</varlistentry>

<varlistentry>

<term><command>"date"</command></term>

<listitem>

<para>Set the SOA serial number to today's date in

YYYYMMDDNN format.</para>

</listitem>

</varlistentry>

</variablelist>

</listitem>

</varlistentry>

<varlistentry>

<term>-o <replaceable class="parameter">origin</replaceable></term>

<listitem>

<para>

The zone origin. If not specified, the name of the zone file

is assumed to be the origin.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-O <replaceable class="parameter">output-format</replaceable></term>

<listitem>

<para>

The format of the output file containing the signed zone.

Possible formats are <command>"text"</command> (default),

which is the standard textual representation of the zone;

<command>"full"</command>, which is text output in a

format suitable for processing by external scripts;

and <command>"map"</command>, <command>"raw"</command>,

and <command>"raw=N"</command>, which store the zone in

binary formats for rapid loading by <command>named</command>.

<command>"raw=N"</command> specifies the format version of

the raw zone file: if N is 0, the raw file can be read by

any version of <command>named</command>; if N is 1, the file

can be read by release 9.9.0 or higher; the default is 1.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-p</term>

<listitem>

<para>

Use pseudo-random data when signing the zone. This is faster,

but less secure, than using real random data. This option

may be useful when signing large zones or when the entropy

source is limited.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-P</term>

<listitem>

<para>

Disable post sign verification tests.

</para>

<para>

The post sign verification test ensures that for each algorithm

in use there is at least one non revoked self signed KSK key,

that all revoked KSK keys are self signed, and that all records

in the zone are signed by the algorithm.

This option skips these tests.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-Q</term>

<listitem>

<para>

Remove signatures from keys that are no longer active.

</para>

<para>

Normally, when a previously-signed zone is passed as input

to the signer, and a DNSKEY record has been removed and

replaced with a new one, signatures from the old key

that are still within their validity period are retained.

This allows the zone to continue to validate with cached

copies of the old DNSKEY RRset. The <option>-Q</option>

forces <command>dnssec-signzone</command> to remove

signatures from keys that are no longer active. This

enables ZSK rollover using the procedure described in

RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-R</term>

<listitem>

<para>

Remove signatures from keys that are no longer published.

</para>

<para>

This option is similar to <option>-Q</option>, except it

forces <command>dnssec-signzone</command> to signatures from

keys that are no longer published. This enables ZSK rollover

using the procedure described in RFC 4641, section 4.2.1.2

("Double Signature Zone Signing Key Rollover").

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-r <replaceable class="parameter">randomdev</replaceable></term>

<listitem>

<para>

Specifies the source of randomness. If the operating

system does not provide a <filename>/dev/random</filename>

or equivalent device, the default source of randomness

is keyboard input. <filename>randomdev</filename>

specifies

the name of a character device or file containing random

data to be used instead of the default. The special value

<filename>keyboard</filename> indicates that keyboard

input should be used.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-S</term>

<listitem>

<para>

Smart signing: Instructs <command>dnssec-signzone</command> to

search the key repository for keys that match the zone being

signed, and to include them in the zone if appropriate.

</para>

<para>

When a key is found, its timing metadata is examined to

determine how it should be used, according to the following

rules. Each successive rule takes priority over the prior

ones:

</para>

<variablelist>

<varlistentry>

<listitem>

<para>

If no timing metadata has been set for the key, the key is

published in the zone and used to sign the zone.

</para>

</listitem>

</varlistentry>

<varlistentry>

<listitem>

<para>

If the key's publication date is set and is in the past, the

key is published in the zone.

</para>

</listitem>

</varlistentry>

<varlistentry>

<listitem>

<para>

If the key's activation date is set and in the past, the

key is published (regardless of publication date) and

used to sign the zone.

</para>

</listitem>

</varlistentry>

<varlistentry>

<listitem>

<para>

If the key's revocation date is set and in the past, and the

key is published, then the key is revoked, and the revoked key

is used to sign the zone.

</para>

</listitem>

</varlistentry>

<varlistentry>

<listitem>

<para>

If either of the key's unpublication or deletion dates are set

and in the past, the key is NOT published or used to sign the

zone, regardless of any other metadata.

</para>

</listitem>

</varlistentry>

</variablelist>

</listitem>

</varlistentry>

<varlistentry>

<term>-T <replaceable class="parameter">ttl</replaceable></term>

<listitem>

<para>

Specifies a TTL to be used for new DNSKEY records imported

into the zone from the key repository. If not

specified, the default is the TTL value from the zone's SOA

record. This option is ignored when signing without

<option>-S</option>, since DNSKEY records are not imported

from the key repository in that case. It is also ignored if

there are any pre-existing DNSKEY records at the zone apex,

in which case new records' TTL values will be set to match

them, or if any of the imported DNSKEY records had a default

TTL value. In the event of a a conflict between TTL values in

imported keys, the shortest one is used.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-t</term>

<listitem>

<para>

Print statistics at completion.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-u</term>

<listitem>

<para>

Update NSEC/NSEC3 chain when re-signing a previously signed

zone. With this option, a zone signed with NSEC can be

switched to NSEC3, or a zone signed with NSEC3 can

be switch to NSEC or to NSEC3 with different parameters.

Without this option, <command>dnssec-signzone</command> will

retain the existing chain when re-signing.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-v <replaceable class="parameter">level</replaceable></term>

<listitem>

<para>

Sets the debugging level.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-x</term>

<listitem>

<para>

Only sign the DNSKEY RRset with key-signing keys, and omit

signatures from zone-signing keys. (This is similar to the

<command>dnssec-dnskey-kskonly yes;</command> zone option in

<command>named</command>.)

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-z</term>

<listitem>

<para>

Ignore KSK flag on key when determining what to sign. This

causes KSK-flagged keys to sign all records, not just the

DNSKEY RRset. (This is similar to the

<command>update-check-ksk no;</command> zone option in

<command>named</command>.)

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-3 <replaceable class="parameter">salt</replaceable></term>

<listitem>

<para>

Generate an NSEC3 chain with the given hex encoded salt.

A dash (<replaceable class="parameter">salt</replaceable>) can

be used to indicate that no salt is to be used when generating the NSEC3 chain.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-H <replaceable class="parameter">iterations</replaceable></term>

<listitem>

<para>

When generating an NSEC3 chain, use this many iterations. The

default is 10.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-A</term>

<listitem>

<para>

When generating an NSEC3 chain set the OPTOUT flag on all

NSEC3 records and do not generate NSEC3 records for insecure

delegations.

</para>

<para>

Using this option twice (i.e., <option>-AA</option>)

turns the OPTOUT flag off for all records. This is useful

when using the <option>-u</option> option to modify an NSEC3

chain which previously had OPTOUT set.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>zonefile</term>

<listitem>

<para>

The file containing the zone to be signed.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>key</term>

<listitem>

<para>

Specify which keys should be used to sign the zone. If

no keys are specified, then the zone will be examined

for DNSKEY records at the zone apex. If these are found and

there are matching private keys, in the current directory,

then these will be used for signing.

</para>

</listitem>

</varlistentry>

</variablelist>

</refsection>

<refsection><info><title>EXAMPLE</title></info>

<para>

The following command signs the <userinput>example.com</userinput>

zone with the DSA key generated by <command>dnssec-keygen</command>

(Kexample.com.+003+17247). Because the <command>-S</command> option

is not being used, the zone's keys must be in the master file

(<filename>db.example.com</filename>). This invocation looks

for <filename>dsset</filename> files, in the current directory,

so that DS records can be imported from them (<command>-g</command>).

</para>

<programlisting>% dnssec-signzone -g -o example.com db.example.com \

Kexample.com.+003+17247

%</programlisting>

<para>

In the above example, <command>dnssec-signzone</command> creates

the file <filename>db.example.com.signed</filename>. This

file should be referenced in a zone statement in a

<filename>named.conf</filename> file.

</para>

<para>

This example re-signs a previously signed zone with default parameters.

The private keys are assumed to be in the current directory.

</para>

<programlisting>% cp db.example.com.signed db.example.com

% dnssec-signzone -o example.com db.example.com

%</programlisting>

</refsection>

<refsection><info><title>SEE ALSO</title></info>

<para><citerefentry>

<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>

</citerefentry>,

<citetitle>BIND 9 Administrator Reference Manual</citetitle>,

<citetitle>RFC 4033</citetitle>, <citetitle>RFC 4641</citetitle>.

</para>

</refsection>

</refentry>