dnssec-signzone.docbook revision 0e27506ce3135f9bd49e12564ad0e15256135118
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User [<!ENTITY mdash "—">]>
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - Copyright (C) 2000-2003 Internet Software Consortium.
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - Permission to use, copy, modify, and/or distribute this software for any
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - purpose with or without fee is hereby granted, provided that the above
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - copyright notice and this permission notice appear in all copies.
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - PERFORMANCE OF THIS SOFTWARE.
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User<!-- $Id: dnssec-signzone.docbook,v 1.47 2011/03/05 23:52:29 tbox Exp $ -->
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <refentryinfo>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refentryinfo>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refentrytitle><application>dnssec-signzone</application></refentrytitle>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refnamediv>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refname><application>dnssec-signzone</application></refname>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <refpurpose>DNSSEC zone signing tool</refpurpose>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refnamediv>
c42708dcc8ca18a41152251654d29f0cdd5b9533Tinderbox User <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
2ba8603ca962450068fe45f04c5caf8219b0d5f1Tinderbox User <holder>Internet Software Consortium.</holder>
2ba8603ca962450068fe45f04c5caf8219b0d5f1Tinderbox User <refsynopsisdiv>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <cmdsynopsis>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </cmdsynopsis>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsynopsisdiv>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt signs a zone. It generates
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt NSEC and RRSIG records and produces a signed version of the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt zone. The security status of delegations from the signed zone
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt (that is, whether the child zones are secure or not) is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt determined by the presence or absence of a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <filename>keyset</filename> file for each child zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <variablelist>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Verify all generated signatures.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <term>-c <replaceable class="parameter">class</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Specifies the DNS class of the zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Compatibility mode: Generate a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <filename>keyset-<replaceable>zonename</replaceable></filename>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt file in addition to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <filename>dsset-<replaceable>zonename</replaceable></filename>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt when signing a zone, for use by older versions of
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-d <replaceable class="parameter">directory</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <filename>keyset-</filename> files in <option>directory</option>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Output only those record types automatically managed by
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <command>dnssec-signzone</command>, i.e. RRSIG, NSEC,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt NSEC3 and NSEC3PARAM records. If smart signing
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt (<option>-S</option>) is used, DNSKEY records are also
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User included. The resulting file can be included in the original
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt zone file with <command>$INCLUDE</command>. This option
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt cannot be combined with <option>-O raw</option> or serial
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt number updating.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-E <replaceable class="parameter">engine</replaceable></term>
Uses crypto hardware (an OpenSSL engine) for the crypto operations
it supports, for instance signing with private keys from
a secure key store. When compiled with PKCS#11 support
it defaults to pkcs11; the empty name resets it to no engine.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Generate DS records for child zones from
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <filename>dsset-</filename> or <filename>keyset-</filename>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User file. Existing DS records will be removed.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-K <replaceable class="parameter">directory</replaceable></term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Key repository: Specify a directory to search for DNSSEC keys.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User If not specified, defaults to the current directory.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-k <replaceable class="parameter">key</replaceable></term>
Treat the specified key as a key-signing key, ignoring any
key flags. This option may be specified multiple times.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-l <replaceable class="parameter">domain</replaceable></term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Generate a DLV set in addition to the key (DNSKEY) and DS sets.
9d557856c2a19ec95ee73245f60a92f8675cf5baTinderbox User The domain is appended to the name of the records.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-s <replaceable class="parameter">start-time</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Specify the date and time when the generated RRSIG records
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User become valid. This can be either an absolute or relative
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt time. An absolute start time is indicated by a number
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt 14:45:00 UTC on May 30th, 2000. A relative start time is
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User indicated by +N, which is N seconds from the current time.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User If no <option>start-time</option> is specified, the current
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt time minus 1 hour (to allow for clock skew) is used.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-e <replaceable class="parameter">end-time</replaceable></term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Specify the date and time when the generated RRSIG records
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User expire. As with <option>start-time</option>, an absolute
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User time is indicated in YYYYMMDDHHMMSS notation. A time relative
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt to the start time is indicated with +N, which is N seconds from
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the start time. A time relative to the current time is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt indicated with now+N. If no <option>end-time</option> is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt specified, 30 days from the start time is used as a default.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-X <replaceable class="parameter">extended end-time</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Specify the date and time when the generated RRSIG records
e2b184f84e846bbcb764b6f0aef5dcd583d3d7a1Tinderbox User for the DNSKEY RRset will expire. This is to be used in cases
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt when the DNSKEY signatures need to persist longer than
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User signatures on other records; e.g., when the private component
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User of the KSK is kept offline and the KSK signature is to be
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt refreshed manually.
An absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt to the start time is indicated with +N, which is N seconds from
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the start time. A time relative to the current time is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt indicated with now+N. If no <option>extended end-time</option> is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt specified, the value of <option>end-time</option> is used as
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the default. (<option>end-time</option>, in turn, defaults to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt 30 days from the start time.) <option>extended end-time</option>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User must be later than <option>start-time</option>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-f <replaceable class="parameter">output-file</replaceable></term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User The name of the output file containing the signed zone. The
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt default is to append <filename>.signed</filename> to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt input filename.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Prints a short summary of the options and arguments to
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <term>-i <replaceable class="parameter">interval</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt When a previously-signed zone is passed as input, records
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User may be resigned. The <option>interval</option> option
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User specifies the cycle interval as an offset from the current
time (in seconds). If an RRSIG record expires after the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt cycle interval, it is retained. Otherwise, it is considered
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User to be expiring soon, and it will be replaced.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<option>end-time</option> nor <option>start-time</option>
is specified, <command>dnssec-signzone</command>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt signatures that are valid for 30 days, with a cycle
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User interval of 7.5 days. Therefore, if any existing RRSIG records
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User are due to expire in less than 7.5 days, they would be
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-I <replaceable class="parameter">input-format</replaceable></term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User The format of the input zone file.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Possible formats are <command>"text"</command> (default)
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User This option is primarily intended to be used for dynamic
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User signed zones so that the dumped zone file in a non-text
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt format containing updates can be signed directly.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The use of this option does not make much sense for
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt non-dynamic zones.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-j <replaceable class="parameter">jitter</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expire
simultaneously. If the zone is incrementally signed, i.e.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt a previously-signed zone is passed as input to the signer,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt all expired signatures have to be regenerated at about the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt same time. The <option>jitter</option> option specifies a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt jitter window that will be used to randomize the signature
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt expire time, thus spreading incremental signature
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User regeneration over time.
Signature lifetime jitter also benefits validators and servers
to some extent by spreading out cache expiration,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User i.e. if large numbers of RRSIGs don't expire at the same time
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt from all caches there will be less congestion than if all
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt validators need to refetch at mostly the same time.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-n <replaceable class="parameter">ncpus</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Specifies the number of threads to use. By default, one
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt thread is started for each detected CPU.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The SOA serial number format of the signed zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Possible formats are <command>"keep"</command> (default),
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <varlistentry>
<para>Increment the SOA serial number using RFC 1982
arithmetic.</para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
<para>Set the SOA serial number to the number of seconds
since the epoch.</para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-o <replaceable class="parameter">origin</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The zone origin. If not specified, the name of the zone file
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt is assumed to be the origin.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-O <replaceable class="parameter">output-format</replaceable></term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User The format of the output file containing the signed zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Possible formats are <command>"text"</command> (default)
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Use pseudo-random data when signing the zone. This is faster,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt but less secure, than using real random data. This option
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt may be useful when signing large zones or when the entropy
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt source is limited.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
Disable post-sign verification tests.
The post-sign verification test ensures that for each algorithm
in use there is at least one non-revoked self-signed KSK key,
that all revoked KSK keys are self-signed, and that all records
in the zone are signed with that algorithm.
This option skips these tests.
d7a61cfbe56ebfa1682e949e48b4d08840234d8fTinderbox User </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <term>-r <replaceable class="parameter">randomdev</replaceable></term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Specifies the source of randomness. If the operating
dec590a3deb8e87380a8bd3a77d535dba3729bf6Tinderbox User system does not provide a <filename>/dev/random</filename>
909a8e59a460dd24588b857976abddbbab9894caTinderbox User or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename> specifies
the name of a character device or file containing random
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt data to be used instead of the default. The special value
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <filename>keyboard</filename> indicates that keyboard
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt input should be used.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Smart signing: Instructs <command>dnssec-signzone</command> to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt search the key repository for keys that match the zone being
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt signed, and to include them in the zone if appropriate.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt When a key is found, its timing metadata is examined to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt determine how it should be used, according to the following
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt rules. Each successive rule takes priority over the prior
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <variablelist>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User If no timing metadata has been set for the key, the key is
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User published in the zone and used to sign the zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User If the key's publication date is set and is in the past, the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User key is published in the zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt If the key's activation date is set and in the past, the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt key is published (regardless of publication date) and
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt used to sign the zone.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt If the key's revocation date is set and in the past, and the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User key is published, then the key is revoked, and the revoked key
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User is used to sign the zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <varlistentry>
If either the key's unpublication date or its deletion date is set
and in the past, the key is NOT published or used to sign the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt zone, regardless of any other metadata.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <term>-T <replaceable class="parameter">ttl</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Specifies the TTL to be used for new DNSKEY records imported
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt into the zone from the key repository. If not specified,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the default is the minimum TTL value from the zone's SOA
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User record. This option is ignored when signing without
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <option>-S</option>, since DNSKEY records are not imported
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User from the key repository in that case. It is also ignored if
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt there are any pre-existing DNSKEY records at the zone apex,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt in which case new records' TTL values will be set to match
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Print statistics at completion.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Update NSEC/NSEC3 chain when re-signing a previously signed
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt zone. With this option, a zone signed with NSEC can be
switched to NSEC3, or a zone signed with NSEC3 can
be switched to NSEC or to NSEC3 with different parameters.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Without this option, <command>dnssec-signzone</command> will
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt retain the existing chain when re-signing.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-v <replaceable class="parameter">level</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Sets the debugging level.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Only sign the DNSKEY RRset with key-signing keys, and omit
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User signatures from zone-signing keys. (This is similar to the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <command>dnssec-dnskey-kskonly yes;</command> zone option in
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Ignore KSK flag on key when determining what to sign. This
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User causes KSK-flagged keys to sign all records, not just the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User DNSKEY RRset. (This is similar to the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <command>update-check-ksk no;</command> zone option in
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-3 <replaceable class="parameter">salt</replaceable></term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Generate an NSEC3 chain with the given hex encoded salt.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User A dash (<replaceable class="parameter">salt</replaceable>) can
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt be used to indicate that no salt is to be used when generating the NSEC3 chain.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <term>-H <replaceable class="parameter">iterations</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt When generating an NSEC3 chain, use this many iterations. The
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt default is 10.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User When generating an NSEC3 chain, set the OPTOUT flag on all
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User NSEC3 records and do not generate NSEC3 records for insecure
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt delegations.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Using this option twice (i.e., <option>-AA</option>)
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt turns the OPTOUT flag off for all records. This is useful
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User when using the <option>-u</option> option to modify an NSEC3
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User chain which previously had OPTOUT set.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The file containing the zone to be signed.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Specify which keys should be used to sign the zone. If
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User no keys are specified, then the zone will be examined
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt for DNSKEY records at the zone apex. If these are found and
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt there are matching private keys in the current directory,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User then these will be used for signing.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The following command signs the <userinput>example.com</userinput>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt zone with the DSA key generated by <command>dnssec-keygen</command>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User (Kexample.com.+003+17247). Because the <command>-S</command> option
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User is not being used, the zone's keys must be in the master file
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt (<filename>db.example.com</filename>). This invocation looks
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt for <filename>dsset</filename> files in the current directory
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt so that DS records can be imported from them (<command>-g</command>).
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<programlisting>% dnssec-signzone -g -o example.com db.example.com \
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt%</programlisting>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User In the above example, <command>dnssec-signzone</command> creates
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the file <filename>db.example.com.signed</filename>. This
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt file should be referenced in a zone statement in a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt This example re-signs a previously signed zone with default parameters.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User The private keys are assumed to be in the current directory.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<programlisting>% cp db.example.com.signed db.example.com
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User%</programlisting>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </citerefentry>,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <para><corpauthor>Internet Systems Consortium</corpauthor>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt - Local variables:
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt - mode: sgml