dnssec-signzone.docbook revision 553ead32ff5b00284e574dcabc39115d4d74ec66
55cf6e01272ec475edea32aa9b7923de2d36cb42Christian Maeder<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu [<!ENTITY mdash "&#8212;">]>
473e53f026b96a03a2196192d09ab01faecd7cb4Francisc Nicolae Bungiu<!--
544989bc1f6ed4bc0813334ffd934db0fb0010eaFelix Gabriel Mance - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu - Copyright (C) 2000-2003 Internet Software Consortium.
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu -
473e53f026b96a03a2196192d09ab01faecd7cb4Francisc Nicolae Bungiu - Permission to use, copy, modify, and/or distribute this software for any
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu - purpose with or without fee is hereby granted, provided that the above
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu - copyright notice and this permission notice appear in all copies.
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu -
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu - PERFORMANCE OF THIS SOFTWARE.
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu-->
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu<!-- $Id: dnssec-signzone.docbook,v 1.35 2009/07/19 04:18:04 each Exp $ -->
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu<refentry id="man.dnssec-signzone">
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <refentryinfo>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <date>June 05, 2009</date>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu </refentryinfo>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu
148897af8457fe167e0e310dc3f9a60e10381f5dChristian Maeder <refmeta>
148897af8457fe167e0e310dc3f9a60e10381f5dChristian Maeder <refentrytitle><application>dnssec-signzone</application></refentrytitle>
148897af8457fe167e0e310dc3f9a60e10381f5dChristian Maeder <manvolnum>8</manvolnum>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <refmiscinfo>BIND9</refmiscinfo>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu </refmeta>
083b2687afdb676237f926bdb643b24027291d05Felix Gabriel Mance
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <refnamediv>
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder <refname><application>dnssec-signzone</application></refname>
ac222650eff05099d9fc69240c7c2d29ab5f99b7Felix Gabriel Mance <refpurpose>DNSSEC zone signing tool</refpurpose>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance </refnamediv>
45e34c7696f9dd6163686ff6798b33a126590fa2Felix Gabriel Mance
148897af8457fe167e0e310dc3f9a60e10381f5dChristian Maeder <docinfo>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <copyright>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <year>2004</year>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <year>2005</year>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <year>2006</year>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <year>2007</year>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <year>2008</year>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <year>2009</year>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu </copyright>
51d64c2e160c971ea2ae1d4f1ddffe6a0a3b8f64Felix Gabriel Mance <copyright>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <year>2000</year>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <year>2001</year>
e4a9fde95085fb3cada3e7c5e2e8b4d5cf898c4aFelix Gabriel Mance <year>2002</year>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <year>2003</year>
148897af8457fe167e0e310dc3f9a60e10381f5dChristian Maeder <holder>Internet Software Consortium.</holder>
ac222650eff05099d9fc69240c7c2d29ab5f99b7Felix Gabriel Mance </copyright>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu </docinfo>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <refsynopsisdiv>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <cmdsynopsis>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <command>dnssec-signzone</command>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-a</option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
45e34c7696f9dd6163686ff6798b33a126590fa2Felix Gabriel Mance <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-g</option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-h</option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-p</option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-P</option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-S</option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-t</option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-z</option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
45e34c7696f9dd6163686ff6798b33a126590fa2Felix Gabriel Mance <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg><option>-A</option></arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg choice="req">zonefile</arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <arg rep="repeat">key</arg>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu </cmdsynopsis>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu </refsynopsisdiv>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <refsect1>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <title>DESCRIPTION</title>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <para><command>dnssec-signzone</command>
9d3ad36a8d5095b19c227cc42594d0624ca50b2fFelix Gabriel Mance signs a zone. It generates
51d64c2e160c971ea2ae1d4f1ddffe6a0a3b8f64Felix Gabriel Mance NSEC and RRSIG records and produces a signed version of the
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance zone. The security status of delegations from the signed zone
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance (that is, whether the child zones are secure or not) is
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance determined by the presence or absence of a
e4a9fde95085fb3cada3e7c5e2e8b4d5cf898c4aFelix Gabriel Mance <filename>keyset</filename> file for each child zone.
524c60af8cda1f8a335152323a167fa211021380Christian Maeder </para>
e4a9fde95085fb3cada3e7c5e2e8b4d5cf898c4aFelix Gabriel Mance </refsect1>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <refsect1>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <title>OPTIONS</title>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <variablelist>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <term>-a</term>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu Verify all generated signatures.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu
bbf4a60ddb796930cce6b5e5d6d20ac1a454bdd6mcodescu <varlistentry>
84eda1788280aaede40e987b32467aff146a7d2emcodescu <term>-c <replaceable class="parameter">class</replaceable></term>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <listitem>
073b8bf847c3ef9bc8ec3345b0b2cbd5d8a27fd6mcodescu <para>
00b30e291b243a8dbb6bb2097e70cc76032b63f5mcodescu Specifies the DNS class of the zone.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </para>
84eda1788280aaede40e987b32467aff146a7d2emcodescu </listitem>
00b30e291b243a8dbb6bb2097e70cc76032b63f5mcodescu </varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu
073b8bf847c3ef9bc8ec3345b0b2cbd5d8a27fd6mcodescu <varlistentry>
073b8bf847c3ef9bc8ec3345b0b2cbd5d8a27fd6mcodescu <term>-d <replaceable class="parameter">directory</replaceable></term>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <listitem>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <para>
00b30e291b243a8dbb6bb2097e70cc76032b63f5mcodescu Look for <filename>dsset-</filename> or
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <filename>keyset-</filename> files in <option>directory</option>.
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </varlistentry>
9d3ad36a8d5095b19c227cc42594d0624ca50b2fFelix Gabriel Mance
9d3ad36a8d5095b19c227cc42594d0624ca50b2fFelix Gabriel Mance <varlistentry>
9d3ad36a8d5095b19c227cc42594d0624ca50b2fFelix Gabriel Mance <term>-g</term>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance Generate DS records for child zones from
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <filename>dsset-</filename> or <filename>keyset-</filename>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance files. Existing DS records will be removed.
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <term>-K <replaceable class="parameter">directory</replaceable></term>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <listitem>
29388ae1e5c17f328db03f136c0e8e0db96d9b2bFelix Gabriel Mance <para>
29388ae1e5c17f328db03f136c0e8e0db96d9b2bFelix Gabriel Mance Key repository: Specify a directory to search for DNSSEC keys.
29388ae1e5c17f328db03f136c0e8e0db96d9b2bFelix Gabriel Mance If not specified, defaults to the current directory.
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </varlistentry>
01bafc1b5187ed986fe0b0e3cddd1ce0dae888fdFelix Gabriel Mance
01bafc1b5187ed986fe0b0e3cddd1ce0dae888fdFelix Gabriel Mance <varlistentry>
01bafc1b5187ed986fe0b0e3cddd1ce0dae888fdFelix Gabriel Mance <term>-k <replaceable class="parameter">key</replaceable></term>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance Treat the specified key as a key signing key, ignoring any
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance key flags. This option may be specified multiple times.
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </varlistentry>
01bafc1b5187ed986fe0b0e3cddd1ce0dae888fdFelix Gabriel Mance
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <term>-l <replaceable class="parameter">domain</replaceable></term>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <listitem>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance Generate a DLV set in addition to the key (DNSKEY) and DS sets.
01bafc1b5187ed986fe0b0e3cddd1ce0dae888fdFelix Gabriel Mance The domain is appended to the name of the records.
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance
01bafc1b5187ed986fe0b0e3cddd1ce0dae888fdFelix Gabriel Mance <varlistentry>
01bafc1b5187ed986fe0b0e3cddd1ce0dae888fdFelix Gabriel Mance <term>-s <replaceable class="parameter">start-time</replaceable></term>
01bafc1b5187ed986fe0b0e3cddd1ce0dae888fdFelix Gabriel Mance <listitem>
01bafc1b5187ed986fe0b0e3cddd1ce0dae888fdFelix Gabriel Mance <para>
01bafc1b5187ed986fe0b0e3cddd1ce0dae888fdFelix Gabriel Mance Specify the date and time when the generated RRSIG records
01bafc1b5187ed986fe0b0e3cddd1ce0dae888fdFelix Gabriel Mance become valid. This can be either an absolute or relative
9d3ad36a8d5095b19c227cc42594d0624ca50b2fFelix Gabriel Mance time. An absolute start time is indicated by a number
9d3ad36a8d5095b19c227cc42594d0624ca50b2fFelix Gabriel Mance in YYYYMMDDHHMMSS notation; 20000530144500 denotes
9d3ad36a8d5095b19c227cc42594d0624ca50b2fFelix Gabriel Mance 14:45:00 UTC on May 30th, 2000. A relative start time is
01bafc1b5187ed986fe0b0e3cddd1ce0dae888fdFelix Gabriel Mance indicated by +N, which is N seconds from the current time.
01bafc1b5187ed986fe0b0e3cddd1ce0dae888fdFelix Gabriel Mance If no <option>start-time</option> is specified, the current
29388ae1e5c17f328db03f136c0e8e0db96d9b2bFelix Gabriel Mance time minus 1 hour (to allow for clock skew) is used.
29388ae1e5c17f328db03f136c0e8e0db96d9b2bFelix Gabriel Mance </para>
29388ae1e5c17f328db03f136c0e8e0db96d9b2bFelix Gabriel Mance </listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </varlistentry>
737b1b41cdc83ea7076820a4891c95c8f6922c5cFelix Gabriel Mance
737b1b41cdc83ea7076820a4891c95c8f6922c5cFelix Gabriel Mance <varlistentry>
737b1b41cdc83ea7076820a4891c95c8f6922c5cFelix Gabriel Mance <term>-e <replaceable class="parameter">end-time</replaceable></term>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance Specify the date and time when the generated RRSIG records
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance expire. As with <option>start-time</option>, an absolute
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance time is indicated in YYYYMMDDHHMMSS notation. A time relative
29388ae1e5c17f328db03f136c0e8e0db96d9b2bFelix Gabriel Mance to the start time is indicated with +N, which is N seconds from
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance the start time. A time relative to the current time is
29388ae1e5c17f328db03f136c0e8e0db96d9b2bFelix Gabriel Mance indicated with now+N. If no <option>end-time</option> is
29388ae1e5c17f328db03f136c0e8e0db96d9b2bFelix Gabriel Mance specified, 30 days from the start time is used as a default.
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <varlistentry>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <term>-f <replaceable class="parameter">output-file</replaceable></term>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <listitem>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu The name of the output file containing the signed zone. The
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu default is to append <filename>.signed</filename> to
7852de3551fc797566ee71165bafe05b6d81728cnotanartist the
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu input filename.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </para>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu </listitem>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu </varlistentry>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <varlistentry>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <term>-h</term>
7852de3551fc797566ee71165bafe05b6d81728cnotanartist <listitem>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu Prints a short summary of the options and arguments to
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <command>dnssec-signzone</command>.
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu </para>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu </listitem>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu </varlistentry>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <term>-i <replaceable class="parameter">interval</replaceable></term>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <listitem>
46d4ee3a3a49edb71666fdb54bb7e68a22fbf448Christian Maeder <para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance When a previously-signed zone is passed as input, records
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance may be re-signed. The <option>interval</option> option
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance specifies the cycle interval as an offset from the current
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance time (in seconds). If an RRSIG record expires after the
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance cycle interval, it is retained. Otherwise, it is considered
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance to be expiring soon, and it will be replaced.
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu </para>
55c408be0f43042369ac45ca608351793a318d77Felix Gabriel Mance <para>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu The default cycle interval is one quarter of the difference
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu between the signature end and start times. So if neither
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <option>end-time</option> nor <option>start-time</option>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu is specified, <command>dnssec-signzone</command>
148897af8457fe167e0e310dc3f9a60e10381f5dChristian Maeder generates
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu signatures that are valid for 30 days, with a cycle
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu interval of 7.5 days. Therefore, if any existing RRSIG records
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu are due to expire in less than 7.5 days, they would be
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu replaced.
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu </para>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu </listitem>
148897af8457fe167e0e310dc3f9a60e10381f5dChristian Maeder </varlistentry>
148897af8457fe167e0e310dc3f9a60e10381f5dChristian Maeder
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <varlistentry>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <term>-I <replaceable class="parameter">input-format</replaceable></term>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <listitem>
45e34c7696f9dd6163686ff6798b33a126590fa2Felix Gabriel Mance <para>
6d907570443508c99867ea29ddf5e5cb0a2ef8c2Christian Maeder The format of the input zone file.
e4a9fde95085fb3cada3e7c5e2e8b4d5cf898c4aFelix Gabriel Mance Possible formats are <command>"text"</command> (default)
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu and <command>"raw"</command>.
55c408be0f43042369ac45ca608351793a318d77Felix Gabriel Mance This option is primarily intended to be used for dynamic
e4a9fde95085fb3cada3e7c5e2e8b4d5cf898c4aFelix Gabriel Mance signed zones so that the dumped zone file in a non-text
e4a9fde95085fb3cada3e7c5e2e8b4d5cf898c4aFelix Gabriel Mance format containing updates can be signed directly.
e4a9fde95085fb3cada3e7c5e2e8b4d5cf898c4aFelix Gabriel Mance The use of this option does not make much sense for
68cc40da4dddf2c6e1cb42246688ffb54784ec4cChristian Maeder non-dynamic zones.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </para>
68cc40da4dddf2c6e1cb42246688ffb54784ec4cChristian Maeder </listitem>
e4a9fde95085fb3cada3e7c5e2e8b4d5cf898c4aFelix Gabriel Mance </varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu
6debc9b26675e077a8feba7cba2385b5e1cf25dbFelix Gabriel Mance <varlistentry>
9d3ad36a8d5095b19c227cc42594d0624ca50b2fFelix Gabriel Mance <term>-j <replaceable class="parameter">jitter</replaceable></term>
9d3ad36a8d5095b19c227cc42594d0624ca50b2fFelix Gabriel Mance <listitem>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <para>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu When signing a zone with a fixed signature lifetime, all
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu RRSIG records issued at the time of signing expire
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu simultaneously. If the zone is incrementally signed, i.e.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu a previously-signed zone is passed as input to the signer,
6debc9b26675e077a8feba7cba2385b5e1cf25dbFelix Gabriel Mance all expired signatures have to be regenerated at about the
a54f6ea90a19373f84cd0a3732e26d69a6092081Francisc Nicolae Bungiu same time. The <option>jitter</option> option specifies a
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu jitter window that will be used to randomize the signature
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu expire time, thus spreading incremental signature
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance regeneration over time.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </para>
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu <para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance Signature lifetime jitter also benefits, to some extent,
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu validators and servers by spreading out cache expiration:
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu if large numbers of RRSIGs do not expire from all caches at
e4a9fde95085fb3cada3e7c5e2e8b4d5cf898c4aFelix Gabriel Mance the same time, there will be less congestion than if all
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance validators need to refetch at about the same time.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </listitem>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance
e4a9fde95085fb3cada3e7c5e2e8b4d5cf898c4aFelix Gabriel Mance <varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <term>-n <replaceable class="parameter">ncpus</replaceable></term>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <listitem>
e4a9fde95085fb3cada3e7c5e2e8b4d5cf898c4aFelix Gabriel Mance <para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance Specifies the number of threads to use. By default, one
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance thread is started for each detected CPU.
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </varlistentry>
3b4fb2c734e9cc654d3770879eef341545814776Felix Gabriel Mance
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance The SOA serial number format of the signed zone.
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance Possible formats are <command>"keep"</command> (default),
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <command>"increment"</command> and
3b4fb2c734e9cc654d3770879eef341545814776Felix Gabriel Mance <command>"unixtime"</command>.
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <variablelist>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <term><command>"keep"</command></term>
e4a9fde95085fb3cada3e7c5e2e8b4d5cf898c4aFelix Gabriel Mance <listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <para>Do not modify the SOA serial number.</para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <term><command>"increment"</command></term>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <listitem>
e4a9fde95085fb3cada3e7c5e2e8b4d5cf898c4aFelix Gabriel Mance <para>Increment the SOA serial number using RFC 1982
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance arithmetic.</para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance
863fa65ac095659c6da1cde7fe7b839f1e7f60f9Felix Gabriel Mance <varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <term><command>"unixtime"</command></term>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <para>Set the SOA serial number to the number of seconds
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance since epoch.</para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </variablelist>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance
c22832fdc390b7b17c6edf2657e00731c0cfd5beFelix Gabriel Mance </listitem>
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance </varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance <varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <term>-o <replaceable class="parameter">origin</replaceable></term>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <listitem>
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance <para>
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance The zone origin. If not specified, the name of the zone file
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu is assumed to be the origin.
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance </para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </listitem>
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance </varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <varlistentry>
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance <term>-O <replaceable class="parameter">output-format</replaceable></term>
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance <listitem>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <para>
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance The format of the output file containing the signed zone.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu Possible formats are <command>"text"</command> (default)
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance and <command>"raw"</command>.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </listitem>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance <varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <term>-p</term>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <listitem>
6debc9b26675e077a8feba7cba2385b5e1cf25dbFelix Gabriel Mance <para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu Use pseudo-random data when signing the zone. This is faster,
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu but less secure, than using real random data. This option
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance may be useful when signing large zones or when the entropy
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance source is limited.
6debc9b26675e077a8feba7cba2385b5e1cf25dbFelix Gabriel Mance </para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </listitem>
6debc9b26675e077a8feba7cba2385b5e1cf25dbFelix Gabriel Mance </varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <term>-P</term>
e4a9fde95085fb3cada3e7c5e2e8b4d5cf898c4aFelix Gabriel Mance <listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance Disable post-sign verification tests.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </para>
51d64c2e160c971ea2ae1d4f1ddffe6a0a3b8f64Felix Gabriel Mance <para>
51d64c2e160c971ea2ae1d4f1ddffe6a0a3b8f64Felix Gabriel Mance The post-sign verification test ensures that for each algorithm
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu in use there is at least one non-revoked, self-signed KSK,
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu that all revoked KSKs are self-signed, and that all records
51d64c2e160c971ea2ae1d4f1ddffe6a0a3b8f64Felix Gabriel Mance in the zone are signed by the algorithm.
51d64c2e160c971ea2ae1d4f1ddffe6a0a3b8f64Felix Gabriel Mance This option skips these tests, so such problems are not detected at signing time.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </para>
51d64c2e160c971ea2ae1d4f1ddffe6a0a3b8f64Felix Gabriel Mance </listitem>
51d64c2e160c971ea2ae1d4f1ddffe6a0a3b8f64Felix Gabriel Mance </varlistentry>
51d64c2e160c971ea2ae1d4f1ddffe6a0a3b8f64Felix Gabriel Mance
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <varlistentry>
51d64c2e160c971ea2ae1d4f1ddffe6a0a3b8f64Felix Gabriel Mance <term>-r <replaceable class="parameter">randomdev</replaceable></term>
51d64c2e160c971ea2ae1d4f1ddffe6a0a3b8f64Felix Gabriel Mance <listitem>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu Specifies the source of randomness. If the operating
51d64c2e160c971ea2ae1d4f1ddffe6a0a3b8f64Felix Gabriel Mance system does not provide a <filename>/dev/random</filename>
51d64c2e160c971ea2ae1d4f1ddffe6a0a3b8f64Felix Gabriel Mance or equivalent device, the default source of randomness
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu is keyboard input. <filename>randomdev</filename>
3b4fb2c734e9cc654d3770879eef341545814776Felix Gabriel Mance specifies
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance the name of a character device or file containing random
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu data to be used instead of the default. The special value
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <filename>keyboard</filename> indicates that keyboard
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance input should be used.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </para>
4b7c9b9fec53befb553f2c9b11e30a4fe2235e03Felix Gabriel Mance </listitem>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance </varlistentry>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <varlistentry>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <term>-S</term>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <listitem>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <para>
0c3badd7ad83eb89f64ef5ed1122c4fa856fb45dFelix Gabriel Mance Smart signing: Instructs <command>dnssec-signzone</command> to
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance search the key repository for keys that match the zone being
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance signed, and to include them in the zone if appropriate.
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance </para>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <para>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance When a key is found, its timing metadata is examined to
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance determine how it should be used, according to the following
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance rules. Each successive rule takes priority over the prior
4b7c9b9fec53befb553f2c9b11e30a4fe2235e03Felix Gabriel Mance ones:
4b7c9b9fec53befb553f2c9b11e30a4fe2235e03Felix Gabriel Mance </para>
ab72ebade3d901d3857bf76626216456b83ebdc6Felix Gabriel Mance <variablelist>
4b7c9b9fec53befb553f2c9b11e30a4fe2235e03Felix Gabriel Mance <varlistentry>
ab72ebade3d901d3857bf76626216456b83ebdc6Felix Gabriel Mance <listitem>
4b7c9b9fec53befb553f2c9b11e30a4fe2235e03Felix Gabriel Mance <para>
4b7c9b9fec53befb553f2c9b11e30a4fe2235e03Felix Gabriel Mance If no timing metadata has been set for the key, the key is
4b7c9b9fec53befb553f2c9b11e30a4fe2235e03Felix Gabriel Mance published in the zone and used to sign the zone.
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance </para>
4b7c9b9fec53befb553f2c9b11e30a4fe2235e03Felix Gabriel Mance </listitem>
ab72ebade3d901d3857bf76626216456b83ebdc6Felix Gabriel Mance </varlistentry>
4b7c9b9fec53befb553f2c9b11e30a4fe2235e03Felix Gabriel Mance
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <listitem>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <para>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance If the key's publication date is set and is in the past, the
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu key is published in the zone.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </listitem>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance </varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <varlistentry>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <listitem>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu If the key's activation date is set and in the past, the
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance key is published (regardless of publication date) and
f35720a6408a181351a6de0e2597953580cc14b4mcodescu used to sign the zone.
f35720a6408a181351a6de0e2597953580cc14b4mcodescu </para>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance </listitem>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance </varlistentry>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <listitem>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <para>
f35720a6408a181351a6de0e2597953580cc14b4mcodescu If the key's revocation date is set and in the past, and the
f35720a6408a181351a6de0e2597953580cc14b4mcodescu key is published, then the key is revoked, and the revoked key
f35720a6408a181351a6de0e2597953580cc14b4mcodescu is used to sign the zone.
f35720a6408a181351a6de0e2597953580cc14b4mcodescu </para>
f35720a6408a181351a6de0e2597953580cc14b4mcodescu </listitem>
f35720a6408a181351a6de0e2597953580cc14b4mcodescu </varlistentry>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <varlistentry>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <listitem>
f35720a6408a181351a6de0e2597953580cc14b4mcodescu <para>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance If either of the key's unpublication or deletion dates is set
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance and in the past, the key is NOT published or used to sign the
f35720a6408a181351a6de0e2597953580cc14b4mcodescu zone, regardless of any other metadata.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </listitem>
f35720a6408a181351a6de0e2597953580cc14b4mcodescu </varlistentry>
f35720a6408a181351a6de0e2597953580cc14b4mcodescu </variablelist>
f35720a6408a181351a6de0e2597953580cc14b4mcodescu </listitem>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance </varlistentry>
f35720a6408a181351a6de0e2597953580cc14b4mcodescu
f35720a6408a181351a6de0e2597953580cc14b4mcodescu <varlistentry>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <term>-T <replaceable class="parameter">ttl</replaceable></term>
f35720a6408a181351a6de0e2597953580cc14b4mcodescu <listitem>
f35720a6408a181351a6de0e2597953580cc14b4mcodescu <para>
f35720a6408a181351a6de0e2597953580cc14b4mcodescu Specifies the TTL of new DNSKEY records imported to the zone
0ca560844b21459d554e0919c61b6e2d3a5523c6Francisc Nicolae Bungiu from the key repository. Only useful with the -S option.
148897af8457fe167e0e310dc3f9a60e10381f5dChristian Maeder </para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </listitem>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance </varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <term>-t</term>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <listitem>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu Print statistics at completion.
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance </para>
737b1b41cdc83ea7076820a4891c95c8f6922c5cFelix Gabriel Mance </listitem>
737b1b41cdc83ea7076820a4891c95c8f6922c5cFelix Gabriel Mance </varlistentry>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <term>-v <replaceable class="parameter">level</replaceable></term>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <listitem>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu Sets the debugging level.
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance </para>
737b1b41cdc83ea7076820a4891c95c8f6922c5cFelix Gabriel Mance </listitem>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu
737b1b41cdc83ea7076820a4891c95c8f6922c5cFelix Gabriel Mance <varlistentry>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <term>-z</term>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <listitem>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <para>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance Ignore KSK flag on key when determining what to sign.
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance </para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </listitem>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance </varlistentry>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <varlistentry>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <term>-3 <replaceable class="parameter">salt</replaceable></term>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <listitem>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <para>
737b1b41cdc83ea7076820a4891c95c8f6922c5cFelix Gabriel Mance Generate an NSEC3 chain with the given hex-encoded salt.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu A dash (<userinput>-</userinput>) given as <replaceable class="parameter">salt</replaceable> can
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu be used to indicate that no salt is to be used when generating the NSEC3 chain.
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance </para>
3b4fb2c734e9cc654d3770879eef341545814776Felix Gabriel Mance </listitem>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance </varlistentry>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <varlistentry>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <term>-H <replaceable class="parameter">iterations</replaceable></term>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <listitem>
92ae4d5885ea837ffe3dae9b2de742f871229b94Christian Maeder <para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu When generating an NSEC3 chain, use this many iterations. The
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu default is 100.
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance </para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </listitem>
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance </varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <varlistentry>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <term>-A</term>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <listitem>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <para>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance When generating an NSEC3 chain, set the OPTOUT flag on all
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance NSEC3 records and do not generate NSEC3 records for insecure
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance delegations.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </para>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance </listitem>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </varlistentry>
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <varlistentry>
a98ae3297826edfeba8f9300e389594cccb6b80cFelix Gabriel Mance <term>zonefile</term>
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance <listitem>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu The file containing the zone to be signed.
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </para>
7852de3551fc797566ee71165bafe05b6d81728cnotanartist </listitem>
e6b8e95a7eef957ee15b2a5af67e8aebf090788fmcodescu </varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <term>key</term>
01d43e1585a9d10bf2b5c2148ce53d7d8ab2b228mcodescu <listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance Specify which keys should be used to sign the zone. If
7852de3551fc797566ee71165bafe05b6d81728cnotanartist no keys are specified, then the zone will be examined
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu for DNSKEY records at the zone apex. If these are found and
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance there are matching private keys in the current directory,
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu these will be used for signing.
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </listitem>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </varlistentry>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance
01bafc1b5187ed986fe0b0e3cddd1ce0dae888fdFelix Gabriel Mance </variablelist>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </refsect1>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <refsect1>
6debc9b26675e077a8feba7cba2385b5e1cf25dbFelix Gabriel Mance <title>EXAMPLE</title>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance The following command signs the <userinput>example.com</userinput>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu zone with the DSA key generated by <command>dnssec-keygen</command>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu (Kexample.com.+003+17247). The zone's keys must be in the master
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance file (<filename>db.example.com</filename>). This invocation looks
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance for <filename>keyset</filename> files, in the current directory,
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu so that DS records can be generated from them (<command>-g</command>).
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance<programlisting>% dnssec-signzone -g -o example.com db.example.com \
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel ManceKexample.com.+003+17247
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescudb.example.com.signed
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance%</programlisting>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance <para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu In the above example, <command>dnssec-signzone</command> creates
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance the file <filename>db.example.com.signed</filename>. This
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance file should be referenced in a zone statement in a
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <filename>named.conf</filename> file.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </para>
01bafc1b5187ed986fe0b0e3cddd1ce0dae888fdFelix Gabriel Mance <para>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance This example re-signs a previously signed zone with default parameters.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu The private keys are assumed to be in the current directory.
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </para>
01bafc1b5187ed986fe0b0e3cddd1ce0dae888fdFelix Gabriel Mance<programlisting>% cp db.example.com.signed db.example.com
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance% dnssec-signzone -o example.com db.example.com
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescudb.example.com.signed
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu%</programlisting>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </refsect1>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <refsect1>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <title>SEE ALSO</title>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <para><citerefentry>
01bafc1b5187ed986fe0b0e3cddd1ce0dae888fdFelix Gabriel Mance <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
df07519fa32f65c0a01313b9bced6fb6f89f8ee2Felix Gabriel Mance </citerefentry>,
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <citetitle>RFC 4033</citetitle>.
01d43e1585a9d10bf2b5c2148ce53d7d8ab2b228mcodescu </para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </refsect1>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <refsect1>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <title>AUTHOR</title>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu <para><corpauthor>Internet Systems Consortium</corpauthor>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </para>
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu </refsect1>
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance</refentry><!--
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu - Local variables:
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance - mode: sgml
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu - End:
c3da0385115421492e90a75ab91aef806006d12aFelix Gabriel Mance-->
89d587a3af030fa269f6fe96633b3e49df67dad6mcodescu