dnssec-signzone.docbook revision 6e8a8077faf96d8da0b6cf738913f5f1f86e4008
5cd4555ad444fd391002ae32450572054369fd42Rob Austein<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
5cd4555ad444fd391002ae32450572054369fd42Rob Austein<!--
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - Copyright (C) 2001-2003 Internet Software Consortium.
a6ca100924894cdd8e2b791d75a8cef32b1fba1fTinderbox User -
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews - Permission to use, copy, modify, and distribute this software for any
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - purpose with or without fee is hereby granted, provided that the above
ec5347e2c775f027573ce5648b910361aa926c01Automatic Updater - copyright notice and this permission notice appear in all copies.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington -
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews-->
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<!-- $Id: dnssec-signzone.docbook,v 1.13 2005/03/22 02:20:03 marka Exp $ -->
f5d30e2864e048a42c4dc1134993ae7efdb5d6c3Mark Andrews
b5ad6dfea4cc3e7d1d322ac99f1e5a31096837c4Mark Andrews<refentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refentryinfo>
1753d3c4d74241a847794f7e7cfd94cc79be6600Evan Hunt <date>June 30, 2000</date>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refentryinfo>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refmeta>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refentrytitle><application>dnssec-signzone</application></refentrytitle>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <manvolnum>8</manvolnum>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refmiscinfo>BIND9</refmiscinfo>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refmeta>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refnamediv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refname><application>dnssec-signzone</application></refname>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refpurpose>DNSSEC zone signing tool</refpurpose>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refnamediv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <refsynopsisdiv>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <cmdsynopsis>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <command>dnssec-signzone</command>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-a</option></arg>
c1a883f2e04d94e99c433b1f6cfd0c0338f4ed85Mark Andrews <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
3398334b3acda24b086957286288ca9852662b12Automatic Updater <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
dde8659175c5798267fb0fdefd7576e4efe271b3Automatic Updater <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
f428e385a4f7a42196b53de8e134909e8c488258Automatic Updater <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
207cee019eb5cbbe7c905f7c52f7b5d11f8c0305Automatic Updater <arg><option>-g</option></arg>
99d8f5a70440ee8b63ab1745d713b96dde890546Tinderbox User <arg><option>-h</option></arg>
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
a6ca100924894cdd8e2b791d75a8cef32b1fba1fTinderbox User <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-p</option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
f5d30e2864e048a42c4dc1134993ae7efdb5d6c3Mark Andrews <arg><option>-t</option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-z</option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg choice="req">zonefile</arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg rep="repeat">key</arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </cmdsynopsis>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refsynopsisdiv>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt <refsect1>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt <title>DESCRIPTION</title>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <command>dnssec-signzone</command> signs a zone. It generates
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt NSEC and RRSIG records and produces a signed version of the
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington zone. The security status of delegations from the signed zone
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt (that is, whether the child zones are secure or not) is
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont determined by the presence or absence of a
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews <filename>keyset</filename> file for each child zone.
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <refsect1>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <title>OPTIONS</title>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <variablelist>
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-a</term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <listitem>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Verify all generated signatures.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman <term>-c <replaceable class="parameter">class</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Specifies the DNS class of the zone.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-k <replaceable class="parameter">key</replaceable></term>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews <listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Treat the specified key as a key-signing key, ignoring any
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington key flags. This option may be specified multiple times.
41eeb37b516d1bac073781b6ec50a39a669987dfEvan Hunt </para>
41eeb37b516d1bac073781b6ec50a39a669987dfEvan Hunt </listitem>
41eeb37b516d1bac073781b6ec50a39a669987dfEvan Hunt </varlistentry>
41eeb37b516d1bac073781b6ec50a39a669987dfEvan Hunt
41eeb37b516d1bac073781b6ec50a39a669987dfEvan Hunt <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-l <replaceable class="parameter">domain</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Generate a DLV set in addition to the key (DNSKEY) and DS sets.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington The domain is appended to the name of the records.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-d <replaceable class="parameter">directory</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <listitem>
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews <para>
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews Look for <filename>keyset</filename> files in
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt <option>directory</option>.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-g</term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <listitem>
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt <para>
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt Generate DS records for child zones from keyset files.
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt Existing DS records will be removed.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-s <replaceable class="parameter">start-time</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Specify the date and time when the generated RRSIG records
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein become valid. This can be either an absolute or relative
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein time. An absolute start time is indicated by a number
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington in YYYYMMDDHHMMSS notation; 20000530144500 denotes
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington 14:45:00 UTC on May 30th, 2000. A relative start time is
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington indicated by +N, which is N seconds from the current time.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington If no <option>start-time</option> is specified, the current
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein time minus 1 hour (to allow for clock skew) is used.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt </varlistentry>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt <term>-e <replaceable class="parameter">end-time</replaceable></term>
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews <listitem>
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Specify the date and time when the generated RRSIG records
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt expire. As with <option>start-time</option>, an absolute
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt time is indicated in YYYYMMDDHHMMSS notation. A time relative
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt to the start time is indicated with +N, which is N seconds from
edad003e630cf9a25db88d95247d10eb96117d66Jeremy C. Reed the start time. A time relative to the current time is
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt indicated with now+N. If no <option>end-time</option> is
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt specified, 30 days from the start time is used as a default.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </listitem>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-f <replaceable class="parameter">output-file</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The name of the output file containing the signed zone. The
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein default is to append <filename>.signed</filename> to the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein input file.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
bf45f72ed319628eebce60c368177320943d001fMark Andrews <varlistentry>
bf45f72ed319628eebce60c368177320943d001fMark Andrews <term>-h</term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Prints a short summary of the options and arguments to
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <command>dnssec-signzone</command>.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-i <replaceable class="parameter">interval</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <listitem>
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews <para>
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews When a previously signed zone is passed as input, records
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt may be resigned. The <option>interval</option> option
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt specifies the cycle interval as an offset from the current
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt time (in seconds). If an RRSIG record expires after the
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt cycle interval, it is retained. Otherwise, it is considered
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt to be expiring soon, and it will be replaced.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt The default cycle interval is one quarter of the difference
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt between the signature end and start times. So if neither
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <option>end-time</option> nor <option>start-time</option>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt is specified, <command>dnssec-signzone</command> generates
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt signatures that are valid for 30 days, with a cycle
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt interval of 7.5 days. Therefore, if any existing RRSIG records
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt are due to expire in less than 7.5 days, they would be
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt replaced.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-j <replaceable class="parameter">jitter</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein When signing a zone with a fixed signature lifetime, all
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein RRSIG records issued at the time of signing expire
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein simultaneously. If the zone is incrementally signed, i.e.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein a previously signed zone is passed as input to the signer,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein all expired signatures have to be regenerated at about the
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington same time. The <option>jitter</option> option specifies a
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington jitter window that will be used to randomize the signature
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont expire time, thus spreading incremental signature
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont regeneration over time.
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont </para>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt Signature lifetime jitter also benefits validators and servers
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt to some extent by spreading out cache expiration: if large numbers
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt of RRSIGs do not expire from all caches at the same time, there is
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt less congestion than if all validators need to refetch at roughly
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt the same time.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt </para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt </listitem>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt </varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont <varlistentry>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont <term>-n <replaceable class="parameter">nthreads</replaceable></term>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont <listitem>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont <para>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews Specifies the number of threads to use. By default, one
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews thread is started for each detected CPU.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-o <replaceable class="parameter">origin</replaceable></term>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews <listitem>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews <para>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt The zone origin. If not specified, the name of the zone file
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt is assumed to be the origin.
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt </para>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt </listitem>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt </varlistentry>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <varlistentry>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <term>-p</term>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <listitem>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Use pseudo-random data when signing the zone. This is faster,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington but less secure, than using real random data. This option
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein may be useful when signing large zones or when the entropy
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein source is limited.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-r <replaceable class="parameter">randomdev</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Specifies the source of randomness. If the operating
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington system does not provide a <filename>/dev/random</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein or equivalent device, the default source of randomness
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein is keyboard input. <filename>randomdev</filename> specifies
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the name of a character device or file containing random
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein data to be used instead of the default. The special value
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <filename>keyboard</filename> indicates that keyboard
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein input should be used.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-t</term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Print statistics at completion.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </listitem>
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews </varlistentry>
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-v <replaceable class="parameter">level</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Sets the debugging level.
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews </para>
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews </listitem>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt </varlistentry>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <varlistentry>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <term>-z</term>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <listitem>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <para>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt Ignore the KSK flag on keys when determining what to sign.
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt </para>
03f979494f5c80e05a72f876914d9d44085fbd6aEvan Hunt </listitem>
03f979494f5c80e05a72f876914d9d44085fbd6aEvan Hunt </varlistentry>
03f979494f5c80e05a72f876914d9d44085fbd6aEvan Hunt
03f979494f5c80e05a72f876914d9d44085fbd6aEvan Hunt <varlistentry>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <term>zonefile</term>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <listitem>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <para>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt The file containing the zone to be signed.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>key</term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The keys used to sign the zone. If no keys are specified, the
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington default is all zone keys that have private key files in the
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington current directory.
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews </para>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews </listitem>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews </varlistentry>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews </variablelist>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews </refsect1>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews <refsect1>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews <title>EXAMPLE</title>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews <para>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews The following command signs the <userinput>example.com</userinput>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews zone with the DSA key generated in the <command>dnssec-keygen</command>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews man page. The zone's keys must be in the zone. If there are
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews <filename>keyset</filename> files associated with child zones,
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews they must be in the current directory. To sign
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews <userinput>example.com</userinput>, the following command would be
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews issued:
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews </para>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews <para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <userinput>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</userinput>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The command would print the name of the output file, <filename>db.example.com.signed</filename>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein In this example, <command>dnssec-signzone</command> creates
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the file <filename>db.example.com.signed</filename>. This file
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein should be referenced in a zone statement in a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <filename>named.conf</filename> file.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </refsect1>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <refsect1>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <title>SEE ALSO</title>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <citerefentry>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <refentrytitle>dnssec-keygen</refentrytitle>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <manvolnum>8</manvolnum>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews </citerefentry>,
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <citetitle>RFC 2535</citetitle>.
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews </para>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews </refsect1>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <refsect1>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <title>AUTHOR</title>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <para>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <corpauthor>Internet Systems Consortium</corpauthor>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews </para>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews </refsect1>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington</refentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<!--
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - Local variables:
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - mode: sgml
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - End:
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein-->
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein