dnssec-signzone.docbook revision b5ad6dfea4cc3e7d1d322ac99f1e5a31096837c4
1633838b8255282d10af15c5c84cee5a51466712Bob Halley<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
94d102893aeb8ecea49dcda64e742835ffe0c102Bob Halley "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
1633838b8255282d10af15c5c84cee5a51466712Bob Halley [<!ENTITY mdash "&#8212;">]>
1633838b8255282d10af15c5c84cee5a51466712Bob Halley<!--
1633838b8255282d10af15c5c84cee5a51466712Bob Halley - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
1633838b8255282d10af15c5c84cee5a51466712Bob Halley - Copyright (C) 2000-2003 Internet Software Consortium.
1633838b8255282d10af15c5c84cee5a51466712Bob Halley -
1633838b8255282d10af15c5c84cee5a51466712Bob Halley - Permission to use, copy, modify, and distribute this software for any
1633838b8255282d10af15c5c84cee5a51466712Bob Halley - purpose with or without fee is hereby granted, provided that the above
1633838b8255282d10af15c5c84cee5a51466712Bob Halley - copyright notice and this permission notice appear in all copies.
1633838b8255282d10af15c5c84cee5a51466712Bob Halley -
1633838b8255282d10af15c5c84cee5a51466712Bob Halley - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
1633838b8255282d10af15c5c84cee5a51466712Bob Halley - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
1633838b8255282d10af15c5c84cee5a51466712Bob Halley - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
1633838b8255282d10af15c5c84cee5a51466712Bob Halley - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
1633838b8255282d10af15c5c84cee5a51466712Bob Halley - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
d25afd60ee2286cb171c4960a790f3d7041b6f85Bob Halley - PERFORMANCE OF THIS SOFTWARE.
d25afd60ee2286cb171c4960a790f3d7041b6f85Bob Halley-->
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley<!-- $Id: dnssec-signzone.docbook,v 1.20 2005/07/19 04:55:20 marka Exp $ -->
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley<refentry id="man.dnssec-signzone">
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <refentryinfo>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <date>June 30, 2000</date>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </refentryinfo>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <refmeta>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <refentrytitle><application>dnssec-signzone</application></refentrytitle>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <manvolnum>8</manvolnum>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <refmiscinfo>BIND9</refmiscinfo>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </refmeta>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <refnamediv>
3740b569ae76295b941d57a724a43beb75b533baBob Halley <refname><application>dnssec-signzone</application></refname>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <refpurpose>DNSSEC zone signing tool</refpurpose>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </refnamediv>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <docinfo>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <copyright>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <year>2004</year>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <year>2005</year>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </copyright>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <copyright>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <year>2000</year>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <year>2001</year>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <year>2002</year>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <year>2003</year>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <holder>Internet Software Consortium.</holder>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </copyright>
3740b569ae76295b941d57a724a43beb75b533baBob Halley </docinfo>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley <refsynopsisdiv>
3740b569ae76295b941d57a724a43beb75b533baBob Halley <cmdsynopsis>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <command>dnssec-signzone</command>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley <arg><option>-a</option></arg>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <arg><option>-g</option></arg>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <arg><option>-h</option></arg>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <arg><option>-p</option></arg>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <arg><option>-t</option></arg>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <arg><option>-z</option></arg>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <arg choice="req">zonefile</arg>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <arg rep="repeat">key</arg>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </cmdsynopsis>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </refsynopsisdiv>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <refsect1>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <title>DESCRIPTION</title>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <para><command>dnssec-signzone</command>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley signs a zone. It generates
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley NSEC and RRSIG records and produces a signed version of the
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley zone. The security status of delegations from the signed zone
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley (that is, whether the child zones are secure or not) is
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley determined by the presence or absence of a
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley <filename>keyset</filename> file for each child zone.
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley </para>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley </refsect1>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley <refsect1>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <title>OPTIONS</title>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <variablelist>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <term>-a</term>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley Verify all generated signatures.
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <term>-c <replaceable class="parameter">class</replaceable></term>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <listitem>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley <para>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley Specifies the DNS class of the zone.
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley </para>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley </listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <term>-k <replaceable class="parameter">key</replaceable></term>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley Treat specified key as a key signing key ignoring any
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley key flags. This option may be specified multiple times.
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <varlistentry>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley <term>-l <replaceable class="parameter">domain</replaceable></term>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley <listitem>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley <para>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley Generate a DLV set in addition to the key (DNSKEY) and DS sets.
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley The domain is appended to the name of the records.
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley </para>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley </listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </varlistentry>
4bc30f45a225947a298f706a8522c9d30915d137Bob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <term>-d <replaceable class="parameter">directory</replaceable></term>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley Look for <filename>keyset</filename> files in
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <option>directory</option> as the directory
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <term>-g</term>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley Generate DS records for child zones from keyset files.
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley Existing DS records will be removed.
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley </varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <varlistentry>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <term>-s <replaceable class="parameter">start-time</replaceable></term>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <listitem>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley <para>
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley Specify the date and time when the generated RRSIG records
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley become valid. This can be either an absolute or relative
c50fd34a4e0e6978f8ca5f6f3ad8545549c3cfeeBob Halley time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <option>start-time</option> is specified, the current
time minus 1 hour (to allow for clock skew) is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-e <replaceable class="parameter">end-time</replaceable></term>
<listitem>
<para>
Specify the date and time when the generated RRSIG records
expire. As with <option>start-time</option>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <option>end-time</option> is
specified, 30 days from the start time is used as a default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">output-file</replaceable></term>
<listitem>
<para>
The name of the output file containing the signed zone. The
default is to append <filename>.signed</filename> to
the
input file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-signzone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
When a previously signed zone is passed as input, records
may be resigned. The <option>interval</option> option
specifies the cycle interval as an offset from the current
time (in seconds). If a RRSIG record expires after the
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
</para>
<para>
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<option>end-time</option> or <option>start-time</option>
are specified, <command>dnssec-signzone</command>
generates
signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing RRSIG records
are due to expire in less than 7.5 days, they would be
replaced.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">input-format</replaceable></term>
<listitem>
<para>
The format of the input zone file.
Possible formats are <command>"text"</command> (default)
and <command>"raw"</command>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be signed directly.
The use of this option does not make much sense for
non-dynamic zones.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-j <replaceable class="parameter">jitter</replaceable></term>
<listitem>
<para>
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed, i.e.
a previously signed zone is passed as input to the signer,
all expired signatures has to be regenerated at about the
same time. The <option>jitter</option> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
regeneration over time.
</para>
<para>
Signature lifetime jitter also to some extent benefits
validators and servers by spreading out cache expiration,
i.e. if large numbers of RRSIGs don't expire at the same time
from all caches there will be less congestion than if all
validators need to refetch at mostly the same time.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">ncpus</replaceable></term>
<listitem>
<para>
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-o <replaceable class="parameter">origin</replaceable></term>
<listitem>
<para>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-O <replaceable class="parameter">output-format</replaceable></term>
<listitem>
<para>
The format of the output file containing the signed zone.
Possible formats are <command>"text"</command> (default)
and <command>"raw"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t</term>
<listitem>
<para>
Print statistics at completion.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Ignore KSK flag on key when determining what to sign.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>zonefile</term>
<listitem>
<para>
The file containing the zone to be signed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>key</term>
<listitem>
<para>
The keys used to sign the zone. If no keys are specified, the
default all zone keys that have private key files in the
current directory.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLE</title>
<para>
The following command signs the <userinput>example.com</userinput>
zone with the DSA key generated in the <command>dnssec-keygen</command>
man page. The zone's keys must be in the zone. If there are
<filename>keyset</filename> files associated with child
zones,
they must be in the current directory.
<userinput>example.com</userinput>, the following command would be
issued:
</para>
<para><userinput>dnssec-signzone -o example.com db.example.com
Kexample.com.+003+26160</userinput>
</para>
<para>
The command would print a string of the form:
</para>
<para>
In this example, <command>dnssec-signzone</command> creates
the file <filename>db.example.com.signed</filename>. This
file
should be referenced in a zone statement in a
<filename>named.conf</filename> file.
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2535</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->