bin/dnssec/dnssec-signzone.docbook

	dnssec-signzone.docbook revision ba751492fcc4f161a18b983d4f018a1a52938cb9
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
11e9368a226272085c337e9e74b79808c16fbdbaTinderbox User               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews           [<!ENTITY mdash "&#8212;">]>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!--
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Copyright (C) 2004-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Copyright (C) 2000-2003  Internet Software Consortium.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Permission to use, copy, modify, and/or distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein-->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<!-- $Id: dnssec-signzone.docbook,v 1.52 2011/12/22 07:32:40 each Exp $ -->
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<refentry id="man.dnssec-signzone">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  <refentryinfo>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <date>June 05, 2009</date>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  </refentryinfo>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  <refmeta>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <refentrytitle><application>dnssec-signzone</application></refentrytitle>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein   <manvolnum>8</manvolnum>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews    <refmiscinfo>BIND9</refmiscinfo>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  </refmeta>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  <refnamediv>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <refname><application>dnssec-signzone</application></refname>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <refpurpose>DNSSEC zone signing tool</refpurpose>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  </refnamediv>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  <docinfo>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <copyright>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <year>2004</year>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <year>2005</year>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <year>2006</year>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <year>2007</year>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <year>2008</year>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <year>2009</year>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <year>2011</year>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <year>2012</year>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <year>2013</year>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User    </copyright>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <copyright>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <year>2000</year>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <year>2001</year>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <year>2002</year>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <year>2003</year>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <holder>Internet Software Consortium.</holder>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User    </copyright>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </docinfo>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User  <refsynopsisdiv>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User    <cmdsynopsis>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <command>dnssec-signzone</command>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg><option>-a</option></arg>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg><option>-D</option></arg>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <arg><option>-g</option></arg>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg><option>-h</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater      <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater      <arg><option>-P</option></arg>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg><option>-p</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-R</option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-S</option></arg>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <arg><option>-t</option></arg>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg><option>-u</option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <arg><option>-x</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-z</option></arg>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg><option>-A</option></arg>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg choice="req">zonefile</arg>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <arg rep="repeat">key</arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </cmdsynopsis>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </refsynopsisdiv>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <refsect1>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <title>DESCRIPTION</title>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <para><command>dnssec-signzone</command>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      signs a zone.  It generates
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      NSEC and RRSIG records and produces a signed version of the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      zone. The security status of delegations from the signed zone
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      (that is, whether the child zones are secure or not) is
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews      determined by the presence or absence of a
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews      <filename>keyset</filename> file for each child zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </para>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews  </refsect1>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  <refsect1>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <title>OPTIONS</title>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <variablelist>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews        <term>-a</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Verify all generated signatures.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews        <term>-c <replaceable class="parameter">class</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            Specifies the DNS class of the zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-C</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Compatibility mode: Generate a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <filename>keyset-<replaceable>zonename</replaceable></filename>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            file in addition to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <filename>dsset-<replaceable>zonename</replaceable></filename>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            when signing a zone, for use by older versions of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <command>dnssec-signzone</command>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-d <replaceable class="parameter">directory</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Look for <filename>dsset-</filename> or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <filename>keyset-</filename> files in <option>directory</option>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-D</term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Output only those record types automatically managed by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <command>dnssec-signzone</command>, i.e. RRSIG, NSEC,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        NSEC3 and NSEC3PARAM records. If smart signing
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        (<option>-S</option>) is used, DNSKEY records are also
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        included. The resulting file can be included in the original
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        zone file with <command>$INCLUDE</command>. This option
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        cannot be combined with <option>-O raw</option>,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews            <option>-O map</option>, or serial number updating.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          </para>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        </listitem>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews      </varlistentry>
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews      <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        <term>-E <replaceable class="parameter">engine</replaceable></term>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews        <listitem>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          <para>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews            When applicable, specifies the hardware to use for
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews            cryptographic operations, such as a secure key store used
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews            for signing.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            When BIND is built with OpenSSL PKCS#11 support, this defaults
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            to the string "pkcs11", which identifies an OpenSSL engine
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            that can drive a cryptographic accelerator or hardware service
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            module.  When BIND is built with native PKCS#11 cryptography
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            provider library specified via "--with-pkcs11".
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater        <term>-g</term>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater        <listitem>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater          <para>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater            Generate DS records for child zones from
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater            <filename>dsset-</filename> or <filename>keyset-</filename>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater            file.  Existing DS records will be removed.
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater          </para>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater        </listitem>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater      </varlistentry>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater      <varlistentry>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater        <term>-K <replaceable class="parameter">directory</replaceable></term>
afb33f777af856f8c3382604a7a8ffdfe2b512c5Automatic Updater        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Key repository: Specify a directory to search for DNSSEC keys.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            If not specified, defaults to the current directory.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <term>-k <replaceable class="parameter">key</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Treat specified key as a key signing key ignoring any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            key flags.  This option may be specified multiple times.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-l <replaceable class="parameter">domain</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            The domain is appended to the name of the records.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-s <replaceable class="parameter">start-time</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Specify the date and time when the generated RRSIG records
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            become valid.  This can be either an absolute or relative
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            time.  An absolute start time is indicated by a number
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews            14:45:00 UTC on May 30th, 2000.  A relative start time is
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews            indicated by +N, which is N seconds from the current time.
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews            If no <option>start-time</option> is specified, the current
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews            time minus 1 hour (to allow for clock skew) is used.
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews          </para>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews        </listitem>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews      </varlistentry>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-e <replaceable class="parameter">end-time</replaceable></term>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews        <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Specify the date and time when the generated RRSIG records
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            expire.  As with <option>start-time</option>, an absolute
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews            to the start time is indicated with +N, which is N seconds from
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews            the start time.  A time relative to the current time is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            indicated with now+N.  If no <option>end-time</option> is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            specified, 30 days from the start time is used as a default.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <option>end-time</option> must be later than
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <option>start-time</option>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-X <replaceable class="parameter">extended end-time</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Specify the date and time when the generated RRSIG records
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            for the DNSKEY RRset will expire.  This is to be used in cases
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            when the DNSKEY signatures need to persist longer than
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            signatures on other records; e.g., when the private component
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User            of the KSK is kept offline and the KSK signature is to be
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User            refreshed manually.
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User          </para>
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User          <para>
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User            As with <option>start-time</option>, an absolute
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User            to the start time is indicated with +N, which is N seconds from
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User            the start time.  A time relative to the current time is
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User            indicated with now+N.  If no <option>extended end-time</option> is
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User            specified, the value of <option>end-time</option> is used as
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User            the default.  (<option>end-time</option>, in turn, defaults to
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User            30 days from the start time.) <option>extended end-time</option>
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User            must be later than <option>start-time</option>.
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User          </para>
3a32ac2a720653083c7a22cb654b86c398f6d4c8Tinderbox User        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-f <replaceable class="parameter">output-file</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            The name of the output file containing the signed zone.  The
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            default is to append <filename>.signed</filename> to
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews            the input filename.  If <option>output-file</option> is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            set to <literal>"-"</literal>, then the signed zone is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            written to the standard output, with a default output
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            format of "full".
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-h</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Prints a short summary of the options and arguments to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <command>dnssec-signzone</command>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-i <replaceable class="parameter">interval</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            When a previously-signed zone is passed as input, records
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            may be resigned.  The <option>interval</option> option
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            specifies the cycle interval as an offset from the current
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            time (in seconds).  If a RRSIG record expires after the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            cycle interval, it is retained.  Otherwise, it is considered
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            to be expiring soon, and it will be replaced.
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews          </para>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews          <para>
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews            The default cycle interval is one quarter of the difference
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews            between the signature end and start times.  So if neither
ceeb18e6907a10547859faa340ecad83bedae90cMark Andrews            <option>end-time</option> or <option>start-time</option>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            are specified, <command>dnssec-signzone</command>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            generates
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            signatures that are valid for 30 days, with a cycle
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            interval of 7.5 days.  Therefore, if any existing RRSIG records
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            are due to expire in less than 7.5 days, they would be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            replaced.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-I <replaceable class="parameter">input-format</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            The format of the input zone file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Possible formats are <command>"text"</command> (default),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <command>"raw"</command>, and <command>"map"</command>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        This option is primarily intended to be used for dynamic
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            signed zones so that the dumped zone file in a non-text
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            format containing updates can be signed directly.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        The use of this option does not make much sense for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        non-dynamic zones.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-j <replaceable class="parameter">jitter</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            When signing a zone with a fixed signature lifetime, all
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            RRSIG records issued at the time of signing expires
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            simultaneously.  If the zone is incrementally signed, i.e.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            a previously-signed zone is passed as input to the signer,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            all expired signatures have to be regenerated at about the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            same time.  The <option>jitter</option> option specifies a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            jitter window that will be used to randomize the signature
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            expire time, thus spreading incremental signature
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews            regeneration over time.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Signature lifetime jitter also to some extent benefits
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            validators and servers by spreading out cache expiration,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            i.e. if large numbers of RRSIGs don't expire at the same time
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            from all caches there will be less congestion than if all
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            validators need to refetch at mostly the same time.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-L <replaceable class="parameter">serial</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            When writing a signed zone to "raw" or "map" format, set the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            "source serial" value in the header to the specified serial
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            number.  (This is expected to be used primarily for testing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            purposes.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater        </listitem>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      </varlistentry>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      <varlistentry>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater        <term>-n <replaceable class="parameter">ncpus</replaceable></term>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater        <listitem>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater          <para>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater            Specifies the number of threads to use.  By default, one
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater            thread is started for each detected CPU.
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater          </para>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater        </listitem>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      </varlistentry>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater      <varlistentry>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater        <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater        <listitem>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater          <para>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater            The SOA serial number format of the signed zone.
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater        Possible formats are <command>"keep"</command> (default),
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater            <command>"increment"</command> and
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater        <command>"unixtime"</command>.
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater          </para>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater          <variablelist>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater        <varlistentry>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater          <term><command>"keep"</command></term>
984c2e9f76e66e86f7d9aca99a774836ddf196eaAutomatic Updater              <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein                <para>Do not modify the SOA serial number.</para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <term><command>"increment"</command></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein              <listitem>
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User                <para>Increment the SOA serial number using RFC 1982
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User                      arithmetics.</para>
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User          </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            </varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User        <varlistentry>
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User          <term><command>"unixtime"</command></term>
bae169ea64bf736d6ea6074c2af3d7c117079972Tinderbox User              <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                <para>Set the SOA serial number to the number of seconds
bae169ea64bf736d6ea6074c2af3d7c117079972Tinderbox User            since epoch.</para>
bae169ea64bf736d6ea6074c2af3d7c117079972Tinderbox User          </listitem>
bae169ea64bf736d6ea6074c2af3d7c117079972Tinderbox User            </varlistentry>
bae169ea64bf736d6ea6074c2af3d7c117079972Tinderbox User     </variablelist>
a24330c4805a224191ab687d0291963062fe3355Tinderbox User
bae169ea64bf736d6ea6074c2af3d7c117079972Tinderbox User        </listitem>
5d564da348e890e42f63eebf2dced9a05b41f4fbTinderbox User      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User        <term>-o <replaceable class="parameter">origin</replaceable></term>
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User        <listitem>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          <para>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews            The zone origin.  If not specified, the name of the zone file
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews            is assumed to be the origin.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews          </para>
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User        </listitem>
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User      </varlistentry>
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-O <replaceable class="parameter">output-format</replaceable></term>
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User        <listitem>
bae169ea64bf736d6ea6074c2af3d7c117079972Tinderbox User          <para>
bae169ea64bf736d6ea6074c2af3d7c117079972Tinderbox User            The format of the output file containing the signed zone.
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User        Possible formats are <command>"text"</command> (default),
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User            which is the standard textual representation of the zone;
5d564da348e890e42f63eebf2dced9a05b41f4fbTinderbox User        <command>"full"</command>, which is text output in a
dad65f7c93330a10705384739dff3a6d4dfe1e70Tinderbox User            format suitable for processing by external scripts;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            and <command>"map"</command>, <command>"raw"</command>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            and <command>"raw=N"</command>, which store the zone in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            binary formats for rapid loading by <command>named</command>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <command>"raw=N"</command> specifies the format version of
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User            the raw zone file: if N is 0, the raw file can be read by
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User            any version of <command>named</command>; if N is 1, the file
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User            can be read by release 9.9.0 or higher; the default is 1.
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User          </para>
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User        </listitem>
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User      </varlistentry>
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User      <varlistentry>
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User        <term>-p</term>
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User        <listitem>
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User          <para>
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User            Use pseudo-random data when signing the zone.  This is faster,
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User            but less secure, than using real random data.  This option
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User            may be useful when signing large zones or when the entropy
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User            source is limited.
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User          </para>
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User        </listitem>
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User      </varlistentry>
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User
8f70b6b48364b58f2823e735c35bf77787de0860Tinderbox User      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-P</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Disable post sign verification tests.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        The post sign verification test ensures that for each algorithm
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        in use there is at least one non revoked self signed KSK key,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        that all revoked KSK keys are self signed, and that all records
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        in the zone are signed by the algorithm.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        This option skips these tests.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-Q</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Remove signatures from keys that are no longer active.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Normally, when a previously-signed zone is passed as input
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            to the signer, and a DNSKEY record has been removed and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            replaced with a new one, signatures from the old key
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            that are still within their validity period are retained.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        This allows the zone to continue to validate with cached
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        copies of the old DNSKEY RRset.  The <option>-Q</option>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            forces <command>dnssec-signzone</command> to remove
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            signatures from keys that are no longer active. This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            enables ZSK rollover using the procedure described in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        </listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-R</term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        Remove signatures from keys that are no longer published.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            This option is similar to <option>-Q</option>, except it
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce            forces <command>dnssec-signzone</command> to signatures from
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            keys that are no longer published. This enables ZSK rollover
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            using the procedure described in RFC 4641, section 4.2.1.2
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            ("Double Signature Zone Signing Key Rollover").
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        </listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-r <replaceable class="parameter">randomdev</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <listitem>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews          <para>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews            Specifies the source of randomness.  If the operating
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            system does not provide a <filename>/dev/random</filename>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            or equivalent device, the default source of randomness
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            is keyboard input.  <filename>randomdev</filename>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            specifies
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            the name of a character device or file containing random
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            data to be used instead of the default.  The special value
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <filename>keyboard</filename> indicates that keyboard
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            input should be used.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <term>-S</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews            Smart signing: Instructs <command>dnssec-signzone</command> to
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews            search the key repository for keys that match the zone being
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            signed, and to include them in the zone if appropriate.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            When a key is found, its timing metadata is examined to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            determine how it should be used, according to the following
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews            rules.  Each successive rule takes priority over the prior
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews            ones:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          <variablelist>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <varlistentry>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews              <listitem>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews                <para>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews                  If no timing metadata has been set for the key, the key is
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews                  published in the zone and used to sign the zone.
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews                </para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein              <listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User                <para>
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews                  If the key's publication date is set and is in the past, the
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews                  key is published in the zone.
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews                </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt              <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                  If the key's activation date is set and in the past, the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                  key is published (regardless of publication date) and
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                  used to sign the zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews        <varlistentry>
035992291cb70ec3be4046fcea921b4a6acb1c77Mark Andrews              <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein                <para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User                  If the key's revocation date is set and in the past, and the
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater                  key is published, then the key is revoked, and the revoked key
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews                  is used to sign the zone.
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews                </para>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews          </listitem>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews            </varlistentry>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews        <varlistentry>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews              <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                <para>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews                  If either of the key's unpublication or deletion dates are set
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews                  and in the past, the key is NOT published or used to sign the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                  zone, regardless of any other metadata.
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews                </para>
4556ad3a270bf049b3225433a402666aaffe3c36Mark Andrews          </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User     </variablelist>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        </listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User      <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <term>-T <replaceable class="parameter">ttl</replaceable></term>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews            Specifies a TTL to be used for new DNSKEY records imported
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            into the zone from the key repository.  If not
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            specified, the default is the TTL value from the zone's SOA
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            record.  This option is ignored when signing without
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            <option>-S</option>, since DNSKEY records are not imported
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            from the key repository in that case.  It is also ignored if
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            there are any pre-existing DNSKEY records at the zone apex,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            in which case new records' TTL values will be set to match
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            them, or if any of the imported DNSKEY records had a default
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews            TTL value.  In the event of a a conflict between TTL values in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            imported keys, the shortest one is used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater      <varlistentry>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater        <term>-t</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            Print statistics at completion.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews      <varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews        <term>-u</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Update NSEC/NSEC3 chain when re-signing a previously signed
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            zone.  With this option, a zone signed with NSEC can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            switched to NSEC3, or a zone signed with NSEC3 can
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            be switch to NSEC or to NSEC3 with different parameters.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Without this option, <command>dnssec-signzone</command> will
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            retain the existing chain when re-signing.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-v <replaceable class="parameter">level</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          <para>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce            Sets the debugging level.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <term>-x</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Only sign the DNSKEY RRset with key-signing keys, and omit
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            signatures from zone-signing keys.  (This is similar to the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <command>dnssec-dnskey-kskonly yes;</command> zone option in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <command>named</command>.)
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce      <varlistentry>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        <term>-z</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Ignore KSK flag on key when determining what to sign.  This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            causes KSK-flagged keys to sign all records, not just the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            DNSKEY RRset.  (This is similar to the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <command>update-check-ksk no;</command> zone option in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <command>named</command>.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>-3 <replaceable class="parameter">salt</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce            Generate an NSEC3 chain with the given hex encoded salt.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce        A dash (<replaceable class="parameter">salt</replaceable>) can
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        be used to indicate that no salt is to be used when generating          the NSEC3 chain.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <term>-H <replaceable class="parameter">iterations</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        When generating an NSEC3 chain, use this many iterations.  The
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        default is 10.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        </listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <term>-A</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        When generating an NSEC3 chain set the OPTOUT flag on all
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews        NSEC3 records and do not generate NSEC3 records for insecure
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        delegations.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Using this option twice (i.e., <option>-AA</option>)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        turns the OPTOUT flag off for all records.  This is useful
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        when using the <option>-u</option> option to modify an NSEC3
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        chain which previously had OPTOUT set.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <term>zonefile</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            The file containing the zone to be signed.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <term>key</term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        Specify which keys should be used to sign the zone.  If
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        no keys are specified, then the zone will be examined
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        for DNSKEY records at the zone apex.  If these are found and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        there are matching private keys, in the current directory,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        then these will be used for signing.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </listitem>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </variablelist>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  </refsect1>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  <refsect1>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <title>EXAMPLE</title>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      The following command signs the <userinput>example.com</userinput>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      zone with the DSA key generated by <command>dnssec-keygen</command>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      (Kexample.com.+003+17247).  Because the <command>-S</command> option
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      is not being used, the zone's keys must be in the master file
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      (<filename>db.example.com</filename>).  This invocation looks
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      for <filename>dsset</filename> files, in the current directory,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      so that DS records can be imported from them (<command>-g</command>).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<programlisting>% dnssec-signzone -g -o example.com db.example.com \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinKexample.com.+003+17247
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntdb.example.com.signed
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein%</programlisting>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      In the above example, <command>dnssec-signzone</command> creates
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      the file <filename>db.example.com.signed</filename>.  This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      file should be referenced in a zone statement in a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <filename>named.conf</filename> file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      This example re-signs a previously signed zone with default parameters.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      The private keys are assumed to be in the current directory.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<programlisting>% cp db.example.com.signed db.example.com
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein% dnssec-signzone -o example.com db.example.com
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeindb.example.com.signed
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein%</programlisting>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  </refsect1>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  <refsect1>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <title>SEE ALSO</title>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <para><citerefentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </citerefentry>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <citetitle>RFC 4033</citetitle>, <citetitle>RFC 4641</citetitle>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </refsect1>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  <refsect1>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <title>AUTHOR</title>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <para><corpauthor>Internet Systems Consortium</corpauthor>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    </para>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  </refsect1>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</refentry><!--
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Local variables:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - mode: sgml
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - End:
d9c707589ade5d69fb59b6837555adc4cd24d34fAutomatic Updater-->
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt