f1c89cb4f5c72c54bb67dc48cd6f2b332eab9e92Automatic Updater<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
66ebd200f5ee9b6566e4390bd679beecb6bdcc6aTinderbox User "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
f1c89cb4f5c72c54bb67dc48cd6f2b332eab9e92Automatic Updater [<!ENTITY mdash "—">]>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - Copyright (C) 2004-2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC")
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User - Permission to use, copy, modify, and/or distribute this software for any
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt - purpose with or without fee is hereby granted, provided that the above
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt - copyright notice and this permission notice appear in all copies.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt - PERFORMANCE OF THIS SOFTWARE.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt<!-- $Id: dnssec-signzone.docbook,v 1.52 2011/12/22 07:32:40 each Exp $ -->
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <refentryinfo>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </refentryinfo>
0b24b2d3c423560a0a4cd9a4476b9a2dcafb7ea3Evan Hunt <refentrytitle><application>dnssec-signzone</application></refentrytitle>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <refnamediv>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <refname><application>dnssec-signzone</application></refname>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </refnamediv>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </copyright>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </copyright>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <refsynopsisdiv>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <cmdsynopsis>
0b24b2d3c423560a0a4cd9a4476b9a2dcafb7ea3Evan Hunt <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
0b24b2d3c423560a0a4cd9a4476b9a2dcafb7ea3Evan Hunt <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <arg><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <arg><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
0b24b2d3c423560a0a4cd9a4476b9a2dcafb7ea3Evan Hunt <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
0b24b2d3c423560a0a4cd9a4476b9a2dcafb7ea3Evan Hunt <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </cmdsynopsis>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </refsynopsisdiv>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt signs a zone. It generates
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt NSEC and RRSIG records and produces a signed version of the
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt zone. The security status of delegations from the signed zone
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt (that is, whether the child zones are secure or not) is
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt determined by the presence or absence of a
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <filename>keyset</filename> file for each child zone.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Verify all generated signatures.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-c <replaceable class="parameter">class</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Specifies the DNS class of the zone.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Compatibility mode: Generate a
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <filename>keyset-<replaceable>zonename</replaceable></filename>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt file in addition to
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <filename>dsset-<replaceable>zonename</replaceable></filename>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt when signing a zone, for use by older versions of
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-d <replaceable class="parameter">directory</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <filename>keyset-</filename> files in <option>directory</option>.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Output only those record types automatically managed by
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <command>dnssec-signzone</command>, i.e. RRSIG, NSEC,
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt NSEC3 and NSEC3PARAM records. If smart signing
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt (<option>-S</option>) is used, DNSKEY records are also
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt included. The resulting file can be included in the original
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt zone file with <command>$INCLUDE</command>. This option
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <option>-O map</option>, or serial number updating.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-E <replaceable class="parameter">engine</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt When applicable, specifies the hardware to use for
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt cryptographic operations, such as a secure key store used
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt for signing.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt When BIND is built with OpenSSL PKCS#11 support, this defaults
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt to the string "pkcs11", which identifies an OpenSSL engine
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt that can drive a cryptographic accelerator or hardware service
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt module. When BIND is built with native PKCS#11 cryptography
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt (--enable-native-pkcs11), it defaults to the path of the PKCS#11
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt provider library specified via "--with-pkcs11".
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Generate DS records for child zones from
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <filename>dsset-</filename> or <filename>keyset-</filename>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt files. Existing DS records will be removed.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-K <replaceable class="parameter">directory</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Key repository: Specify a directory to search for DNSSEC keys.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt If not specified, defaults to the current directory.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-k <replaceable class="parameter">key</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Treat the specified key as a key-signing key, ignoring any
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt key flags. This option may be specified multiple times.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-l <replaceable class="parameter">domain</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Generate a DLV set in addition to the key (DNSKEY) and DS sets.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt The domain is appended to the name of the records.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-s <replaceable class="parameter">start-time</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Specify the date and time when the generated RRSIG records
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt become valid. This can be either an absolute or relative
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt time. An absolute start time is indicated by a number
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt in YYYYMMDDHHMMSS notation; 20000530144500 denotes
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt 14:45:00 UTC on May 30th, 2000. A relative start time is
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt indicated by +N, which is N seconds from the current time.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt If no <option>start-time</option> is specified, the current
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt time minus 1 hour (to allow for clock skew) is used.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-e <replaceable class="parameter">end-time</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Specify the date and time when the generated RRSIG records
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt expire. As with <option>start-time</option>, an absolute
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt time is indicated in YYYYMMDDHHMMSS notation. A time relative
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt to the start time is indicated with +N, which is N seconds from
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt the start time. A time relative to the current time is
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt indicated with now+N. If no <option>end-time</option> is
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt specified, 30 days from the start time is used as a default.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-X <replaceable class="parameter">extended end-time</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Specify the date and time when the generated RRSIG records
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt for the DNSKEY RRset will expire. This is to be used in cases
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt when the DNSKEY signatures need to persist longer than
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt signatures on other records; e.g., when the private component
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt of the KSK is kept offline and the KSK signature is to be
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt refreshed manually.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt time is indicated in YYYYMMDDHHMMSS notation. A time relative
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt to the start time is indicated with +N, which is N seconds from
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt the start time. A time relative to the current time is
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt indicated with now+N. If no <option>extended end-time</option> is
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt specified, the value of <option>end-time</option> is used as
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt the default. (<option>end-time</option>, in turn, defaults to
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt 30 days from the start time.) <option>extended end-time</option>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-f <replaceable class="parameter">output-file</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt The name of the output file containing the signed zone. The
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt default is to append <filename>.signed</filename> to
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt the input filename. If <option>output-file</option> is
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt set to <literal>"-"</literal>, then the signed zone is
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt written to the standard output, with a default output
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt format of "full".
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Prints a short summary of the options and arguments to
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-i <replaceable class="parameter">interval</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt When a previously-signed zone is passed as input, records
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt may be re-signed. The <option>interval</option> option
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt specifies the cycle interval as an offset from the current
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt time (in seconds). If an RRSIG record expires after the
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt cycle interval, it is retained. Otherwise, it is considered
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt to be expiring soon, and it will be replaced.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt The default cycle interval is one quarter of the difference
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt between the signature end and start times. So if neither
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <option>end-time</option> nor <option>start-time</option>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt signatures that are valid for 30 days, with a cycle
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt interval of 7.5 days. Therefore, if any existing RRSIG records
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt are due to expire in less than 7.5 days, they would be
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-I <replaceable class="parameter">input-format</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt The format of the input zone file.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Possible formats are <command>"text"</command> (default),
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <command>"raw"</command>, and <command>"map"</command>.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt This option is primarily intended to be used for dynamic
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt signed zones so that the dumped zone file in a non-text
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt format containing updates can be signed directly.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt The use of this option does not make much sense for
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt non-dynamic zones.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-j <replaceable class="parameter">jitter</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt When signing a zone with a fixed signature lifetime, all
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt RRSIG records issued at the time of signing expire
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt simultaneously. If the zone is incrementally signed, i.e.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt a previously-signed zone is passed as input to the signer,
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt all expired signatures have to be regenerated at about the
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt same time. The <option>jitter</option> option specifies a
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt jitter window that will be used to randomize the signature
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt expire time, thus spreading incremental signature
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt regeneration over time.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Signature lifetime jitter also benefits, to some extent,
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt validators and servers by spreading out cache expiration,
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt i.e. if large numbers of RRSIGs don't expire at the same time
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt from all caches there will be less congestion than if all
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt validators need to refetch at mostly the same time.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-L <replaceable class="parameter">serial</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt When writing a signed zone to "raw" or "map" format, set the
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt "source serial" value in the header to the specified serial
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt number. (This is expected to be used primarily for testing
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-n <replaceable class="parameter">ncpus</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Specifies the number of threads to use. By default, one
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt thread is started for each detected CPU.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt The SOA serial number format of the signed zone.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Possible formats are <command>"keep"</command> (default),
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <variablelist>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <para>Increment the SOA serial number using RFC 1982
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt arithmetic.</para>
0b24b2d3c423560a0a4cd9a4476b9a2dcafb7ea3Evan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
0b24b2d3c423560a0a4cd9a4476b9a2dcafb7ea3Evan Hunt <para>Set the SOA serial number to the number of seconds
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt since epoch.</para>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </variablelist>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-o <replaceable class="parameter">origin</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt The zone origin. If not specified, the name of the zone file
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt is assumed to be the origin.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <term>-O <replaceable class="parameter">output-format</replaceable></term>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt The format of the output file containing the signed zone.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Possible formats are <command>"text"</command> (default),
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt which is the standard textual representation of the zone;
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <command>"full"</command>, which is text output in a
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt format suitable for processing by external scripts;
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt and <command>"map"</command>, <command>"raw"</command>,
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt and <command>"raw=N"</command>, which store the zone in
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt binary formats for rapid loading by <command>named</command>.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <command>"raw=N"</command> specifies the format version of
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt the raw zone file: if N is 0, the raw file can be read by
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt any version of <command>named</command>; if N is 1, the file
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt can be read by release 9.9.0 or higher; the default is 1.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Use pseudo-random data when signing the zone. This is faster,
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt but less secure, than using real random data. This option
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt may be useful when signing large zones or when the entropy
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt source is limited.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Disable post-sign verification tests.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt The post-sign verification test ensures that for each algorithm
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt in use there is at least one non-revoked, self-signed KSK key,
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt that all revoked KSK keys are self-signed, and that all records
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt in the zone are signed by the algorithm.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt This option skips these tests.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt </varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt <varlistentry>
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Remove signatures from keys that are no longer active.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt Normally, when a previously-signed zone is passed as input
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt to the signer, and a DNSKEY record has been removed and
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt replaced with a new one, signatures from the old key
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt that are still within their validity period are retained.
01967d183990e44752fe61f193dab9c04c3afd9cEvan Hunt This allows the zone to continue to validate with cached
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt copies of the old DNSKEY RRset. The <option>-Q</option>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt forces <command>dnssec-signzone</command> to remove
Kexample.com.+003+17247