43b4c41fbb07705c9df321221ab9cb9832460407Christian Maeder<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
c63ebf815c8a874525cf18670ad74847f7fc7b26Christian Maeder "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder [<!ENTITY mdash "—">]>
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder - Copyright (C) 2004-2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC")
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder - Copyright (C) 2000-2003 Internet Software Consortium.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder - Permission to use, copy, modify, and/or distribute this software for any
43b4c41fbb07705c9df321221ab9cb9832460407Christian Maeder - purpose with or without fee is hereby granted, provided that the above
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder - copyright notice and this permission notice appear in all copies.
f2f9df2e17e70674f0bf426ed1763c973ee4cde0Christian Maeder - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
c9a7e6af169a2adfb92f42331cd578065ed83a2bChristian Maeder - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
c9a7e6af169a2adfb92f42331cd578065ed83a2bChristian Maeder - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
e7757995211bd395dc79d26fe017d99375f7d2a6Christian Maeder - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
e7757995211bd395dc79d26fe017d99375f7d2a6Christian Maeder - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder - PERFORMANCE OF THIS SOFTWARE.
404166b9366552e9ec5abb87a37c76ec8a815fb7Klaus Luettich<!-- $Id: dnssec-signzone.docbook,v 1.52 2011/12/22 07:32:40 each Exp $ -->
ad270004874ce1d0697fb30d7309f180553bb315Christian Maeder <refentryinfo>
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder </refentryinfo>
ef9e8535c168d3f774d9e74368a2317a9eda5826Christian Maeder <refentrytitle><application>dnssec-signzone</application></refentrytitle>
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder <refname><application>dnssec-signzone</application></refname>
3dde4051c307b609159a097f08a05108fdd036efJonathan von Schroeder <refpurpose>DNSSEC zone signing tool</refpurpose>
8b767d09a78927b111f5596fdff9ca7d2c1a439fChristian Maeder <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
4b4a0b61b72cf8478a5d4d5002bca9f699401363Christian Maeder <holder>Internet Software Consortium.</holder>
8cacad2a09782249243b80985f28e9387019fe40Christian Maeder <refsynopsisdiv>
6a2dad705deefd1b7a7e09b84fd2d75f2213be47Christian Maeder <cmdsynopsis>
014dc30f64ec25e4790cca987d4d1e6635430510Christian Maeder <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
f04e8f3ff56405901be968fd4c6e9769239f1a9bKlaus Luettich <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
4ba08bfca0cc8d9da65397b8dfd2654fdb4c0e62Christian Maeder <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
feca1d35123d8c31aee238c9ce79947b0bf65494Christian Maeder <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
431d34c7007a787331c4e5ec997badb0f8190fc7Christian Maeder <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
db675e8302ddb0d6528088ce68f5e98a00e890e3Christian Maeder <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
f1541d4a151dbd08002dbd14e7eb1d5dde253689Christian Maeder <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
6dc9bc98d0854fe2e3dd3bfc4275096a0c28ee1cChristian Maeder <arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
6dc9bc98d0854fe2e3dd3bfc4275096a0c28ee1cChristian Maeder <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
6dc9bc98d0854fe2e3dd3bfc4275096a0c28ee1cChristian Maeder <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
23ffcc44ca8612feccbd8fda63fa5be7ab5f9dc3Christian Maeder <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
c0c2380bced8159ff0297ece14eba948bd236471Christian Maeder <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
9e748851c150e1022fb952bab3315e869aaf0214Christian Maeder <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
a3c6d8e0670bf2aa71bc8e2a3b1f45d56dd65e4cChristian Maeder <arg><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder <arg><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
4017ebc0f692820736d796af3110c3b3018c108aChristian Maeder <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder </cmdsynopsis>
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder </refsynopsisdiv>
d946c1bfdd7d58aa7c023efe864d5999eb44a61bChristian Maeder signs a zone. It generates
d946c1bfdd7d58aa7c023efe864d5999eb44a61bChristian Maeder NSEC and RRSIG records and produces a signed version of the
d946c1bfdd7d58aa7c023efe864d5999eb44a61bChristian Maeder zone. The security status of delegations from the signed zone
d946c1bfdd7d58aa7c023efe864d5999eb44a61bChristian Maeder (that is, whether the child zones are secure or not) is
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder determined by the presence or absence of a
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder <filename>keyset</filename> file for each child zone.
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder <variablelist>
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder <varlistentry>
6dc9bc98d0854fe2e3dd3bfc4275096a0c28ee1cChristian Maeder Verify all generated signatures.
363939beade943a02b31004cea09dec34fa8a6d9Christian Maeder </varlistentry>
e4f4d096e5e6d60dd91c746d0e833d0ac7a29c50Christian Maeder <varlistentry>
eb74267cf39e4e95f9eeb5c765f4c8dac33971b4Christian Maeder <term>-c <replaceable class="parameter">class</replaceable></term>
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder Specifies the DNS class of the zone.
8d178ae08a52d61379e6b8074f61646499bc88bbChristian Maeder </varlistentry>
6cd33d6101fb1b93baa6d86fac158af18a115108Christian Maeder <varlistentry>
6cd33d6101fb1b93baa6d86fac158af18a115108Christian Maeder Compatibility mode: Generate a
b2ac5a92cf36382e8deea5661c1964566caf72b3Christian Maeder <filename>keyset-<replaceable>zonename</replaceable></filename>
ea5432ff6f61c64469b11d9352b23fef4ff152e8Christian Maeder file in addition to
b2ac5a92cf36382e8deea5661c1964566caf72b3Christian Maeder <filename>dsset-<replaceable>zonename</replaceable></filename>
b2ac5a92cf36382e8deea5661c1964566caf72b3Christian Maeder when signing a zone, for use by older versions of
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder </varlistentry>
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder <varlistentry>
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder <term>-d <replaceable class="parameter">directory</replaceable></term>
f1a913f880e409e7327b5deae95738b5448379a1Christian Maeder <filename>keyset-</filename> files in <option>directory</option>.
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder </varlistentry>
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder <varlistentry>
93f5b72fdb9ee734caa750b43dd79bbb590dcd73Christian Maeder Output only those record types automatically managed by
328a85c807f2a95c3f147d10b05927eaf862ebebChristian Maeder <command>dnssec-signzone</command>, i.e. RRSIG, NSEC,
8fb127028cb7dd361e348a3252e33487f73428bcJonathan von Schroeder NSEC3 and NSEC3PARAM records. If smart signing
06dd4e7c29f33f6122a910719e3bd9062256e397Andy Gimblett (<option>-S</option>) is used, DNSKEY records are also
254df6f22d01eacf7c57b85729e0445747b630d9Christian Maeder included. The resulting file can be included in the original
4ba08bfca0cc8d9da65397b8dfd2654fdb4c0e62Christian Maeder zone file with <command>$INCLUDE</command>. This option
bff4b3f816be4c1e1d8ded76f1d5af786839e1a9Christian Maeder cannot be combined with <option>-O raw</option>,
5b818f10e11fc79def1fdd5c8a080d64a6438d87Christian Maeder <option>-O map</option>, or serial number updating.
819e29dba060687cf391e444e0f6ff88c1908cc3Christian Maeder </varlistentry>
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder <varlistentry>
140287998aa8592c9c403bd9e308e447ba92ae11Christian Maeder <term>-E <replaceable class="parameter">engine</replaceable></term>
aded505f9b42cc38975559c2a5d175ae95de436bChristian Maeder When applicable, specifies the hardware to use for
3554301a34639efb6c9961a8571775d0061284c9Christian Maeder cryptographic operations, such as a secure key store used
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder When BIND is built with OpenSSL PKCS#11 support, this defaults
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder to the string "pkcs11", which identifies an OpenSSL engine
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder that can drive a cryptographic accelerator or hardware service
383aa66e5142365fe9b1f88b18c1da5b27cc8c04Christian Maeder module. When BIND is built with native PKCS#11 cryptography
383aa66e5142365fe9b1f88b18c1da5b27cc8c04Christian Maeder (--enable-native-pkcs11), it defaults to the path of the PKCS#11
383aa66e5142365fe9b1f88b18c1da5b27cc8c04Christian Maeder provider library specified via "--with-pkcs11".
3554301a34639efb6c9961a8571775d0061284c9Christian Maeder </varlistentry>
aded505f9b42cc38975559c2a5d175ae95de436bChristian Maeder <varlistentry>
aded505f9b42cc38975559c2a5d175ae95de436bChristian Maeder Generate DS records for child zones from
aded505f9b42cc38975559c2a5d175ae95de436bChristian Maeder <filename>dsset-</filename> or <filename>keyset-</filename>
383aa66e5142365fe9b1f88b18c1da5b27cc8c04Christian Maeder file. Existing DS records will be removed.
a14767aeac3e78ed100f5b75e210ba563ee10dbaChristian Maeder </varlistentry>
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder <varlistentry>
3554301a34639efb6c9961a8571775d0061284c9Christian Maeder <term>-K <replaceable class="parameter">directory</replaceable></term>
54ea981a0503c396c2923a1c06421c6235baf27fChristian Maeder Key repository: Specify a directory to search for DNSSEC keys.
54ea981a0503c396c2923a1c06421c6235baf27fChristian Maeder If not specified, defaults to the current directory.
697e63e30aa3c309a1ef1f9357745111f8dfc5a9Christian Maeder </varlistentry>
aded505f9b42cc38975559c2a5d175ae95de436bChristian Maeder <varlistentry>
f9e0b18852b238ddb649d341194e05d7200d1bbeChristian Maeder <term>-k <replaceable class="parameter">key</replaceable></term>
819e29dba060687cf391e444e0f6ff88c1908cc3Christian Maeder Treat the specified key as a key-signing key, ignoring any
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder key flags. This option may be specified multiple times.
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder </varlistentry>
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder <varlistentry>
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder <term>-l <replaceable class="parameter">domain</replaceable></term>
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder Generate a DLV set in addition to the key (DNSKEY) and DS sets.
aded505f9b42cc38975559c2a5d175ae95de436bChristian Maeder The domain is appended to the name of the records.
ac34194a668399bb8ef238da77c3a09e93fb253bChristian Maeder </varlistentry>
aded505f9b42cc38975559c2a5d175ae95de436bChristian Maeder <varlistentry>
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder <term>-s <replaceable class="parameter">start-time</replaceable></term>
c208973c890b8f993297720fd0247bc7481d4304Christian Maeder Specify the date and time when the generated RRSIG records
0d0278c34a374b29c2d6c58b39b8b56e283d48e8Christian Maeder become valid. This can be either an absolute or relative
0d0278c34a374b29c2d6c58b39b8b56e283d48e8Christian Maeder time. An absolute start time is indicated by a number
0d0278c34a374b29c2d6c58b39b8b56e283d48e8Christian Maeder in YYYYMMDDHHMMSS notation; 20000530144500 denotes
1842453990fed8a1bd7a5ac792d7982c1d2bfcd5Christian Maeder 14:45:00 UTC on May 30th, 2000. A relative start time is
0d0278c34a374b29c2d6c58b39b8b56e283d48e8Christian Maeder indicated by +N, which is N seconds from the current time.
1842453990fed8a1bd7a5ac792d7982c1d2bfcd5Christian Maeder If no <option>start-time</option> is specified, the current
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder time minus 1 hour (to allow for clock skew) is used.
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder </varlistentry>
01e278bdd7dce13b9303ed3d79683d83c89d09f9Liam O'Reilly <varlistentry>
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder <term>-e <replaceable class="parameter">end-time</replaceable></term>
8c812cd83569e973f10cf69a342424ceabc07af9Christian Maeder Specify the date and time when the generated RRSIG records
8c812cd83569e973f10cf69a342424ceabc07af9Christian Maeder expire. As with <option>start-time</option>, an absolute
1535e1d8c82db5f7e2402261983c4c2ef39f4f39Mihai Codescu time is indicated in YYYYMMDDHHMMSS notation. A time relative
31d6d9286988dc31639d105841296759aeb743e0Jonathan von Schroeder to the start time is indicated with +N, which is N seconds from
1535e1d8c82db5f7e2402261983c4c2ef39f4f39Mihai Codescu the start time. A time relative to the current time is
7a3fe82695aa32657693e05712f84d7f81672f2eJonathan von Schroeder indicated with now+N. If no <option>end-time</option> is
7a3fe82695aa32657693e05712f84d7f81672f2eJonathan von Schroeder specified, 30 days from the start time is used as a default.
7a3fe82695aa32657693e05712f84d7f81672f2eJonathan von Schroeder <option>end-time</option> must be later than
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder </varlistentry>
81f49ee02aaa3bc870401f8883bf52742eb3ea7aJonathan von Schroeder <term>-X <replaceable class="parameter">extended end-time</replaceable></term>
d54cd08a4cfa26256c38d8ed12c343adbfe1a0e3Christian Maeder Specify the date and time when the generated RRSIG records
3b06e23643a9f65390cb8c1caabe83fa7e87a708Till Mossakowski for the DNSKEY RRset will expire. This is to be used in cases
b1f59a4ea7c96f4c03a4d7cfcb9c5e66871cfbbbChristian Maeder when the DNSKEY signatures need to persist longer than
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder signatures on other records; e.g., when the private component
8c812cd83569e973f10cf69a342424ceabc07af9Christian Maeder of the KSK is kept offline and the KSK signature is to be
0b349288edfa50fdf38fda1a14e1562d03f92574Christian Maeder refreshed manually.
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder As with <option>start-time</option>, an absolute
1b3a2f98d1cd01fc9e0591f69507e20526727559Dominik Luecke time is indicated in YYYYMMDDHHMMSS notation. A time relative
f04e8f3ff56405901be968fd4c6e9769239f1a9bKlaus Luettich to the start time is indicated with +N, which is N seconds from
e39a1626bee36d6ad13a2c0014a80ef179a65bcbChristian Maeder the start time. A time relative to the current time is
f8e1a1eca871a26a535a4ee7d51902ba94b1db1eChristian Maeder indicated with now+N. If no <option>extended end-time</option> is
ea3bff3e547a1ac714d4db39c5efef95e02b2e7dChristian Maeder specified, the value of <option>end-time</option> is used as
dd6f22b9dcff2695181b86372e4df03d5b96e92dKristina Sojakova the default. (<option>end-time</option>, in turn, defaults to
005e0f0c6b0cc898003b03801158c208f3071fc5Kristina Sojakova 30 days from the start time.) <option>extended end-time</option>
abf2487c3aece95c371ea89ac64319370dcb6483Klaus Luettich must be later than <option>start-time</option>.
23b4e542dca35852f58d1fb3f7d9078c1de5ab06Christian Maeder </varlistentry>
74a992bd019d3319df2f21f9d358ff06cafb5f7eMihaela Turcu <varlistentry>
8a78868bae2ec6838c87366c35c57e109154c51eChristian Maeder <term>-f <replaceable class="parameter">output-file</replaceable></term>
c2e192ace9ef7cfb0e59563f1b24477b2b65cff3Dominik Dietrich The name of the output file containing the signed zone. The
6b75c206b317eb30a08d88a8f27e0295ffeb1546Christian Maeder default is to append <filename>.signed</filename> to
9a4b469ca0a7f44a598e551a973c75195207db58Eugen Kuksa the input filename. If <option>output-file</option> is
48aa0645e25883048369afc02aac3f49b14a50daChristian Maeder set to <literal>"-"</literal>, then the signed zone is
01645eac73dbc789392674930adc5745c935f3a0Christian Maeder written to the standard output, with a default output
01645eac73dbc789392674930adc5745c935f3a0Christian Maeder format of "full".
3a9fce5398f4621558ca220c66c87cee59adc258Jonathan von Schroeder </varlistentry>
0a03acf9fa28e6ff00f4d7c9c6acbae64cf09c56Ewaryst Schulz <varlistentry>
308834907a120fd8771e18292ed2ca9cd767c12dChristian Maeder Prints a short summary of the options and arguments to
bab2d88d650448628730ed3b65c9f99c52500e8cChristian Maeder </varlistentry>
4b4a0b61b72cf8478a5d4d5002bca9f699401363Christian Maeder <varlistentry>
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder <term>-i <replaceable class="parameter">interval</replaceable></term>
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder When a previously-signed zone is passed as input, records
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder may be re-signed. The <option>interval</option> option
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder specifies the cycle interval as an offset from the current
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder time (in seconds). If a RRSIG record expires after the
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder cycle interval, it is retained. Otherwise, it is considered
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder to be expiring soon, and it will be replaced.
7a3fe82695aa32657693e05712f84d7f81672f2eJonathan von Schroeder The default cycle interval is one quarter of the difference
7a3fe82695aa32657693e05712f84d7f81672f2eJonathan von Schroeder between the signature end and start times. So if neither
1535e1d8c82db5f7e2402261983c4c2ef39f4f39Mihai Codescu <option>end-time</option> nor <option>start-time</option>
1535e1d8c82db5f7e2402261983c4c2ef39f4f39Mihai Codescu is specified, <command>dnssec-signzone</command>
1535e1d8c82db5f7e2402261983c4c2ef39f4f39Mihai Codescu signatures that are valid for 30 days, with a cycle
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder interval of 7.5 days. Therefore, if any existing RRSIG records
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder are due to expire in less than 7.5 days, they would be
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder </varlistentry>
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder <varlistentry>
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder <term>-I <replaceable class="parameter">input-format</replaceable></term>
81f49ee02aaa3bc870401f8883bf52742eb3ea7aJonathan von Schroeder The format of the input zone file.
81f49ee02aaa3bc870401f8883bf52742eb3ea7aJonathan von Schroeder Possible formats are <command>"text"</command> (default),
81f49ee02aaa3bc870401f8883bf52742eb3ea7aJonathan von Schroeder <command>"raw"</command>, and <command>"map"</command>.
81f49ee02aaa3bc870401f8883bf52742eb3ea7aJonathan von Schroeder This option is primarily intended to be used for dynamic
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder signed zones so that the dumped zone file in a non-text
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder format containing updates can be signed directly.
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder The use of this option does not make much sense for
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder non-dynamic zones.
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder </varlistentry>
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder <varlistentry>
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder <term>-j <replaceable class="parameter">jitter</replaceable></term>
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder When signing a zone with a fixed signature lifetime, all
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder RRSIG records issued at the time of signing expire
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder simultaneously. If the zone is incrementally signed, i.e.
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder a previously-signed zone is passed as input to the signer,
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder all expired signatures have to be regenerated at about the
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder same time. The <option>jitter</option> option specifies a
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder jitter window that will be used to randomize the signature
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder expire time, thus spreading incremental signature
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder regeneration over time.
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder Signature lifetime jitter also to some extent benefits
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder validators and servers by spreading out cache expiration,
5199920ca3b698b2149c8cb9d2ce2e98a280ff9dChristian Maeder i.e. if large numbers of RRSIGs don't expire at the same time
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder from all caches there will be less congestion than if all
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder validators need to refetch at mostly the same time.
9f85afecbd79b3df5a0bb17bd28cd0b288dc3213Kristina Sojakova </varlistentry>
9f85afecbd79b3df5a0bb17bd28cd0b288dc3213Kristina Sojakova <varlistentry>
79834070d6d3c63a098e570b12fa3405c607dc70Kristina Sojakova <term>-L <replaceable class="parameter">serial</replaceable></term>
23b4e542dca35852f58d1fb3f7d9078c1de5ab06Christian Maeder When writing a signed zone to "raw" or "map" format, set the
23b4e542dca35852f58d1fb3f7d9078c1de5ab06Christian Maeder "source serial" value in the header to the specified serial
23b4e542dca35852f58d1fb3f7d9078c1de5ab06Christian Maeder number. (This is expected to be used primarily for testing
624e6701e0deb7ac6c03c0cba0190fbc5033cf93Ewaryst Schulz </varlistentry>
c2e192ace9ef7cfb0e59563f1b24477b2b65cff3Dominik Dietrich <varlistentry>
7165a916d2fa1bf87c4741ec63b253413eebbf69Karl Luc <term>-n <replaceable class="parameter">ncpus</replaceable></term>
01645eac73dbc789392674930adc5745c935f3a0Christian Maeder Specifies the number of threads to use. By default, one
01645eac73dbc789392674930adc5745c935f3a0Christian Maeder thread is started for each detected CPU.
bff4b3f816be4c1e1d8ded76f1d5af786839e1a9Christian Maeder </varlistentry>
b5da047a9a875dec3f968b6c0df96af326f90fa9Alexis Tsogias <varlistentry>
fc09e0a6af734edbd944dd8082bb51985c233b43Alexis Tsogias <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
0a03acf9fa28e6ff00f4d7c9c6acbae64cf09c56Ewaryst Schulz The SOA serial number format of the signed zone.
0a03acf9fa28e6ff00f4d7c9c6acbae64cf09c56Ewaryst Schulz Possible formats are <command>"keep"</command> (default),
ed1b8e97e72b2e3e92edaf2eb22a4b5373d705f1Felix Gabriel Mance <variablelist>
0a03acf9fa28e6ff00f4d7c9c6acbae64cf09c56Ewaryst Schulz <varlistentry>
4b4a0b61b72cf8478a5d4d5002bca9f699401363Christian Maeder <para>Do not modify the SOA serial number.</para>
c70ef4c3b3a62764f715510c9fd67dde3acfe454Christian Maeder </varlistentry>
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder <varlistentry>
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder <para>Increment the SOA serial number using RFC 1982
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder arithmetic.</para>
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder </varlistentry>
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder <varlistentry>
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder <para>Set the SOA serial number to the number of seconds
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder since epoch.</para>
3e61f574717499939bd8e0ff538ea9e7b72d4e2dKlaus Luettich </varlistentry>
50c3cc2b79207355522c5b096172b3c6b7bec300Christian Maeder </variablelist>
857992065be4ed40a72c6296b6c0aec62ab4c5b9Christian Maeder </varlistentry>
7c99e334446bb97120e30e967baeeddfdd1278deKlaus Luettich <varlistentry>
f5c9b1e739228c2a2edf055ac419583412569683Christian Maeder <term>-o <replaceable class="parameter">origin</replaceable></term>
e7757995211bd395dc79d26fe017d99375f7d2a6Christian Maeder The zone origin. If not specified, the name of the zone file
ac0bbbcb2774629bb87986e69cf53d3402c5f575Christian Maeder is assumed to be the origin.
fa21fba9ceb1ddf7b3efd54731a12ed8750191d8Christian Maeder </varlistentry>
e7757995211bd395dc79d26fe017d99375f7d2a6Christian Maeder <varlistentry>
0c355dd0b739631ee472f9a656e266be27fa4e64Christian Maeder <term>-O <replaceable class="parameter">output-format</replaceable></term>
c7ec85d1103173e089aa5048fd7afb2f9b505124Klaus Luettich The format of the output file containing the signed zone.
c7ec85d1103173e089aa5048fd7afb2f9b505124Klaus Luettich Possible formats are <command>"text"</command> (default),
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder which is the standard textual representation of the zone;
c7ec85d1103173e089aa5048fd7afb2f9b505124Klaus Luettich <command>"full"</command>, which is text output in a
c7ec85d1103173e089aa5048fd7afb2f9b505124Klaus Luettich format suitable for processing by external scripts;
810746aea00b81c1eec27dae84d73a43599ff056Christian Maeder and <command>"map"</command>, <command>"raw"</command>,
a883cd4d01fe39d23219cf5333425f195be24d8bChristian Maeder and <command>"raw=N"</command>, which store the zone in
b905126bab9454b89041f92b3c50bb9efc85e427Klaus Luettich binary formats for rapid loading by <command>named</command>.
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder <command>"raw=N"</command> specifies the format version of
33d042fe6a9eb27a4c48f840b80838f3e7d98e34Christian Maeder the raw zone file: if N is 0, the raw file can be read by
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder any version of <command>named</command>; if N is 1, the file
0a5571c8adeddd27548445546491725beb224dddChristian Maeder can be read by release 9.9.0 or higher; the default is 1.
0a5571c8adeddd27548445546491725beb224dddChristian Maeder </varlistentry>
f38b3687c5558128515e34fb85d8b466d22dc300Christian Maeder <varlistentry>
e642ad0e782f9bb9ba310164358220402eec8cd8Christian Maeder Use pseudo-random data when signing the zone. This is faster,
f38b3687c5558128515e34fb85d8b466d22dc300Christian Maeder but less secure, than using real random data. This option
f38b3687c5558128515e34fb85d8b466d22dc300Christian Maeder may be useful when signing large zones or when the entropy
db3016fbc6065fc0d57e68c28ae280e6ac95a39aChristian Maeder source is limited.
ac0bbbcb2774629bb87986e69cf53d3402c5f575Christian Maeder </varlistentry>
e05fd774e0181e93963d4302303b20698603a505Christian Maeder <varlistentry>
825a1e4ca1e768de4b4883c65a6cb1dce6aa0002Christian Maeder Disable post-sign verification tests.
3dde4051c307b609159a097f08a05108fdd036efJonathan von Schroeder The post-sign verification test ensures that for each algorithm
3dde4051c307b609159a097f08a05108fdd036efJonathan von Schroeder in use there is at least one non-revoked, self-signed KSK key,
3dde4051c307b609159a097f08a05108fdd036efJonathan von Schroeder that all revoked KSK keys are self-signed, and that all records
3dde4051c307b609159a097f08a05108fdd036efJonathan von Schroeder in the zone are signed by that algorithm.
aebb0b18fe5e6ba7dd7e4c66a16a905611ef7ba9Christian Maeder This option skips these tests.
e05fd774e0181e93963d4302303b20698603a505Christian Maeder </varlistentry>
1dfba1f850f6a43094962b459998d1ea11472461Christian Maeder <varlistentry>
b64e673e77d2e02c8cd1625ddbd4ea5a97fd5ce3Christian Maeder Remove signatures from keys that are no longer active.
fa0f3519d71f719d88577b716b1579776b4a2535Christian Maeder Normally, when a previously-signed zone is passed as input
99afa6000472f3d291fdf9193ea19d334a58658dChristian Maeder to the signer, and a DNSKEY record has been removed and
5bb7eeaca10ea76595229375f907a5a388b7c882Christian Maeder replaced with a new one, signatures from the old key
5bb7eeaca10ea76595229375f907a5a388b7c882Christian Maeder that are still within their validity period are retained.
5bb7eeaca10ea76595229375f907a5a388b7c882Christian Maeder This allows the zone to continue to validate with cached
c59d1c38ef94b4fb1c8d9fda9573bc1e1d2801e7Christian Maeder copies of the old DNSKEY RRset. The <option>-Q</option>
cd36bffee51c77cdadcb9f916b34fa512e311946Christian Maeder forces <command>dnssec-signzone</command> to remove
99afa6000472f3d291fdf9193ea19d334a58658dChristian Maeder signatures from keys that are no longer active. This
ac0bbbcb2774629bb87986e69cf53d3402c5f575Christian Maeder enables ZSK rollover using the procedure described in
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
3e61f574717499939bd8e0ff538ea9e7b72d4e2dKlaus Luettich </varlistentry>
3e61f574717499939bd8e0ff538ea9e7b72d4e2dKlaus Luettich <varlistentry>
3e61f574717499939bd8e0ff538ea9e7b72d4e2dKlaus Luettich Remove signatures from keys that are no longer published.
3e61f574717499939bd8e0ff538ea9e7b72d4e2dKlaus Luettich This option is similar to <option>-Q</option>, except it
3e61f574717499939bd8e0ff538ea9e7b72d4e2dKlaus Luettich forces <command>dnssec-signzone</command> to remove signatures from
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder keys that are no longer published. This enables ZSK rollover
e7757995211bd395dc79d26fe017d99375f7d2a6Christian Maeder using the procedure described in RFC 4641, section 4.2.1.2
810746aea00b81c1eec27dae84d73a43599ff056Christian Maeder ("Double Signature Zone Signing Key Rollover").
1365c420ef71be3d52796ebd369dc2defdedc822Christian Maeder </varlistentry>
a80c28bb8b7a23ccdf7e08d0fe216fc19cc97273Klaus Luettich <varlistentry>
82e29b77f0ef4cccd7ed734692c5e1e93dbbc645Christian Maeder <term>-r <replaceable class="parameter">randomdev</replaceable></term>
5f0e3e4cb7dd31033c9682cafa712d2a66b2f3bcChristian Maeder Specifies the source of randomness. If the operating
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder system does not provide a <filename>/dev/random</filename>
b9625461755578f3eed04676d42a63fd2caebd0cChristian Maeder or equivalent device, the default source of randomness
e7757995211bd395dc79d26fe017d99375f7d2a6Christian Maeder is keyboard input. <filename>randomdev</filename>
d0652648f9879c67a194f8b03baafe2700c68eb4Christian Maeder specifies the name of a character device or file containing random
363939beade943a02b31004cea09dec34fa8a6d9Christian Maeder data to be used instead of the default. The special value
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder <filename>keyboard</filename> indicates that keyboard
b1f59a4ea7c96f4c03a4d7cfcb9c5e66871cfbbbChristian Maeder input should be used.
4ba08bfca0cc8d9da65397b8dfd2654fdb4c0e62Christian Maeder </varlistentry>
4ba08bfca0cc8d9da65397b8dfd2654fdb4c0e62Christian Maeder <varlistentry>
1365c420ef71be3d52796ebd369dc2defdedc822Christian Maeder Smart signing: Instructs <command>dnssec-signzone</command> to
308834907a120fd8771e18292ed2ca9cd767c12dChristian Maeder search the key repository for keys that match the zone being
308834907a120fd8771e18292ed2ca9cd767c12dChristian Maeder signed, and to include them in the zone if appropriate.
36f63902db2b3463faa9f59912ad106e2d5aaa24Klaus Luettich When a key is found, its timing metadata is examined to
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder determine how it should be used, according to the following
e420b3848a0e15a9e074b08c413996cbeb5ab06dChristian Maeder rules. Each successive rule takes priority over the prior one:
cc07a598b995acc9436651e66fd18009509047efChristian Maeder <variablelist>
cc07a598b995acc9436651e66fd18009509047efChristian Maeder <varlistentry>
3e61f574717499939bd8e0ff538ea9e7b72d4e2dKlaus Luettich If no timing metadata has been set for the key, the key is
4ba08bfca0cc8d9da65397b8dfd2654fdb4c0e62Christian Maeder published in the zone and used to sign the zone.
2c619a4dfdc1df27573eba98e81ed1ace906941dChristian Maeder </varlistentry>
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder <varlistentry>
e284004f10a315dbdb624c8b2522f65d485eaa48Martin Kühl If the key's publication date is set and is in the past, the
e284004f10a315dbdb624c8b2522f65d485eaa48Martin Kühl key is published in the zone.
50515239e7e190f4a34ca581dd685d002148fbddChristian Maeder </varlistentry>
0b349288edfa50fdf38fda1a14e1562d03f92574Christian Maeder <varlistentry>
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder If the key's activation date is set and in the past, the
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder key is published (regardless of publication date) and
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder used to sign the zone.
8b4c68db8b465107cabef8b9cd5b6bc216e1b156Till Mossakowski </varlistentry>
8b4c68db8b465107cabef8b9cd5b6bc216e1b156Till Mossakowski <varlistentry>
bcaf979d9babe6346aa343687aa7d596e2894cccPaolo Torrini If the key's revocation date is set and in the past, and the
5ce19352a9cc47d982819cc889a71cd0a61ac171Christian Maeder key is published, then the key is revoked, and the revoked key
5ce19352a9cc47d982819cc889a71cd0a61ac171Christian Maeder is used to sign the zone.
23ab8855c58adfbd03a0730584b917b24c603901Christian Maeder </varlistentry>
23ab8855c58adfbd03a0730584b917b24c603901Christian Maeder <varlistentry>
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder If either the key's unpublication or deletion date is set
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder and in the past, the key is NOT published or used to sign the
431d34c7007a787331c4e5ec997badb0f8190fc7Christian Maeder zone, regardless of any other metadata.
99afa6000472f3d291fdf9193ea19d334a58658dChristian Maeder </varlistentry>
50c3cc2b79207355522c5b096172b3c6b7bec300Christian Maeder </variablelist>
24ddb6d7cde9dd6ab04b8631b1b0104e0861ec5fChristian Maeder </varlistentry>
88318aafc287e92931dceffbb943d58a9310001dChristian Maeder <varlistentry>
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder <term>-T <replaceable class="parameter">ttl</replaceable></term>
9096f6c6aaded6cd8288656ceccd4c7b3bd0747eChristian Maeder Specifies a TTL to be used for new DNSKEY records imported
9096f6c6aaded6cd8288656ceccd4c7b3bd0747eChristian Maeder into the zone from the key repository. If not
e112e83352048f3db8c8f93ae104193e7338c10fChristian Maeder specified, the default is the TTL value from the zone's SOA
e112e83352048f3db8c8f93ae104193e7338c10fChristian Maeder record. This option is ignored when signing without
e62d49c0dc2893da75faad896bd135e2e9a7087bKlaus Luettich <option>-S</option>, since DNSKEY records are not imported
e62d49c0dc2893da75faad896bd135e2e9a7087bKlaus Luettich from the key repository in that case. It is also ignored if
e62d49c0dc2893da75faad896bd135e2e9a7087bKlaus Luettich there are any pre-existing DNSKEY records at the zone apex,
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder in which case new records' TTL values will be set to match
e112e83352048f3db8c8f93ae104193e7338c10fChristian Maeder them, or if any of the imported DNSKEY records had a default
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder TTL value. In the event of a conflict between TTL values in
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder imported keys, the shortest one is used.
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder </varlistentry>
363939beade943a02b31004cea09dec34fa8a6d9Christian Maeder <varlistentry>
88318aafc287e92931dceffbb943d58a9310001dChristian Maeder Print statistics at completion.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder </varlistentry>
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder <varlistentry>
f4505a64a089693012a3f5c3b1f12a82cd7a2a5aKlaus Luettich Update NSEC/NSEC3 chain when re-signing a previously signed
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder zone. With this option, a zone signed with NSEC can be
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder switched to NSEC3, or a zone signed with NSEC3 can
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder be switched to NSEC or to NSEC3 with different parameters.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder Without this option, <command>dnssec-signzone</command> will
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder retain the existing chain when re-signing.
1a6464613c59e35072b90ca296ae402cbe956144Christian Maeder </varlistentry>
8b767d09a78927b111f5596fdff9ca7d2c1a439fChristian Maeder <varlistentry>
8b767d09a78927b111f5596fdff9ca7d2c1a439fChristian Maeder <term>-v <replaceable class="parameter">level</replaceable></term>
8b767d09a78927b111f5596fdff9ca7d2c1a439fChristian Maeder Sets the debugging level.
f78ce817f35574674d54e30ad1861a9b4ced20caChristian Maeder </varlistentry>
f78ce817f35574674d54e30ad1861a9b4ced20caChristian Maeder <varlistentry>
f78ce817f35574674d54e30ad1861a9b4ced20caChristian Maeder Only sign the DNSKEY RRset with key-signing keys, and omit
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder signatures from zone-signing keys. (This is similar to the
89c9d707aa817684b88036a2dad66c3437840677Heng Jiang <command>dnssec-dnskey-kskonly yes;</command> zone option in <filename>named.conf</filename>.)
f041c9a6bda23de33a38490e35b831ae18d96b45Christian Maeder </varlistentry>
f041c9a6bda23de33a38490e35b831ae18d96b45Christian Maeder <varlistentry>
49d647f58ec5bf482da541eec62f531848c49036Christian Maeder Ignore KSK flag on key when determining what to sign. This
7834a982096d93301a4626f444dd9ea5f9fe17eaChristian Maeder causes KSK-flagged keys to sign all records, not just the
7834a982096d93301a4626f444dd9ea5f9fe17eaChristian Maeder DNSKEY RRset. (This is similar to the
f9442174f64331ccf0bf08178632af7302ccfc96Christian Maeder <command>update-check-ksk no;</command> zone option in <filename>named.conf</filename>.)
53bbc1c9a4e986d1ee9c081d6f0ac7b9546f212bDominik Luecke </varlistentry>
bf7b17b0e19362e9228672782218678cab275d1eDominik Luecke <varlistentry>
bf7b17b0e19362e9228672782218678cab275d1eDominik Luecke <term>-3 <replaceable class="parameter">salt</replaceable></term>
bf7b17b0e19362e9228672782218678cab275d1eDominik Luecke Generate an NSEC3 chain with the given hex encoded salt.
bf7b17b0e19362e9228672782218678cab275d1eDominik Luecke A dash (<replaceable class="parameter">salt</replaceable>) can
75b0c0c2cbfb7edd3f4c0555227aabbe6c1aa195Christian Maeder be used to indicate that no salt is to be used when generating the NSEC3 chain.
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu </varlistentry>
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu <term>-H <replaceable class="parameter">iterations</replaceable></term>
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu When generating an NSEC3 chain, use this many iterations. The
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu </varlistentry>
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu When generating an NSEC3 chain set the OPTOUT flag on all
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu NSEC3 records and do not generate NSEC3 records for insecure delegations.
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu Using this option twice (i.e., <option>-AA</option>)
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu turns the OPTOUT flag off for all records. This is useful
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu when using the <option>-u</option> option to modify an NSEC3
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu chain which previously had OPTOUT set.
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu </varlistentry>
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu The file containing the zone to be signed.
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu </varlistentry>
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu Specify which keys should be used to sign the zone. If
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu no keys are specified, then the zone will be examined
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu for DNSKEY records at the zone apex. If these are found and
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu there are matching private keys in the current directory,
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu then these will be used for signing.
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu </varlistentry>
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu </variablelist>
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu The following command signs the <userinput>example.com</userinput>
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu zone with the DSA key generated by <command>dnssec-keygen</command>
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu (Kexample.com.+003+17247). Because the <command>-S</command> option
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu is not being used, the zone's keys must be in the master file
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu (<filename>db.example.com</filename>). This invocation looks
ae3e4689adbf4de67f4e1cdda6db2c0e406027d0Francisc Nicolae Bungiu for <filename>dsset</filename> files in the current directory,
b446bf54c1dc78690aa12e86aadc49cdd8585847Christian Maeder so that DS records can be imported from them (<command>-g</command>).
3b5814dc6ac813faf8a12ecddf4b727ca7b666a8Francisc Nicolae Bungiu<programlisting>% dnssec-signzone -g -o example.com db.example.com \