dnssec-signzone.docbook revision f3150c99d7a3389eba632844c59b8563fc917e3e
5cd4555ad444fd391002ae32450572054369fd42Rob Austein<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
5cd4555ad444fd391002ae32450572054369fd42Rob Austein "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein [<!ENTITY mdash "—">]>
a6ca100924894cdd8e2b791d75a8cef32b1fba1fTinderbox User - Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC")
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
ec5347e2c775f027573ce5648b910361aa926c01Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - purpose with or without fee is hereby granted, provided that the above
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - copyright notice and this permission notice appear in all copies.
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refentryinfo>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refentryinfo>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refentrytitle><application>dnssec-signzone</application></refentrytitle>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refname><application>dnssec-signzone</application></refname>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refpurpose>DNSSEC zone signing tool</refpurpose>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refnamediv>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </copyright>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refsynopsisdiv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <cmdsynopsis>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <arg><option>-M <replaceable class="parameter">domain</replaceable></option></arg>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman <arg><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </cmdsynopsis>
41eeb37b516d1bac073781b6ec50a39a669987dfEvan Hunt </refsynopsisdiv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington signs a zone. It generates
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington NSEC and RRSIG records and produces a signed version of the
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington zone. The security status of delegations from the signed zone
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington (that is, whether the child zones are secure or not) is
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington determined by the presence or absence of a
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <filename>keyset</filename> file for each child zone.
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews <variablelist>
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Verify all generated signatures.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt <varlistentry>
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt <term>-c <replaceable class="parameter">class</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Specifies the DNS class of the zone.
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Compatibility mode: Generate a
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <filename>keyset-<replaceable>zonename</replaceable></filename>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington file in addition to
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <filename>dsset-<replaceable>zonename</replaceable></filename>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington when signing a zone, for use by older versions of
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt <term>-d <replaceable class="parameter">directory</replaceable></term>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt <filename>keyset-</filename> files in <option>directory</option>.
edad003e630cf9a25db88d95247d10eb96117d66Jeremy C. Reed </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Output only those record types automatically managed by
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <command>dnssec-signzone</command>, i.e. RRSIG, NSEC,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington NSEC3 and NSEC3PARAM records. If smart signing
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington (<option>-S</option>) is used, DNSKEY records are also
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington included. The resulting file can be included in the original
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein zone file with <command>$INCLUDE</command>. This option
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein cannot be combined with <option>-O raw</option>,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <option>-O map</option>, or serial number updating.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
bf45f72ed319628eebce60c368177320943d001fMark Andrews <varlistentry>
bf45f72ed319628eebce60c368177320943d001fMark Andrews <term>-E <replaceable class="parameter">engine</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington When applicable, specifies the hardware to use for
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington cryptographic operations, such as a secure key store used
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt for signing.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt When BIND is built with OpenSSL PKCS#11 support, this defaults
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt to the string "pkcs11", which identifies an OpenSSL engine
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt that can drive a cryptographic accelerator or hardware service
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt module. When BIND is built with native PKCS#11 cryptography
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews (--enable-native-pkcs11), it defaults to the path of the PKCS#11
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews provider library specified via "--with-pkcs11".
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Generate DS records for child zones from
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <filename>dsset-</filename> or <filename>keyset-</filename>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt file. Existing DS records will be removed.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-K <replaceable class="parameter">directory</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Key repository: Specify a directory to search for DNSSEC keys.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington If not specified, defaults to the current directory.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-k <replaceable class="parameter">key</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Treat the specified key as a key signing key, ignoring any
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont key flags. This option may be specified multiple times.
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont </varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <term>-l <replaceable class="parameter">domain</replaceable></term>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt Generate a DLV set in addition to the key (DNSKEY) and DS sets.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt The domain is appended to the name of the records.
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont </varlistentry>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont <varlistentry>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont <term>-M <replaceable class="parameter">maxttl</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Sets the maximum TTL for the signed zone.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Any TTL higher than <replaceable>maxttl</replaceable> in the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein input zone will be reduced to <replaceable>maxttl</replaceable>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt in the output. This provides certainty as to the largest
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein possible TTL in the signed zone, which is useful to know when
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein rolling keys because it is the longest possible time before
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews signatures that have been retrieved by resolvers will expire
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews from resolver caches. Zones that are signed with this
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt option should be configured to use a matching
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <option>max-zone-ttl</option> in <filename>named.conf</filename>.
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt (Note: This option is incompatible with <option>-D</option>,
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt because it modifies non-DNSSEC data in the output zone.)
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt </varlistentry>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <varlistentry>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <term>-s <replaceable class="parameter">start-time</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Specify the date and time when the generated RRSIG records
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein become valid. This can be either an absolute or relative
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein time. An absolute start time is indicated by a number
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein in YYYYMMDDHHMMSS notation; 20000530144500 denotes
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein 14:45:00 UTC on May 30th, 2000. A relative start time is
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein indicated by +N, which is N seconds from the current time.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein If no <option>start-time</option> is specified, the current
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein time minus 1 hour (to allow for clock skew) is used.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-e <replaceable class="parameter">end-time</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Specify the date and time when the generated RRSIG records
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein expire. As with <option>start-time</option>, an absolute
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington time is indicated in YYYYMMDDHHMMSS notation. A time relative
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington to the start time is indicated with +N, which is N seconds from
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt the start time. A time relative to the current time is
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt indicated with now+N. If no <option>end-time</option> is
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt specified, 30 days from the start time is used as a default.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews <varlistentry>
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews <term>-X <replaceable class="parameter">extended end-time</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Specify the date and time when the generated RRSIG records
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein for the DNSKEY RRset will expire. This is to be used in cases
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein when the DNSKEY signatures need to persist longer than
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews signatures on other records; e.g., when the private component
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews of the KSK is kept offline and the KSK signature is to be
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt refreshed manually.
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt time is indicated in YYYYMMDDHHMMSS notation. A time relative
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt to the start time is indicated with +N, which is N seconds from
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt the start time. A time relative to the current time is
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt indicated with now+N. If no <option>extended end-time</option> is
03f979494f5c80e05a72f876914d9d44085fbd6aEvan Hunt specified, the value of <option>end-time</option> is used as
03f979494f5c80e05a72f876914d9d44085fbd6aEvan Hunt the default. (<option>end-time</option>, in turn, defaults to
03f979494f5c80e05a72f876914d9d44085fbd6aEvan Hunt 30 days from the start time.) <option>extended end-time</option>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-f <replaceable class="parameter">output-file</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The name of the output file containing the signed zone. The
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein default is to append <filename>.signed</filename> to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the input filename. If <option>output-file</option> is
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein set to <literal>"-"</literal>, then the signed zone is
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein written to the standard output, with a default output
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein format of "full".
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews </varlistentry>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews <varlistentry>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews Prints a short summary of the options and arguments to
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews </varlistentry>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews <varlistentry>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews Prints version information.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-i <replaceable class="parameter">interval</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein When a previously-signed zone is passed as input, records
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein may be resigned. The <option>interval</option> option
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein specifies the cycle interval as an offset from the current
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein time (in seconds). If a RRSIG record expires after the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein cycle interval, it is retained. Otherwise, it is considered
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein to be expiring soon, and it will be replaced.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The default cycle interval is one quarter of the difference
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington between the signature end and start times. So if neither
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <option>end-time</option> nor <option>start-time</option>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews is specified, <command>dnssec-signzone</command> generates
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews signatures that are valid for 30 days, with a cycle
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews interval of 7.5 days. Therefore, if any existing RRSIG records
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews are due to expire in less than 7.5 days, they would be
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews </varlistentry>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <varlistentry>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <term>-I <replaceable class="parameter">input-format</replaceable></term>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews The format of the input zone file.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Possible formats are <command>"text"</command> (default),
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <command>"raw"</command>, and <command>"map"</command>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein This option is primarily intended to be used for dynamic
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein signed zones so that the dumped zone file in a non-text
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein format containing updates can be signed directly.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The use of this option does not make much sense for
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein non-dynamic zones.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-j <replaceable class="parameter">jitter</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt When signing a zone with a fixed signature lifetime, all
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt RRSIG records issued at the time of signing expire
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt simultaneously. If the zone is incrementally signed, i.e.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt a previously-signed zone is passed as input to the signer,
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt all expired signatures have to be regenerated at about the
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt same time. The <option>jitter</option> option specifies a
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt jitter window that will be used to randomize the signature
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt expire time, thus spreading incremental signature
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt regeneration over time.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Signature lifetime jitter also to some extent benefits
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington validators and servers by spreading out cache expiration,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington i.e. if large numbers of RRSIGs don't expire at the same time
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein from all caches there will be less congestion than if all
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein validators need to refetch at mostly the same time.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-L <replaceable class="parameter">serial</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington When writing a signed zone to "raw" or "map" format, set the
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington "source serial" value in the header to the specified serial
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein number. (This is expected to be used primarily for testing
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman <term>-n <replaceable class="parameter">ncpus</replaceable></term>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman Specifies the number of threads to use. By default, one
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman thread is started for each detected CPU.
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt The SOA serial number format of the signed zone.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Possible formats are <command>"keep"</command> (default),
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <command>"increment"</command>, <command>"unixtime"</command>,
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt <variablelist>
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <para>Increment the SOA serial number using RFC 1982
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt arithmetic.</para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <para>Set the SOA serial number to the number of seconds
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt since epoch.</para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <para>Set the SOA serial number to today's date in
a165a17a81ff3285f4f4d79785fafb465e626183Evan Hunt YYYYMMDDNN format.</para>
a165a17a81ff3285f4f4d79785fafb465e626183Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </variablelist>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-o <replaceable class="parameter">origin</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt The zone origin. If not specified, the name of the zone file
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt is assumed to be the origin.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <term>-O <replaceable class="parameter">output-format</replaceable></term>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt The format of the output file containing the signed zone.
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt Possible formats are <command>"text"</command> (default),
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt which is the standard textual representation of the zone;
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <command>"full"</command>, which is text output in a
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt format suitable for processing by external scripts;
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt and <command>"map"</command>, <command>"raw"</command>,
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt and <command>"raw=N"</command>, which store the zone in
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt binary formats for rapid loading by <command>named</command>.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <command>"raw=N"</command> specifies the format version of
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt the raw zone file: if N is 0, the raw file can be read by
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt any version of <command>named</command>; if N is 1, the file
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt can be read by release 9.9.0 or higher; the default is 1.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews Use pseudo-random data when signing the zone. This is faster,
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews but less secure, than using real random data. This option
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews may be useful when signing large zones or when the entropy
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews source is limited.
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews </varlistentry>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <varlistentry>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews Disable post sign verification tests.
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews The post sign verification test ensures that for each algorithm
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews in use there is at least one non-revoked, self-signed KSK key,
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews that all revoked KSK keys are self-signed, and that all records
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews in the zone are signed by the algorithm.
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews This option skips these tests.
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews </varlistentry>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Remove signatures from keys that are no longer active.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Normally, when a previously-signed zone is passed as input
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein to the signer, and a DNSKEY record has been removed and
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein replaced with a new one, signatures from the old key
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein that are still within their validity period are retained.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein This allows the zone to continue to validate with cached
79399226b7bd15afb3e97fa9a5ea678359968997Mark Andrews copies of the old DNSKEY RRset. The <option>-Q</option> option
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington forces <command>dnssec-signzone</command> to remove
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington signatures from keys that are no longer active. This
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington enables ZSK rollover using the procedure described in
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington Remove signatures from keys that are no longer published.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein This option is similar to <option>-Q</option>, except it
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington forces <command>dnssec-signzone</command> to remove signatures from
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington keys that are no longer published. This enables ZSK rollover
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington using the procedure described in RFC 4641, section 4.2.1.2
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein ("Double Signature Zone Signing Key Rollover").
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-r <replaceable class="parameter">randomdev</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Specifies the source of randomness. If the operating
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein system does not provide a <filename>/dev/random</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein or equivalent device, the default source of randomness
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein is keyboard input. <filename>randomdev</filename> specifies
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington the name of a character device or file containing random
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington data to be used instead of the default. The special value
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews <filename>keyboard</filename> indicates that keyboard
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews input should be used.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Smart signing: Instructs <command>dnssec-signzone</command> to
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington search the key repository for keys that match the zone being
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington signed, and to include them in the zone if appropriate.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein When a key is found, its timing metadata is examined to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein determine how it should be used, according to the following
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein rules. Each successive rule takes priority over the prior
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <variablelist>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein If no timing metadata has been set for the key, the key is
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington published in the zone and used to sign the zone.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington If the key's publication date is set and is in the past, the
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington key is published in the zone.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt If the key's activation date is set and is in the past, the
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington key is published (regardless of publication date) and
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington used to sign the zone.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein If the key's revocation date is set and is in the past, and the
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington key is published, then the key is revoked, and the revoked key
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington is used to sign the zone.
Kexample.com.+003+17247