0N/A<!
DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" 0N/A [<!ENTITY mdash "—">]>
0N/A - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") 0N/A - Copyright (C) 2000-2003 Internet Software Consortium. 0N/A - Permission to use, copy, modify, and distribute this software for any 0N/A - purpose with or without fee is hereby granted, provided that the above 0N/A - copyright notice and this permission notice appear in all copies. 0N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 0N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 0N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 0N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 0N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 0N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 0N/A - PERFORMANCE OF THIS SOFTWARE. 0N/A <
date>June 30, 2000</
date>
0N/A <
refentrytitle><
application>dnssec-signzone</
application></
refentrytitle>
0N/A <
manvolnum>8</
manvolnum>
0N/A <
refmiscinfo>BIND9</
refmiscinfo>
0N/A <
refname><
application>dnssec-signzone</
application></
refname>
0N/A <
refpurpose>DNSSEC zone signing tool</
refpurpose>
0N/A <
holder>Internet Systems Consortium, Inc. ("ISC")</
holder>
0N/A <
holder>Internet Software Consortium.</
holder>
0N/A <
command>dnssec-signzone</
command>
0N/A <
arg><
option>-a</
option></
arg>
0N/A <
arg><
option>-c <
replaceable class="parameter">class</
replaceable></
option></
arg>
0N/A <
arg><
option>-d <
replaceable class="parameter">directory</
replaceable></
option></
arg>
0N/A <
arg><
option>-e <
replaceable class="parameter">end-time</
replaceable></
option></
arg>
0N/A <
arg><
option>-f <
replaceable class="parameter">output-file</
replaceable></
option></
arg>
0N/A <
arg><
option>-g</
option></
arg>
0N/A <
arg><
option>-h</
option></
arg>
0N/A <
arg><
option>-k <
replaceable class="parameter">key</
replaceable></
option></
arg>
0N/A <
arg><
option>-l <
replaceable class="parameter">domain</
replaceable></
option></
arg>
0N/A <
arg><
option>-i <
replaceable class="parameter">interval</
replaceable></
option></
arg>
0N/A <
arg><
option>-j <
replaceable class="parameter">jitter</
replaceable></
option></
arg>
0N/A <
arg><
option>-n <
replaceable class="parameter">nthreads</
replaceable></
option></
arg>
0N/A <
arg><
option>-o <
replaceable class="parameter">origin</
replaceable></
option></
arg>
0N/A <
arg><
option>-p</
option></
arg>
0N/A <
arg><
option>-r <
replaceable class="parameter">randomdev</
replaceable></
option></
arg>
0N/A <
arg><
option>-s <
replaceable class="parameter">start-time</
replaceable></
option></
arg>
0N/A <
arg><
option>-t</
option></
arg>
0N/A <
arg><
option>-v <
replaceable class="parameter">level</
replaceable></
option></
arg>
0N/A <
arg><
option>-z</
option></
arg>
0N/A <
arg choice="req">zonefile</
arg>
0N/A <
arg rep="repeat">key</
arg>
0N/A <
title>DESCRIPTION</
title>
0N/A <
para><
command>dnssec-signzone</
command>
0N/A signs a zone. It generates
0N/A NSEC and RRSIG records and produces a signed version of the
0N/A zone. The security status of delegations from the signed zone
0N/A (that is, whether the child zones are secure or not) is
0N/A determined by the presence or absence of a
0N/A <
filename>keyset</
filename> file for each child zone.
0N/A <
title>OPTIONS</
title>
0N/A Verify all generated signatures.
0N/A <
term>-c <
replaceable class="parameter">class</
replaceable></
term>
0N/A Specifies the DNS class of the zone.
0N/A <
term>-k <
replaceable class="parameter">key</
replaceable></
term>
0N/A Treat specified key as a key signing key ignoring any
0N/A key flags. This option may be specified multiple times.
0N/A <
term>-l <
replaceable class="parameter">domain</
replaceable></
term>
0N/A Generate a DLV set in addition to the key (DNSKEY) and DS sets.
0N/A The domain is appended to the name of the records.
0N/A <
term>-d <
replaceable class="parameter">directory</
replaceable></
term>
0N/A Look for <
filename>keyset</
filename> files in
0N/A <
option>directory</
option> as the directory
0N/A Generate DS records for child zones from keyset files.
0N/A Existing DS records will be removed.
0N/A <
term>-s <
replaceable class="parameter">start-time</
replaceable></
term>
0N/A Specify the date and time when the generated RRSIG records
0N/A become valid. This can be either an absolute or relative
0N/A time. An absolute start time is indicated by a number
0N/A in YYYYMMDDHHMMSS notation; 20000530144500 denotes
0N/A 14:45:00 UTC on May 30th, 2000. A relative start time is
0N/A indicated by +N, which is N seconds from the current time.
0N/A If no <
option>start-time</
option> is specified, the current
0N/A time minus 1 hour (to allow for clock skew) is used.
0N/A <
term>-e <
replaceable class="parameter">end-time</
replaceable></
term>
0N/A Specify the date and time when the generated RRSIG records
0N/A expire. As with <
option>start-time</
option>, an absolute
0N/A time is indicated in YYYYMMDDHHMMSS notation. A time relative
0N/A to the start time is indicated with +N, which is N seconds from
0N/A the start time. A time relative to the current time is
0N/A indicated with now+N. If no <
option>end-time</
option> is
0N/A specified, 30 days from the start time is used as a default.
0N/A <
term>-f <
replaceable class="parameter">output-file</
replaceable></
term>
0N/A The name of the output file containing the signed zone. The
0N/A default is to append <
filename>.signed</
filename> to
0N/A Prints a short summary of the options and arguments to
0N/A <
command>dnssec-signzone</
command>.
0N/A <
term>-i <
replaceable class="parameter">interval</
replaceable></
term>
0N/A When a previously signed zone is passed as input, records
0N/A may be resigned. The <
option>interval</
option> option
0N/A specifies the cycle interval as an offset from the current
0N/A time (in seconds). If a RRSIG record expires after the
0N/A cycle interval, it is retained. Otherwise, it is considered
0N/A to be expiring soon, and it will be replaced.
0N/A The default cycle interval is one quarter of the difference
0N/A between the signature end and start times. So if neither
0N/A <
option>end-time</
option> or <
option>start-time</
option>
0N/A are specified, <
command>dnssec-signzone</
command>
0N/A signatures that are valid for 30 days, with a cycle
0N/A interval of 7.5 days. Therefore, if any existing RRSIG records
0N/A are due to expire in less than 7.5 days, they would be
0N/A <
term>-j <
replaceable class="parameter">jitter</
replaceable></
term>
0N/A When signing a zone with a fixed signature lifetime, all
0N/A RRSIG records issued at the time of signing expires
0N/A simultaneously. If the zone is incrementally signed,
i.e. 0N/A a previously signed zone is passed as input to the signer,
0N/A all expired signatures has to be regenerated at about the
0N/A same time. The <
option>jitter</
option> option specifies a
0N/A jitter window that will be used to randomize the signature
0N/A expire time, thus spreading incremental signature
0N/A regeneration over time.
0N/A Signature lifetime jitter also to some extent benefits
0N/A validators and servers by spreading out cache expiration,
0N/A i.e. if large numbers of RRSIGs don't expire at the same time
0N/A from all caches there will be less congestion than if all
0N/A validators need to refetch at mostly the same time.
0N/A <
term>-n <
replaceable class="parameter">ncpus</
replaceable></
term>
0N/A Specifies the number of threads to use. By default, one
0N/A thread is started for each detected CPU.
0N/A <
term>-o <
replaceable class="parameter">origin</
replaceable></
term>
0N/A The zone origin. If not specified, the name of the zone file
0N/A is assumed to be the origin.
0N/A Use pseudo-random data when signing the zone. This is faster,
0N/A but less secure, than using real random data. This option
0N/A may be useful when signing large zones or when the entropy
0N/A <
term>-r <
replaceable class="parameter">randomdev</
replaceable></
term>
0N/A Specifies the source of randomness. If the operating
0N/A or equivalent device, the default source of randomness
0N/A is keyboard input. <
filename>randomdev</
filename>
0N/A the name of a character device or file containing random
0N/A data to be used instead of the default. The special value
0N/A <
filename>keyboard</
filename> indicates that keyboard
0N/A input should be used.
0N/A Print statistics at completion.
0N/A <
term>-v <
replaceable class="parameter">level</
replaceable></
term>
0N/A Sets the debugging level.
0N/A Ignore KSK flag on key when determining what to sign.
0N/A <
term>zonefile</
term>
0N/A The file containing the zone to be signed.
0N/A Sets the debugging level.
0N/A The keys used to sign the zone. If no keys are specified, the
0N/A default all zone keys that have private key files in the
0N/A <
title>EXAMPLE</
title>
0N/A zone with the DSA key generated in the <
command>dnssec-keygen</
command>
0N/A man page. The zone's keys must be in the zone. If there are
0N/A <
filename>keyset</
filename> files associated with child
0N/A they must be in the current directory.
0N/A The command would print a string of the form:
0N/A In this example, <
command>dnssec-signzone</
command> creates
0N/A should be referenced in a zone statement in a
<
refentrytitle>dnssec-keygen</
refentrytitle><
manvolnum>8</
manvolnum>
<
citetitle>BIND 9 Administrator Reference Manual</
citetitle>,
<
citetitle>RFC 2535</
citetitle>.
<
para><
corpauthor>Internet Systems Consortium</
corpauthor>