dnssec-signzone.html revision 0b062f4990db5cc6db2fe3398926f71b92a67407
0b062f4990db5cc6db2fe3398926f71b92a67407 Brian Wellington - Copyright (C) 2000, 2001 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
 - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
 - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
 - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
 - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
 - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
dnssec-signzone

dnssec-signzone -- DNSSEC zone signing tool

dnssec-signzone [options] {zonefile} [key...]
DESCRIPTION

dnssec-signzone signs a zone. It generates NXT and SIG records and
produces a signed version of the zone. If there is a signedkey file
from the zone's parent, the parent's signatures will be incorporated
into the generated signed zone file. The security status of
delegations from the signed zone (that is, whether the child zones
are secure or not) is determined by the presence or absence of a
signedkey file for each child zone.
OPTIONS

    Verify all generated signatures.

    Specifies the DNS class of the zone.

    Look for signedkey files in directory as the directory.

    start-time
        Specify the date and time when the generated SIG records
        become valid. This can be either an absolute or relative
        time. An absolute start time is indicated by a number in
        YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC
        on May 30th, 2000. A relative start time is indicated by +N,
        which is N seconds from the current time. If no start-time
        is specified, the current time is used.

    Specify the date and time when the generated SIG records expire.
    As with start-time, an absolute time is indicated in
    YYYYMMDDHHMMSS notation. A time relative to the start time is
    indicated with +N, which is N seconds from the start time. A time
    relative to the current time is indicated with now+N. If no end
    time is specified, 30 days from the start time is used as a
    default.

    output-file
        The name of the output file containing the signed zone. The
        default is to append ...

    Prints a short summary of the options and arguments to
    dnssec-signzone.

    When a previously signed zone is passed as input, records may be
    resigned. This option specifies the cycle interval as an offset
    from the current time (in seconds). If a SIG record expires after
    the cycle interval, it is retained. Otherwise, it is considered to
    be expiring soon, and it will be replaced.

    The default cycle interval is one quarter of the difference
    between the signature end and start times. So if neither an end
    time nor a start-time is specified, dnssec-signzone generates
    signatures that are valid for 30 days, with a cycle interval of
    7.5 days. Therefore, if any existing SIG records are due to expire
    in less than 7.5 days, they would be replaced.

    Specifies the number of threads to use. By default, one thread is
    started for each detected CPU.

    The zone origin. If not specified, the name of the zone file is
    assumed to be the origin.

    Use pseudo-random data when signing the zone. This is faster, but
    less secure, than using real random data. This option may be
    useful when signing large zones or when the entropy source is
    limited.

    Specifies the source of randomness. If the operating system does
    not provide a ... or equivalent device, the default source of
    randomness is keyboard input. randomdev specifies the name of a
    character device or file containing random data to be used
    instead of the default. The special value ... indicates that
    keyboard input should be used.

    Print statistics at completion.

    Sets the debugging level.

    The file containing the zone to be signed.
    The keys used to sign the zone. If no keys are specified, the
    default is all zone keys that have private key files in the
    current directory.
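The start-time, end-time and cycle-interval rules above, modelled in Python as an added illustration (not code from BIND or from this man page): it parses the documented time syntax, applies the documented defaults (start = now, end = start + 30 days, cycle = one quarter of the window) and decides which existing SIG records would be retained or replaced. The record names and expiry times in the sample are constructed.

```python
from datetime import datetime, timedelta, timezone

# Default validity when no end time is given: 30 days after the start time.
DEFAULT_VALIDITY = timedelta(days=30)


def parse_time(spec, now, start=None):
    """Parse a dnssec-signzone time spec as the man page defines it:
    'YYYYMMDDHHMMSS' is an absolute UTC time, '+N' is N seconds after the
    start time (after `now` when `start` is None, i.e. when parsing the
    start time itself), and 'now+N' is N seconds after the current time."""
    if spec is None:
        return None
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        base = now if start is None else start
        return base + timedelta(seconds=int(spec[1:]))
    if len(spec) == 14 and spec.isdigit():
        return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised time spec: {spec!r}")


def signing_window(now, start_spec=None, end_spec=None, interval=None):
    """Return (start, end, cycle). Start defaults to now, end to start + 30
    days, and the cycle interval to one quarter of (end - start) unless an
    explicit interval in seconds is given."""
    start = parse_time(start_spec, now) or now
    end = parse_time(end_spec, now, start) or start + DEFAULT_VALIDITY
    if end <= start:
        raise ValueError("end time must be after start time")
    cycle = timedelta(seconds=interval) if interval is not None else (end - start) / 4
    return start, end, cycle


def plan_resign(sig_expiries, now, start_spec=None, end_spec=None, interval=None):
    """Classify existing SIG records: one that expires after now + cycle is
    retained, one expiring at or before that point is replaced."""
    _, _, cycle = signing_window(now, start_spec, end_spec, interval)
    return {name: ("retain" if expiry > now + cycle else "replace")
            for name, expiry in sig_expiries.items()}


if __name__ == "__main__":
    # Constructed sample: re-signing at the man page's example timestamp.
    now = parse_time("20000530144500", None)
    existing = {
        "www.example.com. A": now + timedelta(days=3),    # inside the 7.5-day cycle
        "mail.example.com. A": now + timedelta(days=20),  # still comfortably valid
    }
    print(signing_window(now))
    print(plan_resign(existing, now))
```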
EXAMPLE

The following command signs the example.com zone with the DSA key
generated in the dnssec-keygen man page. The zone's keys must be in
the zone. If there are signedkey files associated with this zone or
any child zones, they must be in the current directory.

Given the key Kexample.com.+003+26160, the following command would be
used:

    dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160

The command would print a string of the form:

    ...

In this example, dnssec-signzone creates the file .... This file
should be referenced in a zone statement in a ... file.
SEE ALSO

dnssec-keygen, dnssec-signkey, BIND 9 Administrator Reference Manual.
AUTHOR

Internet Software Consortium