dnssec-signzone.html revision 0e1dece22e128f9dfa723316a35c4b3f06912381
11e9368a226272085c337e9e74b79808c16fbdbaTinderbox User - Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC")
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - Copyright (C) 2000-2003 Internet Software Consortium.
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - purpose with or without fee is hereby granted, provided that the above
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - copyright notice and this permission notice appear in all copies.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - PERFORMANCE OF THIS SOFTWARE.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
50066670817cdf9e86c832066d73715232b29680Tinderbox User<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<p><span><strong class="command">dnssec-signzone</strong></span>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont signs a zone. It generates
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont NSEC and RRSIG records and produces a signed version of the
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont zone. The security status of delegations from the signed zone
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont (that is, whether the child zones are secure or not) is
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User determined by the presence or absence of a
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <code class="filename">keyset</code> file for each child zone.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Verify all generated signatures.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User Specifies the DNS class of the zone.
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User Compatibility mode: Generate a
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont file in addition to
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater when signing a zone, for use by older versions of
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <span><strong class="command">dnssec-signzone</strong></span>.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Look for <code class="filename">dsset-</code> or
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <code class="filename">keyset-</code> files in <code class="option">directory</code>.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Output only those record types automatically managed by
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater NSEC3 and NSEC3PARAM records. If smart signing
cd791043c8a6edbcacc2392575a9816d19b8157cTinderbox User (<code class="option">-S</code>) is used, DNSKEY records are also
cd791043c8a6edbcacc2392575a9816d19b8157cTinderbox User included. The resulting file can be included in the original
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater cannot be combined with <code class="option">-O raw</code>,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <code class="option">-O map</code>, or serial number updating.
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater When applicable, specifies the hardware to use for
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater cryptographic operations, such as a secure key store used
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont When BIND is built with OpenSSL PKCS#11 support, this defaults
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User to the string "pkcs11", which identifies an OpenSSL engine
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont that can drive a cryptographic accelerator or hardware service
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont module. When BIND is built with native PKCS#11 cryptography
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User (--enable-native-pkcs11), it defaults to the path of the PKCS#11
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater provider library specified via "--with-pkcs11".
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater Generate DS records for child zones from
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
8ec3c085233cedb22b05da36e2773c8f357a7e45Automatic Updater file. Existing DS records will be removed.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User Key repository: Specify a directory to search for DNSSEC keys.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User If not specified, defaults to the current directory.
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User Treat specified key as a key signing key ignoring any
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User key flags. This option may be specified multiple times.
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Generate a DLV set in addition to the key (DNSKEY) and DS sets.
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User The domain is appended to the name of the records.
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Sets the maximum TTL for the signed zone.
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User in the output. This provides certainty as to the largest
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User possible TTL in the signed zone, which is useful to know when
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User rolling keys because it is the longest possible time before
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User signatures that have been retrieved by resolvers will expire
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User from resolver caches. Zones that are signed with this
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User option should be configured to use a matching
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User (Note: This option is incompatible with <code class="option">-D</code>,
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User because it modifies non-DNSSEC data in the output zone.)
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User Specify the date and time when the generated RRSIG records
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User become valid. This can be either an absolute or relative
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User time. An absolute start time is indicated by a number
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User in YYYYMMDDHHMMSS notation; 20000530144500 denotes
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User 14:45:00 UTC on May 30th, 2000. A relative start time is
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User indicated by +N, which is N seconds from the current time.
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User If no <code class="option">start-time</code> is specified, the current
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User time minus 1 hour (to allow for clock skew) is used.
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Specify the date and time when the generated RRSIG records
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User expire. As with <code class="option">start-time</code>, an absolute
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont time is indicated in YYYYMMDDHHMMSS notation. A time relative
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont to the start time is indicated with +N, which is N seconds from
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont the start time. A time relative to the current time is
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont indicated with now+N. If no <code class="option">end-time</code> is
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont specified, 30 days from the start time is used as a default.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <code class="option">end-time</code> must be later than
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Specify the date and time when the generated RRSIG records
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater for the DNSKEY RRset will expire. This is to be used in cases
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater when the DNSKEY signatures need to persist longer than
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater signatures on other records; e.g., when the private component
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater of the KSK is kept offline and the KSK signature is to be
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User refreshed manually.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont As with <code class="option">start-time</code>, an absolute
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont time is indicated in YYYYMMDDHHMMSS notation. A time relative
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User to the start time is indicated with +N, which is N seconds from
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont the start time. A time relative to the current time is
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User indicated with now+N. If no <code class="option">extended end-time</code> is
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont specified, the value of <code class="option">end-time</code> is used as
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater the default. (<code class="option">end-time</code>, in turn, defaults to
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User 30 days from the start time.) <code class="option">extended end-time</code>
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater must be later than <code class="option">start-time</code>.
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont The name of the output file containing the signed zone. The
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User default is to append <code class="filename">.signed</code> to
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont the input filename. If <code class="option">output-file</code> is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt set to <code class="literal">"-"</code>, then the signed zone is
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User written to the standard output, with a default output
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater format of "full".
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Prints a short summary of the options and arguments to
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <span><strong class="command">dnssec-signzone</strong></span>.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater When a previously-signed zone is passed as input, records
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater may be resigned. The <code class="option">interval</code> option
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater specifies the cycle interval as an offset from the current
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater time (in seconds). If a RRSIG record expires after the
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater cycle interval, it is retained. Otherwise, it is considered
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater to be expiring soon, and it will be replaced.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User The default cycle interval is one quarter of the difference
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater between the signature end and start times. So if neither
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <code class="option">end-time</code> or <code class="option">start-time</code>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont are specified, <span><strong class="command">dnssec-signzone</strong></span>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User signatures that are valid for 30 days, with a cycle
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User interval of 7.5 days. Therefore, if any existing RRSIG records
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User are due to expire in less than 7.5 days, they would be
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User The format of the input zone file.
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User Possible formats are <span><strong class="command">"text"</strong></span> (default),
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"map"</strong></span>.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont This option is primarily intended to be used for dynamic
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User signed zones so that the dumped zone file in a non-text
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont format containing updates can be signed directly.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont The use of this option does not make much sense for
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont non-dynamic zones.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont When signing a zone with a fixed signature lifetime, all
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User RRSIG records issued at the time of signing expires
6f1205897504b8f50b1785975482c995888dd630Tinderbox User simultaneously. If the zone is incrementally signed, i.e.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User a previously-signed zone is passed as input to the signer,
6f1205897504b8f50b1785975482c995888dd630Tinderbox User all expired signatures have to be regenerated at about the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User same time. The <code class="option">jitter</code> option specifies a
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater jitter window that will be used to randomize the signature
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User expire time, thus spreading incremental signature
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater regeneration over time.
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater Signature lifetime jitter also to some extent benefits
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater validators and servers by spreading out cache expiration,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User i.e. if large numbers of RRSIGs don't expire at the same time
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont from all caches there will be less congestion than if all
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User validators need to refetch at mostly the same time.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater When writing a signed zone to "raw" or "map" format, set the
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater "source serial" value in the header to the specified serial
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater number. (This is expected to be used primarily for testing
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User Specifies the number of threads to use. By default, one
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater thread is started for each detected CPU.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater The SOA serial number format of the signed zone.
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater Possible formats are <span><strong class="command">"keep"</strong></span> (default),
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater <span><strong class="command">"increment"</strong></span> and
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <span><strong class="command">"unixtime"</strong></span>.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
5a24d24c8fba3480d707c0c902379ddb36501e12Automatic Updater<dd><p>Do not modify the SOA serial number.</p></dd>
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater<dd><p>Increment the SOA serial number using RFC 1982
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dd><p>Set the SOA serial number to the number of seconds
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User The zone origin. If not specified, the name of the zone file
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater is assumed to be the origin.
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater The format of the output file containing the signed zone.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Possible formats are <span><strong class="command">"text"</strong></span> (default),
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater which is the standard textual representation of the zone;
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater <span><strong class="command">"full"</strong></span>, which is text output in a
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater format suitable for processing by external scripts;
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User and <span><strong class="command">"map"</strong></span>, <span><strong class="command">"raw"</strong></span>,
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User and <span><strong class="command">"raw=N"</strong></span>, which store the zone in
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User binary formats for rapid loading by <span><strong class="command">named</strong></span>.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <span><strong class="command">"raw=N"</strong></span> specifies the format version of
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User the raw zone file: if N is 0, the raw file can be read by
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User any version of <span><strong class="command">named</strong></span>; if N is 1, the file
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User can be read by release 9.9.0 or higher; the default is 1.
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User Use pseudo-random data when signing the zone. This is faster,
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User but less secure, than using real random data. This option
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User may be useful when signing large zones or when the entropy
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User source is limited.
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User Disable post sign verification tests.
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User The post sign verification test ensures that for each algorithm
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User in use there is at least one non revoked self signed KSK key,
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User that all revoked KSK keys are self signed, and that all records
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User in the zone are signed by the algorithm.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater This option skips these tests.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Remove signatures from keys that are no longer active.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Normally, when a previously-signed zone is passed as input
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont to the signer, and a DNSKEY record has been removed and
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User replaced with a new one, signatures from the old key
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User that are still within their validity period are retained.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User This allows the zone to continue to validate with cached
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User copies of the old DNSKEY RRset. The <code class="option">-Q</code>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater forces <span><strong class="command">dnssec-signzone</strong></span> to remove
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User signatures from keys that are no longer active. This
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User enables ZSK rollover using the procedure described in
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Remove signatures from keys that are no longer published.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont This option is similar to <code class="option">-Q</code>, except it
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User forces <span><strong class="command">dnssec-signzone</strong></span> to signatures from
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont keys that are no longer published. This enables ZSK rollover
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont using the procedure described in RFC 4641, section 4.2.1.2
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont ("Double Signature Zone Signing Key Rollover").
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Specifies the source of randomness. If the operating
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont system does not provide a <code class="filename">/dev/random</code>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont or equivalent device, the default source of randomness
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont is keyboard input. <code class="filename">randomdev</code>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User the name of a character device or file containing random
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User data to be used instead of the default. The special value
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <code class="filename">keyboard</code> indicates that keyboard
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User input should be used.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont search the key repository for keys that match the zone being
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont signed, and to include them in the zone if appropriate.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont When a key is found, its timing metadata is examined to
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont determine how it should be used, according to the following
50066670817cdf9e86c832066d73715232b29680Tinderbox User rules. Each successive rule takes priority over the prior
922312472e2e05ebc64993d465999c5351b83036Automatic Updater If no timing metadata has been set for the key, the key is
50066670817cdf9e86c832066d73715232b29680Tinderbox User published in the zone and used to sign the zone.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont If the key's publication date is set and is in the past, the
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont key is published in the zone.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont If the key's activation date is set and in the past, the
Kexample.com.+003+17247