dnssec-signzone.html revision 0e1dece22e128f9dfa723316a35c4b3f06912381
<!--
 - Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code
class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543644"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
 signs a zone. It generates
 NSEC and RRSIG records and produces a signed version of the
 zone. The security status of delegations from the signed zone
 (that is, whether the child zones are secure or not) is
 determined by the presence or absence of a
 <code class="filename">keyset</code> file for each child zone.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543659"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
 Verify all generated signatures.
 </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Specifies the DNS class of the zone.
 </p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
 Compatibility mode: Generate a
 <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
 file in addition to
 <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
 when signing a zone, for use by older versions of
 <span><strong class="command">dnssec-signzone</strong></span>.
 </p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Look for <code class="filename">dsset-</code> or
 <code class="filename">keyset-</code> files in <code class="option">directory</code>.
 </p></dd>
<dt><span class="term">-D</span></dt>
<dd><p>
 Output only those record types automatically managed by
 <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
 NSEC3 and NSEC3PARAM records. If smart signing
 (<code class="option">-S</code>) is used, DNSKEY records are also
 included. The resulting file can be included in the original
 zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
 cannot be combined with <code class="option">-O raw</code>,
 <code class="option">-O map</code>, or serial number updating.
 </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
 When applicable, specifies the hardware to use for
 cryptographic operations, such as a secure key store used
 for signing.
 </p>
<p>
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware service
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
 </p>
</dd>
<dt><span class="term">-g</span></dt>
<dd><p>
 Generate DS records for child zones from the
 <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
 files. Existing DS records will be removed.
 </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Key repository: Specify a directory to search for DNSSEC keys.
 If not specified, defaults to the current directory.
 </p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
 Treat the specified key as a key-signing key, ignoring any
 key flags. This option may be specified multiple times.
 </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
 Generate a DLV set in addition to the key (DNSKEY) and DS sets.
 The domain is appended to the name of the records.
 </p></dd>
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
<dd><p>
 Sets the maximum TTL for the signed zone.
 Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
 input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
 in the output. This provides certainty as to the largest
 possible TTL in the signed zone, which is useful to know when
 rolling keys because it is the longest possible time before
 signatures that have been retrieved by resolvers will expire
 from resolver caches. Zones that are signed with this
 option should be configured to use a matching
 <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
 (Note: This option is incompatible with <code class="option">-D</code>,
 because it modifies non-DNSSEC data in the output zone.)
 </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
 Specify the date and time when the generated RRSIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <code class="option">start-time</code> is specified, the current
 time minus 1 hour (to allow for clock skew) is used.
 </p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>
 Specify the date and time when the generated RRSIG records
 expire. As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">end-time</code> is
 specified, 30 days from the start time is used as a default.
 <code class="option">end-time</code> must be later than
 <code class="option">start-time</code>.
 </p></dd>
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
<dd>
<p>
 Specify the date and time when the generated RRSIG records
 for the DNSKEY RRset will expire. This is to be used in cases
 when the DNSKEY signatures need to persist longer than
 signatures on other records; e.g., when the private component
 of the KSK is kept offline and the KSK signature is to be
 refreshed manually.
 </p>
<p>
 As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">extended end-time</code> is
 specified, the value of <code class="option">end-time</code> is used as
 the default. (<code class="option">end-time</code>, in turn, defaults to
 30 days from the start time.) <code class="option">extended end-time</code>
 must be later than <code class="option">start-time</code>.
 </p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
 The name of the output file containing the signed zone. The
 default is to append <code class="filename">.signed</code> to
 the input filename. If <code class="option">output-file</code> is
 set to <code class="literal">"-"</code>, then the signed zone is
 written to the standard output, with a default output
 format of "full".
 </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-signzone</strong></span>.
 </p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
 When a previously-signed zone is passed as input, records
 may be resigned. The <code class="option">interval</code> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.
 </p>
<p>
 The default cycle interval is one quarter of the difference
 between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 is specified, <span><strong class="command">dnssec-signzone</strong></span>
 generates signatures that are valid for 30 days, with a cycle
 interval of 7.5 days. Therefore, if any existing RRSIG records
 are due to expire in less than 7.5 days, they would be
 replaced.
 </p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
 The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default),
 <span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"map"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be signed directly.
 The use of this option does not make much sense for
 non-dynamic zones.
 </p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd>
<p>
 When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously-signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <code class="option">jitter</code> option specifies a
 jitter window that will be used to randomize the signature
 expire time, thus spreading incremental signature
 regeneration over time.
 </p>
<p>
 Signature lifetime jitter also benefits validators and servers
 to some extent by spreading out cache expiration: if large
 numbers of RRSIGs do not expire at the same time from all
 caches, there is less congestion than if all validators need
 to refetch at mostly the same time.
 </p>
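<p>
 The following is an added example, not code from BIND or from this manual
 page. It models how the <code class="option">-s</code>, <code class="option">-e</code>,
 <code class="option">-X</code>, <code class="option">-i</code> and
 <code class="option">-j</code> options interact, using only the rules stated above:
 the three time notations, the default start (now minus one hour), end (start plus
 30 days) and cycle interval (a quarter of the validity period), the
 "expires after the cycle interval" retention test, and a jittered expiry.
 The way the jitter offset is drawn is this model's own choice; the page only
 says the expiry is randomized within the jitter window.
</p>

```python
"""Model of the RRSIG timing options of dnssec-signzone: -s, -e, -X, -i and -j.

Added example, not code from BIND. It re-implements the rules stated in the
manual page so the interaction between the options can be checked without
signing a real zone.
"""
import random
from datetime import datetime, timezone

HOUR = 3600
DAY = 86400


def parse_time(spec, now, base=None):
    """Translate a -s/-e/-X argument into a Unix timestamp (seconds, UTC).

    Accepted forms:
      YYYYMMDDHHMMSS  absolute UTC time, e.g. 20000530144500
      +N              N seconds after `base` (the current time for -s,
                      the start time for -e and -X)
      now+N           N seconds after the current time
    """
    if base is None:
        base = now
    if spec.startswith("now+"):
        return now + int(spec[4:])
    if spec.startswith("+"):
        return base + int(spec[1:])
    if len(spec) == 14 and spec.isdigit():
        dt = datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    raise ValueError("unrecognised time specification: %r" % spec)


def signing_window(now, start=None, end=None, extended_end=None, interval=None):
    """Apply the documented defaults and consistency checks.

    Returns the signature inception, expiration, DNSKEY RRSIG expiration
    and the -i cycle interval, all derived from `now` (a Unix timestamp).
    """
    start_t = now - HOUR if start is None else parse_time(start, now)
    end_t = start_t + 30 * DAY if end is None else parse_time(end, now, base=start_t)
    xend_t = end_t if extended_end is None else parse_time(extended_end, now, base=start_t)
    if end_t <= start_t:
        raise ValueError("end-time must be later than start-time")
    if xend_t <= start_t:
        raise ValueError("extended end-time must be later than start-time")
    cycle = (end_t - start_t) // 4 if interval is None else interval
    return {"start": start_t, "end": end_t, "dnskey_end": xend_t, "cycle": cycle}


def needs_resign(rrsig_expiry, now, cycle):
    """-i: an existing RRSIG is kept only if it expires after now + cycle;
    otherwise it counts as expiring soon and is regenerated."""
    return rrsig_expiry <= now + cycle


def jittered_expiry(end_t, jitter, rng=random):
    """-j: spread expirations by pulling each one forward by a random amount
    of up to `jitter` seconds. Subtracting a uniform offset is this model's
    choice; the manual page only says the expiry is randomized within the
    jitter window."""
    if jitter <= 0:
        return end_t
    return end_t - rng.randrange(jitter + 1)


if __name__ == "__main__":
    now = int(datetime.now(timezone.utc).timestamp())
    w = signing_window(now)
    print("default window: start=%d end=%d cycle=%d s (%.1f days)"
          % (w["start"], w["end"], w["cycle"], w["cycle"] / DAY))
    # An RRSIG expiring in 5 days falls inside the 7.5-day cycle: re-signed.
    print("signature expiring in 5 days is re-signed:",
          needs_resign(now + 5 * DAY, now, w["cycle"]))
```

<p>
 Running the script with no arguments prints the default window and shows
 that a signature due to expire in 5 days is regenerated, while one expiring
 in 10 days would be kept. Note how <code class="option">-i</code> and
 <code class="option">-j</code> work together: jitter makes the expiry dates
 diverge, so on each subsequent run only the signatures that have drifted
 inside the cycle window are redone.
</p>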
</dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd><p>
 When writing a signed zone to "raw" or "map" format, set the
 "source serial" value in the header to the specified serial
 number. (This is expected to be used primarily for testing
 purposes.)
 </p></dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>
 Specifies the number of threads to use. By default, one
 thread is started for each detected CPU.
 </p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd>
<p>
 The SOA serial number format of the signed zone.
 Possible formats are <span><strong class="command">"keep"</strong></span> (default),
 <span><strong class="command">"increment"</strong></span> and
 <span><strong class="command">"unixtime"</strong></span>.
 </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
 arithmetic.</p></dd>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
 since epoch.</p></dd>
</dl></div>
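<p>
 An added example, not BIND code, that computes the serial each of the three
 formats would produce and then applies the RFC 1982 comparison that secondary
 servers use to decide whether a zone is newer. The comparison is the reason
 the format choice matters operationally: with "keep" the re-signed zone is
 never transferred, and switching a zone that already carries a date-style
 serial (the constructed value 2024010101 below) to "unixtime" yields a serial
 that secondaries treat as older.
</p>

```python
"""Model of the -N soa-serial-format choices: "keep", "increment", "unixtime".

Added example, not BIND code. It also implements the RFC 1982 comparison that
secondaries apply, so a new serial can be checked for being seen as newer than
the one currently published.
"""
import time

SERIAL_MOD = 1 << 32   # serials are 32-bit unsigned integers
HALF = 1 << 31         # RFC 1982 ordering horizon


def serial_add(serial, n):
    """RFC 1982 addition: wraps modulo 2^32; the addend must be below 2^31."""
    if not 0 <= n < HALF:
        raise ValueError("addend out of range for serial arithmetic")
    return (serial + n) % SERIAL_MOD


def serial_gt(a, b):
    """True if serial a is 'greater than' b in RFC 1982 terms."""
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def new_serial(current, fmt, now=None):
    """Compute the SOA serial dnssec-signzone would write for format `fmt`."""
    if fmt == "keep":
        return current
    if fmt == "increment":
        return serial_add(current, 1)
    if fmt == "unixtime":
        return int(time.time() if now is None else now) % SERIAL_MOD
    raise ValueError("unknown soa-serial-format: %r" % fmt)


def check_rollout(current, fmt, now=None):
    """Return (new_serial, ok): ok means secondaries will see the new serial
    as newer than `current` and therefore transfer the re-signed zone."""
    new = new_serial(current, fmt, now)
    return new, serial_gt(new, current)


if __name__ == "__main__":
    # Constructed values: a date-style serial and a fixed "now".
    for fmt in ("keep", "increment", "unixtime"):
        new, ok = check_rollout(2024010101, fmt, now=1700000000)
        print("%-9s -> %10d  seen as newer by secondaries: %s" % (fmt, new, ok))
```

<p>
 The "increment" case also shows the wrap-around: incrementing 4294967295
 yields 0, which RFC 1982 still orders as greater than the previous value.
</p>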
52ece689e0265f9a3e518de5b2539e749f6d35acMark Andrews</dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
        The zone origin. If not specified, the name of the zone file
        is assumed to be the origin.
      </p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>
        The format of the output file containing the signed zone.
        Possible formats are <span><strong class="command">"text"</strong></span> (default),
        which is the standard textual representation of the zone;
        <span><strong class="command">"full"</strong></span>, which is text output in a
        format suitable for processing by external scripts;
        and <span><strong class="command">"map"</strong></span>, <span><strong class="command">"raw"</strong></span>,
        and <span><strong class="command">"raw=N"</strong></span>, which store the zone in
        binary formats for rapid loading by <span><strong class="command">named</strong></span>.
        <span><strong class="command">"raw=N"</strong></span> specifies the format version of
        the raw zone file: if N is 0, the raw file can be read by
        any version of <span><strong class="command">named</strong></span>; if N is 1, the file
        can be read by release 9.9.0 or higher; the default is 1.
      </p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
        Use pseudo-random data when signing the zone. This is faster,
        but less secure, than using real random data. This option
        may be useful when signing large zones or when the entropy
        source is limited.
      </p></dd>
<dt><span class="term">-P</span></dt>
<dd>
<p>
        Disable post-sign verification tests.
      </p>
<p>
        The post-sign verification test ensures that for each algorithm
        in use there is at least one non-revoked self-signed KSK key,
        that all revoked KSK keys are self-signed, and that all records
        in the zone are signed by the algorithm.
        This option skips these tests.
      </p>
</dd>
<dt><span class="term">-Q</span></dt>
<dd>
<p>
        Remove signatures from keys that are no longer active.
      </p>
<p>
        Normally, when a previously-signed zone is passed as input
        to the signer, and a DNSKEY record has been removed and
        replaced with a new one, signatures from the old key
        that are still within their validity period are retained.
        This allows the zone to continue to validate with cached
        copies of the old DNSKEY RRset. The <code class="option">-Q</code>
        option forces <span><strong class="command">dnssec-signzone</strong></span> to remove
        signatures from keys that are no longer active. This
        enables ZSK rollover using the procedure described in
        RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
      </p>
</dd>
<dt><span class="term">-R</span></dt>
<dd>
<p>
        Remove signatures from keys that are no longer published.
      </p>
<p>
        This option is similar to <code class="option">-Q</code>, except it
        forces <span><strong class="command">dnssec-signzone</strong></span> to remove signatures from
        keys that are no longer published. This enables ZSK rollover
        using the procedure described in RFC 4641, section 4.2.1.2
        ("Double Signature Zone Signing Key Rollover").
      </p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
        Specifies the source of randomness. If the operating
        system does not provide a <code class="filename">/dev/random</code>
        or equivalent device, the default source of randomness
        is keyboard input. <code class="filename">randomdev</code> specifies
        the name of a character device or file containing random
        data to be used instead of the default. The special value
        <code class="filename">keyboard</code> indicates that keyboard
        input should be used.
      </p></dd>
<dt><span class="term">-S</span></dt>
<dd>
<p>
        Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
        search the key repository for keys that match the zone being
        signed, and to include them in the zone if appropriate.
      </p>
<p>
        When a key is found, its timing metadata is examined to
        determine how it should be used, according to the following
        rules. Each successive rule takes priority over the prior
        ones:
      </p>
<div class="variablelist"><dl>
<dt></dt>
<dd><p>
        If no timing metadata has been set for the key, the key is
        published in the zone and used to sign the zone.
      </p></dd>
<dt></dt>
<dd><p>
        If the key's publication date is set and is in the past, the
        key is published in the zone.
      </p></dd>
<dt></dt>
<dd><p>
        If the key's activation date is set and in the past, the
        key is published (regardless of publication date) and
        used to sign the zone.
      </p></dd>
<dt></dt>
<dd><p>
        If the key's revocation date is set and in the past, and the
        key is published, then the key is revoked, and the revoked key
        is used to sign the zone.
      </p></dd>
<dt></dt>
<dd><p>
        If either of the key's unpublication or deletion dates are set
        and in the past, the key is NOT published or used to sign the
        zone, regardless of any other metadata.
      </p></dd>
</dl></div>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
        Specifies a TTL to be used for new DNSKEY records imported
        into the zone from the key repository. If not
        specified, the default is the TTL value from the zone's SOA
        record. This option is ignored when signing without
        <code class="option">-S</code>, since DNSKEY records are not imported
        from the key repository in that case. It is also ignored if
        there are any pre-existing DNSKEY records at the zone apex,
        in which case new records' TTL values will be set to match
        them, or if any of the imported DNSKEY records had a default
        TTL value. In the event of a conflict between TTL values in
        imported keys, the shortest one is used.
      </p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>
        Print statistics at completion.
      </p></dd>
<dt><span class="term">-u</span></dt>
<dd><p>
        Update the NSEC/NSEC3 chain when re-signing a previously signed
        zone. With this option, a zone signed with NSEC can be
        switched to NSEC3, or a zone signed with NSEC3 can
        be switched to NSEC or to NSEC3 with different parameters.
        Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
        retain the existing chain when re-signing.
      </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
        Sets the debugging level.
      </p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>
        Only sign the DNSKEY RRset with key-signing keys, and omit
        signatures from zone-signing keys. (This is similar to the
        <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
        <span><strong class="command">named</strong></span>.)
      </p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
        Ignore the KSK flag on keys when determining what to sign. This
        causes KSK-flagged keys to sign all records, not just the
        DNSKEY RRset. (This is similar to the
        <span><strong class="command">update-check-ksk no;</strong></span> zone option in
        <span><strong class="command">named</strong></span>.)
      </p></dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd><p>
        Generate an NSEC3 chain with the given hex-encoded salt.
        A dash (<code class="option">-</code>) given as the
        <em class="replaceable"><code>salt</code></em> indicates that no salt
        is to be used when generating the NSEC3 chain.
      </p></dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd><p>
        When generating an NSEC3 chain, use this many iterations. The
        default is 10.
      </p></dd>
<dt><span class="term">-A</span></dt>
<dd>
<p>
        When generating an NSEC3 chain, set the OPTOUT flag on all
        NSEC3 records and do not generate NSEC3 records for insecure
        delegations.
      </p>
<p>
        Using this option twice (i.e., <code class="option">-AA</code>)
        turns the OPTOUT flag off for all records. This is useful
        when using the <code class="option">-u</code> option to modify an NSEC3
        chain which previously had OPTOUT set.
      </p>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
        The file containing the zone to be signed.
      </p></dd>
<dt><span class="term">key</span></dt>
<dd><p>
        Specify which keys should be used to sign the zone. If
        no keys are specified, then the zone will be examined
        for DNSKEY records at the zone apex. If these are found and
        there are matching private keys in the current directory,
        then these will be used for signing.
      </p></dd>
</dl></div>
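<p>
        The following Python fragment is an added example, not code from
        <span><strong class="command">dnssec-signzone</strong></span> or BIND: it applies the five
        <code class="option">-S</code> timing rules above, in order, to constructed key
        metadata and reports whether each key is published, used to sign, or
        revoked. The field names and the dict layout are assumptions of the
        example, not the format of BIND key files.
      </p>

```python
from datetime import datetime, timezone

# Timing fields named as the man page describes them. The dict layout is an
# assumption of this example, not dnssec-signzone's key-file format.
TIMING_FIELDS = ("publish", "activate", "revoke", "unpublish", "delete")

# Constructed "now" so the decisions below are reproducible.
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)


def decide_key_usage(meta, now=NOW):
    """Apply the -S rules in order; each later rule overrides earlier ones.

    Returns {'publish': bool, 'sign': bool, 'revoked': bool}.
    """
    def past(field):
        when = meta.get(field)
        return when is not None and when <= now

    publish = sign = revoked = False
    # Rule 1: no timing metadata at all -> publish and sign.
    if all(meta.get(f) is None for f in TIMING_FIELDS):
        publish = sign = True
    # Rule 2: publication date in the past -> publish (not yet signing).
    if past("publish"):
        publish = True
    # Rule 3: activation date in the past -> publish regardless of the
    # publication date, and sign with the key.
    if past("activate"):
        publish = sign = True
    # Rule 4: revocation date in the past AND the key is published ->
    # the key is marked revoked and the revoked key still signs.
    if past("revoke") and publish:
        revoked = True
        sign = True
    # Rule 5: unpublication or deletion date in the past -> drop the key
    # entirely, whatever the other fields say.
    if past("unpublish") or past("delete"):
        publish = sign = revoked = False
    return {"publish": publish, "sign": sign, "revoked": revoked}


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample key repository: one key per interesting case.
SAMPLE_KEYS = {
    "no-metadata": {},
    "prepublished": {"publish": _utc(2014, 5, 1), "activate": _utc(2014, 7, 1)},
    "active": {"publish": _utc(2014, 1, 1), "activate": _utc(2014, 2, 1)},
    "activate-only": {"activate": _utc(2014, 2, 1)},
    "revoked": {"publish": _utc(2013, 1, 1), "activate": _utc(2013, 2, 1),
                "revoke": _utc(2014, 5, 15)},
    # Revocation date has passed, but the key is not yet published, so
    # rule 4 does not fire: the key stays out of the zone.
    "revoke-unpublished": {"publish": _utc(2014, 9, 1), "revoke": _utc(2014, 5, 15)},
    "retired": {"publish": _utc(2013, 1, 1), "activate": _utc(2013, 2, 1),
                "delete": _utc(2014, 3, 1)},
}


def smart_select(keys=SAMPLE_KEYS, now=NOW):
    """Decide publish/sign/revoked for every key in a repository."""
    return {name: decide_key_usage(meta, now) for name, meta in keys.items()}


if __name__ == "__main__":
    for name, decision in smart_select().items():
        print("%-20s %s" % (name, decision))
```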
</div>
<div class="refsect1" lang="en">
<a name="id2545352"></a><h2>EXAMPLE</h2>
<p>
      The following command signs the <strong class="userinput"><code>example.com</code></strong>
      zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
      (Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option
      is not being used, the zone's keys must be in the master file
      (<code class="filename">db.example.com</code>). This invocation looks
      for <code class="filename">dsset</code> files in the current directory
      so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
    </p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</pre>
<p>
      In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
      the file <code class="filename">db.example.com.signed</code>. This
      file should be referenced in a zone statement in a
      <code class="filename">named.conf</code> file.
    </p>
<p>
      This example re-signs a previously signed zone with default parameters.
      The private keys are assumed to be in the current directory.
    </p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</pre>
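<p>
      The hashed owner names that the <code class="option">-3</code> salt and
      <code class="option">-H</code> iteration count produce can be reproduced with the
      following added Python (an example written for this page, not BIND's code).
      It computes the RFC 5155 NSEC3 hash of an owner name, treats a salt of
      <code class="option">-</code> as no salt, and shows that any change of salt or
      iterations changes every hashed name, which is why switching NSEC3 parameters
      on an already-signed zone requires rebuilding the chain with
      <code class="option">-u</code>.
    </p>

```python
import base64
import hashlib

# Base32hex (RFC 4648 section 7) spelled via the standard base32 alphabet;
# a 20-byte SHA-1 digest always encodes to exactly 32 characters, no padding.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminator
    return bytes(out)


def nsec3_hash(name, salt_hex, iterations):
    """Hashed owner name per RFC 5155 section 5.

    H(x) = SHA-1(x || salt), then re-applied 'iterations' more times.
    A salt of '-' (the spelling dnssec-signzone -3 accepts) means no salt.
    """
    salt = b"" if salt_hex in ("-", "") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii")
    return b32.translate(_B32_TO_B32HEX).lower()


def nsec3_owner(name, zone, salt_hex, iterations):
    """Owner name of the NSEC3 record that stands for 'name' in 'zone'."""
    return "%s.%s." % (nsec3_hash(name, salt_hex, iterations), zone.rstrip("."))


if __name__ == "__main__":
    # Parameters from RFC 5155 Appendix A: salt aabbccdd, 12 iterations.
    print(nsec3_owner("example", "example", "aabbccdd", 12))
    # The same name under the unsalted chain that "-3 -" (default -H 10) builds;
    # every hashed name differs, so the old chain cannot be reused.
    print(nsec3_owner("example", "example", "-", 10))
```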
</div>
<div class="refsect1" lang="en">
<a name="id2545476"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2545504"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
</div>
</div></body>
</html>