dnssec-signzone.html revision 2eeb74d1cf5355dd98f6d507a10086e16bb08c4b
<!--
 - Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.76.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" title="dnssec-signzone">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
 <span class="application">dnssec-signzone</span>
 — DNSSEC zone signing tool
 [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
 [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>]
 [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
 [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>]
 [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>]
 [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
 [<code class="option">-k <em class="replaceable"><code>key</code></em></code>]
 [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
 [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
 [<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>]
 [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
 [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
 [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>]
 [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>]
 [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
 [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>]
 [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>]
 [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
 [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
 [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
 [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>]
 [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>]
 [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>]
<a name="idp61133136"></a><h2>DESCRIPTION</h2>
 <p><span class="command"><strong>dnssec-signzone</strong></span>
 signs a zone. It generates
 NSEC and RRSIG records and produces a signed version of the
 zone. The security status of delegations from the signed zone
 (that is, whether the child zones are secure or not) is
 determined by the presence or absence of a
 <code class="filename">keyset</code> file for each child zone.</p>
 Verify all generated signatures.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Specifies the DNS class of the zone.
 Compatibility mode: Generate a
 <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
 file in addition to
 <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
 when signing a zone, for use by older versions of
 <span class="command"><strong>dnssec-signzone</strong></span>.
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
 Look for <code class="filename">dsset-</code> or
 <code class="filename">keyset-</code> files in <code class="option">directory</code>.
<dt><span class="term">-D</span></dt>
 Output only those record types automatically managed by
 <span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
 NSEC3 and NSEC3PARAM records. If smart signing
 (<code class="option">-S</code>) is used, DNSKEY records are also
 included. The resulting file can be included in the original
 zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
 cannot be combined with <code class="option">-O raw</code>,
 <code class="option">-O map</code>, or serial number updating.
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 When applicable, specifies the hardware to use for
 cryptographic operations, such as a secure key store used
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware security
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
 Generate DS records for child zones from
 <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
 file. Existing DS records will be removed.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 Key repository: Specify a directory to search for DNSSEC keys.
 If not specified, defaults to the current directory.
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
 Treat the specified key as a key-signing key, ignoring any
 key flags. This option may be specified multiple times.
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
 Generate a DLV set in addition to the key (DNSKEY) and DS sets.
 The domain is appended to the name of the records.
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
 Sets the maximum TTL for the signed zone.
 Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
 input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
 in the output. This provides certainty as to the largest
 possible TTL in the signed zone, which is useful to know when
 rolling keys because it is the longest possible time before
 signatures that have been retrieved by resolvers will expire
 from resolver caches. Zones that are signed with this
 option should be configured to use a matching
 <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
 (Note: This option is incompatible with <code class="option">-D</code>,
 because it modifies non-DNSSEC data in the output zone.)
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
 Specify the date and time when the generated RRSIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <code class="option">start-time</code> is specified, the current
 time minus 1 hour (to allow for clock skew) is used.
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
 Specify the date and time when the generated RRSIG records
 expire. As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">end-time</code> is
 specified, 30 days from the start time is used as a default.
 <code class="option">end-time</code> must be later than
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
 Specify the date and time when the generated RRSIG records
 for the DNSKEY RRset will expire. This is to be used in cases
 when the DNSKEY signatures need to persist longer than
 signatures on other records; e.g., when the private component
 of the KSK is kept offline and the KSK signature is to be
 refreshed manually.
 As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">extended end-time</code> is
 specified, the value of <code class="option">end-time</code> is used as
 the default. (<code class="option">end-time</code>, in turn, defaults to
 30 days from the start time.) <code class="option">extended end-time</code>
 must be later than <code class="option">start-time</code>.
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
 The name of the output file containing the signed zone. The
 default is to append <code class="filename">.signed</code> to
 the input filename. If <code class="option">output-file</code> is
 set to <code class="literal">"-"</code>, then the signed zone is
 written to the standard output, with a default output
 format of "full".
 Prints a short summary of the options and arguments to
 <span class="command"><strong>dnssec-signzone</strong></span>.
 Prints version information.
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 When a previously-signed zone is passed as input, records
 may be resigned. The <code class="option">interval</code> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.
 The default cycle interval is one quarter of the difference
 between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 is specified, <span class="command"><strong>dnssec-signzone</strong></span> generates
 signatures that are valid for 30 days, with a cycle
 interval of 7.5 days. Therefore, if any existing RRSIG records
 are due to expire in less than 7.5 days, they would be
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
 The format of the input zone file.
 Possible formats are <span class="command"><strong>"text"</strong></span> (default),
 <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be signed directly.
 The use of this option does not make much sense for
 non-dynamic zones.
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
 When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously-signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <code class="option">jitter</code> option specifies a
 jitter window that will be used to randomize the signature
 expire time, thus spreading incremental signature
 regeneration over time.
 Signature lifetime jitter also benefits validators and
 servers to some extent by spreading out cache expiration:
 if large numbers of RRSIGs don't expire at the same time
 from all caches there will be less congestion than if all
 validators need to refetch at mostly the same time.
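The interaction of start-time, end-time, extended end-time, the cycle interval and jitter is easier to see in code. The following is an added example, not BIND's implementation: it resolves the time notations and defaults exactly as the option descriptions above state them, and applies the "retain only if it expires after now + interval" rule; the way jitter is applied (a random offset subtracted from the expiry) is an assumption, since the page does not say where in the window the expiry lands.

```python
"""Model of dnssec-signzone's signature timing rules (-s, -e, -X, -i, -j)."""
import random
from datetime import datetime, timedelta, timezone


def parse_time(spec, now, start=None):
    """Resolve one time argument.

    YYYYMMDDHHMMSS is absolute UTC; now+N is N seconds after the current time;
    +N is N seconds after `start` when one is given (the -e/-X convention),
    otherwise after the current time (the -s convention).
    """
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        base = start if start is not None else now
        return base + timedelta(seconds=int(spec[1:]))
    if len(spec) == 14 and spec.isdigit():
        return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised time specification: {spec!r}")


def signing_window(now, start=None, end=None, extended_end=None, interval=None):
    """Apply the defaults from the option descriptions and validate ordering.

    start defaults to now - 1h (clock skew), end to start + 30 days, the
    DNSKEY expiry (-X) to end, and the cycle interval (-i) to a quarter of
    the signature lifetime.
    """
    inception = parse_time(start, now) if start else now - timedelta(hours=1)
    expiration = (parse_time(end, now, inception) if end
                  else inception + timedelta(days=30))
    if expiration <= inception:
        raise ValueError("end-time must be later than start-time")
    dnskey_expiration = (parse_time(extended_end, now, inception) if extended_end
                         else expiration)
    if dnskey_expiration <= inception:
        raise ValueError("extended end-time must be later than start-time")
    cycle = (timedelta(seconds=interval) if interval is not None
             else (expiration - inception) / 4)
    return {
        "inception": inception,
        "expiration": expiration,
        "dnskey_expiration": dnskey_expiration,
        "cycle": cycle,
    }


def retain_rrsig(rrsig_expiration, now, cycle):
    """-i rule: an existing RRSIG survives re-signing only if it expires after
    now + cycle; otherwise it is "expiring soon" and is regenerated."""
    return rrsig_expiration > now + cycle


def jittered_expiration(expiration, jitter_seconds, rng=random):
    """-j: spread expiry times over a window so incremental re-signing does not
    fall due all at once. Assumption: the random offset is subtracted, so no
    signature outlives the configured end-time."""
    if jitter_seconds <= 0:
        return expiration
    return expiration - timedelta(seconds=rng.randint(0, jitter_seconds))


def resign_plan(rrsig_expirations, now, window, jitter_seconds=0, rng=random):
    """For each existing RRSIG expiry, report whether it is kept and, if it is
    regenerated, what its new expiry will be."""
    plan = []
    for old in rrsig_expirations:
        if retain_rrsig(old, now, window["cycle"]):
            plan.append(("retain", old))
        else:
            plan.append(("resign", jittered_expiration(window["expiration"],
                                                       jitter_seconds, rng)))
    return plan
```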
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
 When writing a signed zone to "raw" or "map" format, set the
 "source serial" value in the header to the specified serial
 number. (This is expected to be used primarily for testing
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
 Specifies the number of threads to use. By default, one
 thread is started for each detected CPU.
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
 The SOA serial number format of the signed zone.
 Possible formats are <span class="command"><strong>"keep"</strong></span> (default),
 <span class="command"><strong>"increment"</strong></span>, <span class="command"><strong>"unixtime"</strong></span>,
 and <span class="command"><strong>"date"</strong></span>.
<dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt>
 <p>Do not modify the SOA serial number.</p>
<dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt>
 <p>Increment the SOA serial number using RFC 1982
 arithmetic.</p>
<dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt>
 <p>Set the SOA serial number to the number of seconds
 since epoch.</p>
<dt><span class="term"><span class="command"><strong>"date"</strong></span></span></dt>
 <p>Set the SOA serial number to today's date in
 YYYYMMDDNN format.</p>
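The serial format matters operationally because secondaries only transfer a zone whose serial has moved forward under RFC 1982 comparison. The following added example (not BIND's code) implements that comparison and the four formats; "keep" and "increment" follow the text directly, while the collision handling for "unixtime" and "date" (fall back to old + 1 when the time-based value would not be an increase) and the skipping of a zero serial are assumptions the page does not state.

```python
"""Model of the -N soa-serial-format choices and of the RFC 1982 serial
comparison that decides whether a secondary will transfer the new zone."""
MOD = 1 << 32          # SOA serials are 32-bit
HALF = 1 << 31         # RFC 1982 comparison window


def serial_gt(a, b):
    """RFC 1982: a is greater than b when a != b and the forward distance
    from b to a (modulo 2^32) is below 2^31."""
    return a != b and (a - b) % MOD < HALF


def serial_add(serial, n):
    """RFC 1982 addition; n must be below 2^31. Assumption: a result of 0 is
    bumped to 1, since a zero serial is conventionally avoided in SOA records."""
    if not 0 <= n < HALF:
        raise ValueError("increment must be in [0, 2^31)")
    result = (serial + n) % MOD
    return result or 1


def new_soa_serial(old, fmt, now_unix=None, today_yyyymmdd=None):
    """Return the serial to write for soa-serial-format fmt.

    keep and increment follow the option text. For unixtime and date the page
    only gives the target value; the collision handling here (use the
    time-based value if it is a serial-arithmetic increase over the old
    serial, otherwise old + 1) is an assumption.
    """
    if fmt == "keep":
        return old
    if fmt == "increment":
        return serial_add(old, 1)
    if fmt == "unixtime":
        if now_unix is None:
            raise ValueError("unixtime format needs the current time")
        candidate = now_unix % MOD
    elif fmt == "date":
        if today_yyyymmdd is None:
            raise ValueError("date format needs today's date")
        candidate = today_yyyymmdd * 100        # YYYYMMDDNN with NN = 00
    else:
        raise ValueError(f"unknown soa-serial-format: {fmt!r}")
    return candidate if serial_gt(candidate, old) else serial_add(old, 1)


def secondary_will_transfer(new, old):
    """A secondary compares serials with RFC 1982 rules; a re-signed zone whose
    serial did not move forward (e.g. -N keep without a manual bump) will not
    be picked up via NOTIFY/IXFR/AXFR."""
    return serial_gt(new, old)
```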
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
 The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
 The format of the output file containing the signed zone.
 Possible formats are <span class="command"><strong>"text"</strong></span> (default),
 which is the standard textual representation of the zone;
 <span class="command"><strong>"full"</strong></span>, which is text output in a
 format suitable for processing by external scripts;
 and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
 and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in
 binary formats for rapid loading by <span class="command"><strong>named</strong></span>.
 <span class="command"><strong>"raw=N"</strong></span> specifies the format version of
 the raw zone file: if N is 0, the raw file can be read by
 any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
 can be read by release 9.9.0 or higher; the default is 1.
 Use pseudo-random data when signing the zone. This is faster,
 but less secure, than using real random data. This option
 may be useful when signing large zones or when the entropy
 source is limited.
 Disable post sign verification tests.
 The post sign verification test ensures that for each algorithm
 in use there is at least one non-revoked, self-signed KSK,
 that all revoked KSKs are self-signed, and that all records
 in the zone are signed by the algorithm.
 This option skips these tests.
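The three post-sign checks are worth understanding before disabling them, since a zone that fails any of them is either unvalidatable or leaves validators unable to trust a revocation. The following added example (not BIND's verifier) runs the same three checks over a constructed in-memory model of a signed zone; the key labels, the `(owner, type)` RRset model and the reading of "self-signed" as "the KSK signed the apex DNSKEY RRset" are assumptions.

```python
"""Model of the post-sign verification tests that -P disables."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Dnskey:
    key_id: str        # constructed label standing in for a key tag
    algorithm: int
    ksk: bool
    revoked: bool = False


@dataclass(frozen=True)
class Rrsig:
    owner: str
    covered: str       # RR type the signature covers
    algorithm: int
    key_id: str        # the DNSKEY that produced it


def verify_signed_zone(origin, rrsets, dnskeys, rrsigs):
    """Run the three checks from the option description over an in-memory model.

    rrsets: the authoritative (owner, type) pairs that must carry signatures.
    Returns a list of human-readable failures; an empty list means the zone
    passes. "Self-signed" is read as: the KSK itself signed the apex DNSKEY
    RRset (assumption about the page's wording).
    """
    failures = []
    algorithms = {k.algorithm for k in dnskeys}
    key_alg = {k.key_id: k.algorithm for k in dnskeys}

    # Signatures over the apex DNSKEY RRset, by signing key.
    dnskey_signers = {s.key_id for s in rrsigs
                      if s.owner == origin and s.covered == "DNSKEY"}

    for alg in sorted(algorithms):
        ksks = [k for k in dnskeys if k.algorithm == alg and k.ksk]
        # Check 1: at least one non-revoked, self-signed KSK per algorithm.
        if not any(not k.revoked and k.key_id in dnskey_signers for k in ksks):
            failures.append(f"algorithm {alg}: no non-revoked self-signed KSK")
        # Check 2: every revoked KSK must still be self-signed, otherwise
        # validators cannot tell the revocation came from the key holder.
        for k in ksks:
            if k.revoked and k.key_id not in dnskey_signers:
                failures.append(f"revoked KSK {k.key_id} is not self-signed")

    # Check 3: every RRset is signed under every algorithm in the DNSKEY RRset.
    signed_by = defaultdict(set)
    for s in rrsigs:
        if s.key_id not in key_alg:
            failures.append(f"{s.owner}/{s.covered}: RRSIG by unknown key {s.key_id}")
        elif s.algorithm != key_alg[s.key_id]:
            failures.append(f"{s.owner}/{s.covered}: RRSIG algorithm {s.algorithm} "
                            f"does not match key {s.key_id}")
        else:
            signed_by[(s.owner, s.covered)].add(s.algorithm)
    for owner, rtype in sorted(rrsets):
        for alg in sorted(algorithms - signed_by[(owner, rtype)]):
            failures.append(f"{owner}/{rtype}: no RRSIG for algorithm {alg}")
    return failures


def example_zone(ksk_revoked=False, ksk_self_signed=True):
    """Constructed sample: example.com with one KSK and one ZSK, both alg 8."""
    origin = "example.com."
    keys = [Dnskey("ksk-8", 8, ksk=True, revoked=ksk_revoked),
            Dnskey("zsk-8", 8, ksk=False)]
    rrsets = {(origin, "SOA"), (origin, "NS"), (origin, "DNSKEY"),
              ("www.example.com.", "A")}
    sigs = [Rrsig(origin, "SOA", 8, "zsk-8"), Rrsig(origin, "NS", 8, "zsk-8"),
            Rrsig("www.example.com.", "A", 8, "zsk-8"),
            Rrsig(origin, "DNSKEY", 8, "zsk-8")]
    if ksk_self_signed:
        sigs.append(Rrsig(origin, "DNSKEY", 8, "ksk-8"))
    return origin, rrsets, keys, sigs
```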
<dt><span class="term">-Q</span></dt>
 Remove signatures from keys that are no longer active.
 Normally, when a previously-signed zone is passed as input
 to the signer, and a DNSKEY record has been removed and
 replaced with a new one, signatures from the old key
 that are still within their validity period are retained.
 This allows the zone to continue to validate with cached
 copies of the old DNSKEY RRset. The <code class="option">-Q</code>
 forces <span class="command"><strong>dnssec-signzone</strong></span> to remove
 signatures from keys that are no longer active. This
 enables ZSK rollover using the procedure described in
 RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
 Remove signatures from keys that are no longer published.
 This option is similar to <code class="option">-Q</code>, except it
 forces <span class="command"><strong>dnssec-signzone</strong></span> to remove signatures from
 keys that are no longer published. This enables ZSK rollover
 using the procedure described in RFC 4641, section 4.2.1.2
 ("Double Signature Zone Signing Key Rollover").
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
<dt><span class="term">-S</span></dt>
 Smart signing: Instructs <span class="command"><strong>dnssec-signzone</strong></span> to
 search the key repository for keys that match the zone being
 signed, and to include them in the zone if appropriate.
 When a key is found, its timing metadata is examined to
 determine how it should be used, according to the following
 rules. Each successive rule takes priority over the prior
 If no timing metadata has been set for the key, the key is
 published in the zone and used to sign the zone.
 If the key's publication date is set and is in the past, the
 key is published in the zone.
 If the key's activation date is set and in the past, the
 key is published (regardless of publication date) and
 used to sign the zone.
 If the key's revocation date is set and in the past, and the
 key is published, then the key is revoked, and the revoked key
 is used to sign the zone.
 If either the key's unpublication or deletion date is set
 and in the past, the key is NOT published or used to sign the
 zone, regardless of any other metadata.
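Because each rule overrides the ones before it, the outcome for a key with several dates set is not obvious from reading the list. The following added example (not BIND's smart-signing code) evaluates the five rules in the order and with the precedence given above, using the page's own terms for the dates, and reports the operator-visible failure modes (no active key, or only revoked keys signing); the key labels are constructed.

```python
"""Model of the -S key-timing rules, with each rule overriding the earlier ones."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class KeyMetadata:
    """Timing metadata of one key, using the page's own terms. None = unset."""
    name: str
    publication: Optional[datetime] = None
    activation: Optional[datetime] = None
    revocation: Optional[datetime] = None
    unpublication: Optional[datetime] = None
    deletion: Optional[datetime] = None


@dataclass(frozen=True)
class Decision:
    publish: bool   # DNSKEY record goes into the zone
    sign: bool      # key is used to generate RRSIGs
    revoked: bool   # published as a revoked key and signs, per rule 4


def decide(key, now):
    """Walk the rules in the order the page lists them; a later rule that
    applies overrides the outcome of an earlier one."""
    def in_past(t):
        return t is not None and t <= now

    dates = (key.publication, key.activation, key.revocation,
             key.unpublication, key.deletion)
    if all(d is None for d in dates):
        return Decision(publish=True, sign=True, revoked=False)   # rule 1

    publish = sign = revoked = False
    if in_past(key.publication):                                   # rule 2
        publish = True
    if in_past(key.activation):                                    # rule 3
        publish = sign = True
    if in_past(key.revocation) and publish:                        # rule 4
        revoked = sign = True
    if in_past(key.unpublication) or in_past(key.deletion):        # rule 5
        return Decision(publish=False, sign=False, revoked=False)
    return Decision(publish=publish, sign=sign, revoked=revoked)


def select_keys(keys, now):
    """Split a key repository into the DNSKEYs to publish and the keys to sign
    with, and flag the failure modes an operator would want to see."""
    decisions = {k.name: decide(k, now) for k in keys}
    published = sorted(n for n, d in decisions.items() if d.publish)
    signers = sorted(n for n, d in decisions.items() if d.sign)
    revoked = sorted(n for n, d in decisions.items() if d.revoked)
    warnings = []
    if not signers:
        warnings.append("no key is active: the zone would not be signed")
    elif all(n in revoked for n in signers):
        warnings.append("only revoked keys are signing")
    return {"published": published, "signers": signers,
            "revoked": revoked, "warnings": warnings}


def utc(yyyymmddhhmmss):
    """Accept the man page's YYYYMMDDHHMMSS notation as a UTC datetime."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
```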
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
Kexample.com.+003+17247