dnssec-signzone.html revision 5a4557e8de2951a2796676b5ec4b6a90caa5be14
<!--
 - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.html,v 1.24 2005/07/19 06:12:15 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.68.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nthreads</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2514766"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
    signs a zone. It generates
    NSEC and RRSIG records and produces a signed version of the
    zone. The security status of delegations from the signed zone
    (that is, whether the child zones are secure or not) is
    determined by the presence or absence of a
    <code class="filename">keyset</code> file for each child zone.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2514781"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
    Verify all generated signatures.
    </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
    Specifies the DNS class of the zone.
    </p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
    Treat specified key as a key signing key ignoring any
    key flags. This option may be specified multiple times.
    </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
    Generate a DLV set in addition to the key (DNSKEY) and DS sets.
    The domain is appended to the name of the records.
    </p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
    Look for <code class="filename">keyset</code> files in
    <code class="option">directory</code>.
    </p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>
    Generate DS records for child zones from keyset files.
    Existing DS records will be removed.
    </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
    Specify the date and time when the generated RRSIG records
    become valid. This can be either an absolute or relative
    time. An absolute start time is indicated by a number
    in YYYYMMDDHHMMSS notation; 20000530144500 denotes
    14:45:00 UTC on May 30th, 2000. A relative start time is
    indicated by +N, which is N seconds from the current time.
    If no <code class="option">start-time</code> is specified, the current
    time minus 1 hour (to allow for clock skew) is used.
    </p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>
    Specify the date and time when the generated RRSIG records
    expire. As with <code class="option">start-time</code>, an absolute
    time is indicated in YYYYMMDDHHMMSS notation. A time relative
    to the start time is indicated with +N, which is N seconds from
    the start time. A time relative to the current time is
    indicated with now+N. If no <code class="option">end-time</code> is
    specified, 30 days from the start time is used as a default.
    </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
    The name of the output file containing the signed zone. The
    default is to append <code class="filename">.signed</code> to
    the
    input file.
    </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
    Prints a short summary of the options and arguments to
    <span><strong class="command">dnssec-signzone</strong></span>.
    </p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
    When a previously signed zone is passed as input, records
    may be re-signed. The <code class="option">interval</code> option
    specifies the cycle interval as an offset from the current
    time (in seconds). If an RRSIG record expires after the
    cycle interval, it is retained. Otherwise, it is considered
    to be expiring soon, and it will be replaced.
    </p>
<p>
    The default cycle interval is one quarter of the difference
    between the signature end and start times. So if neither
    <code class="option">end-time</code> nor <code class="option">start-time</code>
    is specified, <span><strong class="command">dnssec-signzone</strong></span>
    generates
    signatures that are valid for 30 days, with a cycle
    interval of 7.5 days. Therefore, if any existing RRSIG records
    are due to expire in less than 7.5 days, they would be
    replaced.
    </p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
    The format of the input zone file.
    Possible formats are <span><strong class="command">"text"</strong></span> (default)
    and <span><strong class="command">"raw"</strong></span>.
    This option is primarily intended to be used for dynamic
    signed zones so that the dumped zone file in a non-text
    format containing updates can be signed directly.
    The use of this option does not make much sense for
    non-dynamic zones.
    </p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd>
<p>
    When signing a zone with a fixed signature lifetime, all
    RRSIG records issued at the time of signing expire
    simultaneously. If the zone is incrementally signed, i.e.
    a previously signed zone is passed as input to the signer,
    all expired signatures have to be regenerated at about the
    same time. The <code class="option">jitter</code> option specifies a
    jitter window that will be used to randomize the signature
    expire time, thus spreading incremental signature
    regeneration over time.
    </p>
<p>
    Signature lifetime jitter also to some extent benefits
    validators and servers by spreading out cache expiration:
    if large numbers of RRSIGs do not expire from all caches at
    the same time, there will be less congestion than if all
    validators need to refetch at mostly the same time.
    </p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>
    Specifies the number of threads to use. By default, one
    thread is started for each detected CPU.
    </p></dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
    The zone origin. If not specified, the name of the zone file
    is assumed to be the origin.
    </p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>
    The format of the output file containing the signed zone.
    Possible formats are <span><strong class="command">"text"</strong></span> (default)
    and <span><strong class="command">"raw"</strong></span>.
    </p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
    Use pseudo-random data when signing the zone. This is faster,
    but less secure, than using real random data. This option
    may be useful when signing large zones or when the entropy
    source is limited.
    </p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
    Specifies the source of randomness. If the operating
    system does not provide a <code class="filename">/dev/random</code>
    or equivalent device, the default source of randomness
    is keyboard input. <code class="filename">randomdev</code>
    specifies
    the name of a character device or file containing random
    data to be used instead of the default. The special value
    <code class="filename">keyboard</code> indicates that keyboard
    input should be used.
    </p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>
    Print statistics at completion.
    </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
    Sets the debugging level.
    </p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
    Ignore KSK flag on key when determining what to sign.
    </p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
    The file containing the zone to be signed.
    </p></dd>
<dt><span class="term">key</span></dt>
<dd><p>
    The keys used to sign the zone. If no keys are specified, the
    default is all zone keys that have private key files in the
    current directory.
    </p></dd>
</dl></div>
</div>
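<p>
    An added example, not part of the BIND distribution: a Python model of how the
    <code class="option">-s</code>, <code class="option">-e</code> and <code class="option">-i</code>
    rules documented above resolve into a signature validity window and decide which existing
    RRSIG records are replaced when a signed zone is re-signed. The function names, the fixed
    clock value and the sample RRSIG expirations are assumptions constructed for illustration.
    </p>

```python
from datetime import datetime, timedelta, timezone

STAMP = "%Y%m%d%H%M%S"  # the YYYYMMDDHHMMSS notation used by -s and -e


def parse_time(spec, now, base, allow_now_prefix=False):
    """Resolve one -s/-e argument to a UTC datetime.

    '+N' is N seconds after `base`; 'now+N' (end-time only) is N seconds
    after `now`; anything else must be an absolute YYYYMMDDHHMMSS stamp.
    """
    if allow_now_prefix and spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        return base + timedelta(seconds=int(spec[1:]))
    if len(spec) != 14 or not spec.isdigit():
        raise ValueError(f"not +N or YYYYMMDDHHMMSS: {spec!r}")
    return datetime.strptime(spec, STAMP).replace(tzinfo=timezone.utc)


def signing_window(now, start=None, end=None, interval=None):
    """Return (inception, expiration, cycle) as documented for -s, -e, -i."""
    # -s: '+N' counts from the current time; default is now minus 1 hour.
    inception = (now - timedelta(hours=1) if start is None
                 else parse_time(start, now, base=now))
    # -e: '+N' counts from the start time; default is start plus 30 days.
    expiration = (inception + timedelta(days=30) if end is None
                  else parse_time(end, now, base=inception, allow_now_prefix=True))
    if expiration <= inception:
        # Sanity check added for this example; not taken from the man page.
        raise ValueError("signatures would expire before they become valid")
    # -i: default cycle interval is a quarter of the validity period.
    cycle = (timedelta(seconds=interval) if interval is not None
             else (expiration - inception) / 4)
    return inception, expiration, cycle


def plan_resign(now, cycle, rrsigs):
    """Split existing RRSIGs into those kept and those replaced on re-signing.

    A signature is retained only if it expires after now + cycle.
    """
    cutoff = now + cycle
    plan = {"retain": [], "replace": []}
    for owner, rrtype, expires in rrsigs:
        when = parse_time(expires, now, base=now)
        plan["retain" if when > cutoff else "replace"].append((owner, rrtype))
    return plan


# Constructed sample data: a fixed "current time" and four RRSIG expirations.
NOW = datetime(2005, 7, 19, 6, 0, 0, tzinfo=timezone.utc)
SAMPLE_RRSIGS = [
    ("example.com.", "SOA", "20050726180000"),
    ("example.com.", "NS", "20050810000000"),
    ("www.example.com.", "A", "20050726180001"),
    ("mail.example.com.", "MX", "20050720000000"),
]

if __name__ == "__main__":
    inception, expiration, cycle = signing_window(NOW)
    print("inception :", inception.strftime(STAMP))
    print("expiration:", expiration.strftime(STAMP))
    print("cycle     :", cycle)
    print(plan_resign(NOW, cycle, SAMPLE_RRSIGS))
```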
<div class="refsect1" lang="en">
<a name="id2515427"></a><h2>EXAMPLE</h2>
<p>
    The following command signs the <strong class="userinput"><code>example.com</code></strong>
    zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span>
    man page. The zone's keys must be in the zone. If there are
    <code class="filename">keyset</code> files associated with child
    zones, they must be in the current directory.
    </p>
<p><strong class="userinput"><code>dnssec-signzone -o example.com db.example.com
    Kexample.com.+003+26160</code></strong>
    </p>
<p>
    The command would print a string of the form:
    </p>
<p>
    In this example, <span><strong class="command">dnssec-signzone</strong></span> creates
    the file <code class="filename">db.example.com.signed</code>. This
    file
    should be referenced in a zone statement in a
    <code class="filename">named.conf</code> file.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2515475"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
    <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
    <em class="citetitle">RFC 2535</em>.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2515499"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
</div>
</div></body>
</html>