dnssec-signzone.html revision 731cc132f22dbc9e0ecd7035dce314a61076d31b
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync - Copyright (C) 2000-2003 Internet Software Consortium.
8cd393943ea52545c4d063f5a94436639f0f80b6vboxsync - Permission to use, copy, modify, and distribute this software for any
8cd393943ea52545c4d063f5a94436639f0f80b6vboxsync - purpose with or without fee is hereby granted, provided that the above
8cd393943ea52545c4d063f5a94436639f0f80b6vboxsync - copyright notice and this permission notice appear in all copies.
8cd393943ea52545c4d063f5a94436639f0f80b6vboxsync - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
8cd393943ea52545c4d063f5a94436639f0f80b6vboxsync - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
8cd393943ea52545c4d063f5a94436639f0f80b6vboxsync - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
8cd393943ea52545c4d063f5a94436639f0f80b6vboxsync - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync - PERFORMANCE OF THIS SOFTWARE.
d46ee884c41b808b239563b1978468aae12e33a2vboxsync<!-- $Id: dnssec-signzone.html,v 1.32 2008/09/25 04:45:04 tbox Exp $ -->
904810c4c6668233349b025cc58013cb7c11c701vboxsync<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
d46ee884c41b808b239563b1978468aae12e33a2vboxsync<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
d46ee884c41b808b239563b1978468aae12e33a2vboxsync<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
1c94c0a63ba68be1a7b2c640e70d7a06464e4fcavboxsync<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
1c94c0a63ba68be1a7b2c640e70d7a06464e4fcavboxsync<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
1c94c0a63ba68be1a7b2c640e70d7a06464e4fcavboxsync<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
1c94c0a63ba68be1a7b2c640e70d7a06464e4fcavboxsync<p><span><strong class="command">dnssec-signzone</strong></span>
1c94c0a63ba68be1a7b2c640e70d7a06464e4fcavboxsync signs a zone. It generates
d46ee884c41b808b239563b1978468aae12e33a2vboxsync NSEC and RRSIG records and produces a signed version of the
d46ee884c41b808b239563b1978468aae12e33a2vboxsync zone. The security status of delegations from the signed zone
d46ee884c41b808b239563b1978468aae12e33a2vboxsync (that is, whether the child zones are secure or not) is
d46ee884c41b808b239563b1978468aae12e33a2vboxsync determined by the presence or absence of a
d46ee884c41b808b239563b1978468aae12e33a2vboxsync <code class="filename">keyset</code> file for each child zone.
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync Verify all generated signatures.
2a229554eb081e98411c81dcdef146c35a000f80vboxsync<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
635fe52d5adf7b894207be82370e49e1fae64af0vboxsync Specifies the DNS class of the zone.
635fe52d5adf7b894207be82370e49e1fae64af0vboxsync<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
635fe52d5adf7b894207be82370e49e1fae64af0vboxsync Treat specified key as a key signing key ignoring any
635fe52d5adf7b894207be82370e49e1fae64af0vboxsync key flags. This option may be specified multiple times.
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync Generate a DLV set in addition to the key (DNSKEY) and DS sets.
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync The domain is appended to the name of the records.
d46ee884c41b808b239563b1978468aae12e33a2vboxsync<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
d46ee884c41b808b239563b1978468aae12e33a2vboxsync Look for <code class="filename">keyset</code> files in
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync <code class="option">directory</code> as the directory
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync Generate DS records for child zones from keyset files.
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync Existing DS records will be removed.
e33247bff4fddfdba92538374bcc9e2753044a38vboxsync<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync Specify the date and time when the generated RRSIG records
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync become valid. This can be either an absolute or relative
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync time. An absolute start time is indicated by a number
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync in YYYYMMDDHHMMSS notation; 20000530144500 denotes
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync 14:45:00 UTC on May 30th, 2000. A relative start time is
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync indicated by +N, which is N seconds from the current time.
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync If no <code class="option">start-time</code> is specified, the current
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync time minus 1 hour (to allow for clock skew) is used.
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync Specify the date and time when the generated RRSIG records
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync expire. As with <code class="option">start-time</code>, an absolute
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync time is indicated in YYYYMMDDHHMMSS notation. A time relative
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync to the start time is indicated with +N, which is N seconds from
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync the start time. A time relative to the current time is
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync indicated with now+N. If no <code class="option">end-time</code> is
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync specified, 30 days from the start time is used as a default.
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync The name of the output file containing the signed zone. The
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync default is to append <code class="filename">.signed</code> to
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync input filename.
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync Prints a short summary of the options and arguments to
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync <span><strong class="command">dnssec-signzone</strong></span>.
64836f6a22eea42b83b0ec64abcb3aa7ccc27f25vboxsync<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync When a previously-signed zone is passed as input, records
71e8510a26b72d539cf6d7d7157bd87a53de8cf4vboxsync may be resigned. The <code class="option">interval</code> option
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync specifies the cycle interval as an offset from the current
e33247bff4fddfdba92538374bcc9e2753044a38vboxsync time (in seconds). If a RRSIG record expires after the
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync cycle interval, it is retained. Otherwise, it is considered
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync to be expiring soon, and it will be replaced.
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync The default cycle interval is one quarter of the difference
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync between the signature end and start times. So if neither
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync <code class="option">end-time</code> or <code class="option">start-time</code>
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync are specified, <span><strong class="command">dnssec-signzone</strong></span>
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync signatures that are valid for 30 days, with a cycle
6063286f0f0d78e627c9ef48073f5753da93ba10vboxsync interval of 7.5 days. Therefore, if any existing RRSIG records
6063286f0f0d78e627c9ef48073f5753da93ba10vboxsync are due to expire in less than 7.5 days, they would be
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync The format of the input zone file.
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync Possible formats are <span><strong class="command">"text"</strong></span> (default)
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync and <span><strong class="command">"raw"</strong></span>.
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync This option is primarily intended to be used for dynamic
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync signed zones so that the dumped zone file in a non-text
64836f6a22eea42b83b0ec64abcb3aa7ccc27f25vboxsync format containing updates can be signed directly.
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync The use of this option does not make much sense for
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync non-dynamic zones.
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync When signing a zone with a fixed signature lifetime, all
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync RRSIG records issued at the time of signing expires
b099c6398b85f527d7343cb1da573e1e95f9fd10vboxsync simultaneously. If the zone is incrementally signed, i.e.
b099c6398b85f527d7343cb1da573e1e95f9fd10vboxsync a previously-signed zone is passed as input to the signer,
b099c6398b85f527d7343cb1da573e1e95f9fd10vboxsync all expired signatures have to be regenerated at about the
b099c6398b85f527d7343cb1da573e1e95f9fd10vboxsync same time. The <code class="option">jitter</code> option specifies a
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync jitter window that will be used to randomize the signature
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync expire time, thus spreading incremental signature
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync regeneration over time.
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync Signature lifetime jitter also to some extent benefits
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync validators and servers by spreading out cache expiration,
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync i.e. if large numbers of RRSIGs don't expire at the same time
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync from all caches there will be less congestion than if all
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync validators need to refetch at mostly the same time.
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
71626c00d9eb0b73ed7254794a6dfb000f4bb65cvboxsync Specifies the number of threads to use. By default, one
c09430453634ebc72695a69d12366a8fb57132e3vboxsync thread is started for each detected CPU.
e4e800c40799670522fcc976b0e07345cf459297vboxsync<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
e4e800c40799670522fcc976b0e07345cf459297vboxsync The SOA serial number format of the signed zone.
e4e800c40799670522fcc976b0e07345cf459297vboxsync Possible formats are <span><strong class="command">"keep"</strong></span> (default),
e4e800c40799670522fcc976b0e07345cf459297vboxsync <span><strong class="command">"increment"</strong></span> and
e4e800c40799670522fcc976b0e07345cf459297vboxsync <span><strong class="command">"unixtime"</strong></span>.
e4e800c40799670522fcc976b0e07345cf459297vboxsync<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
e4e800c40799670522fcc976b0e07345cf459297vboxsync<dd><p>Do not modify the SOA serial number.</p></dd>
e4e800c40799670522fcc976b0e07345cf459297vboxsync<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
e4e800c40799670522fcc976b0e07345cf459297vboxsync<dd><p>Increment the SOA serial number using RFC 1982
e4e800c40799670522fcc976b0e07345cf459297vboxsync<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
e4e800c40799670522fcc976b0e07345cf459297vboxsync<dd><p>Set the SOA serial number to the number of seconds
e4e800c40799670522fcc976b0e07345cf459297vboxsync<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
e4e800c40799670522fcc976b0e07345cf459297vboxsync The zone origin. If not specified, the name of the zone file
e4e800c40799670522fcc976b0e07345cf459297vboxsync is assumed to be the origin.
e4e800c40799670522fcc976b0e07345cf459297vboxsync<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
c09430453634ebc72695a69d12366a8fb57132e3vboxsync The format of the output file containing the signed zone.
689351c3b85a73743a522136a28262299e30b7fdvboxsync Possible formats are <span><strong class="command">"text"</strong></span> (default)
689351c3b85a73743a522136a28262299e30b7fdvboxsync and <span><strong class="command">"raw"</strong></span>.
689351c3b85a73743a522136a28262299e30b7fdvboxsync Use pseudo-random data when signing the zone. This is faster,
689351c3b85a73743a522136a28262299e30b7fdvboxsync but less secure, than using real random data. This option
689351c3b85a73743a522136a28262299e30b7fdvboxsync may be useful when signing large zones or when the entropy
689351c3b85a73743a522136a28262299e30b7fdvboxsync source is limited.
689351c3b85a73743a522136a28262299e30b7fdvboxsync<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
689351c3b85a73743a522136a28262299e30b7fdvboxsync Specifies the source of randomness. If the operating
689351c3b85a73743a522136a28262299e30b7fdvboxsync system does not provide a <code class="filename">/dev/random</code>
689351c3b85a73743a522136a28262299e30b7fdvboxsync or equivalent device, the default source of randomness
689351c3b85a73743a522136a28262299e30b7fdvboxsync is keyboard input. <code class="filename">randomdev</code>
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync the name of a character device or file containing random
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync data to be used instead of the default. The special value
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync <code class="filename">keyboard</code> indicates that keyboard
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync input should be used.
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync Print statistics at completion.
8cd393943ea52545c4d063f5a94436639f0f80b6vboxsync<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync Sets the debugging level.
1d9143584d5616e94efe0ff5ce57e04708529775vboxsync Ignore KSK flag on key when determining what to sign.
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync Generate a NSEC3 chain with the given hex encoded salt.
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync A dash (<em class="replaceable"><code>salt</code></em>) can
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync be used to indicate that no salt is to be used when generating the NSEC3 chain.
e33247bff4fddfdba92538374bcc9e2753044a38vboxsync<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
e33247bff4fddfdba92538374bcc9e2753044a38vboxsync When generating a NSEC3 chain use this many interations. The
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync default is 100.
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync When generating a NSEC3 chain set the OPTOUT flag on all
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync NSEC3 records and do not generate NSEC3 records for insecure
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync delegations.
ec037c82be3787508e228c537bd15ad9de28bac0vboxsync The file containing the zone to be signed.
d8523ff7d948462e328eec88b602effe2e7f7080vboxsync Specify which keys should be used to sign the zone. If
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync no keys are specified, then the zone will be examined
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync for DNSKEY records at the zone apex. If these are found and
ee00a0b29854e7f513198772bccb6650f6dd2184vboxsync there are matching private keys, in the current directory,
ee00a0b29854e7f513198772bccb6650f6dd2184vboxsync then these will be used for signing.
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync The following command signs the <strong class="userinput"><code>example.com</code></strong>
d46ee884c41b808b239563b1978468aae12e33a2vboxsync zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync (Kexample.com.+003+17247). The zone's keys must be in the master
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync file (<code class="filename">db.example.com</code>). This invocation looks
d46ee884c41b808b239563b1978468aae12e33a2vboxsync for <code class="filename">keyset</code> files, in the current directory,
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
d46ee884c41b808b239563b1978468aae12e33a2vboxsync<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
8cd393943ea52545c4d063f5a94436639f0f80b6vboxsync In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
8cd393943ea52545c4d063f5a94436639f0f80b6vboxsync the file <code class="filename">db.example.com.signed</code>. This
358a99c385080f7f31166943f3ac3a2aea6b5263vboxsync file should be referenced in a zone statement in a
d46ee884c41b808b239563b1978468aae12e33a2vboxsync This example re-signs a previously signed zone with default parameters.
358a99c385080f7f31166943f3ac3a2aea6b5263vboxsync The private keys are assumed to be in the current directory.
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync<pre class="programlisting">% cp db.example.com.signed db.example.com
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
fe06619ae576367ff3568e6abd99fb8ad28cc73avboxsync <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
9ca017ceee656f9d33f2cb6652e401b5f17fcfb7vboxsync<p><span class="corpauthor">Internet Systems Consortium</span>