dnssec-signzone.html revision 9d557856c2a19ec95ee73245f60a92f8675cf5ba
<!--
 - Copyright (C) 2004-2009, 2011-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-Q</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
<p><span class="command"><strong>dnssec-signzone</strong></span>
 signs a zone. It generates
 NSEC and RRSIG records and produces a signed version of the
 zone. The security status of delegations from the signed zone
 (that is, whether the child zones are secure or not) is
 determined by the presence or absence of a
 <code class="filename">keyset</code> file for each child zone.</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a</span></dt>
<dd><p>Verify all generated signatures.</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>Specifies the DNS class of the zone.</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>Compatibility mode: Generate a
 <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
 file in addition to
 <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
 when signing a zone, for use by older versions of
 <span class="command"><strong>dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>Look for <code class="filename">dsset-</code> or
 <code class="filename">keyset-</code> files in <code class="option">directory</code>.</p></dd>
<dt><span class="term">-D</span></dt>
<dd><p>Output only those record types automatically managed by
 <span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
 NSEC3 and NSEC3PARAM records. If smart signing
 (<code class="option">-S</code>) is used, DNSKEY records are also
 included. The resulting file can be included in the original
 zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
 cannot be combined with <code class="option">-O raw</code>,
 <code class="option">-O map</code>, or serial number updating.</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>When applicable, specifies the hardware to use for
 cryptographic operations, such as a secure key store used</p>
<p>When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware service
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".</p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>Generate DS records for child zones from
 <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
 file. Existing DS records will be removed.</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>Key repository: Specify a directory to search for DNSSEC keys.
 If not specified, defaults to the current directory.</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>Treat specified key as a key signing key ignoring any
 key flags. This option may be specified multiple times.</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>Generate a DLV set in addition to the key (DNSKEY) and DS sets.
 The domain is appended to the name of the records.</p></dd>
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
<dd><p>Sets the maximum TTL for the signed zone.
 Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
 input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
 in the output. This provides certainty as to the largest
 possible TTL in the signed zone, which is useful to know when
 rolling keys because it is the longest possible time before
 signatures that have been retrieved by resolvers will expire
 from resolver caches. Zones that are signed with this
 option should be configured to use a matching
 <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
 (Note: This option is incompatible with <code class="option">-D</code>,
 because it modifies non-DNSSEC data in the output zone.)</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <code class="option">start-time</code> is specified, the current
 time minus 1 hour (to allow for clock skew) is used.</p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 expire. As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">end-time</code> is
 specified, 30 days from the start time is used as a default.
 <code class="option">end-time</code> must be later than</p></dd>
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 for the DNSKEY RRset will expire. This is to be used in cases
 when the DNSKEY signatures need to persist longer than
 signatures on other records; e.g., when the private component
 of the KSK is kept offline and the KSK signature is to be
 refreshed manually.</p>
<p>As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">extended end-time</code> is
 specified, the value of <code class="option">end-time</code> is used as
 the default. (<code class="option">end-time</code>, in turn, defaults to
 30 days from the start time.) <code class="option">extended end-time</code>
 must be later than <code class="option">start-time</code>.</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>The name of the output file containing the signed zone. The
 default is to append <code class="filename">.signed</code> to
 the input filename. If <code class="option">output-file</code> is
 set to <code class="literal">"-"</code>, then the signed zone is
 written to the standard output, with a default output
 format of "full".</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>Prints a short summary of the options and arguments to
 <span class="command"><strong>dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>Prints version information.</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd><p>When a previously-signed zone is passed as input, records
 may be resigned. The <code class="option">interval</code> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.</p>
<p>The default cycle interval is one quarter of the difference
 between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 is specified, <span class="command"><strong>dnssec-signzone</strong></span>
 generates signatures that are valid for 30 days, with a cycle
 interval of 7.5 days. Therefore, if any existing RRSIG records
 are due to expire in less than 7.5 days, they would be</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>The format of the input zone file.
 Possible formats are <span class="command"><strong>"text"</strong></span> (default),
 <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be signed directly.
 The use of this option does not make much sense for
 non-dynamic zones.</p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd><p>When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously-signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <code class="option">jitter</code> option specifies a
 jitter window that will be used to randomize the signature
 expire time, thus spreading incremental signature
 regeneration over time.</p>
<p>Signature lifetime jitter also to some extent benefits
 validators and servers by spreading out cache expiration,
 i.e. if large numbers of RRSIGs don't expire at the same time
 from all caches there will be less congestion than if all
 validators need to refetch at mostly the same time.</p></dd>
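<p>The time specifications of <code class="option">-s</code>, <code class="option">-e</code> and <code class="option">-X</code>, the default signing window, the <code class="option">-i</code> re-sign decision and the <code class="option">-j</code> jitter, written out as an added Python illustration. This is not BIND's code: <code>parse_time</code>, <code>signing_window</code>, <code>needs_resign</code>, <code>jittered_expiry</code> and <code>plan_resign</code> are this example's own names, and pulling the expiry back by up to <code>jitter</code> seconds is an assumption, since the page only says the window randomizes the expire time.</p>

```python
"""Signature-timing rules of dnssec-signzone (-s/-e/-X, -i, -j) as Python.

Added illustration, not BIND code: the behaviour follows the man page text;
the function names are this example's own, and the jitter direction
(expiry pulled back by up to `jitter` seconds) is an assumption.
"""
import random
from datetime import datetime, timedelta, timezone


def parse_time(spec, now, start=None):
    """Parse a dnssec-signzone time specification.

    'YYYYMMDDHHMMSS' -> absolute UTC time
    '+N'             -> N seconds after `start` if given (end-time semantics),
                        otherwise N seconds after `now` (start-time semantics)
    'now+N'          -> N seconds after the current time
    """
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        base = now if start is None else start
        return base + timedelta(seconds=int(spec[1:]))
    if len(spec) == 14 and spec.isdigit():
        return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised time specification: {spec!r}")


def signing_window(now, start_spec=None, end_spec=None,
                   extended_end_spec=None, interval=None):
    """Resolve start, end, extended end and cycle interval with the man-page defaults.

    Defaults: start = now - 1h (clock skew), end = start + 30 days,
    extended end = end, cycle interval = (end - start) / 4.
    Both end times must be later than the start time.
    """
    start = parse_time(start_spec, now) if start_spec else now - timedelta(hours=1)
    end = parse_time(end_spec, now, start) if end_spec else start + timedelta(days=30)
    extended_end = (parse_time(extended_end_spec, now, start)
                    if extended_end_spec else end)
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    if extended_end <= start:
        raise ValueError("extended end-time must be later than start-time")
    cycle = timedelta(seconds=interval) if interval is not None else (end - start) / 4
    return start, end, extended_end, cycle


def needs_resign(rrsig_expiry, now, cycle):
    """-i rule: an existing RRSIG is kept only if it expires after now + cycle."""
    return rrsig_expiry <= now + cycle


def jittered_expiry(end, jitter, rng=random):
    """-j rule: randomise the expiry inside a window of `jitter` seconds.

    Assumption: the window is [end - jitter, end]; the page states only that
    the expire time is randomised so that incremental re-signing is spread out.
    """
    if jitter <= 0:
        return end
    return end - timedelta(seconds=rng.randint(0, jitter))


def plan_resign(rrsigs, now, cycle):
    """Split existing RRSIGs (owner name -> expiry) into kept and replaced sets."""
    kept = {name for name, exp in rrsigs.items() if not needs_resign(exp, now, cycle)}
    replaced = set(rrsigs) - kept
    return kept, replaced


if __name__ == "__main__":
    now = parse_time("20000530144500", None)          # the page's own example time
    start, end, xend, cycle = signing_window(now)
    print("default window:", start, "->", end, "cycle", cycle)
    # constructed sample: one RRSIG expiring inside the 7.5-day cycle, one outside
    rrsigs = {"www.example": parse_time("+604800", now),
              "mail.example": parse_time("+691200", now)}
    print(plan_resign(rrsigs, now, cycle))
```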
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd><p>When writing a signed zone to "raw" or "map" format, set the
 "source serial" value in the header to the specified serial
 number. (This is expected to be used primarily for testing</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>Specifies the number of threads to use. By default, one
 thread is started for each detected CPU.</p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd><p>The SOA serial number format of the signed zone.
 Possible formats are <span class="command"><strong>"keep"</strong></span> (default),
 <span class="command"><strong>"increment"</strong></span>, <span class="command"><strong>"unixtime"</strong></span>,
 and <span class="command"><strong>"date"</strong></span>.</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982</p></dd>
<dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds</p></dd>
<dt><span class="term"><span class="command"><strong>"date"</strong></span></span></dt>
<dd><p>Set the SOA serial number to today's date in</p></dd>
</dl></div></dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.</p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>The format of the output file containing the signed zone.
 Possible formats are <span class="command"><strong>"text"</strong></span> (default),
 which is the standard textual representation of the zone;
 <span class="command"><strong>"full"</strong></span>, which is text output in a
 format suitable for processing by external scripts;
 and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
 and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in
 binary formats for rapid loading by <span class="command"><strong>named</strong></span>.
 <span class="command"><strong>"raw=N"</strong></span> specifies the format version of
 the raw zone file: if N is 0, the raw file can be read by
 any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
 can be read by release 9.9.0 or higher; the default is 1.</p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>Use pseudo-random data when signing the zone. This is faster,
 but less secure, than using real random data. This option
 may be useful when signing large zones or when the entropy
 source is limited.</p></dd>
<dt><span class="term">-P</span></dt>
<dd><p>Disable post sign verification tests.</p>
<p>The post sign verification test ensures that for each algorithm
 in use there is at least one non-revoked self-signed KSK key,
 that all revoked KSK keys are self-signed, and that all records
 in the zone are signed by the algorithm.
 This option skips these tests.</p></dd>
<dt><span class="term">-Q</span></dt>
<dd><p>Remove signatures from keys that are no longer active.</p>
<p>Normally, when a previously-signed zone is passed as input
 to the signer, and a DNSKEY record has been removed and
 replaced with a new one, signatures from the old key
 that are still within their validity period are retained.
 This allows the zone to continue to validate with cached
 copies of the old DNSKEY RRset. The <code class="option">-Q</code> option
 forces <span class="command"><strong>dnssec-signzone</strong></span> to remove
 signatures from keys that are no longer active. This
 enables ZSK rollover using the procedure described in
 RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").</p></dd>
<dt><span class="term">-R</span></dt>
<dd><p>Remove signatures from keys that are no longer published.</p>
<p>This option is similar to <code class="option">-Q</code>, except it
 forces <span class="command"><strong>dnssec-signzone</strong></span> to remove signatures from
 keys that are no longer published. This enables ZSK rollover
 using the procedure described in RFC 4641, section 4.2.1.2
 ("Double Signature Zone Signing Key Rollover").</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.</p></dd>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User Smart signing: Instructs <span class="command"><strong>dnssec-signzone</strong></span> to
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User search the key repository for keys that match the zone being
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User signed, and to include them in the zone if appropriate.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User When a key is found, its timing metadata is examined to
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User determine how it should be used, according to the following
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User rules. Each successive rule takes priority over the prior
<div class="variablelist"><dl class="variablelist">
<dd><p>If no timing metadata has been set for the key, the key is
published in the zone and used to sign the zone.</p></dd>
<dd><p>If the key's publication date is set and is in the past, the
key is published in the zone.</p></dd>
<dd><p>If the key's activation date is set and in the past, the
key is published (regardless of publication date) and
used to sign the zone.</p></dd>
<dd><p>If the key's revocation date is set and in the past, and the
key is published, then the key is revoked, and the revoked key
is used to sign the zone.</p></dd>
<dd><p>If either of the key's unpublication or deletion dates is set
and in the past, the key is NOT published or used to sign the
zone, regardless of any other metadata.</p></dd>
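<p>The following Python script is an added example, not part of BIND or of this man page: it applies the five rules above to the timing metadata that <span class="command"><strong>dnssec-keygen</strong></span> and <span class="command"><strong>dnssec-settime</strong></span> record as "; Field: YYYYMMDDHHMMSS" comments in a key file, and reports for each key whether it is published, whether it signs, and whether it carries the REVOKE bit (RFC 5011). The key files, key tags and timestamps are constructed. Treating the "unpublication" date as the key file's Inactive field and the deletion date as its Delete field is an assumption made here.</p>

```python
import re
from datetime import datetime, timezone

# Timing fields that dnssec-keygen/dnssec-settime write as "; Field: YYYYMMDDHHMMSS"
# comments into a .key file. Mapping "unpublication" to Inactive is this
# example's assumption; BIND's own code is not consulted here.
TIMING_FIELDS = ("Publish", "Activate", "Revoke", "Inactive", "Delete")
REVOKE_FLAG = 0x0080  # DNSKEY flags bit set on a revoked key (RFC 5011)


def utc(stamp):
    """Parse a BIND-style YYYYMMDDHHMMSS timestamp as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_key_metadata(key_file_text):
    """Return {field: datetime} for the timing comments found in a .key file."""
    pattern = re.compile(r";\s*(%s):\s*(\d{14})\s*$" % "|".join(TIMING_FIELDS))
    meta = {}
    for line in key_file_text.splitlines():
        m = pattern.match(line)
        if m:
            meta[m.group(1)] = utc(m.group(2))
    return meta


def smart_signing_decision(meta, now):
    """Apply the -S rules in order; each later rule overrides the earlier ones.

    Returns (publish, sign, revoked): whether the DNSKEY goes into the zone,
    whether the key signs the zone, and whether the REVOKE bit is set.
    """
    def past(field):
        return field in meta and meta[field] <= now

    publish = sign = revoked = False
    if not meta:                            # rule 1: no timing metadata at all
        publish = sign = True
    if past("Publish"):                     # rule 2
        publish = True
    if past("Activate"):                    # rule 3: published regardless of Publish
        publish = sign = True
    if past("Revoke") and publish:          # rule 4: revoke, sign with the revoked key
        revoked = sign = True
    if past("Inactive") or past("Delete"):  # rule 5: overrides everything else
        publish = sign = revoked = False
    return publish, sign, revoked


def dnskey_flags(base_flags, revoked):
    """Flags field to publish: 256 (ZSK) or 257 (KSK), plus REVOKE when revoked."""
    return (base_flags | REVOKE_FLAG) if revoked else base_flags


# Constructed sample key files; only the metadata comments matter here.
KEY_FILES = {
    "Kexample.com.+008+11111.key": """; This is a zone-signing key, keyid 11111, for example.com.
; Created: 20240101000000
; Publish: 20240101000000
; Activate: 20240108000000
example.com. IN DNSKEY 256 3 8 AwEAAc...
""",
    "Kexample.com.+008+22222.key": """; This is a key-signing key, keyid 22222, for example.com.
; Created: 20230101000000
; Publish: 20230101000000
; Activate: 20230101000000
; Revoke: 20240201000000
example.com. IN DNSKEY 257 3 8 AwEAAd...
""",
    "Kexample.com.+008+33333.key": """; This is a zone-signing key, keyid 33333, for example.com.
; Created: 20220101000000
; Publish: 20220101000000
; Activate: 20220101000000
; Inactive: 20240101000000
; Delete: 20240301000000
example.com. IN DNSKEY 256 3 8 AwEAAe...
""",
}


def plan(now, key_files=KEY_FILES):
    """Decide, per key file, what the -S rules say to do at time `now`."""
    return {name: smart_signing_decision(parse_key_metadata(text), now)
            for name, text in key_files.items()}


if __name__ == "__main__":
    for when in ("20240105000000", "20240215000000"):
        print("at", when)
        for name, (publish, sign, revoked) in sorted(plan(utc(when)).items()):
            print("  %s: publish=%s sign=%s revoked=%s" % (name, publish, sign, revoked))
```

<p>Run stand-alone, the script prints the decision for each constructed key at two instants: on 2024-01-05 the new ZSK 11111 is published but not yet active, the KSK 22222 signs normally, and the retired ZSK 33333 is dropped; on 2024-02-15 the KSK has passed its revocation date, so it is published with the REVOKE bit and still signs.</p>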
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
Specifies a TTL to be used for new DNSKEY records imported
into the zone from the key repository. If not
specified, the default is the TTL value from the zone's SOA
record. This option is ignored when signing without
<code class="option">-S</code>, since DNSKEY records are not imported
from the key repository in that case. It is also ignored if
there are any pre-existing DNSKEY records at the zone apex,
in which case the new records' TTL values are set to match
them, or if any of the imported DNSKEY records had a default
TTL value. In the event of a conflict between TTL values in
imported keys, the shortest one is used.
<dt><span class="term">-t</span></dt>
Print statistics at completion.
<dt><span class="term">-u</span></dt>
Update the NSEC/NSEC3 chain when re-signing a previously signed
zone. With this option, a zone signed with NSEC can be
switched to NSEC3, or a zone signed with NSEC3 can
be switched to NSEC or to NSEC3 with different parameters.
Without this option, <span class="command"><strong>dnssec-signzone</strong></span> will
retain the existing chain when re-signing.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
Sets the debugging level.
<dt><span class="term">-x</span></dt>
Only sign the DNSKEY RRset with key-signing keys, and omit
signatures from zone-signing keys. (This is similar to the
<span class="command"><strong>dnssec-dnskey-kskonly yes;</strong></span> zone option in
<span class="command"><strong>named</strong></span>.)
<dt><span class="term">-z</span></dt>
Ignore the KSK flag on keys when determining what to sign. This
causes KSK-flagged keys to sign all records, not just the
DNSKEY RRset. (This is similar to the
<span class="command"><strong>update-check-ksk no;</strong></span> zone option in
<span class="command"><strong>named</strong></span>.)
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
Generate an NSEC3 chain with the given hex-encoded salt.
A dash (<code class="option">-</code>) can be used to indicate that no
salt is to be used when generating the NSEC3 chain. The salt is
not a secret: it is published in the zone's NSEC3PARAM record and
in every NSEC3 record. RFC 9276 recommends an empty salt, because
a salt that stays fixed for the life of the chain does little to
raise the cost of offline guessing of the hashed owner names.
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
When generating an NSEC3 chain, use this many additional hash
iterations (RFC 5155: the hash is applied iterations + 1 times). The
default is 10. Every iteration costs the signer, and every validator
checking a denial-of-existence proof, one more SHA-1 computation;
RFC 9276 recommends 0 iterations, and validating resolvers that follow
it may treat zones with high iteration counts as insecure.
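<p>The <code class="option">-3</code> salt and <code class="option">-H</code> iteration count feed the owner-name hash defined in RFC 5155, section 5. The following Python script is an added example, not BIND code, that computes that hash (SHA-1, base32hex output as it appears in a zone file) and links the hashes of a few owner names into an ordered chain, so the effect of changing the salt or the iteration count can be observed directly. The owner names and salts are constructed inputs.</p>

```python
import base64
import hashlib


def wire_name(name):
    """Canonical wire form of an owner name: lowercase labels, each length-prefixed,
    terminated by the root label (RFC 4034, section 6.2)."""
    name = name.rstrip(".").lower()
    out = bytearray()
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("invalid label in %r" % name)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


# Standard base32 alphabet -> Extended Hex alphabet (RFC 4648, section 7).
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def base32hex(data):
    """Unpadded base32hex, lowercase as written in NSEC3 owner names."""
    return base64.b32encode(data).decode("ascii").rstrip("=").translate(_B32_TO_B32HEX).lower()


def nsec3_hash(name, salt="-", iterations=10):
    """RFC 5155, section 5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt).

    `salt` is the hex string given to -3 ("-" meaning no salt) and `iterations`
    the -H value, so SHA-1 runs iterations + 1 times.
    """
    if iterations < 0:
        raise ValueError("iterations must be non-negative")
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    digest = hashlib.sha1(wire_name(name) + salt_bytes).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt_bytes).digest()
    return base32hex(digest)


def nsec3_chain(names, salt="-", iterations=10):
    """Hash every owner name and link the hashes in sorted order; the last
    entry points back to the first, which closes the chain."""
    hashes = sorted({nsec3_hash(n, salt, iterations) for n in names})
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


if __name__ == "__main__":
    names = ["example.com", "www.example.com", "mail.example.com"]  # constructed
    for salt, iters in (("-", 0), ("aabbccdd", 10)):
        print("salt=%s iterations=%d" % (salt, iters))
        for owner_hash, next_hash in nsec3_chain(names, salt, iters):
            print("  %s -> %s" % (owner_hash, next_hash))
```

<p>The first run uses the parameters RFC 9276 recommends (no salt, 0 iterations), the second the salted, 10-iteration form; every hash changes between the two, which is why <code class="option">-u</code> is needed to rebuild the chain when the parameters change. The function can be checked against the test vectors in RFC 5155, Appendix A, which use salt <code class="literal">aabbccdd</code> and 12 iterations.</p>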
<dt><span class="term">-A</span></dt>
When generating an NSEC3 chain, set the OPTOUT flag on all
NSEC3 records and do not generate NSEC3 records for insecure
delegations. Opt-out trades security for zone size: within an
opted-out span a validator can no longer prove that an unsigned
delegation was absent, so a forged insecure delegation inserted
there is not detected (RFC 5155, section 12.1.1).
Using this option twice (i.e., <code class="option">-AA</code>)
turns the OPTOUT flag off for all records. This is useful
when using the <code class="option">-u</code> option to modify an NSEC3
chain which previously had OPTOUT set.
<dt><span class="term">zonefile</span></dt>
The file containing the zone to be signed.
<dt><span class="term">key</span></dt>
Specify which keys should be used to sign the zone. If
no keys are specified, then the zone will be examined
for DNSKEY records at the zone apex. If these are found and
there are matching private keys in the current directory,
then these will be used for signing.
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span class="command"><strong>dnssec-keygen</strong></span>
(Kexample.com.+003+17247). Because the <span class="command"><strong>-S</strong></span> option
is not being used, the zone's keys must be in the master file
(<code class="filename">db.example.com</code>). This invocation looks
for <code class="filename">dsset</code> files in the current directory
so that DS records can be imported from them (<span class="command"><strong>-g</strong></span>).
DSA (algorithm 3) is deprecated for DNSSEC signing by RFC 8624; new
keys should use an algorithm such as RSASHA256 (8) or ECDSAP256SHA256 (13),
with the rest of the invocation unchanged.
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247</pre>
In the above example, <span class="command"><strong>dnssec-signzone</strong></span> creates
the file <code class="filename">db.example.com.signed</code>. This
file should be referenced in a zone statement in a
<code class="filename">named.conf</code> file.
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com</pre>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.