dnssec-signzone.html revision c6c78f699b55b3344fb6b17ddc854cbae4610468
<!--
 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.html,v 1.33 2008/10/15 01:11:35 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543550"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
 signs a zone. It generates
 NSEC and RRSIG records and produces a signed version of the
 zone. The security status of delegations from the signed zone
 (that is, whether the child zones are secure or not) is
 determined by the presence or absence of a
 <code class="filename">keyset</code> file for each child zone.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543565"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
 Verify all generated signatures.
 </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Specifies the DNS class of the zone.
 </p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
 Treat the specified key as a key signing key, ignoring any
 key flags. This option may be specified multiple times.
 </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
 Generate a DLV set in addition to the key (DNSKEY) and DS sets.
 The domain is appended to the name of the records.
 </p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Look for <code class="filename">keyset</code> files in
 <code class="option">directory</code> rather than in the current directory.
 </p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>
 Generate DS records for child zones from keyset files.
 Existing DS records will be removed.
 </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
 Specify the date and time when the generated RRSIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <code class="option">start-time</code> is specified, the current
 time minus 1 hour (to allow for clock skew) is used.
 </p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>
 Specify the date and time when the generated RRSIG records
 expire. As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">end-time</code> is
 specified, 30 days from the start time is used as a default.
 </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
 The name of the output file containing the signed zone. The
 default is to append <code class="filename">.signed</code> to
 the input filename.
 </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-signzone</strong></span>.
 </p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
 When a previously-signed zone is passed as input, records
 may be resigned. The <code class="option">interval</code> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.
 </p>
<p>
 The default cycle interval is one quarter of the difference
 between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 are specified, <span><strong class="command">dnssec-signzone</strong></span>
 generates
 signatures that are valid for 30 days, with a cycle
 interval of 7.5 days. Therefore, if any existing RRSIG records
 are due to expire in less than 7.5 days, they would be
 replaced.
 </p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
 The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be signed directly.
 The use of this option does not make much sense for
 non-dynamic zones.
 </p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd>
<p>
 When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously-signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <code class="option">jitter</code> option specifies a
 jitter window that will be used to randomize the signature
 expire time, thus spreading incremental signature
 regeneration over time.
 </p>
<p>
 Signature lifetime jitter also to some extent benefits
 validators and servers by spreading out cache expiration,
 i.e. if large numbers of RRSIGs don't expire at the same time
 from all caches there will be less congestion than if all
 validators need to refetch at mostly the same time.
 </p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>
 Specifies the number of threads to use. By default, one
 thread is started for each detected CPU.
 </p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd>
<p>
 The SOA serial number format of the signed zone.
 Possible formats are <span><strong class="command">"keep"</strong></span> (default),
 <span><strong class="command">"increment"</strong></span> and
 <span><strong class="command">"unixtime"</strong></span>.
 </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
 arithmetic.</p></dd>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
 since epoch.</p></dd>
</dl></div>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
 The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.
 </p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>
 The format of the output file containing the signed zone.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 </p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
 Use pseudo-random data when signing the zone. This is faster,
 but less secure, than using real random data. This option
 may be useful when signing large zones or when the entropy
 source is limited.
 </p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code>
 specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
 </p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>
 Print statistics at completion.
 </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
 </p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
 Ignore KSK flag on key when determining what to sign.
 </p></dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd><p>
 Generate an NSEC3 chain with the given hex encoded salt.
 A dash (<code>-</code>) given as the <em class="replaceable"><code>salt</code></em>
 indicates that no salt is to be used when generating the NSEC3 chain.
 </p></dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd><p>
 When generating an NSEC3 chain, use this many iterations. The
 default is 100.
 </p></dd>
<dt><span class="term">-A</span></dt>
<dd><p>
 When generating an NSEC3 chain, set the OPTOUT flag on all
 NSEC3 records and do not generate NSEC3 records for insecure
 delegations.
 </p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
 The file containing the zone to be signed.
 </p></dd>
<dt><span class="term">key</span></dt>
<dd><p>
 Specify which keys should be used to sign the zone. If
 no keys are specified, then the zone will be examined
 for DNSKEY records at the zone apex. If these are found and
 there are matching private keys in the current directory,
 then these will be used for signing.
 </p></dd>
</dl></div>
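<p>An added example, not BIND's own code, that models the <code class="option">-s</code>, <code class="option">-e</code>, <code class="option">-i</code> and <code class="option">-j</code> rules described above: time specification parsing, the default validity window and cycle interval, and the decision of which existing RRSIGs get replaced on re-signing. The function names are this example's own, and the direction in which the jitter window is applied (pulling the expiry back) is an assumption.</p>

```python
"""Model of the dnssec-signzone -s/-e/-i/-j time rules (added example, not BIND code)."""
import random
from datetime import datetime, timedelta, timezone

DEFAULT_LIFETIME = timedelta(days=30)   # -e default: 30 days after the start time
CLOCK_SKEW = timedelta(hours=1)         # -s default: the current time minus 1 hour
EXAMPLE_NOW = datetime(2000, 5, 30, 14, 45, 0, tzinfo=timezone.utc)  # the page's sample date


def parse_time(spec, now, base=None):
    """Parse one -s or -e argument.

    Absolute times are YYYYMMDDHHMMSS in UTC. "+N" is N seconds after
    `base` (the current time for -s, the start time for -e); "now+N" is
    N seconds after the current time regardless of `base`.
    """
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        anchor = now if base is None else base
        return anchor + timedelta(seconds=int(spec[1:]))
    if len(spec) == 14 and spec.isdigit():
        return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised time specification: {spec!r}")


def validity_window(now, start_spec=None, end_spec=None, interval=None):
    """Resolve (start, end, cycle_interval) the way the option descriptions state.

    `interval` is the -i value in seconds; when absent the cycle interval is
    one quarter of the signature lifetime (7.5 days for the 30-day default).
    """
    start = parse_time(start_spec, now) if start_spec else now - CLOCK_SKEW
    end = parse_time(end_spec, now, base=start) if end_spec else start + DEFAULT_LIFETIME
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    cycle = timedelta(seconds=interval) if interval is not None else (end - start) / 4
    return start, end, cycle


def needs_resign(rrsig_expiry, now, cycle):
    """An existing RRSIG is kept only if it expires after the cycle interval."""
    return rrsig_expiry <= now + cycle


def jittered_expiry(end, jitter, rng=None):
    """Randomise an expiry within a window of `jitter` seconds (-j).

    Assumption of this example: the window pulls the expiry back by up to
    `jitter` seconds, so no signature outlives the -e end time.
    """
    if jitter <= 0:
        return end
    rng = rng or random
    return end - timedelta(seconds=rng.randint(0, jitter))


def plan_resign(rrsigs, now, cycle):
    """Given {name: expiry} from a previously signed zone, list the RRSIGs to replace."""
    return sorted(name for name, expiry in rrsigs.items() if needs_resign(expiry, now, cycle))


def demo(now=EXAMPLE_NOW):
    """Constructed scenario: re-sign with default parameters (30-day lifetime, 7.5-day cycle)."""
    start, end, cycle = validity_window(now)
    old = {"www.example.com": now + timedelta(days=3),     # inside the cycle: replace
           "mail.example.com": now + timedelta(days=20)}   # beyond the cycle: keep
    return plan_resign(old, now, cycle)


if __name__ == "__main__":
    print(demo())   # ['www.example.com']
```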
</div>
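<p>An added example, not BIND's own code, showing what the <code class="option">-3</code> salt, the <code class="option">-H</code> iteration count (default 100, as stated above) and the <code class="option">-A</code> OPTOUT flag do to an NSEC3 chain: it computes RFC 5155 hashed owner names and links them into a sorted chain. The function names and the chain tuple layout are this example's own; the hash of <code>example</code> with salt aabbccdd and 12 iterations is the value given in the RFC 5155 appendix.</p>

```python
"""NSEC3 hashed owner names and chain, parameterised like -3 / -H / -A (added example, not BIND code)."""
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"   # RFC 4648 extended hex alphabet
DEFAULT_ITERATIONS = 100                      # the -H default stated on the page


def parse_salt(salt_arg):
    """-3 takes a hex-encoded salt; a dash means no salt at all."""
    if salt_arg == "-":
        return b""
    return bytes.fromhex(salt_arg)


def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    out = bytearray()
    for label in labels:
        encoded = label.encode("ascii")
        if len(encoded) > 63:
            raise ValueError(f"label too long: {label!r}")
        out.append(len(encoded))
        out += encoded
    out.append(0)
    return bytes(out)


def base32hex(data):
    """Base32 with the extended hex alphabet; a 20-byte SHA-1 digest yields exactly 32 chars."""
    bits, nbits, out = 0, 0, []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(B32HEX[(bits >> nbits) & 0x1F])
    if nbits:
        out.append(B32HEX[(bits << (5 - nbits)) & 0x1F])
    return "".join(out)


def nsec3_hash(name, salt_arg="-", iterations=DEFAULT_ITERATIONS):
    """Hashed owner label per RFC 5155 section 5: SHA-1 applied iterations+1 times, salt appended each round."""
    salt = parse_salt(salt_arg)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_chain(names, salt_arg="-", iterations=DEFAULT_ITERATIONS,
                optout=False, insecure_delegations=()):
    """Return the chain as (owner, hashed, next_hashed, flags) tuples in hash order.

    With optout (the -A option) every record carries flag 1 and no record is
    generated for names listed as insecure delegations, as the page describes.
    """
    skip = {n.lower().rstrip(".") for n in insecure_delegations} if optout else set()
    hashed = sorted((nsec3_hash(n, salt_arg, iterations), n) for n in names
                    if n.lower().rstrip(".") not in skip)
    if not hashed:
        return []
    flags = 1 if optout else 0
    chain = []
    for i, (h, owner) in enumerate(hashed):
        nxt = hashed[(i + 1) % len(hashed)][0]   # the last record wraps to the first
        chain.append((owner, h, nxt, flags))
    return chain


if __name__ == "__main__":
    # Constructed zone: apex, a delegation, and a host; a.example is treated as insecure.
    names = ["example", "a.example", "ns1.example"]
    for record in nsec3_chain(names, "aabbccdd", 12, optout=True,
                              insecure_delegations=["a.example"]):
        print(record)
```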
<div class="refsect1" lang="en">
<a name="id2544404"></a><h2>EXAMPLE</h2>
<p>
 The following command signs the <strong class="userinput"><code>example.com</code></strong>
 zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
 (Kexample.com.+003+17247). The zone's keys must be in the master
 file (<code class="filename">db.example.com</code>). This invocation looks
 for <code class="filename">keyset</code> files in the current directory
 so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
 </p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</pre>
<p>
 In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
 the file <code class="filename">db.example.com.signed</code>. This
 file should be referenced in a zone statement in a
 <code class="filename">named.conf</code> file.
 </p>
<p>
 This example re-signs a previously signed zone with default parameters.
 The private keys are assumed to be in the current directory.
 </p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
<a name="id2544523"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
 <em class="citetitle">RFC 4033</em>.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2544548"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
 </p>
</div>
</div></body>
</html>