bin/dnssec/dnssec-signzone.html

	dnssec-signzone.html revision 089c63b69cdf6803aa8901aae3f2fbae58969511
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<!--
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
eae67738cba5ca069e9d1d4e7b836a2f7b00a374Mark Andrews -
eae67738cba5ca069e9d1d4e7b836a2f7b00a374Mark Andrews - Permission to use, copy, modify, and/or distribute this software for any
2a40fdc2d34adb8a5c72a748449699666032d461Mark Andrews - purpose with or without fee is hereby granted, provided that the above
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews - copyright notice and this permission notice appear in all copies.
a3b428812703d22a605a9f882e71ed65f0ffdc65Mark Andrews -
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
d56e188030368b835122d759ebbf8d9613c166f4Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews - PERFORMANCE OF THIS SOFTWARE.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews-->
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<!-- $Id: dnssec-signzone.html,v 1.45 2009/12/04 01:13:44 tbox Exp $ -->
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews<html>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<head>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<title>dnssec-signzone</title>
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews</head>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews<div class="refnamediv">
b6617c5adad7f12e5fcde1e873f7b982d247fe05Mark Andrews<h2>Name</h2>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
b6617c5adad7f12e5fcde1e873f7b982d247fe05Mark Andrews</div>
b6617c5adad7f12e5fcde1e873f7b982d247fe05Mark Andrews<div class="refsynopsisdiv">
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<h2>Synopsis</h2>
b6617c5adad7f12e5fcde1e873f7b982d247fe05Mark Andrews<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</div>
a3b428812703d22a605a9f882e71ed65f0ffdc65Mark Andrews<div class="refsect1" lang="en">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<a name="id2543596"></a><h2>DESCRIPTION</h2>
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews<p><span><strong class="command">dnssec-signzone</strong></span>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews      signs a zone.  It generates
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews      NSEC and RRSIG records and produces a signed version of the
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews      zone. The security status of delegations from the signed zone
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews      (that is, whether the child zones are secure or not) is
c069a20053d41ae299eb9457e50ea44ae9f73ed2Mark Andrews      determined by the presence or absence of a
ed178efa9ab8f813538fce4ff603b81ded9f1799Mark Andrews      <code class="filename">keyset</code> file for each child zone.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews    </p>
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews</div>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<div class="refsect1" lang="en">
3f6174bffe227be44e241a29d186add00c032ff6Mark Andrews<a name="id2543611"></a><h2>OPTIONS</h2>
1eb1e1e838d2ea00b166c918bf50764a95826be8Mark Andrews<div class="variablelist"><dl>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="term">-a</span></dt>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews<dd><p>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson            Verify all generated signatures.
992616aaf75643a0c9f84826f0a1ed5a27e84328Mark Andrews          </p></dd>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews<dd><p>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews            Specifies the DNS class of the zone.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson          </p></dd>
992616aaf75643a0c9f84826f0a1ed5a27e84328Mark Andrews<dt><span class="term">-C</span></dt>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews<dd><p>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson            Compatibility mode: Generate a
992616aaf75643a0c9f84826f0a1ed5a27e84328Mark Andrews            <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            file in addition to
26a77b80bb7ee886c6fa704348d5e80a011d8811Mark Andrews            <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            when signing a zone, for use by older versions of
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews            <span><strong class="command">dnssec-signzone</strong></span>.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          </p></dd>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dd><p>
62ee2c9f460d2e2e45dcf1abc8b4b4a4a43f5618Mark Andrews            Look for <code class="filename">dsset-</code> or
e086341ea57e618a60c9f166b95daee1fab71b3bMark Andrews            <code class="filename">keyset-</code> files in <code class="option">directory</code>.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          </p></dd>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dd><p>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews            Uses a crypto hardware (OpenSSL engine) for the crypto operations
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews            it supports, for instance signing with private keys from
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews            a secure key store. When compiled with PKCS#11 support
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson            it defaults to pkcs11; the empty name resets it to no engine.
992616aaf75643a0c9f84826f0a1ed5a27e84328Mark Andrews          </p></dd>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews<dt><span class="term">-g</span></dt>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<dd><p>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews            Generate DS records for child zones from
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson            <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
992616aaf75643a0c9f84826f0a1ed5a27e84328Mark Andrews            file.  Existing DS records will be removed.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
c25080dc50542213058c240226c9f342186e6285Mark Andrews<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dd><p>
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews            Key repository: Specify a directory to search for DNSSEC keys.
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews            If not specified, defaults to the current directory.
dd9ad704c3800e3ab07ede8595871eac79984871Mark Andrews          </p></dd>
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dd><p>
ab81f57ca0c3addfec3df3babdcea9644757cf23Mark Andrews            Treat specified key as a key signing key ignoring any
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews            key flags.  This option may be specified multiple times.
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews          </p></dd>
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
413988c8166976498250c0ebb2e3a645d0366bd3Mark Andrews<dd><p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            The domain is appended to the name of the records.
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews          </p></dd>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dd><p>
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews            Specify the date and time when the generated RRSIG records
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            become valid.  This can be either an absolute or relative
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            time.  An absolute start time is indicated by a number
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
642e0716c8b4ab82ebc8e60f94c9e897ee89f19aMark Andrews            14:45:00 UTC on May 30th, 2000.  A relative start time is
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            indicated by +N, which is N seconds from the current time.
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews            If no <code class="option">start-time</code> is specified, the current
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews            time minus 1 hour (to allow for clock skew) is used.
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews          </p></dd>
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dd><p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            Specify the date and time when the generated RRSIG records
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            expire.  As with <code class="option">start-time</code>, an absolute
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
d3a3e690ab1f87fa02b3fa77be5ddea5c1fe0cd4Mark Andrews            to the start time is indicated with +N, which is N seconds from
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            the start time.  A time relative to the current time is
d56e188030368b835122d759ebbf8d9613c166f4Mark Andrews            indicated with now+N.  If no <code class="option">end-time</code> is
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews            specified, 30 days from the start time is used as a default.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            <code class="option">end-time</code> must be later than
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            <code class="option">start-time</code>.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews          </p></dd>
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dd><p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            The name of the output file containing the signed zone.  The
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            default is to append <code class="filename">.signed</code> to
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            the
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews            input filename.
ed178efa9ab8f813538fce4ff603b81ded9f1799Mark Andrews          </p></dd>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="term">-h</span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dd><p>
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews            Prints a short summary of the options and arguments to
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            <span><strong class="command">dnssec-signzone</strong></span>.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          </p></dd>
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dd>
dd9ad704c3800e3ab07ede8595871eac79984871Mark Andrews<p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            When a previously-signed zone is passed as input, records
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            may be resigned.  The <code class="option">interval</code> option
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews            specifies the cycle interval as an offset from the current
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews            time (in seconds).  If a RRSIG record expires after the
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews            cycle interval, it is retained.  Otherwise, it is considered
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews            to be expiring soon, and it will be replaced.
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews          </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews            The default cycle interval is one quarter of the difference
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            between the signature end and start times.  So if neither
62ee2c9f460d2e2e45dcf1abc8b4b4a4a43f5618Mark Andrews            <code class="option">end-time</code> or <code class="option">start-time</code>
1eb1e1e838d2ea00b166c918bf50764a95826be8Mark Andrews            are specified, <span><strong class="command">dnssec-signzone</strong></span>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews            generates
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews            signatures that are valid for 30 days, with a cycle
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews            interval of 7.5 days.  Therefore, if any existing RRSIG records
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson            are due to expire in less than 7.5 days, they would be
992616aaf75643a0c9f84826f0a1ed5a27e84328Mark Andrews            replaced.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews          </p>
ca12f7f4cf72e2368ee946f3eb4915ab73576cdcMark Andrews</dd>
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
1eb1e1e838d2ea00b166c918bf50764a95826be8Mark Andrews<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            The format of the input zone file.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews        Possible formats are <span><strong class="command">"text"</strong></span> (default)
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews        and <span><strong class="command">"raw"</strong></span>.
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews        This option is primarily intended to be used for dynamic
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews            signed zones so that the dumped zone file in a non-text
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            format containing updates can be signed directly.
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews        The use of this option does not make much sense for
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson        non-dynamic zones.
992616aaf75643a0c9f84826f0a1ed5a27e84328Mark Andrews          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<dd>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            When signing a zone with a fixed signature lifetime, all
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            RRSIG records issued at the time of signing expires
ed178efa9ab8f813538fce4ff603b81ded9f1799Mark Andrews            simultaneously.  If the zone is incrementally signed, i.e.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            a previously-signed zone is passed as input to the signer,
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            all expired signatures have to be regenerated at about the
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews            same time.  The <code class="option">jitter</code> option specifies a
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews            jitter window that will be used to randomize the signature
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            expire time, thus spreading incremental signature
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            regeneration over time.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          </p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            Signature lifetime jitter also to some extent benefits
e076d0c88be69de7c190ab924d095e69d2e11f7aAndreas Gustafsson            validators and servers by spreading out cache expiration,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews            i.e. if large numbers of RRSIGs don't expire at the same time
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            from all caches there will be less congestion than if all
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            validators need to refetch at mostly the same time.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews          </p>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews</dd>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
992616aaf75643a0c9f84826f0a1ed5a27e84328Mark Andrews<dd><p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews            Specifies the number of threads to use.  By default, one
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews            thread is started for each detected CPU.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson          </p></dd>
992616aaf75643a0c9f84826f0a1ed5a27e84328Mark Andrews<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews<dd>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            The SOA serial number format of the signed zone.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        Possible formats are <span><strong class="command">"keep"</strong></span> (default),
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            <span><strong class="command">"increment"</strong></span> and
282e38d96feb488fddbbc0b0409491094786977fMark Andrews        <span><strong class="command">"unixtime"</strong></span>.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews          </p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<div class="variablelist"><dl>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dd><p>Do not modify the SOA serial number.</p></dd>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dd><p>Increment the SOA serial number using RFC 1982
abf32d940f8f674b3971ef41b306a01b3da8d2cfMark Andrews                      arithmetics.</p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<dd><p>Set the SOA serial number to the number of seconds
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            since epoch.</p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</dl></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            The zone origin.  If not specified, the name of the zone file
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            is assumed to be the origin.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            The format of the output file containing the signed zone.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        Possible formats are <span><strong class="command">"text"</strong></span> (default)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        and <span><strong class="command">"raw"</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-p</span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Use pseudo-random data when signing the zone.  This is faster,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            but less secure, than using real random data.  This option
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            may be useful when signing large zones or when the entropy
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            source is limited.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-P</span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        Disable post sign verification tests.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        The post sign verification test ensures that for each algorithm
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        in use there is at least one non revoked self signed KSK key,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        that all revoked KSK keys are self signed, and that all records
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        in the zone are signed by the algorithm.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        This option skips these tests.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Specifies the source of randomness.  If the operating
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            system does not provide a <code class="filename">/dev/random</code>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            or equivalent device, the default source of randomness
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            is keyboard input.  <code class="filename">randomdev</code>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            specifies
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            the name of a character device or file containing random
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            data to be used instead of the default.  The special value
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            <code class="filename">keyboard</code> indicates that keyboard
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            input should be used.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-S</span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews            search the key repository for keys that match the zone being
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews            signed, and to include them in the zone if appropriate.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<p>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington            When a key is found, its timing metadata is examined to
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington            determine how it should be used, according to the following
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington            rules.  Each successive rule takes priority over the prior
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington            ones:
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="variablelist"><dl>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<dt></dt>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<dd><p>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington                  If no timing metadata has been set for the key, the key is
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews                  published in the zone and used to sign the zone.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                </p></dd>
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews<dt></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                  If the key's publication date is set and is in the past, the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                  key is published in the zone.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                </p></dd>
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews<dt></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dd><p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews                  If the key's activation date is set and in the past, the
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews                  key is published (regardless of publication date) and
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews                  used to sign the zone.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews                </p></dd>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt></dt>
68baa2d193672c482b7ea07ece349e7b1ceb96e6Mark Andrews<dd><p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews                  If the key's revocation date is set and in the past, and the
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews                  key is published, then the key is revoked, and the revoked key
67a0e14fa9c3c160116f0671f4ac5874306b1150Mark Andrews                  is used to sign the zone.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews                </p></dd>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dd><p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews                  If either of the key's unpublication or deletion dates are set
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews                  and in the past, the key is NOT published or used to sign the
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews                  zone, regardless of any other metadata.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                </p></dd>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews</dl></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Specifies the TTL to be used for new DNSKEY records imported
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            into the zone from the key repository.  If not specified,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            the default is the minimum TTL value from the zone's SOA
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            record.  This option is ignored when signing without
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            <code class="option">-S</code>, since DNSKEY records are not imported
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            from the key repository in that case.  It is also ignored if
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            there are any pre-existing DNSKEY records at the zone apex,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            in which case new records' TTL values will be set to match
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            them.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-t</span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Print statistics at completion.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-u</span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Update NSEC/NSEC3 chain when re-signing a previously signed
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            zone.  With this option, a zone signed with NSEC can be
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            switched to NSEC3, or a zone signed with NSEC3 can
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews            be switch to NSEC or to NSEC3 with different parameters.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews            Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            retain the existing chain when re-signing.
01bf5871f8861eb805dd8ca79bdb9b0b9e4e6a5eMark Andrews          </p></dd>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dd><p>
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews            Sets the debugging level.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-x</span></dt>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Only sign the DNSKEY RRset with key-signing keys, and omit
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            signatures from zone-signing keys.  (This is similar to the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            <span><strong class="command">named</strong></span>.)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-z</span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Ignore KSK flag on key when determining what to sign.  This
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            causes KSK-flagged keys to sign all records, not just the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            DNSKEY RRset.  (This is similar to the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            <span><strong class="command">update-check-ksk no;</strong></span> zone option in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            <span><strong class="command">named</strong></span>.)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Generate an NSEC3 chain with the given hex encoded salt.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        A dash (<em class="replaceable"><code>salt</code></em>) can
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        be used to indicate that no salt is to be used when generating          the NSEC3 chain.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        When generating an NSEC3 chain, use this many interations.  The
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        default is 10.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="term">-A</span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        When generating an NSEC3 chain set the OPTOUT flag on all
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        NSEC3 records and do not generate NSEC3 records for insecure
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        delegations.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        Using this option twice (i.e., <code class="option">-AA</code>)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        turns the OPTOUT flag off for all records.  This is useful
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        when using the <code class="option">-u</code> option to modify an NSEC3
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews        chain which previously had OPTOUT set.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews          </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</dd>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<dt><span class="term">zonefile</span></dt>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dd><p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews            The file containing the zone to be signed.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews          </p></dd>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dt><span class="term">key</span></dt>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dd><p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews        Specify which keys should be used to sign the zone.  If
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews        no keys are specified, then the zone will be examined
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews        for DNSKEY records at the zone apex.  If these are found and
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews        there are matching private keys, in the current directory,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        then these will be used for signing.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</dl></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="refsect1" lang="en">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="id2544896"></a><h2>EXAMPLE</h2>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      The following command signs the <strong class="userinput"><code>example.com</code></strong>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      (Kexample.com.+003+17247).  Because the <span><strong class="command">-S</strong></span> option
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      is not being used, the zone's keys must be in the master file
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      (<code class="filename">db.example.com</code>).  This invocation looks
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      for <code class="filename">dsset</code> files, in the current directory,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington    </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonKexample.com.+003+17247
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtondb.example.com.signed
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington%</pre>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      the file <code class="filename">db.example.com.signed</code>.  This
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      file should be referenced in a zone statement in a
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      <code class="filename">named.conf</code> file.
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews    </p>
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      This example re-signs a previously signed zone with default parameters.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews      The private keys are assumed to be in the current directory.
abf32d940f8f674b3971ef41b306a01b3da8d2cfMark Andrews    </p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<pre class="programlisting">% cp db.example.com.signed db.example.com
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews% dnssec-signzone -o example.com db.example.com
068a66979695c77359e7a9181bb3f831c965b21cMark Andrewsdb.example.com.signed
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews%</pre>
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews</div>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<div class="refsect1" lang="en">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="id2545019"></a><h2>SEE ALSO</h2>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews      <em class="citetitle">RFC 4033</em>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington    </p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews</div>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<div class="refsect1" lang="en">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<a name="id2545044"></a><h2>AUTHOR</h2>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<p><span class="corpauthor">Internet Systems Consortium</span>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington    </p>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington</div>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews</div></body>
83a810eba60ae87341a2d177ff60d834e26d7a90Mark Andrews</html>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington