dnssec-signzone.html revision 1c51f79aba598e5e20bde66aea0237e347f6d5ce
11e9368a226272085c337e9e74b79808c16fbdbaTinderbox User - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Permission to use, copy, modify, and distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
ea94d370123a5892f6c47a97f21d1b28d44bb168Tinderbox User<!-- $Id: dnssec-signzone.html,v 1.35 2009/06/06 01:12:32 tbox Exp $ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span><strong class="command">dnssec-signzone</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein signs a zone. It generates
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein NSEC and RRSIG records and produces a signed version of the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zone. The security status of delegations from the signed zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (that is, whether the child zones are secure or not) is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein determined by the presence or absence of a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">keyset</code> file for each child zone.
<dt><span class="term">-a</span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Verify all generated signatures.
11e9368a226272085c337e9e74b79808c16fbdbaTinderbox User<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the DNS class of the zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Treat specified key as a key signing key ignoring any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein key flags. This option may be specified multiple times.
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User Generate a DLV set in addition to the key (DNSKEY) and DS sets.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User The domain is appended to the name of the records.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Look for <code class="filename">keyset</code> files in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">directory</code>.
<dt><span class="term">-g</span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Generate DS records for child zones from keyset files.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Existing DS records will be removed.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specify the date and time when the generated RRSIG records
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein become valid. This can be either an absolute or relative
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User time. An absolute start time is indicated by a number
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User in YYYYMMDDHHMMSS notation; 20000530144500 denotes
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User 14:45:00 UTC on May 30th, 2000. A relative start time is
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User indicated by +N, which is N seconds from the current time.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User If no <code class="option">start-time</code> is specified, the current
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User time minus 1 hour (to allow for clock skew) is used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater Specify the date and time when the generated RRSIG records
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater expire. As with <code class="option">start-time</code>, an absolute
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater time is indicated in YYYYMMDDHHMMSS notation. A time relative
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews to the start time is indicated with +N, which is N seconds from
77dccf2a5d9327d16b4374a135cdb99bdd48620eAutomatic Updater the start time. A time relative to the current time is
77dccf2a5d9327d16b4374a135cdb99bdd48620eAutomatic Updater indicated with now+N. If no <code class="option">end-time</code> is
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews specified, 30 days from the start time is used as a default.
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The name of the output file containing the signed zone. The
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce default is to append <code class="filename">.signed</code> to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the input filename.
<dt><span class="term">-h</span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Prints a short summary of the options and arguments to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span><strong class="command">dnssec-signzone</strong></span>.
47012ae6dbf18a2503d7b33c1c9583dc38625cb7Mark Andrews<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce When a previously-signed zone is passed as input, records
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce may be resigned. The <code class="option">interval</code> option
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce specifies the cycle interval as an offset from the current
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein time (in seconds). If a RRSIG record expires after the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein cycle interval, it is retained. Otherwise, it is considered
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User to be expiring soon, and it will be replaced.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User The default cycle interval is one quarter of the difference
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User between the signature end and start times. So if neither
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User <code class="option">end-time</code> nor <code class="option">start-time</code>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User is specified, <span><strong class="command">dnssec-signzone</strong></span> generates
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User signatures that are valid for 30 days, with a cycle
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User interval of 7.5 days. Therefore, if any existing RRSIG records
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User are due to expire in less than 7.5 days, they would be
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User The format of the input zone file.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User Possible formats are <span><strong class="command">"text"</strong></span> (default)
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User and <span><strong class="command">"raw"</strong></span>.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User This option is primarily intended to be used for dynamic
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User signed zones so that the dumped zone file in a non-text
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User format containing updates can be signed directly.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User The use of this option does not make much sense for
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User non-dynamic zones.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User When signing a zone with a fixed signature lifetime, all
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User RRSIG records issued at the time of signing expire
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User simultaneously. If the zone is incrementally signed, i.e.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User a previously-signed zone is passed as input to the signer,
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User all expired signatures have to be regenerated at about the
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User same time. The <code class="option">jitter</code> option specifies a
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User jitter window that will be used to randomize the signature
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User expire time, thus spreading incremental signature
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User regeneration over time.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User Signature lifetime jitter also to some extent benefits
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User validators and servers by spreading out cache expiration,
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User i.e. if large numbers of RRSIGs don't expire at the same time
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User from all caches there will be less congestion than if all
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User validators need to refetch at mostly the same time.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User Specifies the number of threads to use. By default, one
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User thread is started for each detected CPU.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User The SOA serial number format of the signed zone.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User Possible formats are <span><strong class="command">"keep"</strong></span> (default),
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User <span><strong class="command">"increment"</strong></span> and
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User <span><strong class="command">"unixtime"</strong></span>.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User<dd><p>Do not modify the SOA serial number.</p></dd>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User<dd><p>Increment the SOA serial number using RFC 1982
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User<dd><p>Set the SOA serial number to the number of seconds
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User The zone origin. If not specified, the name of the zone file
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User is assumed to be the origin.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User The format of the output file containing the signed zone.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User Possible formats are <span><strong class="command">"text"</strong></span> (default)
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User and <span><strong class="command">"raw"</strong></span>.
<dt><span class="term">-p</span></dt>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User Use pseudo-random data when signing the zone. This is faster,
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User but less secure, than using real random data. This option
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User may be useful when signing large zones or when the entropy
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User source is limited.
<dt><span class="term">-P</span></dt>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User Disable post-sign verification tests.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User The post-sign verification test ensures that for each algorithm
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User in use there is at least one non-revoked, self-signed KSK,
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User that all revoked KSKs are self-signed, and that all records
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User in the zone are signed by the algorithm.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User This option skips these tests.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User Specifies the source of randomness. If the operating
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User system does not provide a <code class="filename">/dev/random</code>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User or equivalent device, the default source of randomness
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User is keyboard input. <code class="filename">randomdev</code> specifies
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User the name of a character device or file containing random
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User data to be used instead of the default. The special value
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User <code class="filename">keyboard</code> indicates that keyboard
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User input should be used.
<dt><span class="term">-t</span></dt>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User Print statistics at completion.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User Sets the debugging level.
<dt><span class="term">-z</span></dt>
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User Ignore KSK flag on key when determining what to sign.
aa1905addf2f33d90aa020080e4e77a8651e829aTinderbox User<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Generate a NSEC3 chain with the given hex encoded salt.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A dash (<code class="literal">-</code>) can be given as the <em class="replaceable"><code>salt</code></em>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to indicate that no salt is to be used when generating the NSEC3 chain.
11e9368a226272085c337e9e74b79808c16fbdbaTinderbox User<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When generating a NSEC3 chain, use this many iterations. The
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater default is 100.
<dt><span class="term">-A</span></dt>
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater When generating a NSEC3 chain, set the OPTOUT flag on all
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater NSEC3 records and do not generate NSEC3 records for insecure
<dt><span class="term">zonefile</span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The file containing the zone to be signed.
<dt><span class="term">key</span></dt>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Specify which keys should be used to sign the zone. If
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein no keys are specified, then the zone will be examined
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein for DNSKEY records at the zone apex. If these are found and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein there are matching private keys, in the current directory,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein then these will be used for signing.
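<p>What the <code class="option">-3</code> salt and <code class="option">-H</code> iteration count do to an owner name, as an added example that is not part of the BIND distribution: it computes the NSEC3 hashed owner name with SHA-1 (NSEC3 hash algorithm 1, RFC 5155), so the names in a signed zone can be checked against the parameters that were passed. The function names are hypothetical, and the values in the comments come from the RFC 5155 example zone.</p>

```python
import base64
import hashlib

# base32 (RFC 4648 standard alphabet) -> base32hex, which NSEC3 owner names use
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def parse_salt(arg):
    """Salt as passed to -3: a hex string, or '-' for no salt."""
    if arg == "-":
        return b""
    salt = bytes.fromhex(arg)          # raises ValueError on non-hex input
    if len(salt) > 255:                # salt length is a single octet on the wire
        raise ValueError("salt longer than 255 octets")
    return salt

def wire_name(name):
    """Canonical (lower-case) wire format of a domain name."""
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name, salt_arg, iterations):
    """One initial SHA-1 over name||salt, then `iterations` further rounds."""
    salt = parse_salt(salt_arg)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):        # -H counts the *additional* rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()

def nsec3_owner(name, zone, salt_arg, iterations):
    """Owner name of the NSEC3 record covering `name` inside `zone`."""
    return nsec3_hash(name, salt_arg, iterations) + "." + zone.rstrip(".").lower() + "."

if __name__ == "__main__":
    # RFC 5155 example zone parameters: salt aabbccdd, 12 iterations
    print(nsec3_owner("example", "example", "aabbccdd", 12))
    # Same name with this page's -H default of 100 and no salt (-3 -)
    print(nsec3_owner("example", "example", "-", 100))
```

Each hashed name costs <code>iterations + 1</code> SHA-1 computations, for the signer and for every validator that has to check a denial of existence.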
47012ae6dbf18a2503d7b33c1c9583dc38625cb7Mark Andrews The following command signs the <strong class="userinput"><code>example.com</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (Kexample.com.+003+17247). The zone's keys must be in the master
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein file (<code class="filename">db.example.com</code>). This invocation looks
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein for <code class="filename">keyset</code> files, in the current directory,
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews the file <code class="filename">db.example.com.signed</code>. This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein file should be referenced in a zone statement in a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This example re-signs a previously signed zone with default parameters.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The private keys are assumed to be in the current directory.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<pre class="programlisting">% cp db.example.com.signed db.example.com
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<p><span class="corpauthor">Internet Systems Consortium</span>
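<p>The re-signing rules described under <code class="option">-s</code>, <code class="option">-e</code> and <code class="option">-i</code>, worked through as an added example (not code from BIND): it resolves the start and end times with the documented defaults, derives the cycle interval, and reports which RRSIG records in a previously signed zone would be retained or replaced. The function names, the sample zone text and the fixed "current time" are constructed for illustration, and the parser assumes one RRSIG per line.</p>

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y%m%d%H%M%S"  # YYYYMMDDHHMMSS, interpreted as UTC
CLASSES = {"IN", "CH", "HS"}

def to_utc(stamp):
    return datetime.strptime(stamp, FMT).replace(tzinfo=timezone.utc)

def resolve_start(spec, now):
    """-s: absolute, +N seconds from now, or (default) now minus 1 hour."""
    if spec is None:
        return now - timedelta(hours=1)
    if spec.startswith("+"):
        return now + timedelta(seconds=int(spec[1:]))
    return to_utc(spec)

def resolve_end(spec, now, start):
    """-e: absolute, +N from start, now+N from now, or (default) start + 30 days."""
    if spec is None:
        return start + timedelta(days=30)
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        return start + timedelta(seconds=int(spec[1:]))
    return to_utc(spec)

def rrsig_fields(line):
    """Return (owner, type covered, expiration) for a one-line RRSIG, else None."""
    parts = line.split(";", 1)[0].split()
    i = 1
    while i < len(parts) and (parts[i].isdigit() or parts[i].upper() in CLASSES):
        i += 1  # skip optional TTL and class
    if i >= len(parts) or parts[i].upper() != "RRSIG" or len(parts) < i + 10:
        return None  # e.g. an NSEC record that merely lists RRSIG in its bitmap
    return parts[0], parts[i + 1], to_utc(parts[i + 5])

def resign_plan(zone_text, now, start=None, end=None, interval=None):
    """Apply the -i rule: keep an RRSIG only if it expires after now + cycle."""
    t_start = resolve_start(start, now)
    t_end = resolve_end(end, now, t_start)
    cycle = timedelta(seconds=interval) if interval is not None else (t_end - t_start) / 4
    cutoff = now + cycle
    plan = {"start": t_start, "end": t_end, "cycle": cycle, "retain": [], "replace": []}
    for line in zone_text.splitlines():
        rec = rrsig_fields(line)
        if rec:
            owner, covered, expires = rec
            plan["retain" if expires > cutoff else "replace"].append((owner, covered))
    return plan

# Constructed sample: the signature fields are placeholders, not real RRSIG data.
SAMPLE_ZONE = """\
example.com. 3600 IN NSEC mail.example.com. NS SOA RRSIG NSEC DNSKEY
example.com. 3600 IN RRSIG SOA 3 2 3600 20090705120000 20090605110000 17247 example.com. c2lnMQ==
www.example.com. 3600 IN RRSIG A 3 3 3600 20090612120000 20090513110000 17247 example.com. c2lnMg==
mail.example.com. 3600 IN RRSIG MX 3 3 3600 20090601120000 20090502110000 17247 example.com. c2lnMw==
"""
NOW = datetime(2009, 6, 6, 12, 0, 0, tzinfo=timezone.utc)  # constructed "current time"

if __name__ == "__main__":
    plan = resign_plan(SAMPLE_ZONE, NOW)
    print("validity:", plan["start"], "->", plan["end"], "cycle:", plan["cycle"])
    print("retain:", plan["retain"])
    print("replace:", plan["replace"])
```

Run against a real signed zone on a schedule shorter than the cycle interval, the "replace" list shows which signatures the next re-sign has to refresh before they expire.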