dnssec-signzone.html revision 1c51f79aba598e5e20bde66aea0237e347f6d5ce
<!--
 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.html,v 1.35 2009/06/06 01:12:32 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543558"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
 signs a zone. It generates
 NSEC and RRSIG records and produces a signed version of the
 zone. The security status of delegations from the signed zone
 (that is, whether the child zones are secure or not) is
 determined by the presence or absence of a
 <code class="filename">keyset</code> file for each child zone.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543573"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
 Verify all generated signatures.
 </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Specifies the DNS class of the zone.
 </p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
 Treat the specified key as a key-signing key, ignoring any
 key flags. This option may be specified multiple times.
 </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
 Generate a DLV set in addition to the key (DNSKEY) and DS sets.
 The domain is appended to the name of the records.
 </p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Look for <code class="filename">keyset</code> files in
 <code class="option">directory</code> rather than in the current directory.
 </p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>
 Generate DS records for child zones from keyset files.
 Existing DS records will be removed.
 </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
 Specify the date and time when the generated RRSIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <code class="option">start-time</code> is specified, the current
 time minus 1 hour (to allow for clock skew) is used.
 </p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>
 Specify the date and time when the generated RRSIG records
 expire. As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">end-time</code> is
 specified, 30 days from the start time is used as a default.
 </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
 The name of the output file containing the signed zone. The
 default is to append <code class="filename">.signed</code> to
 the input filename.
 </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-signzone</strong></span>.
 </p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
 When a previously-signed zone is passed as input, records
 may be resigned. The <code class="option">interval</code> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.
 </p>
<p>
 The default cycle interval is one quarter of the difference
 between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 is specified, <span><strong class="command">dnssec-signzone</strong></span>
 generates signatures that are valid for 30 days, with a cycle
 interval of 7.5 days. Therefore, if any existing RRSIG records
 are due to expire in less than 7.5 days, they will be
 replaced.
 </p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
 The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be signed directly.
 The use of this option does not make much sense for
 non-dynamic zones.
 </p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd>
<p>
 When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously-signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <code class="option">jitter</code> option specifies a
 jitter window that will be used to randomize the signature
 expire time, thus spreading incremental signature
 regeneration over time.
 </p>
<p>
 Signature lifetime jitter also benefits validators and servers
 to some extent by spreading out cache expiration: if large
 numbers of RRSIGs do not expire at the same time from all
 caches, there will be less congestion than if all validators
 need to refetch at mostly the same time.
 </p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>
 Specifies the number of threads to use. By default, one
 thread is started for each detected CPU.
 </p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd>
<p>
 The SOA serial number format of the signed zone.
 Possible formats are <span><strong class="command">"keep"</strong></span> (default),
 <span><strong class="command">"increment"</strong></span> and
 <span><strong class="command">"unixtime"</strong></span>.
 </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
 arithmetic.</p></dd>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
 since the epoch.</p></dd>
</dl></div>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
 The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.
 </p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>
 The format of the output file containing the signed zone.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 </p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
 Use pseudo-random data when signing the zone. This is faster,
 but less secure, than using real random data. This option
 may be useful when signing large zones or when the entropy
 source is limited.
 </p></dd>
<dt><span class="term">-P</span></dt>
<dd>
<p>
 Disable post-sign verification tests.
 </p>
<p>
 The post-sign verification test ensures that for each algorithm
 in use there is at least one non-revoked, self-signed KSK,
 that all revoked KSKs are self-signed, and that all records
 in the zone are signed by the algorithm.
 This option skips these tests.
 </p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code>
 specifies the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
 </p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>
 Print statistics at completion.
 </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
 </p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
 Ignore KSK flag on key when determining what to sign.
 </p></dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd><p>
 Generate an NSEC3 chain with the given hex-encoded salt.
 A dash given as the <em class="replaceable"><code>salt</code></em> value
 indicates that no salt is to be used when generating the NSEC3 chain.
 </p></dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd><p>
 When generating an NSEC3 chain, use this many iterations. The
 default is 100.
 </p></dd>
<dt><span class="term">-A</span></dt>
<dd><p>
 When generating an NSEC3 chain, set the OPTOUT flag on all
 NSEC3 records and do not generate NSEC3 records for insecure
 delegations.
 </p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
 The file containing the zone to be signed.
 </p></dd>
<dt><span class="term">key</span></dt>
<dd><p>
 Specify which keys should be used to sign the zone. If
 no keys are specified, then the zone will be examined
 for DNSKEY records at the zone apex. If these are found and
 there are matching private keys in the current directory,
 then these will be used for signing.
 </p></dd>
</dl></div>
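<p>How the -s, -e, -i and -j settings interact, as an added example (not BIND's code): it applies the documented defaults (start = now minus one hour, end = start plus 30 days, cycle interval = one quarter of the lifetime) to a constructed set of existing RRSIGs and reports which would be regenerated. The direction in which jitter moves the expiration time is an assumption of this example; the current time is passed in explicitly so the results are reproducible.</p>

```python
"""Signature validity and re-signing arithmetic from the -s, -e, -i and -j
descriptions. Added example, not BIND's code: it reproduces the documented
defaults so the effect of each option can be checked on constructed data."""
import datetime as dt
import random

HOUR = 3600
DAY = 86400


def parse_time(spec, now, base=None):
    """Parse one time argument.
    YYYYMMDDHHMMSS -> absolute UTC time
    +N             -> N seconds after 'base' (the start time for -e,
                      otherwise the current time, as for -s)
    now+N          -> N seconds after the current time
    """
    if spec.startswith("now+"):
        return now + int(spec[4:])
    if spec.startswith("+"):
        return (now if base is None else base) + int(spec[1:])
    t = dt.datetime.strptime(spec, "%Y%m%d%H%M%S")
    return int(t.replace(tzinfo=dt.timezone.utc).timestamp())


def signature_window(now, start_spec=None, end_spec=None, interval=None):
    """Return (inception, expiration, cycle_interval) applying the defaults:
    start = now - 1 hour (clock skew), end = start + 30 days,
    interval = one quarter of (end - start)."""
    start = now - HOUR if start_spec is None else parse_time(start_spec, now)
    end = (start + 30 * DAY if end_spec is None
           else parse_time(end_spec, now, base=start))
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    if interval is None:
        interval = (end - start) // 4
    return start, end, interval


def needs_resign(rrsig_expiration, now, interval):
    """-i rule: an RRSIG expiring after now + interval is retained;
    anything else is treated as expiring soon and regenerated."""
    return rrsig_expiration <= now + interval


def select_for_resign(rrsigs, now, interval):
    """rrsigs: iterable of (owner, rrtype, expiration). Returns the
    (owner, rrtype) pairs whose signatures would be replaced."""
    return [(o, t) for o, t, exp in rrsigs if needs_resign(exp, now, interval)]


def jittered_expiration(expiration, jitter, rng=random):
    """-j rule as assumed in this example: pull each expiration back by a
    random amount in [0, jitter) so signatures never outlive the configured
    end time but stop expiring all at once. The man page only says the
    window randomizes the expire time; the direction is an assumption."""
    if jitter <= 0:
        return expiration
    return expiration - rng.randrange(jitter)


if __name__ == "__main__":
    now = 1_000_000_000  # constructed "current time" (2001-09-09 UTC)
    start, end, interval = signature_window(now)
    print("inception", start, "expiration", end, "cycle", interval / DAY, "days")
    # Constructed RRSIGs left over from an earlier signing run, one per RRset.
    rrsigs = [
        ("example.com.", "SOA", now + 3 * DAY),
        ("www.example.com.", "A", now + 20 * DAY),
        ("mail.example.com.", "MX", now + 7 * DAY),
    ]
    print("replace:", select_for_resign(rrsigs, now, interval))
    print("jittered end:", jittered_expiration(end, 2 * DAY))
```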
</div>
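<p>The NSEC3 hashing configured by the -3, -H and -A options, as an added example (not BIND's code): owner names are hashed as RFC 5155 specifies with the given salt and iteration count, sorted into hash order and linked into a chain; with opt-out, names listed as insecure delegations get no NSEC3 record. The zone contents below are constructed, apart from the RFC 5155 Appendix A test vector used to check the hash.</p>

```python
"""NSEC3 owner-name hashing and chain construction (RFC 5155), the
operations behind 'dnssec-signzone -3 salt -H iterations [-A]'.
Added example, not BIND's implementation."""
import base64
import hashlib

# Base32 -> Base32hex alphabet translation (RFC 4648 "Extended Hex").
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")
OPTOUT_FLAG = 0x01  # NSEC3 Flags field bit that -A sets


def name_to_wire(name):
    """Canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """IH(salt, x, 0) = SHA-1(x || salt); IH(salt, x, k) = SHA-1(IH(k-1) || salt).
    The owner hash is IH(salt, name, iterations), i.e. iterations + 1 SHA-1
    calls. A salt of '-' means no salt, matching 'dnssec-signzone -3 -'."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = name_to_wire(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 Base32hex characters, no padding.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3_chain(zone, names, salt_hex, iterations, optout=False,
                insecure_delegations=()):
    """Return NSEC3 records as (owner, flags, next_hashed, original_name),
    sorted in hash order with the last record wrapping to the first.
    With optout=True, insecure delegations are left out of the chain, as -A does."""
    skipped = set(insecure_delegations) if optout else set()
    hashed = sorted((nsec3_hash(n, salt_hex, iterations), n)
                    for n in names if n not in skipped)
    flags = OPTOUT_FLAG if optout else 0
    zone = zone.rstrip(".")
    return [(f"{h}.{zone}.", flags, hashed[(i + 1) % len(hashed)][0], n)
            for i, (h, n) in enumerate(hashed)]


def nsec3_rr_text(record, salt_hex, iterations, types="A RRSIG"):
    """Presentation format of one NSEC3 RR (hash algorithm 1 = SHA-1)."""
    owner, flags, next_hashed, _ = record
    return f"{owner} NSEC3 1 {flags} {iterations} {salt_hex} {next_hashed} {types}"


if __name__ == "__main__":
    # Constructed zone contents; c.example is an unsigned (insecure) delegation.
    names = ["example", "a.example", "ns1.example", "c.example"]
    for rec in nsec3_chain("example", names, "aabbccdd", 12,
                           optout=True, insecure_delegations={"c.example"}):
        print(nsec3_rr_text(rec, "aabbccdd", 12), " ;", rec[3])
```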
<div class="refsect1" lang="en">
<a name="id2544428"></a><h2>EXAMPLE</h2>
<p>
 The following command signs the <strong class="userinput"><code>example.com</code></strong>
 zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
 (Kexample.com.+003+17247). The zone's keys must be in the master
 file (<code class="filename">db.example.com</code>). This invocation looks
 for <code class="filename">keyset</code> files in the current directory
 so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
 </p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</pre>
<p>
In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
the file <code class="filename">db.example.com.signed</code>. This
file should be referenced in a zone statement in a
<code class="filename">named.conf</code> file.
</p>
<p>
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
</p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
<a name="id2544548"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544641"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>