<!--
 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.html,v 1.34 2009/06/05 01:12:33 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-n <em class="replaceable"><code>ncpus</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543558"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
 signs a zone. It generates
 NSEC and RRSIG records and produces a signed version of the
 zone. The security status of delegations from the signed zone
 (that is, whether the child zones are secure or not) is
 determined by the presence or absence of a
 <code class="filename">keyset</code> file for each child zone.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543573"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
 Verify all generated signatures.
 </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Specifies the DNS class of the zone.
 </p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
 Treat the specified key as a key-signing key, ignoring any
 key flags. This option may be specified multiple times.
 </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
 Generate a DLV set in addition to the key (DNSKEY) and DS sets.
 The domain is appended to the name of the records.
 </p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Look for <code class="filename">keyset</code> files in
 <code class="option">directory</code> instead of the current directory.
 </p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>
 Generate DS records for child zones from keyset files.
 Existing DS records will be removed.
 </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
 Specify the date and time when the generated RRSIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <code class="option">start-time</code> is specified, the current
 time minus 1 hour (to allow for clock skew) is used.
 </p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>
 Specify the date and time when the generated RRSIG records
 expire. As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">end-time</code> is
 specified, 30 days from the start time is used as a default.
 </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
 The name of the output file containing the signed zone. The
 default is to append <code class="filename">.signed</code> to
 the input filename.
 </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-signzone</strong></span>.
 </p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
 When a previously-signed zone is passed as input, records
 may be resigned. The <code class="option">interval</code> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.
 </p>
<p>
 The default cycle interval is one quarter of the difference
 between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 is specified, <span><strong class="command">dnssec-signzone</strong></span>
 generates signatures that are valid for 30 days, with a cycle
 interval of 7.5 days. Therefore, if any existing RRSIG records
 are due to expire in less than 7.5 days, they would be
 replaced.
 </p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
 The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be signed directly.
 The use of this option does not make much sense for
 non-dynamic zones.
 </p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd>
<p>
 When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously-signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <code class="option">jitter</code> option specifies a
 jitter window that will be used to randomize the signature
 expire time, thus spreading incremental signature
 regeneration over time.
 </p>
<p>
 Signature lifetime jitter also benefits validators and servers
 to some extent by spreading out cache expiration: if large
 numbers of RRSIGs don't expire from all caches at the same time,
 there will be less congestion than if all validators need to
 refetch at roughly the same time.
 </p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>
 Specifies the number of threads to use. By default, one
 thread is started for each detected CPU.
 </p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd>
<p>
 The SOA serial number format of the signed zone.
 Possible formats are <span><strong class="command">"keep"</strong></span> (default),
 <span><strong class="command">"increment"</strong></span> and
 <span><strong class="command">"unixtime"</strong></span>.
 </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
 arithmetic.</p></dd>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
 since the epoch.</p></dd>
</dl></div>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
 The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.
 </p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>
 The format of the output file containing the signed zone.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 </p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
 Use pseudo-random data when signing the zone. This is faster,
 but less secure, than using real random data. This option
 may be useful when signing large zones or when the entropy
 source is limited.
 </p></dd>
<dt><span class="term">-P</span></dt>
<dd>
<p>
 Disable post-sign verification tests.
 </p>
<p>
 The post-sign verification test ensures that for each algorithm
 in use there is at least one non-revoked, self-signed KSK; that
 all revoked KSKs are self-signed; and that all records in the
 zone are signed by that algorithm.
 </p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code>
 specifies the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
 </p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>
 Print statistics at completion.
 </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
 </p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
Ignore KSK flag on key when determining what to sign.
</p></dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd><p>
Generate an NSEC3 chain with the given hex-encoded salt.
A dash given as the <em class="replaceable"><code>salt</code></em>
indicates that no salt is to be used when generating the NSEC3 chain.
</p></dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd><p>
When generating an NSEC3 chain, use this many iterations. The
default is 100.
</p></dd>
<dt><span class="term">-A</span></dt>
<dd><p>
When generating an NSEC3 chain, set the OPTOUT flag on all
NSEC3 records and do not generate NSEC3 records for insecure
delegations.
</p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
The file containing the zone to be signed.
</p></dd>
<dt><span class="term">key</span></dt>
<dd><p>
Specify which keys should be used to sign the zone. If
no keys are specified, then the zone will be examined
for DNSKEY records at the zone apex. If these are found and
there are matching private keys in the current directory,
then these will be used for signing.
</p></dd>
</dl></div>
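<p>
The timing rules given above for <code class="option">-s</code>, <code class="option">-e</code>, <code class="option">-i</code> and <code class="option">-j</code>, worked as an added example: this Python model is not BIND code, the epoch values it is run with are constructed, and the jitter distribution is an assumption (the manual only says the expire time is randomized within the window).
</p>

```python
"""Model of dnssec-signzone's RRSIG timing rules (-s, -e, -i and -j).

Added example, not BIND code: it reimplements the rules stated in the
manual so the resulting validity windows can be inspected offline.
"""
import random
from datetime import datetime, timezone

HOUR = 3600
DAY = 86400
DEFAULT_SKEW = HOUR          # start-time default: now minus 1 hour (clock skew)
DEFAULT_LIFETIME = 30 * DAY  # end-time default: 30 days after start-time


def parse_abs(spec):
    """YYYYMMDDHHMMSS, interpreted as UTC, to epoch seconds."""
    dt = datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def resolve_start(spec, now):
    """-s start-time: absolute, +N seconds from now, or the default."""
    if spec is None:
        return now - DEFAULT_SKEW
    if spec.startswith("+"):
        return now + int(spec[1:])
    return parse_abs(spec)


def resolve_end(spec, now, start):
    """-e end-time: absolute, +N from start, now+N from now, or the default."""
    if spec is None:
        return start + DEFAULT_LIFETIME
    if spec.startswith("now+"):
        return now + int(spec[4:])
    if spec.startswith("+"):
        return start + int(spec[1:])
    return parse_abs(spec)


def resolve_interval(spec, start, end):
    """-i interval: explicit seconds, else a quarter of the lifetime."""
    if spec is None:
        return (end - start) // 4
    return int(spec)


def needs_resign(existing_expiry, now, interval):
    """An existing RRSIG is kept only if it expires after now + interval."""
    return existing_expiry <= now + interval


def sign_window(now, start=None, end=None, interval=None, jitter=0, seed=None):
    """Inception/expiration a fresh RRSIG would get, plus the cycle interval
    used to decide which existing RRSIGs are regenerated."""
    inception = resolve_start(start, now)
    expiration = resolve_end(end, now, inception)
    if expiration <= inception:
        raise ValueError("end-time must be later than start-time")
    cycle = resolve_interval(interval, inception, expiration)
    # -j jitter: the manual says the expire time is randomized within a
    # window of `jitter` seconds.  Modelled here (an assumption, not BIND's
    # exact formula) as subtracting a uniform value in [0, jitter).
    if jitter:
        expiration -= random.Random(seed).randrange(jitter)
    return {"inception": inception, "expiration": expiration,
            "cycle_interval": cycle}


def plan_resign(existing_expiries, now, **opts):
    """Split existing RRSIG expiry times into those kept and those replaced."""
    cycle = sign_window(now, **opts)["cycle_interval"]
    kept = [e for e in existing_expiries if not needs_resign(e, now, cycle)]
    replaced = [e for e in existing_expiries if needs_resign(e, now, cycle)]
    return kept, replaced
```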
</div>
<div class="refsect1" lang="en">
<a name="id2544428"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
(Kexample.com.+003+17247). The zone's keys must be in the master
file (<code class="filename">db.example.com</code>). This invocation looks
for <code class="filename">keyset</code> files in the current directory,
so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
</p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</pre>
<p>
In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
the file <code class="filename">db.example.com.signed</code>. This
file should be referenced in a zone statement in a
<code class="filename">named.conf</code> file.
</p>
<p>
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
</p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</pre>
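<p>
When a previously signed zone is re-signed as above, the <code class="option">-N</code> format decides the SOA serial of the output, and secondaries only pick up the new RRSIGs when that serial compares greater under RFC 1982. The following Python model is an added example, not BIND code; the serial values it is run with are constructed.
</p>

```python
"""Model of the -N soa-serial-format choices (keep, increment, unixtime)
using RFC 1982 serial number arithmetic.  Added example, not BIND code."""

SERIAL_BITS = 32
SERIAL_SPACE = 1 << SERIAL_BITS
HALF_SPACE = 1 << (SERIAL_BITS - 1)


def serial_add(serial, n):
    """RFC 1982 addition: n must be less than 2^31; wraps modulo 2^32."""
    if not 0 <= n < HALF_SPACE:
        raise ValueError("addend outside the RFC 1982 range")
    return (serial + n) % SERIAL_SPACE


def serial_gt(a, b):
    """RFC 1982 comparison: True when a is 'greater than' b in the wrapping
    serial space (a distance of exactly 2^31 is undefined; False here)."""
    return (a < b and b - a > HALF_SPACE) or (a > b and a - b < HALF_SPACE)


def next_serial(fmt, current, now):
    """Serial the signed zone would carry under each -N format."""
    if fmt == "keep":
        return current
    if fmt == "increment":
        return serial_add(current, 1)
    if fmt == "unixtime":
        return now % SERIAL_SPACE
    raise ValueError("unknown soa-serial-format: %s" % fmt)


def secondaries_see_change(old, new):
    """Secondaries refresh only when the new serial compares greater under
    RFC 1982: 'keep' never triggers that, and switching a date-style
    serial (YYYYMMDDnn) to 'unixtime' can move the serial backwards."""
    return serial_gt(new, old)
```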
</div>
<div class="refsect1" lang="en">
<a name="id2544548"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544641"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>