<!--
 - Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.html,v 1.51 2011/12/10 01:14:52 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
<p><span><strong class="command">dnssec-signzone</strong></span>
 signs a zone. It generates
 NSEC and RRSIG records and produces a signed version of the
 zone. The security status of delegations from the signed zone
 (that is, whether the child zones are secure or not) is
 determined by the presence or absence of a
 <code class="filename">keyset</code> file for each child zone.</p>
<dt><span class="term">-a</span></dt>
<dd><p>Verify all generated signatures.</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>Specifies the DNS class of the zone.</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>Compatibility mode: Generate a
 <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
 file in addition to
 <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
 when signing a zone, for use by older versions of
 <span><strong class="command">dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>Look for <code class="filename">dsset-</code> or
 <code class="filename">keyset-</code> files in <code class="option">directory</code>.</p></dd>
<dt><span class="term">-D</span></dt>
<dd><p>Output only those record types automatically managed by
 <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
 NSEC3 and NSEC3PARAM records. If smart signing
 (<code class="option">-S</code>) is used, DNSKEY records are also
 included. The resulting file can be included in the original
 zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
 cannot be combined with <code class="option">-O raw</code> or serial
 number updating.</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>Uses crypto hardware (an OpenSSL engine) for the crypto operations
 it supports, for instance signing with private keys held in
 a secure key store. When compiled with PKCS#11 support
 it defaults to pkcs11; the empty name resets it to no engine.</p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>Generate DS records for child zones from
 <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
 files. Existing DS records will be removed.</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>Key repository: Specify a directory to search for DNSSEC keys.
 If not specified, defaults to the current directory.</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>Treat the specified key as a key-signing key, ignoring any
 key flags. This option may be specified multiple times.</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>Generate a DLV set in addition to the key (DNSKEY) and DS sets.
 The domain is appended to the name of the records.</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <code class="option">start-time</code> is specified, the current
 time minus 1 hour (to allow for clock skew) is used.</p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 expire. As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">end-time</code> is
 specified, 30 days from the start time is used as a default.
 <code class="option">end-time</code> must be later than
 <code class="option">start-time</code>.</p></dd>
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 for the DNSKEY RRset will expire. This is to be used in cases
 when the DNSKEY signatures need to persist longer than
 signatures on other records; e.g., when the private component
 of the KSK is kept offline and the KSK signature is to be
 refreshed manually.</p>
<p>As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">extended end-time</code> is
 specified, the value of <code class="option">end-time</code> is used as
 the default. (<code class="option">end-time</code>, in turn, defaults to
 30 days from the start time.) <code class="option">extended end-time</code>
 must be later than <code class="option">start-time</code>.</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>The name of the output file containing the signed zone. The
 default is to append <code class="filename">.signed</code> to
 the input filename. If <code class="option">output-file</code> is
 set to <code class="literal">"-"</code>, then the signed zone is
 written to the standard output, with a default output
 format of "full".</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd><p>When a previously-signed zone is passed as input, records
 may be resigned. The <code class="option">interval</code> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.</p>
<p>The default cycle interval is one quarter of the difference
 between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 is specified, <span><strong class="command">dnssec-signzone</strong></span>
 generates signatures that are valid for 30 days, with a cycle
 interval of 7.5 days. Therefore, if any existing RRSIG records
 are due to expire in less than 7.5 days, they would be replaced.</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be signed directly.
 The use of this option does not make much sense for
 non-dynamic zones.</p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd><p>When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously-signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <code class="option">jitter</code> option specifies a
 jitter window that will be used to randomize the signature
 expire time, thus spreading incremental signature
 regeneration over time.</p>
<p>Signature lifetime jitter also to some extent benefits
 validators and servers by spreading out cache expiration,
 i.e. if large numbers of RRSIGs don't expire at the same time
 from all caches there will be less congestion than if all
 validators need to refetch at mostly the same time.</p></dd>
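The time arguments described under -s, -e and -X and the resigning decisions made under -i and -j, modelled in Python as an added example. This is not BIND code: the function names, the constructed SAMPLE_NOW timestamp (the man page's own example time) and the choice to pull a jittered expiry forward rather than push it back are assumptions of the example.

```python
"""Added example modelling dnssec-signzone's time arguments (-s, -e, -X)
and its resigning decisions (-i, -j). Not BIND code."""
import random
from datetime import datetime, timedelta, timezone

# Constructed "current time": 14:45:00 UTC on 30 May 2000, the man page's
# own example timestamp, so absolute and relative specs can be compared.
SAMPLE_NOW = datetime(2000, 5, 30, 14, 45, 0, tzinfo=timezone.utc)


def parse_timespec(spec, now, start=None):
    """Parse one time argument the way the man page describes it:
    YYYYMMDDHHMMSS is absolute UTC, now+N is N seconds after the current
    time, and +N is N seconds after the start time (or after the current
    time when parsing start-time itself, when there is no start yet)."""
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        base = now if start is None else start
        return base + timedelta(seconds=int(spec[1:]))
    if len(spec) == 14 and spec.isdigit():
        return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised time specification: {spec!r}")


def signature_window(now, start_spec=None, end_spec=None, extended_spec=None):
    """Apply the defaults: start-time = now - 1 hour (clock skew allowance),
    end-time = start + 30 days, extended end-time (DNSKEY RRSIGs) = end-time.
    Both end times must be later than the start time."""
    start = parse_timespec(start_spec, now) if start_spec else now - timedelta(hours=1)
    end = parse_timespec(end_spec, now, start) if end_spec else start + timedelta(days=30)
    extended = parse_timespec(extended_spec, now, start) if extended_spec else end
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    if extended <= start:
        raise ValueError("extended end-time must be later than start-time")
    return start, end, extended


def cycle_interval(start, end, interval_seconds=None):
    """-i: an explicit cycle interval, else one quarter of the validity period."""
    if interval_seconds is not None:
        return timedelta(seconds=interval_seconds)
    return (end - start) / 4


def needs_resign(rrsig_expiry, now, cycle):
    """An existing RRSIG that still expires after now + cycle is retained;
    one expiring within the cycle interval is 'expiring soon' and replaced."""
    return rrsig_expiry <= now + cycle


def jittered_expiry(end, jitter_seconds, rng=None):
    """-j: pull the expiry forward by a random amount of up to jitter_seconds
    so that signatures made in one run do not all expire together
    (subtracting rather than adding is this example's modelling choice)."""
    if jitter_seconds <= 0:
        return end
    rng = rng or random.Random()
    return end - timedelta(seconds=rng.randint(0, jitter_seconds))


if __name__ == "__main__":
    start, end, extended = signature_window(SAMPLE_NOW)
    cycle = cycle_interval(start, end)
    print("start", start, "end", end, "cycle", cycle)
    for spec in ("now+604800", "now+691200"):  # 7 and 8 days out
        expiry = parse_timespec(spec, SAMPLE_NOW)
        print(spec, "replace" if needs_resign(expiry, SAMPLE_NOW, cycle) else "retain")
```

With no options given, the window is now-1h to now-1h+30d and the cycle interval is 7.5 days, so an RRSIG expiring 7 days out is replaced on an incremental run while one expiring 8 days out is kept; the same functions show why an end-time earlier than the start is rejected.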
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>Specifies the number of threads to use. By default, one
 thread is started for each detected CPU.</p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd><p>The SOA serial number format of the signed zone.
 Possible formats are <span><strong class="command">"keep"</strong></span> (default),
 <span><strong class="command">"increment"</strong></span> and
 <span><strong class="command">"unixtime"</strong></span>.</p>
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.</p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>The format of the output file containing the signed zone.
 Possible formats are <span><strong class="command">"text"</strong></span> (default),
 <span><strong class="command">"full"</strong></span>, which is text output in a
 format suitable for processing by external scripts,
 and <span><strong class="command">"raw"</strong></span> or <span><strong class="command">"raw=N"</strong></span>,
 which store the zone in a binary format for rapid loading
 by <span><strong class="command">named</strong></span>. <span><strong class="command">"raw=N"</strong></span>
 specifies the format version of the raw zone file: if N
 is 0, the raw file can be read by any version of
 <span><strong class="command">named</strong></span>; if N is 1, the file can be
 read by release 9.9.0 or higher. The default is 1.</p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>Use pseudo-random data when signing the zone. This is faster,
 but less secure, than using real random data. This option
 may be useful when signing large zones or when the entropy
 source is limited.</p></dd>
<dt><span class="term">-P</span></dt>
<dd><p>Disable post-sign verification tests.</p>
<p>The post-sign verification tests ensure that for each algorithm
 in use there is at least one non-revoked self-signed KSK,
 that all revoked KSKs are self-signed, and that all records
 in the zone are signed by that algorithm.
 This option skips these tests.</p></dd>
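The three post-sign checks that -P disables, modelled over a constructed zone as an added example. This is not BIND's verification code: the key tags, algorithm numbers, owner names and function names are constructed for the illustration, "self-signed" is reduced to "the key's own RRSIG covers the apex DNSKEY RRset" with no signature bytes verified, and the model ignores that setting the REVOKE bit changes a key's tag.

```python
"""Added example: a model of the post-sign verification tests that
dnssec-signzone runs unless -P is given. Not BIND code; all data is
constructed for illustration."""

APEX = "example.com."

# key tag -> (algorithm number, is_ksk, is_revoked); tags are made up
SAMPLE_KEYS = {
    17247: (8, True, False),    # KSK, algorithm 8
    30131: (8, False, False),   # ZSK, algorithm 8
    41822: (13, True, True),    # revoked KSK, algorithm 13
    52910: (13, True, False),   # replacement KSK, algorithm 13
    60417: (13, False, False),  # ZSK, algorithm 13
}

# every RRset in the zone as (owner, type)
SAMPLE_RRSETS = [
    (APEX, "SOA"), (APEX, "NS"), (APEX, "DNSKEY"),
    ("www.example.com.", "A"), ("www.example.com.", "NSEC"),
]

# (owner, type) -> key tags whose RRSIGs cover that RRset
SAMPLE_SIGS = {
    (APEX, "SOA"): {30131, 60417},
    (APEX, "NS"): {30131, 60417},
    (APEX, "DNSKEY"): {17247, 41822, 52910},
    ("www.example.com.", "A"): {30131, 60417},
    ("www.example.com.", "NSEC"): {30131, 60417},
}


def post_sign_checks(keys, rrsets, sigs, apex=APEX):
    """Return a list of problems; an empty list means the zone passes
    the three tests the man page describes."""
    problems = []
    # "Self-signed" here: the key's own RRSIG covers the apex DNSKEY RRset.
    dnskey_signers = sigs.get((apex, "DNSKEY"), set())
    algorithms = {alg for alg, _, _ in keys.values()}

    # 1. For each algorithm in use, at least one non-revoked self-signed KSK.
    for alg in sorted(algorithms):
        if not any(tag in dnskey_signers
                   for tag, (a, ksk, revoked) in keys.items()
                   if a == alg and ksk and not revoked):
            problems.append(f"algorithm {alg}: no non-revoked self-signed KSK")

    # 2. Every revoked KSK must still be self-signed; without that
    #    signature validators cannot accept the revocation.
    for tag, (alg, ksk, revoked) in sorted(keys.items()):
        if ksk and revoked and tag not in dnskey_signers:
            problems.append(f"revoked KSK {tag} (algorithm {alg}) is not self-signed")

    # 3. Every RRset must carry an RRSIG from every algorithm in the DNSKEY
    #    RRset; a validator that trusts only one algorithm otherwise fails.
    for rrset in rrsets:
        signed_algs = {keys[tag][0] for tag in sigs.get(rrset, set()) if tag in keys}
        for alg in sorted(algorithms - signed_algs):
            owner, rtype = rrset
            problems.append(f"{owner} {rtype}: no RRSIG by algorithm {alg}")
    return problems


def without_signer(sigs, rrset, tag):
    """Copy of sigs with one key's RRSIG dropped from one RRset."""
    patched = {k: set(v) for k, v in sigs.items()}
    patched[rrset].discard(tag)
    return patched


if __name__ == "__main__":
    print(post_sign_checks(SAMPLE_KEYS, SAMPLE_RRSETS, SAMPLE_SIGS))  # []
    broken = without_signer(SAMPLE_SIGS, (APEX, "DNSKEY"), 52910)
    print(post_sign_checks(SAMPLE_KEYS, SAMPLE_RRSETS, broken))
```

Dropping the replacement KSK's signature from the DNSKEY RRset leaves algorithm 13 with only a revoked KSK, which is exactly the condition the first test exists to catch; the real tool additionally verifies the signatures cryptographically, which this model does not.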
<dt><span class="term">-R</span></dt>
<dd><p>Remove signatures from keys that no longer exist.</p>
<p>Normally, when a previously-signed zone is passed as input
 to the signer, and a DNSKEY record has been removed and
 replaced with a new one, signatures from the old key
 that are still within their validity period are retained.
 This allows the zone to continue to validate with cached
 copies of the old DNSKEY RRset. The <code class="option">-R</code> option forces
 <span><strong class="command">dnssec-signzone</strong></span> to remove all orphaned
 signatures.</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.</p></dd>
<dt><span class="term">-S</span></dt>
<dd><p>Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
 search the key repository for keys that match the zone being
 signed, and to include them in the zone if appropriate.</p>
<p>When a key is found, its timing metadata is examined to
 determine how it should be used, according to the following
 rules. Each successive rule takes priority over the prior ones.</p>
<p>If no timing metadata has been set for the key, the key is
 published in the zone and used to sign the zone.</p>
<p>If the key's publication date is set and is in the past, the
 key is published in the zone.</p>
<p>If the key's activation date is set and in the past, the</p></dd>
Kexample.com.+003+17247