dnssec-signzone.html revision 75c0816e8295e180f4bc7f10db3d0d880383bc1c
<!--
 - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.html,v 1.20 2005/05/13 03:14:05 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.68.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-n <em class="replaceable"><code>ncpus</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
<p><span><strong class="command">dnssec-signzone</strong></span>
 signs a zone. It generates NSEC and RRSIG records and produces a
 signed version of the zone. The security status of delegations from
 the signed zone (that is, whether the child zones are secure or not)
 is determined by the presence or absence of a
 <code class="filename">keyset</code> file for each child zone.</p>
<dt><span class="term">-a</span></dt>
<dd><p>Verify all generated signatures.</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>Specifies the DNS class of the zone.</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>Treat the specified key as a key-signing key (KSK), ignoring any
 key flags. This option may be specified multiple times.</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>Generate a DLV set in addition to the key (DNSKEY) and DS sets.
 The domain is appended to the name of the records.</p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>Look for <code class="filename">keyset</code> files in
 <code class="option">directory</code>.</p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>Generate DS records for child zones from keyset files.
 Existing DS records will be removed.</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <code class="option">start-time</code> is specified, the current
 time minus 1 hour (to allow for clock skew) is used.</p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 expire. As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">end-time</code> is
 specified, 30 days from the start time is used as a default.</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>The name of the output file containing the signed zone. The
 default is to append <code class="filename">.signed</code> to</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd><p>When a previously signed zone is passed as input, records
 may be resigned. The <code class="option">interval</code> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.</p>
<p>The default cycle interval is one quarter of the difference
 between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 is specified, <span><strong class="command">dnssec-signzone</strong></span>
 generates signatures that are valid for 30 days, with a cycle
 interval of 7.5 days. Therefore, if any existing RRSIG records
 are due to expire in less than 7.5 days, they would be</p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd><p>When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <code class="option">jitter</code> option specifies a
 jitter window that will be used to randomize the signature
 expiration time, thus spreading incremental signature
 regeneration over time.</p>
<p>Signature lifetime jitter also, to some extent, benefits
 validators and servers by spreading out cache expiration:
 if large numbers of RRSIGs do not expire from all caches at the
 same time, there is less congestion than if all validators
 need to refetch at mostly the same time.</p></dd>
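<p>The <code class="option">-s</code>/<code class="option">-e</code> time arithmetic and the <code class="option">-i</code>/<code class="option">-j</code> resign rules described above are easy to get wrong when a signing schedule is scripted. The following Python module is an added worked example, not part of the BIND documentation or of the BIND code base: it re-implements those rules as the man page states them (absolute YYYYMMDDHHMMSS read as UTC, +N and now+N offsets, the one-hour skew default, the 30-day lifetime default, the quarter-lifetime cycle interval, retain-if-expires-after-the-interval) so that the resulting inception and expiration times and the retain/replace decisions can be checked offline. The function names and the sample RRSIG expiration times are constructed for the example, and applying jitter by subtracting a random offset of up to <em class="replaceable"><code>jitter</code></em> seconds from the expiration is an assumption; the page only says the expiration is randomized within the window.</p>

```python
"""Model dnssec-signzone's RRSIG timing rules (-s, -e, -i, -j).

Added example, not part of the BIND documentation or the BIND code base.
It re-implements the timing semantics described in the man page so the
inception/expiration times and resign decisions can be inspected offline.
Applying jitter by subtracting a random offset from the expiration is an
assumption made here; the page only says the expiry is randomized.
"""
import random
import re
from datetime import datetime, timedelta, timezone

ABSOLUTE = re.compile(r"^\d{14}$")          # YYYYMMDDHHMMSS
DEFAULT_SKEW = timedelta(hours=1)           # default -s: now - 1h
DEFAULT_LIFETIME = timedelta(days=30)       # default -e: start + 30d


def parse_absolute(text):
    """YYYYMMDDHHMMSS in UTC: 20000530144500 is 14:45:00 UTC on 30 May 2000."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def resolve_start(start_arg, now):
    """-s: absolute time, +N seconds from now, or the clock-skew default."""
    if start_arg is None:
        return now - DEFAULT_SKEW
    if ABSOLUTE.match(start_arg):
        return parse_absolute(start_arg)
    if start_arg.startswith("+"):
        return now + timedelta(seconds=int(start_arg[1:]))
    raise ValueError("bad start-time: %r" % start_arg)


def resolve_end(end_arg, start, now):
    """-e: absolute, +N seconds from start, now+N seconds from now, or start + 30d."""
    if end_arg is None:
        return start + DEFAULT_LIFETIME
    if ABSOLUTE.match(end_arg):
        end = parse_absolute(end_arg)
    elif end_arg.startswith("now+"):
        end = now + timedelta(seconds=int(end_arg[4:]))
    elif end_arg.startswith("+"):
        end = start + timedelta(seconds=int(end_arg[1:]))
    else:
        raise ValueError("bad end-time: %r" % end_arg)
    if end <= start:
        # An RRSIG whose expiration is not after its inception never validates.
        raise ValueError("end-time %s is not after start-time %s" % (end, start))
    return end


def cycle_interval(start, end, interval_arg=None):
    """-i: explicit seconds, otherwise one quarter of the validity period."""
    if interval_arg is not None:
        return timedelta(seconds=int(interval_arg))
    return (end - start) / 4


def needs_resign(rrsig_expiration, now, interval):
    """Retained if it expires after now + interval; otherwise it is replaced."""
    return rrsig_expiration <= now + interval


def jittered_expiration(end, jitter_seconds, rng):
    """-j (assumed model): end minus a random offset in [0, jitter_seconds]."""
    if jitter_seconds <= 0:
        return end
    return end - timedelta(seconds=rng.randint(0, jitter_seconds))


def plan(now, start_arg=None, end_arg=None, interval_arg=None, jitter=0,
         existing=(), seed=0):
    """Return the schedule and which existing RRSIGs would be regenerated."""
    start = resolve_start(start_arg, now)
    end = resolve_end(end_arg, start, now)
    interval = cycle_interval(start, end, interval_arg)
    rng = random.Random(seed)  # seeded only so the example is reproducible
    replaced = [exp for exp in existing if needs_resign(exp, now, interval)]
    new_expirations = [jittered_expiration(end, jitter, rng) for _ in replaced]
    return {"inception": start, "expiration": end, "interval": interval,
            "replaced": replaced, "new_expirations": new_expirations}


if __name__ == "__main__":
    now = parse_absolute("20000530144500")
    # Constructed sample: existing RRSIGs expiring 3, 10 and 40 days from now.
    existing = [now + timedelta(days=d) for d in (3, 10, 40)]
    for key, value in plan(now, existing=existing, jitter=3600).items():
        print("%-16s %s" % (key, value))
```

Run with <code>python3</code> to print the plan for the constructed zone: with the defaults the cycle interval is 7.5 days, so only the signature expiring 3 days out is regenerated, and its new expiration lands within the hour before the nominal 30-day end time. Passing an end-time that is not after the start time raises, which is the check a wrapper script should make before invoking the real signer.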
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>Specifies the number of threads to use. By default, one
 thread is started for each detected CPU.</p></dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.</p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>Use pseudo-random data when signing the zone. This is faster,
 but less secure, than using real random data. This option
 may be useful when signing large zones or when the entropy
 source is limited. Note that for DSA keys in particular the
 per-signature nonce must be unpredictable: a predictable or
 repeated nonce allows anyone holding the signed zone to recover
 the private key, so do not use this option with a production
 DSA key.</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.</p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>Print statistics at completion.</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>Sets the debugging level.</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>Ignore the KSK flag on keys when determining what to sign.</p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>The file containing the zone to be signed.</p></dd>
<dt><span class="term">key</span></dt>
<dd><p>The keys used to sign the zone. If no keys are specified, the
 default is to use all zone keys that have private key files in the
 current directory.</p></dd>
<p>The following command signs the <strong class="userinput"><code>example.com</code></strong>
 zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span>
 man page. The zone's keys must be in the zone. If there are
 <code class="filename">keyset</code> files associated with child zones,
 they must be in the current directory.</p>
<p><strong class="userinput"><code>example.com</code></strong>, the following command would be</p>
<p><strong class="userinput"><code>dnssec-signzone -o example.com db.example.com</code></strong></p>
<p>The command would print a string of the form:</p>
<p>In this example, <span><strong class="command">dnssec-signzone</strong></span> creates
 the file <code class="filename">db.example.com.signed</code>. This
 should be referenced in a zone statement in a</p>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,</p>
<p><span class="corpauthor">Internet Systems Consortium</span></p>