dnssec-signzone.html revision 75c0816e8295e180f4bc7f10db3d0d880383bc1c
2N/A<!--
2N/A - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
2N/A - Copyright (C) 2000-2003 Internet Software Consortium.
2N/A -
2N/A - Permission to use, copy, modify, and distribute this software for any
2N/A - purpose with or without fee is hereby granted, provided that the above
2N/A - copyright notice and this permission notice appear in all copies.
2N/A -
2N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
2N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
2N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
2N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
2N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
2N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2N/A - PERFORMANCE OF THIS SOFTWARE.
2N/A-->
2N/A<!-- $Id: dnssec-signzone.html,v 1.20 2005/05/13 03:14:05 marka Exp $ -->
2N/A<html>
2N/A<head>
2N/A<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
2N/A<title>dnssec-signzone</title>
2N/A<meta name="generator" content="DocBook XSL Stylesheets V1.68.1">
2N/A</head>
2N/A<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
2N/A<a name="id2456836"></a><div class="titlepage"></div>
2N/A<div class="refnamediv">
2N/A<h2>Name</h2>
2N/A<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
2N/A</div>
2N/A<div class="refsynopsisdiv">
2N/A<h2>Synopsis</h2>
2N/A<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nthreads</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
2N/A</div>
2N/A<div class="refsect1" lang="en">
2N/A<a name="id2514329"></a><h2>DESCRIPTION</h2>
2N/A<p><span><strong class="command">dnssec-signzone</strong></span>
2N/A signs a zone. It generates
2N/A NSEC and RRSIG records and produces a signed version of the
2N/A zone. The security status of delegations from the signed zone
2N/A (that is, whether the child zones are secure or not) is
2N/A determined by the presence or absence of a
2N/A <code class="filename">keyset</code> file for each child zone.
2N/A </p>
2N/A</div>
2N/A<div class="refsect1" lang="en">
2N/A<a name="id2514344"></a><h2>OPTIONS</h2>
2N/A<div class="variablelist"><dl>
2N/A<dt><span class="term">-a</span></dt>
2N/A<dd><p>
2N/A Verify all generated signatures.
2N/A </p></dd>
2N/A<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
2N/A<dd><p>
2N/A Specifies the DNS class of the zone.
2N/A </p></dd>
2N/A<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
2N/A<dd><p>
2N/A Treat specified key as a key signing key ignoring any
2N/A key flags. This option may be specified multiple times.
2N/A </p></dd>
2N/A<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
2N/A<dd><p>
2N/A Generate a DLV set in addition to the key (DNSKEY) and DS sets.
2N/A The domain is appended to the name of the records.
2N/A </p></dd>
2N/A<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
2N/A<dd><p>
2N/A Look for <code class="filename">keyset</code> files in
2N/A <code class="option">directory</code> as the directory
2N/A </p></dd>
2N/A<dt><span class="term">-g</span></dt>
2N/A<dd><p>
2N/A Generate DS records for child zones from keyset files.
2N/A Existing DS records will be removed.
2N/A </p></dd>
2N/A<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
2N/A<dd><p>
2N/A Specify the date and time when the generated RRSIG records
2N/A become valid. This can be either an absolute or relative
2N/A time. An absolute start time is indicated by a number
2N/A in YYYYMMDDHHMMSS notation; 20000530144500 denotes
2N/A 14:45:00 UTC on May 30th, 2000. A relative start time is
2N/A indicated by +N, which is N seconds from the current time.
2N/A If no <code class="option">start-time</code> is specified, the current
2N/A time minus 1 hour (to allow for clock skew) is used.
2N/A </p></dd>
2N/A<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
2N/A<dd><p>
2N/A Specify the date and time when the generated RRSIG records
2N/A expire. As with <code class="option">start-time</code>, an absolute
2N/A time is indicated in YYYYMMDDHHMMSS notation. A time relative
2N/A to the start time is indicated with +N, which is N seconds from
2N/A the start time. A time relative to the current time is
2N/A indicated with now+N. If no <code class="option">end-time</code> is
2N/A specified, 30 days from the start time is used as a default.
2N/A </p></dd>
2N/A<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
2N/A<dd><p>
2N/A The name of the output file containing the signed zone. The
2N/A default is to append <code class="filename">.signed</code> to
2N/A the
2N/A input file.
2N/A </p></dd>
2N/A<dt><span class="term">-h</span></dt>
2N/A<dd><p>
2N/A Prints a short summary of the options and arguments to
2N/A <span><strong class="command">dnssec-signzone</strong></span>.
2N/A </p></dd>
2N/A<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
2N/A<dd>
2N/A<p>
2N/A When a previously signed zone is passed as input, records
2N/A may be resigned. The <code class="option">interval</code> option
2N/A specifies the cycle interval as an offset from the current
2N/A time (in seconds). If a RRSIG record expires after the
2N/A cycle interval, it is retained. Otherwise, it is considered
2N/A to be expiring soon, and it will be replaced.
2N/A </p>
2N/A<p>
2N/A The default cycle interval is one quarter of the difference
2N/A between the signature end and start times. So if neither
2N/A <code class="option">end-time</code> or <code class="option">start-time</code>
2N/A are specified, <span><strong class="command">dnssec-signzone</strong></span>
2N/A generates
2N/A signatures that are valid for 30 days, with a cycle
2N/A interval of 7.5 days. Therefore, if any existing RRSIG records
2N/A are due to expire in less than 7.5 days, they would be
2N/A replaced.
2N/A </p>
2N/A</dd>
2N/A<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
2N/A<dd>
2N/A<p>
2N/A When signing a zone with a fixed signature lifetime, all
2N/A RRSIG records issued at the time of signing expires
2N/A simultaneously. If the zone is incrementally signed, i.e.
2N/A a previously signed zone is passed as input to the signer,
2N/A all expired signatures has to be regenerated at about the
2N/A same time. The <code class="option">jitter</code> option specifies a
2N/A jitter window that will be used to randomize the signature
2N/A expire time, thus spreading incremental signature
2N/A regeneration over time.
2N/A </p>
2N/A<p>
2N/A Signature lifetime jitter also to some extent benefits
2N/A validators and servers by spreading out cache expiration,
2N/A i.e. if large numbers of RRSIGs don't expire at the same time
2N/A from all caches there will be less congestion than if all
2N/A validators need to refetch at mostly the same time.
2N/A </p>
2N/A</dd>
2N/A<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
2N/A<dd><p>
2N/A Specifies the number of threads to use. By default, one
2N/A thread is started for each detected CPU.
2N/A </p></dd>
2N/A<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
2N/A<dd><p>
2N/A The zone origin. If not specified, the name of the zone file
2N/A is assumed to be the origin.
2N/A </p></dd>
2N/A<dt><span class="term">-p</span></dt>
2N/A<dd><p>
2N/A Use pseudo-random data when signing the zone. This is faster,
2N/A but less secure, than using real random data. This option
2N/A may be useful when signing large zones or when the entropy
2N/A source is limited.
2N/A </p></dd>
2N/A<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
2N/A<dd><p>
2N/A Specifies the source of randomness. If the operating
2N/A system does not provide a <code class="filename">/dev/random</code>
2N/A or equivalent device, the default source of randomness
2N/A is keyboard input. <code class="filename">randomdev</code>
2N/A specifies
2N/A the name of a character device or file containing random
2N/A data to be used instead of the default. The special value
2N/A <code class="filename">keyboard</code> indicates that keyboard
2N/A input should be used.
2N/A </p></dd>
2N/A<dt><span class="term">-t</span></dt>
2N/A<dd><p>
2N/A Print statistics at completion.
2N/A </p></dd>
2N/A<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
2N/A<dd><p>
2N/A Sets the debugging level.
2N/A </p></dd>
2N/A<dt><span class="term">-z</span></dt>
2N/A<dd><p>
2N/A Ignore KSK flag on key when determining what to sign.
2N/A </p></dd>
2N/A<dt><span class="term">zonefile</span></dt>
2N/A<dd><p>
2N/A The file containing the zone to be signed.
2N/A Sets the debugging level.
2N/A </p></dd>
2N/A<dt><span class="term">key</span></dt>
2N/A<dd><p>
2N/A The keys used to sign the zone. If no keys are specified, the
2N/A default all zone keys that have private key files in the
2N/A current directory.
2N/A </p></dd>
2N/A</dl></div>
2N/A</div>
2N/A<div class="refsect1" lang="en">
2N/A<a name="id2514874"></a><h2>EXAMPLE</h2>
2N/A<p>
2N/A The following command signs the <strong class="userinput"><code>example.com</code></strong>
2N/A zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span>
2N/A man page. The zone's keys must be in the zone. If there are
2N/A <code class="filename">keyset</code> files associated with child
2N/A zones,
2N/A they must be in the current directory.
2N/A <strong class="userinput"><code>example.com</code></strong>, the following command would be
2N/A issued:
2N/A </p>
2N/A<p><strong class="userinput"><code>dnssec-signzone -o example.com db.example.com
2N/A Kexample.com.+003+26160</code></strong>
2N/A </p>
2N/A<p>
2N/A The command would print a string of the form:
2N/A </p>
2N/A<p>
2N/A In this example, <span><strong class="command">dnssec-signzone</strong></span> creates
2N/A the file <code class="filename">db.example.com.signed</code>. This
2N/A file
2N/A should be referenced in a zone statement in a
2N/A <code class="filename">named.conf</code> file.
2N/A </p>
2N/A</div>
2N/A<div class="refsect1" lang="en">
2N/A<a name="id2514922"></a><h2>SEE ALSO</h2>
2N/A<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
2N/A <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
2N/A <em class="citetitle">RFC 2535</em>.
2N/A </p>
2N/A</div>
2N/A<div class="refsect1" lang="en">
2N/A<a name="id2514947"></a><h2>AUTHOR</h2>
2N/A<p><span class="corpauthor">Internet Systems Consortium</span>
2N/A </p>
2N/A</div>
2N/A</div></body>
2N/A</html>
2N/A