2N/A - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") 2N/A - Copyright (C) 2000-2003 Internet Software Consortium. 2N/A - Permission to use, copy, modify, and distribute this software for any 2N/A - purpose with or without fee is hereby granted, provided that the above 2N/A - copyright notice and this permission notice appear in all copies. 2N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 2N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 2N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 2N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 2N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 2N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 2N/A - PERFORMANCE OF THIS SOFTWARE. 2N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
2N/A<
title>dnssec-signzone</
title>
2N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.68.1">
2N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><
div class="refentry" lang="en">
2N/A<
a name="id2456836"></
a><
div class="titlepage"></
div>
2N/A<
div class="refnamediv">
2N/A<
p><
span class="application">dnssec-signzone</
span> — DNSSEC zone signing tool</
p>
2N/A<
div class="refsynopsisdiv">
2N/A<
div class="cmdsynopsis"><
p><
code class="command">dnssec-signzone</
code> [<
code class="option">-a</
code>] [<
code class="option">-c <
em class="replaceable"><
code>class</
code></
em></
code>] [<
code class="option">-d <
em class="replaceable"><
code>directory</
code></
em></
code>] [<
code class="option">-e <
em class="replaceable"><
code>end-time</
code></
em></
code>] [<
code class="option">-f <
em class="replaceable"><
code>output-file</
code></
em></
code>] [<
code class="option">-g</
code>] [<
code class="option">-h</
code>] [<
code class="option">-k <
em class="replaceable"><
code>key</
code></
em></
code>] [<
code class="option">-l <
em class="replaceable"><
code>domain</
code></
em></
code>] [<
code class="option">-i <
em class="replaceable"><
code>interval</
code></
em></
code>] [<
code class="option">-j <
em class="replaceable"><
code>jitter</
code></
em></
code>] [<
code class="option">-n <
em class="replaceable"><
code>nthreads</
code></
em></
code>] [<
code class="option">-o <
em class="replaceable"><
code>origin</
code></
em></
code>] [<
code class="option">-p</
code>] [<
code class="option">-r <
em class="replaceable"><
code>randomdev</
code></
em></
code>] [<
code class="option">-s <
em class="replaceable"><
code>start-time</
code></
em></
code>] [<
code class="option">-t</
code>] [<
code class="option">-v <
em class="replaceable"><
code>level</
code></
em></
code>] [<
code class="option">-z</
code>] {zonefile} [key...]</
p></
div>
2N/A<
div class="refsect1" lang="en">
2N/A<
a name="id2514329"></
a><
h2>DESCRIPTION</
h2>
2N/A<
p><
span><
strong class="command">dnssec-signzone</
strong></
span>
2N/A signs a zone. It generates
2N/A NSEC and RRSIG records and produces a signed version of the
2N/A zone. The security status of delegations from the signed zone
2N/A (that is, whether the child zones are secure or not) is
2N/A determined by the presence or absence of a
2N/A <
code class="filename">keyset</
code> file for each child zone.
2N/A<
div class="refsect1" lang="en">
2N/A<
a name="id2514344"></
a><
h2>OPTIONS</
h2>
2N/A<
div class="variablelist"><
dl>
2N/A<
dt><
span class="term">-a</
span></
dt>
2N/A Verify all generated signatures.
2N/A<
dt><
span class="term">-c <
em class="replaceable"><
code>class</
code></
em></
span></
dt>
2N/A Specifies the DNS class of the zone.
2N/A<
dt><
span class="term">-k <
em class="replaceable"><
code>key</
code></
em></
span></
dt>
2N/A Treat specified key as a key signing key ignoring any
2N/A key flags. This option may be specified multiple times.
2N/A<
dt><
span class="term">-l <
em class="replaceable"><
code>domain</
code></
em></
span></
dt>
2N/A Generate a DLV set in addition to the key (DNSKEY) and DS sets.
2N/A The domain is appended to the name of the records.
2N/A<
dt><
span class="term">-d <
em class="replaceable"><
code>directory</
code></
em></
span></
dt>
2N/A Look for <
code class="filename">keyset</
code> files in
2N/A <
code class="option">directory</
code> as the directory
2N/A<
dt><
span class="term">-g</
span></
dt>
2N/A Generate DS records for child zones from keyset files.
2N/A Existing DS records will be removed.
2N/A<
dt><
span class="term">-s <
em class="replaceable"><
code>start-time</
code></
em></
span></
dt>
2N/A Specify the date and time when the generated RRSIG records
2N/A become valid. This can be either an absolute or relative
2N/A time. An absolute start time is indicated by a number
2N/A in YYYYMMDDHHMMSS notation; 20000530144500 denotes
2N/A 14:45:00 UTC on May 30th, 2000. A relative start time is
2N/A indicated by +N, which is N seconds from the current time.
2N/A If no <
code class="option">start-time</
code> is specified, the current
2N/A time minus 1 hour (to allow for clock skew) is used.
2N/A<
dt><
span class="term">-e <
em class="replaceable"><
code>end-time</
code></
em></
span></
dt>
2N/A Specify the date and time when the generated RRSIG records
2N/A expire. As with <
code class="option">start-time</
code>, an absolute
2N/A time is indicated in YYYYMMDDHHMMSS notation. A time relative
2N/A to the start time is indicated with +N, which is N seconds from
2N/A the start time. A time relative to the current time is
2N/A indicated with now+N. If no <
code class="option">end-time</
code> is
2N/A specified, 30 days from the start time is used as a default.
2N/A<
dt><
span class="term">-f <
em class="replaceable"><
code>output-file</
code></
em></
span></
dt>
2N/A The name of the output file containing the signed zone. The
2N/A default is to append <
code class="filename">.signed</
code> to
2N/A<
dt><
span class="term">-h</
span></
dt>
2N/A Prints a short summary of the options and arguments to
2N/A <
span><
strong class="command">dnssec-signzone</
strong></
span>.
2N/A<
dt><
span class="term">-i <
em class="replaceable"><
code>interval</
code></
em></
span></
dt>
2N/A When a previously signed zone is passed as input, records
2N/A may be resigned. The <
code class="option">interval</
code> option
2N/A specifies the cycle interval as an offset from the current
2N/A time (in seconds). If a RRSIG record expires after the
2N/A cycle interval, it is retained. Otherwise, it is considered
2N/A to be expiring soon, and it will be replaced.
2N/A The default cycle interval is one quarter of the difference
2N/A between the signature end and start times. So if neither
2N/A <
code class="option">end-time</
code> or <
code class="option">start-time</
code>
2N/A are specified, <
span><
strong class="command">dnssec-signzone</
strong></
span>
2N/A signatures that are valid for 30 days, with a cycle
2N/A interval of 7.5 days. Therefore, if any existing RRSIG records
2N/A are due to expire in less than 7.5 days, they would be
2N/A<
dt><
span class="term">-j <
em class="replaceable"><
code>jitter</
code></
em></
span></
dt>
2N/A When signing a zone with a fixed signature lifetime, all
2N/A RRSIG records issued at the time of signing expires
2N/A simultaneously. If the zone is incrementally signed,
i.e. 2N/A a previously signed zone is passed as input to the signer,
2N/A all expired signatures has to be regenerated at about the
2N/A same time. The <
code class="option">jitter</
code> option specifies a
2N/A jitter window that will be used to randomize the signature
2N/A expire time, thus spreading incremental signature
2N/A regeneration over time.
2N/A Signature lifetime jitter also to some extent benefits
2N/A validators and servers by spreading out cache expiration,
2N/A i.e. if large numbers of RRSIGs don't expire at the same time
2N/A from all caches there will be less congestion than if all
2N/A validators need to refetch at mostly the same time.
2N/A<
dt><
span class="term">-n <
em class="replaceable"><
code>ncpus</
code></
em></
span></
dt>
2N/A Specifies the number of threads to use. By default, one
2N/A thread is started for each detected CPU.
2N/A<
dt><
span class="term">-o <
em class="replaceable"><
code>origin</
code></
em></
span></
dt>
2N/A The zone origin. If not specified, the name of the zone file
2N/A is assumed to be the origin.
2N/A<
dt><
span class="term">-p</
span></
dt>
2N/A Use pseudo-random data when signing the zone. This is faster,
2N/A but less secure, than using real random data. This option
2N/A may be useful when signing large zones or when the entropy
2N/A<
dt><
span class="term">-r <
em class="replaceable"><
code>randomdev</
code></
em></
span></
dt>
2N/A Specifies the source of randomness. If the operating
2N/A system does not provide a <
code class="filename">/
dev/
random</
code>
2N/A or equivalent device, the default source of randomness
2N/A is keyboard input. <
code class="filename">randomdev</
code>
2N/A the name of a character device or file containing random
2N/A data to be used instead of the default. The special value
2N/A <
code class="filename">keyboard</
code> indicates that keyboard
2N/A input should be used.
2N/A<
dt><
span class="term">-t</
span></
dt>
2N/A Print statistics at completion.
2N/A<
dt><
span class="term">-v <
em class="replaceable"><
code>level</
code></
em></
span></
dt>
2N/A Sets the debugging level.
2N/A<
dt><
span class="term">-z</
span></
dt>
2N/A Ignore KSK flag on key when determining what to sign.
2N/A<
dt><
span class="term">zonefile</
span></
dt>
2N/A The file containing the zone to be signed.
2N/A Sets the debugging level.
2N/A<
dt><
span class="term">key</
span></
dt>
2N/A The keys used to sign the zone. If no keys are specified, the
2N/A default all zone keys that have private key files in the
2N/A<
div class="refsect1" lang="en">
2N/A<
a name="id2514874"></
a><
h2>EXAMPLE</
h2>
2N/A The following command signs the <
strong class="userinput"><
code>
example.com</
code></
strong>
2N/A zone with the DSA key generated in the <
span><
strong class="command">dnssec-keygen</
strong></
span>
2N/A man page. The zone's keys must be in the zone. If there are
2N/A <
code class="filename">keyset</
code> files associated with child
2N/A they must be in the current directory.
2N/A <
strong class="userinput"><
code>
example.com</
code></
strong>, the following command would be
2N/A The command would print a string of the form:
2N/A In this example, <
span><
strong class="command">dnssec-signzone</
strong></
span> creates
2N/A should be referenced in a zone statement in a
2N/A<
div class="refsect1" lang="en">
2N/A<
a name="id2514922"></
a><
h2>SEE ALSO</
h2>
2N/A<
p><
span class="citerefentry"><
span class="refentrytitle">dnssec-keygen</
span>(8)</
span>,
2N/A <
em class="citetitle">BIND 9 Administrator Reference Manual</
em>,
2N/A <
em class="citetitle">RFC 2535</
em>.
2N/A<
div class="refsect1" lang="en">
2N/A<
a name="id2514947"></
a><
h2>AUTHOR</
h2>
2N/A<
p><
span class="corpauthor">Internet Systems Consortium</
span>