dnssec-signzone.html revision c52dde922980a55e22f6f9f9f97544922a9d67f8
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith - Copyright (C) 2000-2009, 2011-2017 Internet Systems Consortium, Inc. ("ISC")
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith - This Source Code Form is subject to the terms of the Mozilla Public
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith - License, v. 2.0. If a copy of the MPL was not distributed with this
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith - file, You can obtain one at http://mozilla.org/MPL/2.0/.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith — DNSSEC zone signing tool
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-k <em class="replaceable"><code>key</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>]
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <p><span class="command"><strong>dnssec-signzone</strong></span>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith signs a zone. It generates
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith NSEC and RRSIG records and produces a signed version of the
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith zone. The security status of delegations from the signed zone
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith (that is, whether the child zones are secure or not) is
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith determined by the presence or absence of a
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <code class="filename">keyset</code> file for each child zone.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <div class="variablelist"><dl class="variablelist">
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Verify all generated signatures.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Specifies the DNS class of the zone.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Compatibility mode: Generate a
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith file in addition to
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith when signing a zone, for use by older versions of
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <span class="command"><strong>dnssec-signzone</strong></span>.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <code class="filename">keyset-</code> files in <code class="option">directory</code>.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Output only those record types automatically managed by
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith NSEC3 and NSEC3PARAM records. If smart signing
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith (<code class="option">-S</code>) is used, DNSKEY records are also
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith included. The resulting file can be included in the original
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith cannot be combined with <code class="option">-O raw</code>,
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <code class="option">-O map</code>, or serial number updating.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith When applicable, specifies the hardware to use for
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith cryptographic operations, such as a secure key store used
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith for signing.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith When BIND is built with OpenSSL PKCS#11 support, this defaults
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith to the string "pkcs11", which identifies an OpenSSL engine
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith that can drive a cryptographic accelerator or hardware service
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith module. When BIND is built with native PKCS#11 cryptography
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith (--enable-native-pkcs11), it defaults to the path of the PKCS#11
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith provider library specified via "--with-pkcs11".
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Generate DS records for child zones from
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith file. Existing DS records will be removed.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Key repository: Specify a directory to search for DNSSEC keys.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith If not specified, defaults to the current directory.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Treat specified key as a key signing key ignoring any
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith key flags. This option may be specified multiple times.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Generate a DLV set in addition to the key (DNSKEY) and DS sets.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith The domain is appended to the name of the records.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Sets the maximum TTL for the signed zone.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith in the output. This provides certainty as to the largest
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith possible TTL in the signed zone, which is useful to know when
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith rolling keys because it is the longest possible time before
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith signatures that have been retrieved by resolvers will expire
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith from resolver caches. Zones that are signed with this
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith option should be configured to use a matching
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith (Note: This option is incompatible with <code class="option">-D</code>,
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith because it modifies non-DNSSEC data in the output zone.)
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Specify the date and time when the generated RRSIG records
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith become valid. This can be either an absolute or relative
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith time. An absolute start time is indicated by a number
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith in YYYYMMDDHHMMSS notation; 20000530144500 denotes
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith 14:45:00 UTC on May 30th, 2000. A relative start time is
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith indicated by +N, which is N seconds from the current time.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith If no <code class="option">start-time</code> is specified, the current
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith time minus 1 hour (to allow for clock skew) is used.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Specify the date and time when the generated RRSIG records
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith expire. As with <code class="option">start-time</code>, an absolute
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith time is indicated in YYYYMMDDHHMMSS notation. A time relative
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith to the start time is indicated with +N, which is N seconds from
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith the start time. A time relative to the current time is
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith indicated with now+N. If no <code class="option">end-time</code> is
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith specified, 30 days from the start time is used as a default.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <code class="option">end-time</code> must be later than
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Specify the date and time when the generated RRSIG records
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith for the DNSKEY RRset will expire. This is to be used in cases
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith when the DNSKEY signatures need to persist longer than
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith signatures on other records; e.g., when the private component
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith of the KSK is kept offline and the KSK signature is to be
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith refreshed manually.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith As with <code class="option">start-time</code>, an absolute
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith time is indicated in YYYYMMDDHHMMSS notation. A time relative
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith to the start time is indicated with +N, which is N seconds from
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith the start time. A time relative to the current time is
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith indicated with now+N. If no <code class="option">extended end-time</code> is
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith specified, the value of <code class="option">end-time</code> is used as
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith the default. (<code class="option">end-time</code>, in turn, defaults to
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith 30 days from the start time.) <code class="option">extended end-time</code>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith must be later than <code class="option">start-time</code>.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith The name of the output file containing the signed zone. The
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith default is to append <code class="filename">.signed</code> to
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith the input filename. If <code class="option">output-file</code> is
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith set to <code class="literal">"-"</code>, then the signed zone is
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith written to the standard output, with a default output
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith format of "full".
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Prints a short summary of the options and arguments to
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <span class="command"><strong>dnssec-signzone</strong></span>.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Prints version information.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith When a previously-signed zone is passed as input, records
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith may be resigned. The <code class="option">interval</code> option
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith specifies the cycle interval as an offset from the current
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith time (in seconds). If a RRSIG record expires after the
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith cycle interval, it is retained. Otherwise, it is considered
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith to be expiring soon, and it will be replaced.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith The default cycle interval is one quarter of the difference
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith between the signature end and start times. So if neither
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <code class="option">end-time</code> or <code class="option">start-time</code>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith are specified, <span class="command"><strong>dnssec-signzone</strong></span>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith signatures that are valid for 30 days, with a cycle
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith interval of 7.5 days. Therefore, if any existing RRSIG records
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith are due to expire in less than 7.5 days, they would be
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith The format of the input zone file.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Possible formats are <span class="command"><strong>"text"</strong></span> (default),
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith This option is primarily intended to be used for dynamic
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith signed zones so that the dumped zone file in a non-text
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith format containing updates can be signed directly.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith The use of this option does not make much sense for
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith non-dynamic zones.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith When signing a zone with a fixed signature lifetime, all
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith RRSIG records issued at the time of signing expires
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith simultaneously. If the zone is incrementally signed, i.e.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith a previously-signed zone is passed as input to the signer,
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith all expired signatures have to be regenerated at about the
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith same time. The <code class="option">jitter</code> option specifies a
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith jitter window that will be used to randomize the signature
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith expire time, thus spreading incremental signature
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith regeneration over time.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Signature lifetime jitter also to some extent benefits
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith validators and servers by spreading out cache expiration,
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith i.e. if large numbers of RRSIGs don't expire at the same time
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith from all caches there will be less congestion than if all
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith validators need to refetch at mostly the same time.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith When writing a signed zone to "raw" or "map" format, set the
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith "source serial" value in the header to the specified serial
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith number. (This is expected to be used primarily for testing
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Specifies the number of threads to use. By default, one
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith thread is started for each detected CPU.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith The SOA serial number format of the signed zone.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Possible formats are <span class="command"><strong>"keep"</strong></span> (default),
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <span class="command"><strong>"increment"</strong></span>, <span class="command"><strong>"unixtime"</strong></span>,
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith and <span class="command"><strong>"date"</strong></span>.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <div class="variablelist"><dl class="variablelist">
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <p>Increment the SOA serial number using RFC 1982
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith arithmetics.</p>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <p>Set the SOA serial number to the number of seconds
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith since epoch.</p>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term"><span class="command"><strong>"date"</strong></span></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <p>Set the SOA serial number to today's date in
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith YYYYMMDDNN format.</p>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith The zone origin. If not specified, the name of the zone file
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith is assumed to be the origin.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith The format of the output file containing the signed zone.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Possible formats are <span class="command"><strong>"text"</strong></span> (default),
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith which is the standard textual representation of the zone;
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <span class="command"><strong>"full"</strong></span>, which is text output in a
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith format suitable for processing by external scripts;
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith binary formats for rapid loading by <span class="command"><strong>named</strong></span>.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith <span class="command"><strong>"raw=N"</strong></span> specifies the format version of
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith the raw zone file: if N is 0, the raw file can be read by
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith can be read by release 9.9.0 or higher; the default is 1.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Use pseudo-random data when signing the zone. This is faster,
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith but less secure, than using real random data. This option
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith may be useful when signing large zones or when the entropy
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith source is limited.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Disable post sign verification tests.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith The post sign verification test ensures that for each algorithm
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith in use there is at least one non revoked self signed KSK key,
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith that all revoked KSK keys are self signed, and that all records
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith in the zone are signed by the algorithm.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith This option skips these tests.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Remove signatures from keys that are no longer active.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Normally, when a previously-signed zone is passed as input
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith to the signer, and a DNSKEY record has been removed and
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith replaced with a new one, signatures from the old key
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith that are still within their validity period are retained.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith This allows the zone to continue to validate with cached
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith copies of the old DNSKEY RRset. The <code class="option">-Q</code>
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith forces <span class="command"><strong>dnssec-signzone</strong></span> to remove
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith signatures from keys that are no longer active. This
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith enables ZSK rollover using the procedure described in
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith Remove signatures from keys that are no longer published.
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith This option is similar to <code class="option">-Q</code>, except it
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith forces <span class="command"><strong>dnssec-signzone</strong></span> to signatures from
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith keys that are no longer published. This enables ZSK rollover
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith using the procedure described in RFC 4641, section 4.2.1.2
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith ("Double Signature Zone Signing Key Rollover").
8c2f489baa38f019b839e9e6c460386af42c588dJohn Smith<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
Kexample.com.+003+17247