6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence<html>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<head>

5d3cca55ebb009e337c1093bf67cef0d52ec97eeMichael Graff<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

e1cc8e9a0828f3239009bc8c6b0adf61ca1e2ef6Michael Graff<title>dnssec-signzone</title>

e1cc8e9a0828f3239009bc8c6b0adf61ca1e2ef6Michael Graff<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews</head>

854d0238dbc2908490197984b3b9d558008a53dfMark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">

854d0238dbc2908490197984b3b9d558008a53dfMark Andrews<a name="man.dnssec-signzone"></a><div class="titlepage"></div>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<div class="refnamediv">

6324997211a5e2d82528dcde98e8981190a35faeMichael Graff<h2>Name</h2>

6324997211a5e2d82528dcde98e8981190a35faeMichael Graff<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>

3ddd814a97de1d152ba0913c592d6e6dc83d38a6Michael Graff</div>

6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence<div class="refsynopsisdiv">

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<h2>Synopsis</h2>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews</div>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<div class="refsect1" lang="en">

e1cc8e9a0828f3239009bc8c6b0adf61ca1e2ef6Michael Graff<a name="id2543626"></a><h2>DESCRIPTION</h2>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<p><span><strong class="command">dnssec-signzone</strong></span>

e1cc8e9a0828f3239009bc8c6b0adf61ca1e2ef6Michael Graff signs a zone. It generates

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews NSEC and RRSIG records and produces a signed version of the

34b394b43e2207e8f8f3703f0402422121455638David Lawrence zone. The security status of delegations from the signed zone

34b394b43e2207e8f8f3703f0402422121455638David Lawrence (that is, whether the child zones are secure or not) is

34b394b43e2207e8f8f3703f0402422121455638David Lawrence determined by the presence or absence of a

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews <code class="filename">keyset</code> file for each child zone.

c661868379d709416c773f6d53b5cec69c88e00fMark Andrews </p>

34b394b43e2207e8f8f3703f0402422121455638David Lawrence</div>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<div class="refsect1" lang="en">

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<a name="id2543641"></a><h2>OPTIONS</h2>

34b394b43e2207e8f8f3703f0402422121455638David Lawrence<div class="variablelist"><dl>

34b394b43e2207e8f8f3703f0402422121455638David Lawrence<dt><span class="term">-a</span></dt>

34b394b43e2207e8f8f3703f0402422121455638David Lawrence<dd><p>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews Verify all generated signatures.

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews </p></dd>

6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dd><p>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews Specifies the DNS class of the zone.

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews </p></dd>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dt><span class="term">-C</span></dt>

3ddd814a97de1d152ba0913c592d6e6dc83d38a6Michael Graff<dd><p>

6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence Compatibility mode: Generate a

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews file in addition to

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>

0e8cf9a887c70f96ac448b06c069d90b830215ccMark Andrews when signing a zone, for use by older versions of

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews <span><strong class="command">dnssec-signzone</strong></span>.

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews </p></dd>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dd><p>

0e8cf9a887c70f96ac448b06c069d90b830215ccMark Andrews Look for <code class="filename">dsset-</code> or

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews <code class="filename">keyset-</code> files in <code class="option">directory</code>.

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews </p></dd>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dt><span class="term">-D</span></dt>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dd><p>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews Output only those record types automatically managed by

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,

0e8cf9a887c70f96ac448b06c069d90b830215ccMark Andrews NSEC3 and NSEC3PARAM records. If smart signing

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews (<code class="option">-S</code>) is used, DNSKEY records are also

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews included. The resulting file can be included in the original

5fc7ba3e1ac5d72239e9971e0f469dd5796738f9Andreas Gustafsson zone file with <span><strong class="command">$INCLUDE</strong></span>. This option

e1cc8e9a0828f3239009bc8c6b0adf61ca1e2ef6Michael Graff cannot be combined with <code class="option">-O raw</code> or serial

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews number updating.

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews </p></dd>

3ddd814a97de1d152ba0913c592d6e6dc83d38a6Michael Graff<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>

6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence<dd><p>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews Uses a crypto hardware (OpenSSL engine) for the crypto operations

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews it supports, for instance signing with private keys from

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews a secure key store. When compiled with PKCS#11 support

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews it defaults to pkcs11; the empty name resets it to no engine.

e1cc8e9a0828f3239009bc8c6b0adf61ca1e2ef6Michael Graff </p></dd>

e1cc8e9a0828f3239009bc8c6b0adf61ca1e2ef6Michael Graff<dt><span class="term">-g</span></dt>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dd><p>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews Generate DS records for child zones from

94a08e09db3dc844b6ee4841c368a2d7074a9c3fAndreas Gustafsson <code class="filename">dsset-</code> or <code class="filename">keyset-</code>

1ef8965366d91e02a4672c35a187d30aa4a4c72cMark Andrews file. Existing DS records will be removed.

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews </p></dd>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>

6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence<dd><p>

6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence Key repository: Specify a directory to search for DNSSEC keys.

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews If not specified, defaults to the current directory.

419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graff </p></dd>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>

419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graff<dd><p>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews Treat specified key as a key signing key ignoring any

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews key flags. This option may be specified multiple times.

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews </p></dd>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dd><p>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews Generate a DLV set in addition to the key (DNSKEY) and DS sets.

3ddd814a97de1d152ba0913c592d6e6dc83d38a6Michael Graff The domain is appended to the name of the records.

6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence </p></dd>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dd><p>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews Specify the date and time when the generated RRSIG records

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews become valid. This can be either an absolute or relative

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews time. An absolute start time is indicated by a number

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews in YYYYMMDDHHMMSS notation; 20000530144500 denotes

94a08e09db3dc844b6ee4841c368a2d7074a9c3fAndreas Gustafsson 14:45:00 UTC on May 30th, 2000. A relative start time is

6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence indicated by +N, which is N seconds from the current time.

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews If no <code class="option">start-time</code> is specified, the current

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews time minus 1 hour (to allow for clock skew) is used.

419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graff </p></dd>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dd><p>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews Specify the date and time when the generated RRSIG records

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews expire. As with <code class="option">start-time</code>, an absolute

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews time is indicated in YYYYMMDDHHMMSS notation. A time relative

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews to the start time is indicated with +N, which is N seconds from

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews the start time. A time relative to the current time is

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews indicated with now+N. If no <code class="option">end-time</code> is

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews specified, 30 days from the start time is used as a default.

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews <code class="option">end-time</code> must be later than

4529cdaedaf1a0a5f8ff89aeca510b7a4475446cBob Halley <code class="option">start-time</code>.

6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence </p></dd>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dd>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<p>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews Specify the date and time when the generated RRSIG records

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews for the DNSKEY RRset will expire. This is to be used in cases

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews when the DNSKEY signatures need to persist longer than

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews signatures on other records; e.g., when the private component

d981ca645597116d227a48bf37cc5edc061c854dBob Halley of the KSK is kept offline and the KSK signature is to be

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews refreshed manually.

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews </p>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<p>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews As with <code class="option">start-time</code>, an absolute

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews time is indicated in YYYYMMDDHHMMSS notation. A time relative

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews to the start time is indicated with +N, which is N seconds from

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews the start time. A time relative to the current time is

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews indicated with now+N. If no <code class="option">extended end-time</code> is

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews specified, the value of <code class="option">end-time</code> is used as

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews the default. (<code class="option">end-time</code>, in turn, defaults to

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews 30 days from the start time.) <code class="option">extended end-time</code>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews must be later than <code class="option">start-time</code>.

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews </p>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews</dd>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dd><p>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews The name of the output file containing the signed zone. The

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews default is to append <code class="filename">.signed</code> to

7c0539bea56022274da04263eb41fbb5b8835c38Mark Andrews the input filename. If <code class="option">output-file</code> is

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews set to <code class="literal">"-"</code>, then the signed zone is

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews written to the standard output, with a default output

3ddd814a97de1d152ba0913c592d6e6dc83d38a6Michael Graff format of "full".

6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence </p></dd>

373ce67419680a398ba3dc51a14a486caaf0afb0Mark Andrews<dt><span class="term">-h</span></dt>

373ce67419680a398ba3dc51a14a486caaf0afb0Mark Andrews<dd><p>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews Prints a short summary of the options and arguments to

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews <span><strong class="command">dnssec-signzone</strong></span>.

373ce67419680a398ba3dc51a14a486caaf0afb0Mark Andrews </p></dd>

373ce67419680a398ba3dc51a14a486caaf0afb0Mark Andrews<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>

373ce67419680a398ba3dc51a14a486caaf0afb0Mark Andrews<dd>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<p>

373ce67419680a398ba3dc51a14a486caaf0afb0Mark Andrews When a previously-signed zone is passed as input, records

373ce67419680a398ba3dc51a14a486caaf0afb0Mark Andrews may be resigned. The <code class="option">interval</code> option

373ce67419680a398ba3dc51a14a486caaf0afb0Mark Andrews specifies the cycle interval as an offset from the current

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews time (in seconds). If a RRSIG record expires after the

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews cycle interval, it is retained. Otherwise, it is considered

3ddd814a97de1d152ba0913c592d6e6dc83d38a6Michael Graff to be expiring soon, and it will be replaced.

6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence </p>

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews<p>

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews The default cycle interval is one quarter of the difference

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews between the signature end and start times. So if neither

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews <code class="option">end-time</code> or <code class="option">start-time</code>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews are specified, <span><strong class="command">dnssec-signzone</strong></span>

94a3bcd132e515b4baa0884ba9dd0f361d2e17bcMark Andrews generates

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews signatures that are valid for 30 days, with a cycle

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews interval of 7.5 days. Therefore, if any existing RRSIG records

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews are due to expire in less than 7.5 days, they would be

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews replaced.

82ca33427bdd4f3bc4ed3431e86bd810fe751674Andreas Gustafsson </p>

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews</dd>

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews<dd><p>

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews The format of the input zone file.

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews Possible formats are <span><strong class="command">"text"</strong></span> (default)

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews and <span><strong class="command">"raw"</strong></span>.

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews This option is primarily intended to be used for dynamic

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews signed zones so that the dumped zone file in a non-text

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews format containing updates can be signed directly.

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews The use of this option does not make much sense for

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews non-dynamic zones.

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews </p></dd>

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>

1c3191528684f3dd93ebb122298c2f8ebfc6d397Mark Andrews<dd>

94a3bcd132e515b4baa0884ba9dd0f361d2e17bcMark Andrews<p>

4529cdaedaf1a0a5f8ff89aeca510b7a4475446cBob Halley When signing a zone with a fixed signature lifetime, all

6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence RRSIG records issued at the time of signing expires

94a3bcd132e515b4baa0884ba9dd0f361d2e17bcMark Andrews simultaneously. If the zone is incrementally signed, i.e.

94a3bcd132e515b4baa0884ba9dd0f361d2e17bcMark Andrews a previously-signed zone is passed as input to the signer,

94a3bcd132e515b4baa0884ba9dd0f361d2e17bcMark Andrews all expired signatures have to be regenerated at about the

94a3bcd132e515b4baa0884ba9dd0f361d2e17bcMark Andrews same time. The <code class="option">jitter</code> option specifies a

82ca33427bdd4f3bc4ed3431e86bd810fe751674Andreas Gustafsson jitter window that will be used to randomize the signature

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews expire time, thus spreading incremental signature

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews regeneration over time.

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews </p>

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews<p>

9281e7aa775026dc47c01745fdcc438645146877Mark Andrews Signature lifetime jitter also to some extent benefits

94a3bcd132e515b4baa0884ba9dd0f361d2e17bcMark Andrews validators and servers by spreading out cache expiration,

d981ca645597116d227a48bf37cc5edc061c854dBob Halley i.e. if large numbers of RRSIGs don't expire at the same time

3ddd814a97de1d152ba0913c592d6e6dc83d38a6Michael Graff from all caches there will be less congestion than if all

6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence validators need to refetch at mostly the same time.

b1bc194f94c0b3cbc5999582f08e8d7a20b91e2eBob Halley </p>

b1bc194f94c0b3cbc5999582f08e8d7a20b91e2eBob Halley</dd>

b1bc194f94c0b3cbc5999582f08e8d7a20b91e2eBob Halley<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>

d981ca645597116d227a48bf37cc5edc061c854dBob Halley<dd><p>

d981ca645597116d227a48bf37cc5edc061c854dBob Halley When writing a signed zone to 'raw' format, set the "source serial"

b1bc194f94c0b3cbc5999582f08e8d7a20b91e2eBob Halley value in the header to the specified serial number. (This is

b1bc194f94c0b3cbc5999582f08e8d7a20b91e2eBob Halley expected to be used primarily for testing purposes.)

b1bc194f94c0b3cbc5999582f08e8d7a20b91e2eBob Halley </p></dd>

b1bc194f94c0b3cbc5999582f08e8d7a20b91e2eBob Halley<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>

d981ca645597116d227a48bf37cc5edc061c854dBob Halley<dd><p>

b1bc194f94c0b3cbc5999582f08e8d7a20b91e2eBob Halley Specifies the number of threads to use. By default, one

d981ca645597116d227a48bf37cc5edc061c854dBob Halley thread is started for each detected CPU.

d981ca645597116d227a48bf37cc5edc061c854dBob Halley </p></dd>

3ddd814a97de1d152ba0913c592d6e6dc83d38a6Michael Graff<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>

6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence<dd>

e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley<p>

e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley The SOA serial number format of the signed zone.

e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley Possible formats are <span><strong class="command">"keep"</strong></span> (default),

e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley <span><strong class="command">"increment"</strong></span> and

e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley <span><strong class="command">"unixtime"</strong></span>.

e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley </p>

e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley<div class="variablelist"><dl>

e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>

e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley<dd><p>Do not modify the SOA serial number.</p></dd>

f31f0b63cbe841720f154c570bcdede9d79e64b8Michael Graff<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>

e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley<dd><p>Increment the SOA serial number using RFC 1982

e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley arithmetics.</p></dd>

64339caa4380e3df1a789ac328e616df434ed61fDavid Lawrence<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>

e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley<dd><p>Set the SOA serial number to the number of seconds

e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley since epoch.</p></dd>

e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley</dl></div>

854d0238dbc2908490197984b3b9d558008a53dfMark Andrews</dd>

<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>

<dd><p>

The zone origin. If not specified, the name of the zone file

is assumed to be the origin.

</p></dd>

<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>

<dd><p>

The format of the output file containing the signed zone.

Possible formats are <span><strong class="command">"text"</strong></span> (default)

<span><strong class="command">"full"</strong></span>, which is text output in a

format suitable for processing by external scripts,

and <span><strong class="command">"raw"</strong></span> or <span><strong class="command">"raw=N"</strong></span>,

which store the zone in a binary format for rapid loading

by <span><strong class="command">named</strong></span>. <span><strong class="command">"raw=N"</strong></span>

specifies the format version of the raw zone file: if N

is 0, the raw file can be read by any version of

<span><strong class="command">named</strong></span>; if N is 1, the file can be

read by release 9.9.0 or higher. The default is 1.

</p></dd>

<dt><span class="term">-p</span></dt>

<dd><p>

Use pseudo-random data when signing the zone. This is faster,

but less secure, than using real random data. This option

may be useful when signing large zones or when the entropy

source is limited.

</p></dd>

<dt><span class="term">-P</span></dt>

<dd>

<p>

Disable post sign verification tests.

</p>

<p>

The post sign verification test ensures that for each algorithm

in use there is at least one non revoked self signed KSK key,

that all revoked KSK keys are self signed, and that all records

in the zone are signed by the algorithm.

This option skips these tests.

</p>

</dd>

<dt><span class="term">-R</span></dt>

<dd>

<p>

Remove signatures from keys that no longer exist.

</p>

<p>

Normally, when a previously-signed zone is passed as input

to the signer, and a DNSKEY record has been removed and

replaced with a new one, signatures from the old key

that are still within their validity period are retained.

This allows the zone to continue to validate with cached

copies of the old DNSKEY RRset. The <code class="option">-R</code> forces

<span><strong class="command">dnssec-signzone</strong></span> to remove all orphaned

signatures.

</p>

</dd>

<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>

<dd><p>

Specifies the source of randomness. If the operating

system does not provide a <code class="filename">/dev/random</code>

or equivalent device, the default source of randomness

is keyboard input. <code class="filename">randomdev</code>

specifies

the name of a character device or file containing random

data to be used instead of the default. The special value

<code class="filename">keyboard</code> indicates that keyboard

input should be used.

</p></dd>

<dt><span class="term">-S</span></dt>

<dd>

<p>

Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to

search the key repository for keys that match the zone being

signed, and to include them in the zone if appropriate.

</p>

<p>

When a key is found, its timing metadata is examined to

determine how it should be used, according to the following

rules. Each successive rule takes priority over the prior

ones:

</p>

<div class="variablelist"><dl>

<dt></dt>

<dd><p>

If no timing metadata has been set for the key, the key is

published in the zone and used to sign the zone.

</p></dd>

<dt></dt>

<dd><p>

If the key's publication date is set and is in the past, the

key is published in the zone.

</p></dd>

<dt></dt>

<dd><p>

If the key's activation date is set and in the past, the

key is published (regardless of publication date) and

used to sign the zone.

</p></dd>

<dt></dt>

<dd><p>

If the key's revocation date is set and in the past, and the

key is published, then the key is revoked, and the revoked key

is used to sign the zone.

</p></dd>

<dt></dt>

<dd><p>

If either of the key's unpublication or deletion dates are set

and in the past, the key is NOT published or used to sign the

zone, regardless of any other metadata.

</p></dd>

</dl></div>

</dd>

<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>

<dd><p>

Specifies a TTL to be used for new DNSKEY records imported

into the zone from the key repository. If not

specified, the default is the TTL value from the zone's SOA

record. This option is ignored when signing without

<code class="option">-S</code>, since DNSKEY records are not imported

from the key repository in that case. It is also ignored if

there are any pre-existing DNSKEY records at the zone apex,

in which case new records' TTL values will be set to match

them, or if any of the imported DNSKEY records had a default

TTL value. In the event of a a conflict between TTL values in

imported keys, the shortest one is used.

</p></dd>

<dt><span class="term">-t</span></dt>

<dd><p>

Print statistics at completion.

</p></dd>

<dt><span class="term">-u</span></dt>

<dd><p>

Update NSEC/NSEC3 chain when re-signing a previously signed

zone. With this option, a zone signed with NSEC can be

switched to NSEC3, or a zone signed with NSEC3 can

be switch to NSEC or to NSEC3 with different parameters.

Without this option, <span><strong class="command">dnssec-signzone</strong></span> will

retain the existing chain when re-signing.

</p></dd>

<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>

<dd><p>

Sets the debugging level.

</p></dd>

<dt><span class="term">-x</span></dt>

<dd><p>

Only sign the DNSKEY RRset with key-signing keys, and omit

signatures from zone-signing keys. (This is similar to the

<span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in

<span><strong class="command">named</strong></span>.)

</p></dd>

<dt><span class="term">-z</span></dt>

<dd><p>

Ignore KSK flag on key when determining what to sign. This

causes KSK-flagged keys to sign all records, not just the

DNSKEY RRset. (This is similar to the

<span><strong class="command">update-check-ksk no;</strong></span> zone option in

<span><strong class="command">named</strong></span>.)

</p></dd>

<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>

<dd><p>

Generate an NSEC3 chain with the given hex encoded salt.

A dash (<em class="replaceable"><code>salt</code></em>) can

be used to indicate that no salt is to be used when generating the NSEC3 chain.

</p></dd>

<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>

<dd><p>

When generating an NSEC3 chain, use this many interations. The

default is 10.

</p></dd>

<dt><span class="term">-A</span></dt>

<dd>

<p>

When generating an NSEC3 chain set the OPTOUT flag on all

NSEC3 records and do not generate NSEC3 records for insecure

delegations.

</p>

<p>

Using this option twice (i.e., <code class="option">-AA</code>)

turns the OPTOUT flag off for all records. This is useful

when using the <code class="option">-u</code> option to modify an NSEC3

chain which previously had OPTOUT set.

</p>

</dd>

<dt><span class="term">zonefile</span></dt>

<dd><p>

The file containing the zone to be signed.

</p></dd>

<dt><span class="term">key</span></dt>

<dd><p>

Specify which keys should be used to sign the zone. If

no keys are specified, then the zone will be examined

for DNSKEY records at the zone apex. If these are found and

there are matching private keys, in the current directory,

then these will be used for signing.

</p></dd>

</dl></div>

</div>

<div class="refsect1" lang="en">

<a name="id2545127"></a><h2>EXAMPLE</h2>

<p>

The following command signs the <strong class="userinput"><code>example.com</code></strong>

zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>

(Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option

is not being used, the zone's keys must be in the master file

(<code class="filename">db.example.com</code>). This invocation looks

for <code class="filename">dsset</code> files, in the current directory,

so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).

</p>

<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \

Kexample.com.+003+17247

%</pre>

<p>

In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates

the file <code class="filename">db.example.com.signed</code>. This

file should be referenced in a zone statement in a

<code class="filename">named.conf</code> file.

</p>

<p>

This example re-signs a previously signed zone with default parameters.

The private keys are assumed to be in the current directory.

</p>

<pre class="programlisting">% cp db.example.com.signed db.example.com

% dnssec-signzone -o example.com db.example.com

%</pre>

</div>

<div class="refsect1" lang="en">

<a name="id2545182"></a><h2>SEE ALSO</h2>

<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,

<em class="citetitle">BIND 9 Administrator Reference Manual</em>,

<em class="citetitle">RFC 4033</em>.

</p>

</div>

<div class="refsect1" lang="en">

<a name="id2545207"></a><h2>AUTHOR</h2>

<p><span class="corpauthor">Internet Systems Consortium</span>

</p>

</div>

</div></body>

</html>