dnssec-signer.8.html revision 484076c3255e0cc5b179ad736cd930900e4bb06b
<!-- Creator : groff version 1.20.1 -->
<!-- CreationDate: Tue Aug 4 21:33:41 2009 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
<html>
<head>
p { margin-top: 0; margin-bottom: 0; vertical-align: top }
pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
table { margin-top: 0; margin-bottom: 0; vertical-align: top }
h1 { text-align: center }
</style>
<title>dnssec-signer</title>
</head>
<body>
<h1 align="center">dnssec-signer</h1>
<a href="#NAME">NAME</a><br>
<a href="#SYNOPSYS">SYNOPSYS</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#OPTIONS">OPTIONS</a><br>
<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
<a href="#Zone setup and initial preparation">Zone setup and initial preparation</a><br>
<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
<a href="#FILES">FILES</a><br>
<a href="#BUGS">BUGS</a><br>
<a href="#AUTHORS">AUTHORS</a><br>
<a href="#COPYRIGHT">COPYRIGHT</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>
<hr>
<h2>NAME
<a name="NAME"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">dnssec-signer
— Secure DNS zone signing tool</p>
<h2>SYNOPSYS
<a name="SYNOPSYS"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em"><b>dnssec-signer</b>
[<b>−L|--logfile</b> <i>file</i>]
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−fhnr</b>] [<b>−v</b>
[<i>zone ...</i>] <b><br>
dnssec-signer</b> [<b>−L|--logfile</b> <i>file</i>]
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−fhnr</b>] [<b>−v</b>
[<b>−v</b>]] [<b>−D</b> <i>directory</i>]
[<i>zone ...</i>] <b><br>
dnssec-signer</b> [<b>−L|--logfile</b> <i>file</i>]
[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
<i>file</i>] [<b>−fhnr</b>] [<b>−v</b>
[<b>−v</b>]] <b>−o</b> <i>origin</i>
[<i>zonefile</i>]</p>
<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">The
<i>dnssec-signer</i> command is a wrapper around
<i>dnssec-signzone(8)</i> and <i>dnssec-keygen(8)</i> to
sign a zone and manage the necessary zone keys. It is able
to increment the serial number before signing the zone and
can trigger <i>named(8)</i> to reload the signed zone file.
The command controls several secure zones and, if started in
regular intervals via <i>cron(8)</i>, can do all that stuff
automatically.</p>
<p style="margin-left:11%; margin-top: 1em">In the most
useful usage scenario the command will be called with option
<b>−N</b> to read the secure zones out of the given
with views, you have to use option -V viewname or --view
viewname to specify the name of the view. Alternatively you
could link the executable file to a second name like
<i>dnssec-signer-viewname</i> and use that command to
specify the name of the view. All master zone statements
will be scanned for filenames ending with
".signed". These zones will be checked if the
necessary zone- and key signing keys are existent and fresh
enough to be used in the signing process. If one or more
out-dated keys are found, new keying material will be
generated via the <i>dnssec-keygen(8)</i> command and the
old keys will be marked as depreciated. So the command do
anything needed for a zone key rollover as defined by
[2].</p>
<p style="margin-left:11%; margin-top: 1em">If the
resigning interval is reached or any new key must be
announced, the serial number of the zone will be incremented
and the <i>dnssec-signzone(8)</i> command will be evoked to
sign the zone. After that, if the option <b>−r</b> is
given, the <i>rndc(8)</i> command will be called to reload
the zone on the nameserver.</p>
<p style="margin-left:11%; margin-top: 1em">In the second
form of the command it is possible to specify a directory
tree with the option <b>−D</b> <i>dir</i>. Every
secure zone found in a subdirectory below <i>dir</i> will be
signed. However, it is also possible to reduce the signing
to those zones given as arguments. In directory mode the
pre-requisite is, that the directory name is exactly
(including the trailing dot) the same as the zone name.</p>
<p style="margin-left:11%; margin-top: 1em">In the last
form of the command, the functionality is more or less the
same as the <i>dnssec-signzone (8)</i> command. The
parameter specifies the zone file name and the option
<b>−o</b> takes the name of the zone.</p>
<p style="margin-left:11%; margin-top: 1em">If neither
<b>−N</b> nor <b>−D</b> nor <b>−o</b> is
given, then the default directory specified in the
be used as top level directory.</p>
<h2>OPTIONS
<a name="OPTIONS"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em"><b>−L</b>
<i>file|dir</i><b>,
−−logfile=</b><i>file|dir</i></p>
<p style="margin-left:22%;">Specify the name of a log file
or a directory where logfiles are created with a name like
argument is not an absolute path name and a zone directory
is specified in the config file, this will be prepended to
the given name. This option is also settable in the
<br>
The default is no file logging, but error logging to syslog
with facility <b>USER</b> at level <b>ERROR</b> is enabled
by default. These parameters are settable via the config
file parameter <b>SyslogFacility:</b><i>,</i>
<b>SyslogLevel:</b><i>,</i> <b>LogFile:</b> and
<b>Loglevel</b><i>.</i> <br>
There is an additional parameter <b>VerboseLog:</b> which
specifies the verbosity (0|1|2) of messages that will be
logged with level <b>DEBUG</b> to file and syslog.</p>
<p style="margin-left:11%;"><b>−V</b> <i>view</i><b>,
−−view=</b><i>view</i></p>
<p style="margin-left:22%;">Try to read the default
configuration out of a file named
<i>dnssec-<view>.conf .</i> Instead of specifying the
−V or --view option every time, it is also possible to
create a hard- or softlink to the executable file with an
additional name like <i>dnssec-zkt-<view> .</i></p>
<p style="margin-left:11%;"><b>−c</b> <i>file</i><b>,
−−config=</b><i>file</i></p>
<p style="margin-left:22%;">Read configuration values out
of the specified file. Otherwise the default config file is
read or build-in defaults will be used.</p>
<p style="margin-left:11%;"><b>−O</b>
<i>optstr</i><b>,
−−config-option=</b><i>optstr</i></p>
<p style="margin-left:22%;">Set any config file option via
the commandline. Several config file options can be
specified via the argument string but have to be delimited
by semicolon (or newline).</p>
<p style="margin-left:11%;"><b>−f</b>,
<b>−−force</b></p>
<p style="margin-left:22%;">Force a resigning of the zone,
regardless if the resigning interval is reached, or any new
keys must be announced.</p>
<p style="margin-left:11%;"><b>−n</b>,
<b>−−noexec</b></p>
<p style="margin-left:22%;">Don’t execute the
<i>dnssec-signzone(8)</i> command. Currently this option is
of very limited usage.</p>
<p style="margin-left:11%;"><b>−r</b>,
<b>−−reload</b></p>
<p style="margin-left:22%;">Reload the zone via
<i>rndc(8)</i> after successful signing. In a production
environment it is recommended to use this option to be sure
that a freshly signed zone will be immediately propagated.
However, that’s only feasable if named runs on the
signing machine, which is not recommended. Otherwise the
signed zonefile must be copied to the production server
before reloading the zone. If this is the case, the
must be set to a reasonable value.</p>
<p style="margin-left:11%;"><b>−v</b>,
<b>−−verbose</b></p>
<p style="margin-left:22%;">Verbose mode (recommended). A
second <b>−v</b> will be a little more verbose.</p>
<p style="margin-left:11%;"><b>−h</b>,
<b>−−help</b></p>
<p style="margin-left:22%;">Print out the online help.</p>
<h2>SAMPLE USAGE
<a name="SAMPLE USAGE"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em"><b>dnssec-signer
−v</b></p>
<p style="margin-left:22%;">Sign all secure zones found in
the named.conf file and, if necessary, trigger a reload of
the zone. Print some explanatory remarks on stdout.</p>
<p style="margin-left:11%;"><b>dnssec-signer −D
<p style="margin-left:22%;">Force the signing of the zone
reload the zone.</p>
<p style="margin-left:11%;"><b>dnssec-signer −D
<p style="margin-left:22%;">Same as above.</p>
<p style="margin-left:11%;"><b>dnssec-signer −f
<p style="margin-left:22%;">Same as above if the
<p style="margin-left:11%;"><b>dnssec-signer −f
<p style="margin-left:22%;">Same as above if we are in the
<p style="margin-left:11%;"><b>dnssec-signer
−−config-option=’ResignInterval 1d;
Sigvalidity 28h; \</b></p>
<p style="margin-left:22%;"><b>ZSK_lifetime 2d;’
Sign the example.net zone but override some config file
values with parameters given on the commandline.</p>
<h2>Zone setup and initial preparation
<a name="Zone setup and initial preparation"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">Create a
separate directory for every secure zone.</p>
<p style="margin-left:22%;">This is useful because there
are many additional files needed to secure a zone. Besides
current used keys, and the <i>dsset-</i> and
<i>keyset-</i>files created by the <i>dnssec-signzone(8)</i>
command. So in summary there is a minimum of nine files used
per secure zone. For every additional key there are two
extra files and every delegated subzone creates also two or
three files.</p>
<p style="margin-left:11%;">Name the directory just like
the zone.</p>
<p style="margin-left:22%;">That’s only needed if you
want to use the dnssec-signer command in directory mode
(<b>−D</b>). Then the name of the zone will be parsed
out of the directory name.</p>
<p style="margin-left:11%;">Change the name of the zone
<p style="margin-left:22%;">Otherwise you have to set the
or you have to use the option <b>−o</b> to name the
zone and specify the zone file as argument.</p>
<p style="margin-left:11%;">Add the name of the signed
<p style="margin-left:22%;">The filename is the name of the
zone file with the extension <i>.signed</i>. Create an empty
file with the name <i>zonefile</i><b>.signed</b> in the zone
directory.</p>
<p style="margin-left:11%;">Include the keyfile in the
zone.</p>
<p style="margin-left:22%;">The name of the keyfile is
<p style="margin-left:11%;">Control the format of the
SOA-Record</p>
<p style="margin-left:22%;">For automatic incrementation of
the serial number, the SOA-Record must be formated, so that
the serial number is on a single line and left justified in
a field of at least 10 spaces! If you use BIND version 9.4
or later and use the unixtime format for the serial number
is not necessary.</p>
<p style="margin-left:11%;">Try to sign the zone</p>
<p style="margin-left:22%;">If the current working
use the command <br>
$ dnssec-signer −D .. −v −v example.net
<br>
$ dnssec-signer −o example.net. <br>
to create the initial keying material and a signed zone
file. Then try to load the file on the name server.</p>
<h2>ENVIRONMENT VARIABLES
<a name="ENVIRONMENT VARIABLES"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p>
<p style="margin-left:22%;">Specifies the name of the
default global configuration files.</p>
<h2>FILES
<a name="FILES"></a>
</h2>
<p style="margin-left:22%;">Built-in default global
configuration file. The name of the default global config
file is settable via the environment variable ZKT_CONFFILE.
Use <i>dnssec-zkt(8)</i> with option <b>−Z</b> to
create an initial config file.</p>
<p style="margin-left:22%;">View specific global
configuration file.</p>
<p style="margin-left:22%;">Local configuration file.</p>
<p style="margin-left:22%;">The file contains the currently
used key and zone signing keys. It will be created by
<i>dnsssec-signer(8)</i>. The name of the file is settable
via the dnssec configuration file (parameter
<i>keyfile</i>).</p>
<p style="margin-left:22%;">This is the zone file. The name
of the file is settable via the dnssec configuration file
(parameter <i>zonefile</i>).</p>
<h2>BUGS
<a name="BUGS"></a>
</h2>
parser is a bit rudimental and not very well tested.</p>
<h2>AUTHORS
<a name="AUTHORS"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">Holger Zuleger,
Mans Nilsson</p>
<h2>COPYRIGHT
<a name="COPYRIGHT"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">Copyright (c)
2005 − 2009 by Holger Zuleger. Licensed under the BSD
Licence. There is NO warranty; not even for MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.</p>
<h2>SEE ALSO
<a name="SEE ALSO"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
dnssec-signzone(8), rndc(8), named.conf(5), dnssec-zkt(8)
<br>
RFC4033, RFC4034, RFC4035 <br>
[1] DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC <br>
[2] RFC4641 "DNSSEC Operational Practices" by Miek
Gieben and Olaf Kolkman <br>
<hr>
</body>
</html>