man.dnssec-signzone.html revision 2895f101b5585a19015ac2c2c1e1812ac467fa12
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
db94bcae7159cbcf16f1c25a38ae7eb0d8679c12vboxsync - Copyright (C) 2000-2003 Internet Software Consortium.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync - Permission to use, copy, modify, and/or distribute this software for any
db94bcae7159cbcf16f1c25a38ae7eb0d8679c12vboxsync - purpose with or without fee is hereby granted, provided that the above
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync - copyright notice and this permission notice appear in all copies.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync - PERFORMANCE OF THIS SOFTWARE.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<!-- $Id: man.dnssec-signzone.html,v 1.128 2009/09/03 01:14:42 tbox Exp $ -->
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<td width="20%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<p><span><strong class="command">dnssec-signzone</strong></span>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync signs a zone. It generates
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync NSEC and RRSIG records and produces a signed version of the
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync zone. The security status of delegations from the signed zone
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync (that is, whether the child zones are secure or not) is
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync determined by the presence or absence of a
db94bcae7159cbcf16f1c25a38ae7eb0d8679c12vboxsync <code class="filename">keyset</code> file for each child zone.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Verify all generated signatures.
db94bcae7159cbcf16f1c25a38ae7eb0d8679c12vboxsync<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Specifies the DNS class of the zone.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Compatibility mode: Generate a
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync file in addition to
db94bcae7159cbcf16f1c25a38ae7eb0d8679c12vboxsync <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync when signing a zone, for use by older versions of
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync <span><strong class="command">dnssec-signzone</strong></span>.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync <code class="filename">keyset-</code> files in <code class="option">directory</code>.
db94bcae7159cbcf16f1c25a38ae7eb0d8679c12vboxsync Generate DS records for child zones from
db94bcae7159cbcf16f1c25a38ae7eb0d8679c12vboxsync <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
db94bcae7159cbcf16f1c25a38ae7eb0d8679c12vboxsync file. Existing DS records will be removed.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
db94bcae7159cbcf16f1c25a38ae7eb0d8679c12vboxsync Key repository: Specify a directory to search for DNSSEC keys.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync If not specified, defaults to the current directory.
db94bcae7159cbcf16f1c25a38ae7eb0d8679c12vboxsync<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
db94bcae7159cbcf16f1c25a38ae7eb0d8679c12vboxsync Treat specified key as a key signing key ignoring any
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync key flags. This option may be specified multiple times.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Generate a DLV set in addition to the key (DNSKEY) and DS sets.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync The domain is appended to the name of the records.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Specify the date and time when the generated RRSIG records
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync become valid. This can be either an absolute or relative
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync time. An absolute start time is indicated by a number
db94bcae7159cbcf16f1c25a38ae7eb0d8679c12vboxsync in YYYYMMDDHHMMSS notation; 20000530144500 denotes
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync 14:45:00 UTC on May 30th, 2000. A relative start time is
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync indicated by +N, which is N seconds from the current time.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync If no <code class="option">start-time</code> is specified, the current
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync time minus 1 hour (to allow for clock skew) is used.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Specify the date and time when the generated RRSIG records
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync expire. As with <code class="option">start-time</code>, an absolute
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync time is indicated in YYYYMMDDHHMMSS notation. A time relative
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync to the start time is indicated with +N, which is N seconds from
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync the start time. A time relative to the current time is
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync indicated with now+N. If no <code class="option">end-time</code> is
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync specified, 30 days from the start time is used as a default.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync <code class="option">end-time</code> must be later than
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync The name of the output file containing the signed zone. The
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync default is to append <code class="filename">.signed</code> to
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync input filename.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Prints a short summary of the options and arguments to
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync <span><strong class="command">dnssec-signzone</strong></span>.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync When a previously-signed zone is passed as input, records
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync may be resigned. The <code class="option">interval</code> option
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync specifies the cycle interval as an offset from the current
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync time (in seconds). If a RRSIG record expires after the
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync cycle interval, it is retained. Otherwise, it is considered
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync to be expiring soon, and it will be replaced.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync The default cycle interval is one quarter of the difference
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync between the signature end and start times. So if neither
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync <code class="option">end-time</code> or <code class="option">start-time</code>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync are specified, <span><strong class="command">dnssec-signzone</strong></span>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync signatures that are valid for 30 days, with a cycle
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync interval of 7.5 days. Therefore, if any existing RRSIG records
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync are due to expire in less than 7.5 days, they would be
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync The format of the input zone file.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Possible formats are <span><strong class="command">"text"</strong></span> (default)
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync and <span><strong class="command">"raw"</strong></span>.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync This option is primarily intended to be used for dynamic
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync signed zones so that the dumped zone file in a non-text
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync format containing updates can be signed directly.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync The use of this option does not make much sense for
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync non-dynamic zones.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync When signing a zone with a fixed signature lifetime, all
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync RRSIG records issued at the time of signing expires
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync simultaneously. If the zone is incrementally signed, i.e.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync a previously-signed zone is passed as input to the signer,
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync all expired signatures have to be regenerated at about the
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync same time. The <code class="option">jitter</code> option specifies a
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync jitter window that will be used to randomize the signature
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync expire time, thus spreading incremental signature
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync regeneration over time.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Signature lifetime jitter also to some extent benefits
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync validators and servers by spreading out cache expiration,
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync i.e. if large numbers of RRSIGs don't expire at the same time
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync from all caches there will be less congestion than if all
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync validators need to refetch at mostly the same time.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Specifies the number of threads to use. By default, one
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync thread is started for each detected CPU.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync The SOA serial number format of the signed zone.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Possible formats are <span><strong class="command">"keep"</strong></span> (default),
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync <span><strong class="command">"increment"</strong></span> and
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync <span><strong class="command">"unixtime"</strong></span>.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dd><p>Do not modify the SOA serial number.</p></dd>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dd><p>Increment the SOA serial number using RFC 1982
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dd><p>Set the SOA serial number to the number of seconds
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync The zone origin. If not specified, the name of the zone file
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync is assumed to be the origin.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync The format of the output file containing the signed zone.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Possible formats are <span><strong class="command">"text"</strong></span> (default)
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync and <span><strong class="command">"raw"</strong></span>.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Use pseudo-random data when signing the zone. This is faster,
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync but less secure, than using real random data. This option
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync may be useful when signing large zones or when the entropy
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync source is limited.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Disable post sign verification tests.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync The post sign verification test ensures that for each algorithm
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync in use there is at least one non revoked self signed KSK key,
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync that all revoked KSK keys are self signed, and that all records
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync in the zone are signed by the algorithm.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync This option skips these tests.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Specifies the source of randomness. If the operating
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync system does not provide a <code class="filename">/dev/random</code>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync or equivalent device, the default source of randomness
db94bcae7159cbcf16f1c25a38ae7eb0d8679c12vboxsync is keyboard input. <code class="filename">randomdev</code>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync the name of a character device or file containing random
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync data to be used instead of the default. The special value
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync <code class="filename">keyboard</code> indicates that keyboard
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync input should be used.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync search the key repository for keys that match the zone being
db94bcae7159cbcf16f1c25a38ae7eb0d8679c12vboxsync signed, and to include them in the zone if appropriate.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync When a key is found, its timing metadata is examined to
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync determine how it should be used, according to the following
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync rules. Each successive rule takes priority over the prior
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync If no timing metadata has been set for the key, the key is
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync published in the zone and used to sign the zone.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync If the key's publication date is set and is in the past, the
db94bcae7159cbcf16f1c25a38ae7eb0d8679c12vboxsync key is published in the zone.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync If the key's activation date is set and in the past, the
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync key is published (regardless of publication date) and
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync used to sign the zone.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync If the key's revocation date is set and in the past, and the
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync key is published, then the key is revoked, and the revoked key
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync is used to sign the zone.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync If either of the key's unpublication or deletion dates are set
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync and in the past, the key is NOT published or used to sign the
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync zone, regardless of any other metadata.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Specifies the TTL to be used for new DNSKEY records imported
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync into the zone from the key repository. If not specified,
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync the default is the minimum TTL value from the zone's SOA
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync record. This option is ignored when signing without
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync <code class="option">-S</code>, since DNSKEY records are not imported
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync from the key repository in that case. It is also ignored if
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync there are any pre-existing DNSKEY records at the zone apex,
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync in which case new records' TTL values will be set to match
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Print statistics at completion.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Sets the debugging level.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Ignore KSK flag on key when determining what to sign.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Generate a NSEC3 chain with the given hex encoded salt.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync A dash (<em class="replaceable"><code>salt</code></em>) can
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync be used to indicate that no salt is to be used when generating the NSEC3 chain.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync When generating a NSEC3 chain use this many interations. The
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync default is 100.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync When generating a NSEC3 chain set the OPTOUT flag on all
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync NSEC3 records and do not generate NSEC3 records for insecure
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync delegations.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync The file containing the zone to be signed.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync Specify which keys should be used to sign the zone. If
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync no keys are specified, then the zone will be examined
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync for DNSKEY records at the zone apex. If these are found and
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync there are matching private keys, in the current directory,
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync then these will be used for signing.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync The following command signs the <strong class="userinput"><code>example.com</code></strong>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync (Kexample.com.+003+17247). The zone's keys must be in the master
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync file (<code class="filename">db.example.com</code>). This invocation looks
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync for <code class="filename">keyset</code> files, in the current directory,
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync the file <code class="filename">db.example.com.signed</code>. This
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync file should be referenced in a zone statement in a
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync This example re-signs a previously signed zone with default parameters.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync The private keys are assumed to be in the current directory.
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<pre class="programlisting">% cp db.example.com.signed db.example.com
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<p><span class="corpauthor">Internet Systems Consortium</span>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<td width="40%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<span class="application">dnssec-settime</span>�</td>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
2d6de6a9aef2180a1360e6c3f21ed0949b73a4cfvboxsync<td width="40%" align="right" valign="top">�<span class="application">named-checkconf</span>