doc/arm/man.dnssec-signzone.html

	man.dnssec-signzone.html revision 2895f101b5585a19015ac2c2c1e1812ac467fa12
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<!--
523230336909d30111cb060b7eb6fc39d23ad174Tinderbox User - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - Copyright (C) 2000-2003 Internet Software Consortium.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews -
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - Permission to use, copy, modify, and/or distribute this software for any
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - purpose with or without fee is hereby granted, provided that the above
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - copyright notice and this permission notice appear in all copies.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User -
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
83a28ca274521e15086fc39febde507bcc4e145eMark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt - PERFORMANCE OF THIS SOFTWARE.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt-->
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<!-- $Id: man.dnssec-signzone.html,v 1.128 2009/09/03 01:14:42 tbox Exp $ -->
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<html>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<head>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<title>dnssec-signzone</title>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley</head>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<div class="navheader">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<table width="100%" summary="Navigation header">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
704e6c8876907aac0bf7380effca8bca400d4acdMark Andrews<tr>
704e6c8876907aac0bf7380effca8bca400d4acdMark Andrews<td width="20%" align="left">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<th width="60%" align="center">Manual pages</th>
c1a883f2e04d94e99c433b1f6cfd0c0338f4ed85Mark Andrews<td width="20%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
cfa2326b5c96a3a4c720262e077b2baf9fc27970Tinderbox User</td>
81f58902eb5a1c1ab22742c72bd6cf318acbc06aTinderbox User</tr>
b129f72d951663755496670606e5f7303e8f2dc2Tinderbox User</table>
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews<hr>
1ca2cf024391992fe14b2df7d3ae0f575d074452Evan Hunt</div>
523230336909d30111cb060b7eb6fc39d23ad174Tinderbox User<div class="refentry" lang="en">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="refnamediv">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<h2>Name</h2>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley</div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="refsynopsisdiv">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<h2>Synopsis</h2>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="refsect1" lang="en">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="id2612032"></a><h2>DESCRIPTION</h2>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p><span><strong class="command">dnssec-signzone</strong></span>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      signs a zone.  It generates
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      NSEC and RRSIG records and produces a signed version of the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      zone. The security status of delegations from the signed zone
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      (that is, whether the child zones are secure or not) is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      determined by the presence or absence of a
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley      <code class="filename">keyset</code> file for each child zone.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley    </p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley</div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="refsect1" lang="en">
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews<a name="id2612051"></a><h2>OPTIONS</h2>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="variablelist"><dl>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-a</span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Verify all generated signatures.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </p></dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Specifies the DNS class of the zone.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley          </p></dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-C</span></dt>
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt<dd><p>
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt            Compatibility mode: Generate a
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt            <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
122c58bd11790c7576cdb1c6fd8e4439d0d7f7a5Mark Andrews            file in addition to
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt            <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt            when signing a zone, for use by older versions of
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt            <span><strong class="command">dnssec-signzone</strong></span>.
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt          </p></dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Look for <code class="filename">dsset-</code> or
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            <code class="filename">keyset-</code> files in <code class="option">directory</code>.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley          </p></dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-g</span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Generate DS records for child zones from
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley            file.  Existing DS records will be removed.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews            Key repository: Specify a directory to search for DNSSEC keys.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley            If not specified, defaults to the current directory.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley          </p></dd>
c4f9e613e12f03795bee18cf2ca8e6a9d39d6468Mark Andrews<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd><p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            Treat specified key as a key signing key ignoring any
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            key flags.  This option may be specified multiple times.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p></dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd><p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            The domain is appended to the name of the records.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p></dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd><p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            Specify the date and time when the generated RRSIG records
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            become valid.  This can be either an absolute or relative
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            time.  An absolute start time is indicated by a number
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            14:45:00 UTC on May 30th, 2000.  A relative start time is
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            indicated by +N, which is N seconds from the current time.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            If no <code class="option">start-time</code> is specified, the current
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            time minus 1 hour (to allow for clock skew) is used.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p></dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd><p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            Specify the date and time when the generated RRSIG records
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            expire.  As with <code class="option">start-time</code>, an absolute
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            to the start time is indicated with +N, which is N seconds from
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            the start time.  A time relative to the current time is
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            indicated with now+N.  If no <code class="option">end-time</code> is
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            specified, 30 days from the start time is used as a default.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            <code class="option">end-time</code> must be later than
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            <code class="option">start-time</code>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p></dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd><p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            The name of the output file containing the signed zone.  The
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            default is to append <code class="filename">.signed</code> to
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            the
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            input filename.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p></dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dt><span class="term">-h</span></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd><p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            Prints a short summary of the options and arguments to
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            <span><strong class="command">dnssec-signzone</strong></span>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p></dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            When a previously-signed zone is passed as input, records
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            may be resigned.  The <code class="option">interval</code> option
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            specifies the cycle interval as an offset from the current
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            time (in seconds).  If a RRSIG record expires after the
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            cycle interval, it is retained.  Otherwise, it is considered
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            to be expiring soon, and it will be replaced.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            The default cycle interval is one quarter of the difference
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            between the signature end and start times.  So if neither
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            <code class="option">end-time</code> or <code class="option">start-time</code>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            are specified, <span><strong class="command">dnssec-signzone</strong></span>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            generates
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            signatures that are valid for 30 days, with a cycle
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            interval of 7.5 days.  Therefore, if any existing RRSIG records
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            are due to expire in less than 7.5 days, they would be
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            replaced.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt</dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd><p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            The format of the input zone file.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt        Possible formats are <span><strong class="command">"text"</strong></span> (default)
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt        and <span><strong class="command">"raw"</strong></span>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt        This option is primarily intended to be used for dynamic
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            signed zones so that the dumped zone file in a non-text
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt            format containing updates can be signed directly.
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt        The use of this option does not make much sense for
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt        non-dynamic zones.
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt          </p></dd>
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt<dd>
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt<p>
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt            When signing a zone with a fixed signature lifetime, all
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt            RRSIG records issued at the time of signing expires
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt            simultaneously.  If the zone is incrementally signed, i.e.
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt            a previously-signed zone is passed as input to the signer,
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            all expired signatures have to be regenerated at about the
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            same time.  The <code class="option">jitter</code> option specifies a
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            jitter window that will be used to randomize the signature
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            expire time, thus spreading incremental signature
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            regeneration over time.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            Signature lifetime jitter also to some extent benefits
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            validators and servers by spreading out cache expiration,
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            i.e. if large numbers of RRSIGs don't expire at the same time
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            from all caches there will be less congestion than if all
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            validators need to refetch at mostly the same time.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt</dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd><p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            Specifies the number of threads to use.  By default, one
2637d30fbd235fe98145f4312b10cc41a13bf7dcJeremy C. Reed            thread is started for each detected CPU.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p></dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            The SOA serial number format of the signed zone.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt        Possible formats are <span><strong class="command">"keep"</strong></span> (default),
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            <span><strong class="command">"increment"</strong></span> and
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt        <span><strong class="command">"unixtime"</strong></span>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<div class="variablelist"><dl>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd><p>Do not modify the SOA serial number.</p></dd>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<dd><p>Increment the SOA serial number using RFC 1982
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley                      arithmetics.</p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley<dd><p>Set the SOA serial number to the number of seconds
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            since epoch.</p></dd>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews</dl></div>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley</dd>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<dd><p>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley            The zone origin.  If not specified, the name of the zone file
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt            is assumed to be the origin.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt          </p></dd>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<dd><p>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt            The format of the output file containing the signed zone.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt        Possible formats are <span><strong class="command">"text"</strong></span> (default)
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt        and <span><strong class="command">"raw"</strong></span>.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews          </p></dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dt><span class="term">-p</span></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd><p>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews            Use pseudo-random data when signing the zone.  This is faster,
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews            but less secure, than using real random data.  This option
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews            may be useful when signing large zones or when the entropy
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews            source is limited.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews          </p></dd>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<dt><span class="term">-P</span></dt>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<dd>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt        Disable post sign verification tests.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<p>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews        The post sign verification test ensures that for each algorithm
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews        in use there is at least one non revoked self signed KSK key,
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews        that all revoked KSK keys are self signed, and that all records
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews        in the zone are signed by the algorithm.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews        This option skips these tests.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews          </p>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews</dd>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<dd><p>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews            Specifies the source of randomness.  If the operating
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            system does not provide a <code class="filename">/dev/random</code>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            or equivalent device, the default source of randomness
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews            is keyboard input.  <code class="filename">randomdev</code>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews            specifies
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews            the name of a character device or file containing random
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            data to be used instead of the default.  The special value
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            <code class="filename">keyboard</code> indicates that keyboard
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews            input should be used.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p></dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dt><span class="term">-S</span></dt>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<dd>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            search the key repository for keys that match the zone being
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews            signed, and to include them in the zone if appropriate.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            When a key is found, its timing metadata is examined to
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            determine how it should be used, according to the following
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            rules.  Each successive rule takes priority over the prior
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews            ones:
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<div class="variablelist"><dl>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<dt></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd><p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt                  If no timing metadata has been set for the key, the key is
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt                  published in the zone and used to sign the zone.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews                </p></dd>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<dt></dt>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<dd><p>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews                  If the key's publication date is set and is in the past, the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews                  key is published in the zone.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews                </p></dd>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<dt></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd><p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt                  If the key's activation date is set and in the past, the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews                  key is published (regardless of publication date) and
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews                  used to sign the zone.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews                </p></dd>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<dt></dt>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<dd><p>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews                  If the key's revocation date is set and in the past, and the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews                  key is published, then the key is revoked, and the revoked key
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews                  is used to sign the zone.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt                </p></dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dt></dt>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<dd><p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt                  If either of the key's unpublication or deletion dates are set
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt                  and in the past, the key is NOT published or used to sign the
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt                  zone, regardless of any other metadata.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt                </p></dd>
7d262a3647a517a86d6d83058aedd18b7a6b06dfMark Andrews</dl></div>
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt</dd>
7d262a3647a517a86d6d83058aedd18b7a6b06dfMark Andrews<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
7d262a3647a517a86d6d83058aedd18b7a6b06dfMark Andrews<dd><p>
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt            Specifies the TTL to be used for new DNSKEY records imported
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt            into the zone from the key repository.  If not specified,
19977879caf8579a5fafb0cf3bf1cb983063796cEvan Hunt            the default is the minimum TTL value from the zone's SOA
19977879caf8579a5fafb0cf3bf1cb983063796cEvan Hunt            record.  This option is ignored when signing without
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt            <code class="option">-S</code>, since DNSKEY records are not imported
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt            from the key repository in that case.  It is also ignored if
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt            there are any pre-existing DNSKEY records at the zone apex,
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt            in which case new records' TTL values will be set to match
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt            them.
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt          </p></dd>
7d262a3647a517a86d6d83058aedd18b7a6b06dfMark Andrews<dt><span class="term">-t</span></dt>
7d262a3647a517a86d6d83058aedd18b7a6b06dfMark Andrews<dd><p>
7d262a3647a517a86d6d83058aedd18b7a6b06dfMark Andrews            Print statistics at completion.
7d262a3647a517a86d6d83058aedd18b7a6b06dfMark Andrews          </p></dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
32ceffe2d832412e8f449529bcb898c00eb87b62Evan Hunt<dd><p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            Sets the debugging level.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p></dd>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<dt><span class="term">-z</span></dt>
32ceffe2d832412e8f449529bcb898c00eb87b62Evan Hunt<dd><p>
32ceffe2d832412e8f449529bcb898c00eb87b62Evan Hunt            Ignore KSK flag on key when determining what to sign.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews          </p></dd>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd><p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt            Generate a NSEC3 chain with the given hex encoded salt.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt        A dash (<em class="replaceable"><code>salt</code></em>) can
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt        be used to indicate that no salt is to be used when generating          the NSEC3 chain.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p></dd>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd><p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt        When generating a NSEC3 chain use this many interations.  The
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews        default is 100.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p></dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dt><span class="term">-A</span></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd><p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt        When generating a NSEC3 chain set the OPTOUT flag on all
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt        NSEC3 records and do not generate NSEC3 records for insecure
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews        delegations.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p></dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dt><span class="term">zonefile</span></dt>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<dd><p>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews            The file containing the zone to be signed.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews          </p></dd>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dt><span class="term">key</span></dt>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<dd><p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt        Specify which keys should be used to sign the zone.  If
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt        no keys are specified, then the zone will be examined
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt        for DNSKEY records at the zone apex.  If these are found and
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews        there are matching private keys, in the current directory,
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt        then these will be used for signing.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt          </p></dd>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews</dl></div>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews</div>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<div class="refsect1" lang="en">
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<a name="id2660830"></a><h2>EXAMPLE</h2>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<p>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt      The following command signs the <strong class="userinput"><code>example.com</code></strong>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt      zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt      (Kexample.com.+003+17247).  The zone's keys must be in the master
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews      file (<code class="filename">db.example.com</code>).  This invocation looks
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt      for <code class="filename">keyset</code> files, in the current directory,
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt      so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews    </p>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
52aa2f94981aa570a37c659b451541171f7537a4Mark AndrewsKexample.com.+003+17247
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrewsdb.example.com.signed
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews%</pre>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<p>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews      In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt      the file <code class="filename">db.example.com.signed</code>.  This
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt      file should be referenced in a zone statement in a
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews      <code class="filename">named.conf</code> file.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt    </p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<p>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt      This example re-signs a previously signed zone with default parameters.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt      The private keys are assumed to be in the current directory.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt    </p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<pre class="programlisting">% cp db.example.com.signed db.example.com
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt% dnssec-signzone -o example.com db.example.com
591389c7d44e5ca20c357627dd179772cfefaaccEvan Huntdb.example.com.signed
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt%</pre>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt</div>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<div class="refsect1" lang="en">
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<a name="id2660971"></a><h2>SEE ALSO</h2>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt      <em class="citetitle">RFC 4033</em>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt    </p>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt</div>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<div class="refsect1" lang="en">
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<a name="id2660996"></a><h2>AUTHOR</h2>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<p><span class="corpauthor">Internet Systems Consortium</span>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt    </p>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt</div>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt</div>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<div class="navfooter">
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<hr>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<table width="100%" summary="Navigation footer">
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<tr>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<td width="40%" align="left">
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<td width="40%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews</td>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews</tr>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<tr>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt<td width="40%" align="left" valign="top">
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<span class="application">dnssec-settime</span>�</td>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<td width="40%" align="right" valign="top">�<span class="application">named-checkconf</span>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews</td>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews</tr>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews</table>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews</div>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt</body>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt</html>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt