2N/A - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") 2N/A - Copyright (C) 2000-2003 Internet Software Consortium. 2N/A - Permission to use, copy, modify, and distribute this software for any 2N/A - purpose with or without fee is hereby granted, provided that the above 2N/A - copyright notice and this permission notice appear in all copies. 2N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 2N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 2N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 2N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 2N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 2N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 2N/A - PERFORMANCE OF THIS SOFTWARE. 2N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
2N/A<
title>dnssec-signzone</
title>
2N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
2N/A<
link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
2N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
2N/A<
div class="navheader">
2N/A<
table width="100%" summary="Navigation header">
2N/A<
tr><
th colspan="3" align="center"><
span class="application">dnssec-signzone</
span></
th></
tr>
2N/A<
td width="20%" align="left">
2N/A<
th width="60%" align="center">Manual pages</
th>
2N/A<
div class="refentry" lang="en">
2N/A<
div class="refnamediv">
2N/A<
p><
span class="application">dnssec-signzone</
span> — DNSSEC zone signing tool</
p>
2N/A<
div class="refsynopsisdiv">
2N/A<
div class="cmdsynopsis"><
p><
code class="command">dnssec-signzone</
code> [<
code class="option">-a</
code>] [<
code class="option">-c <
em class="replaceable"><
code>class</
code></
em></
code>] [<
code class="option">-d <
em class="replaceable"><
code>directory</
code></
em></
code>] [<
code class="option">-e <
em class="replaceable"><
code>end-time</
code></
em></
code>] [<
code class="option">-f <
em class="replaceable"><
code>output-file</
code></
em></
code>] [<
code class="option">-g</
code>] [<
code class="option">-h</
code>] [<
code class="option">-k <
em class="replaceable"><
code>key</
code></
em></
code>] [<
code class="option">-l <
em class="replaceable"><
code>domain</
code></
em></
code>] [<
code class="option">-i <
em class="replaceable"><
code>interval</
code></
em></
code>] [<
code class="option">-I <
em class="replaceable"><
code>input-format</
code></
em></
code>] [<
code class="option">-j <
em class="replaceable"><
code>jitter</
code></
em></
code>] [<
code class="option">-N <
em class="replaceable"><
code>soa-serial-format</
code></
em></
code>] [<
code class="option">-o <
em class="replaceable"><
code>origin</
code></
em></
code>] [<
code class="option">-O <
em class="replaceable"><
code>output-format</
code></
em></
code>] [<
code class="option">-p</
code>] [<
code class="option">-P</
code>] [<
code class="option">-r <
em class="replaceable"><
code>randomdev</
code></
em></
code>] [<
code class="option">-s <
em class="replaceable"><
code>start-time</
code></
em></
code>] [<
code class="option">-t</
code>] [<
code class="option">-v <
em class="replaceable"><
code>level</
code></
em></
code>] [<
code class="option">-z</
code>] [<
code class="option">-3 <
em class="replaceable"><
code>salt</
code></
em></
code>] [<
code class="option">-H <
em class="replaceable"><
code>iterations</
code></
em></
code>] [<
code class="option">-A</
code>] {zonefile} [key...]</
p></
div>
2N/A<
div class="refsect1" lang="en">
2N/A<
a name="id2608453"></
a><
h2>DESCRIPTION</
h2>
2N/A<
p><
span><
strong class="command">dnssec-signzone</
strong></
span>
2N/A signs a zone. It generates
2N/A NSEC and RRSIG records and produces a signed version of the
2N/A zone. The security status of delegations from the signed zone
2N/A (that is, whether the child zones are secure or not) is
2N/A determined by the presence or absence of a
2N/A <
code class="filename">keyset</
code> file for each child zone.
2N/A<
div class="refsect1" lang="en">
2N/A<
a name="id2608472"></
a><
h2>OPTIONS</
h2>
2N/A<
div class="variablelist"><
dl>
2N/A<
dt><
span class="term">-a</
span></
dt>
2N/A Verify all generated signatures.
2N/A<
dt><
span class="term">-c <
em class="replaceable"><
code>class</
code></
em></
span></
dt>
2N/A Specifies the DNS class of the zone.
2N/A<
dt><
span class="term">-k <
em class="replaceable"><
code>key</
code></
em></
span></
dt>
2N/A Treat specified key as a key signing key ignoring any
2N/A key flags. This option may be specified multiple times.
2N/A<
dt><
span class="term">-l <
em class="replaceable"><
code>domain</
code></
em></
span></
dt>
2N/A Generate a DLV set in addition to the key (DNSKEY) and DS sets.
2N/A The domain is appended to the name of the records.
2N/A<
dt><
span class="term">-d <
em class="replaceable"><
code>directory</
code></
em></
span></
dt>
2N/A Look for <
code class="filename">keyset</
code> files in
2N/A <
code class="option">directory</
code> as the directory
2N/A<
dt><
span class="term">-g</
span></
dt>
2N/A Generate DS records for child zones from keyset files.
2N/A Existing DS records will be removed.
2N/A<
dt><
span class="term">-s <
em class="replaceable"><
code>start-time</
code></
em></
span></
dt>
2N/A Specify the date and time when the generated RRSIG records
2N/A become valid. This can be either an absolute or relative
2N/A time. An absolute start time is indicated by a number
2N/A in YYYYMMDDHHMMSS notation; 20000530144500 denotes
2N/A 14:45:00 UTC on May 30th, 2000. A relative start time is
2N/A indicated by +N, which is N seconds from the current time.
2N/A If no <
code class="option">start-time</
code> is specified, the current
2N/A time minus 1 hour (to allow for clock skew) is used.
2N/A<
dt><
span class="term">-e <
em class="replaceable"><
code>end-time</
code></
em></
span></
dt>
2N/A Specify the date and time when the generated RRSIG records
2N/A expire. As with <
code class="option">start-time</
code>, an absolute
2N/A time is indicated in YYYYMMDDHHMMSS notation. A time relative
2N/A to the start time is indicated with +N, which is N seconds from
2N/A the start time. A time relative to the current time is
2N/A indicated with now+N. If no <
code class="option">end-time</
code> is
2N/A specified, 30 days from the start time is used as a default.
2N/A<
dt><
span class="term">-f <
em class="replaceable"><
code>output-file</
code></
em></
span></
dt>
2N/A The name of the output file containing the signed zone. The
2N/A default is to append <
code class="filename">.signed</
code> to
2N/A<
dt><
span class="term">-h</
span></
dt>
2N/A Prints a short summary of the options and arguments to
2N/A <
span><
strong class="command">dnssec-signzone</
strong></
span>.
2N/A<
dt><
span class="term">-i <
em class="replaceable"><
code>interval</
code></
em></
span></
dt>
2N/A When a previously-signed zone is passed as input, records
2N/A may be resigned. The <
code class="option">interval</
code> option
2N/A specifies the cycle interval as an offset from the current
2N/A time (in seconds). If a RRSIG record expires after the
2N/A cycle interval, it is retained. Otherwise, it is considered
2N/A to be expiring soon, and it will be replaced.
2N/A The default cycle interval is one quarter of the difference
2N/A between the signature end and start times. So if neither
2N/A <
code class="option">end-time</
code> or <
code class="option">start-time</
code>
2N/A are specified, <
span><
strong class="command">dnssec-signzone</
strong></
span>
2N/A signatures that are valid for 30 days, with a cycle
2N/A interval of 7.5 days. Therefore, if any existing RRSIG records
2N/A are due to expire in less than 7.5 days, they would be
2N/A<
dt><
span class="term">-I <
em class="replaceable"><
code>input-format</
code></
em></
span></
dt>
2N/A The format of the input zone file.
2N/A Possible formats are <
span><
strong class="command">"text"</
strong></
span> (default)
2N/A and <
span><
strong class="command">"raw"</
strong></
span>.
2N/A This option is primarily intended to be used for dynamic
2N/A signed zones so that the dumped zone file in a non-text
2N/A format containing updates can be signed directly.
2N/A The use of this option does not make much sense for
2N/A<
dt><
span class="term">-j <
em class="replaceable"><
code>jitter</
code></
em></
span></
dt>
2N/A When signing a zone with a fixed signature lifetime, all
2N/A RRSIG records issued at the time of signing expires
2N/A simultaneously. If the zone is incrementally signed,
i.e. 2N/A a previously-signed zone is passed as input to the signer,
2N/A all expired signatures have to be regenerated at about the
2N/A same time. The <
code class="option">jitter</
code> option specifies a
2N/A jitter window that will be used to randomize the signature
2N/A expire time, thus spreading incremental signature
2N/A regeneration over time.
2N/A Signature lifetime jitter also to some extent benefits
2N/A validators and servers by spreading out cache expiration,
2N/A i.e. if large numbers of RRSIGs don't expire at the same time
2N/A from all caches there will be less congestion than if all
2N/A validators need to refetch at mostly the same time.
2N/A<
dt><
span class="term">-n <
em class="replaceable"><
code>ncpus</
code></
em></
span></
dt>
2N/A Specifies the number of threads to use. By default, one
2N/A thread is started for each detected CPU.
2N/A<
dt><
span class="term">-N <
em class="replaceable"><
code>soa-serial-format</
code></
em></
span></
dt>
2N/A The SOA serial number format of the signed zone.
2N/A Possible formats are <
span><
strong class="command">"keep"</
strong></
span> (default),
2N/A <
span><
strong class="command">"increment"</
strong></
span> and
2N/A <
span><
strong class="command">"unixtime"</
strong></
span>.
2N/A<
div class="variablelist"><
dl>
2N/A<
dt><
span class="term"><
span><
strong class="command">"keep"</
strong></
span></
span></
dt>
2N/A<
dd><
p>Do not modify the SOA serial number.</
p></
dd>
2N/A<
dt><
span class="term"><
span><
strong class="command">"increment"</
strong></
span></
span></
dt>
2N/A<
dd><
p>Increment the SOA serial number using RFC 1982
2N/A arithmetics.</
p></
dd>
2N/A<
dt><
span class="term"><
span><
strong class="command">"unixtime"</
strong></
span></
span></
dt>
2N/A<
dd><
p>Set the SOA serial number to the number of seconds
2N/A since epoch.</
p></
dd>
2N/A<
dt><
span class="term">-o <
em class="replaceable"><
code>origin</
code></
em></
span></
dt>
2N/A The zone origin. If not specified, the name of the zone file
2N/A is assumed to be the origin.
2N/A<
dt><
span class="term">-O <
em class="replaceable"><
code>output-format</
code></
em></
span></
dt>
2N/A The format of the output file containing the signed zone.
2N/A Possible formats are <
span><
strong class="command">"text"</
strong></
span> (default)
2N/A and <
span><
strong class="command">"raw"</
strong></
span>.
2N/A<
dt><
span class="term">-p</
span></
dt>
2N/A Use pseudo-random data when signing the zone. This is faster,
2N/A but less secure, than using real random data. This option
2N/A may be useful when signing large zones or when the entropy
2N/A<
dt><
span class="term">-P</
span></
dt>
2N/A Disable post sign verification tests.
2N/A The post sign verification test ensures that for each algorithm
2N/A in use there is at least one non revoked self signed KSK key,
2N/A that all revoked KSK keys are self signed, and that all records
2N/A in the zone are signed by the algorithm.
2N/A This option skips these tests.
2N/A<
dt><
span class="term">-r <
em class="replaceable"><
code>randomdev</
code></
em></
span></
dt>
2N/A Specifies the source of randomness. If the operating
2N/A system does not provide a <
code class="filename">/
dev/
random</
code>
2N/A or equivalent device, the default source of randomness
2N/A is keyboard input. <
code class="filename">randomdev</
code>
2N/A the name of a character device or file containing random
2N/A data to be used instead of the default. The special value
2N/A <
code class="filename">keyboard</
code> indicates that keyboard
2N/A input should be used.
2N/A<
dt><
span class="term">-t</
span></
dt>
2N/A Print statistics at completion.
2N/A<
dt><
span class="term">-v <
em class="replaceable"><
code>level</
code></
em></
span></
dt>
2N/A Sets the debugging level.
2N/A<
dt><
span class="term">-z</
span></
dt>
2N/A Ignore KSK flag on key when determining what to sign.
2N/A<
dt><
span class="term">-3 <
em class="replaceable"><
code>salt</
code></
em></
span></
dt>
2N/A Generate a NSEC3 chain with the given hex encoded salt.
2N/A A dash (<
em class="replaceable"><
code>salt</
code></
em>) can
2N/A be used to indicate that no salt is to be used when generating the NSEC3 chain.
2N/A<
dt><
span class="term">-H <
em class="replaceable"><
code>iterations</
code></
em></
span></
dt>
2N/A When generating a NSEC3 chain use this many interations. The
2N/A<
dt><
span class="term">-A</
span></
dt>
2N/A When generating a NSEC3 chain set the OPTOUT flag on all
2N/A NSEC3 records and do not generate NSEC3 records for insecure
2N/A<
dt><
span class="term">zonefile</
span></
dt>
2N/A The file containing the zone to be signed.
2N/A<
dt><
span class="term">key</
span></
dt>
2N/A Specify which keys should be used to sign the zone. If
2N/A no keys are specified, then the zone will be examined
2N/A for DNSKEY records at the zone apex. If these are found and
2N/A there are matching private keys, in the current directory,
2N/A then these will be used for signing.
2N/A<
div class="refsect1" lang="en">
2N/A<
a name="id2662544"></
a><
h2>EXAMPLE</
h2>
2N/A The following command signs the <
strong class="userinput"><
code>
example.com</
code></
strong>
2N/A zone with the DSA key generated by <
span><
strong class="command">dnssec-keygen</
strong></
span>
2N/A for <
code class="filename">keyset</
code> files, in the current directory,
2N/A so that DS records can be generated from them (<
span><
strong class="command">-g</
strong></
span>).
2N/A In the above example, <
span><
strong class="command">dnssec-signzone</
strong></
span> creates
2N/A file should be referenced in a zone statement in a
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
<
div class="refsect1" lang="en">
<
a name="id2662616"></
a><
h2>SEE ALSO</
h2>
<
p><
span class="citerefentry"><
span class="refentrytitle">dnssec-keygen</
span>(8)</
span>,
<
em class="citetitle">BIND 9 Administrator Reference Manual</
em>,
<
em class="citetitle">RFC 4033</
em>.
<
div class="refsect1" lang="en">
<
a name="id2662641"></
a><
h2>AUTHOR</
h2>
<
p><
span class="corpauthor">Internet Systems Consortium</
span>
<
table width="100%" summary="Navigation footer">
<
td width="40%" align="left">
<
td width="20%" align="center"><
a accesskey="u" href="Bv9ARM.ch10.html">Up</
a></
td>
<
td width="40%" align="left" valign="top">
<
span class="application">dnssec-revoke</
span>�</
td>
<
td width="20%" align="center"><
a accesskey="h" href="Bv9ARM.html">Home</
a></
td>
<
td width="40%" align="right" valign="top">�<
span class="application">named-checkconf</
span>