man.dnssec-signzone.html revision 4abdfc917e6635a7c81d1f931a0c79227e72d025
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<!--
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser - Copyright (C) 2000-2003 Internet Software Consortium.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser -
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser - Permission to use, copy, modify, and distribute this software for any
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser - purpose with or without fee is hereby granted, provided that the above
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser - copyright notice and this permission notice appear in all copies.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser -
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser - PERFORMANCE OF THIS SOFTWARE.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser-->
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<!-- $Id: man.dnssec-signzone.html,v 1.37 2007/01/26 23:29:04 marka Exp $ -->
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<html>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<head>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<title>dnssec-signzone</title>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser</head>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<div class="navheader">
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<table width="100%" summary="Navigation header">
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<tr>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<td width="20%" align="left">
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<a accesskey="p" href="man.dnssec-keygen.html">Prev</a>�</td>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<th width="60%" align="center">Manual pages</th>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<td width="20%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser</td>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser</tr>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser</table>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<hr>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser</div>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<div class="refentry" lang="en">
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<div class="refnamediv">
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<h2>Name</h2>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser</div>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<div class="refsynopsisdiv">
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<h2>Synopsis</h2>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser</div>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<div class="refsect1" lang="en">
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<a name="id2598727"></a><h2>DESCRIPTION</h2>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<p><span><strong class="command">dnssec-signzone</strong></span>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser signs a zone. It generates
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser NSEC and RRSIG records and produces a signed version of the
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser zone. The security status of delegations from the signed zone
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser (that is, whether the child zones are secure or not) is
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser determined by the presence or absence of a
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser <code class="filename">keyset</code> file for each child zone.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser </p>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser</div>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<div class="refsect1" lang="en">
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<a name="id2598746"></a><h2>OPTIONS</h2>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<div class="variablelist"><dl>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dt><span class="term">-a</span></dt>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dd><p>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser Verify all generated signatures.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser </p></dd>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dd><p>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser Specifies the DNS class of the zone.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser </p></dd>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dd><p>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser Treat specified key as a key signing key ignoring any
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser key flags. This option may be specified multiple times.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser </p></dd>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dd><p>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser Generate a DLV set in addition to the key (DNSKEY) and DS sets.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser The domain is appended to the name of the records.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser </p></dd>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dd><p>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser Look for <code class="filename">keyset</code> files in
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser <code class="option">directory</code> as the directory
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser </p></dd>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dt><span class="term">-g</span></dt>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dd><p>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser Generate DS records for child zones from keyset files.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser Existing DS records will be removed.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser </p></dd>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dd><p>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser Specify the date and time when the generated RRSIG records
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser become valid. This can be either an absolute or relative
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser time. An absolute start time is indicated by a number
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser in YYYYMMDDHHMMSS notation; 20000530144500 denotes
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser 14:45:00 UTC on May 30th, 2000. A relative start time is
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser indicated by +N, which is N seconds from the current time.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser If no <code class="option">start-time</code> is specified, the current
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser time minus 1 hour (to allow for clock skew) is used.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser </p></dd>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dd><p>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser Specify the date and time when the generated RRSIG records
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser expire. As with <code class="option">start-time</code>, an absolute
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser time is indicated in YYYYMMDDHHMMSS notation. A time relative
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser to the start time is indicated with +N, which is N seconds from
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser the start time. A time relative to the current time is
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser indicated with now+N. If no <code class="option">end-time</code> is
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser specified, 30 days from the start time is used as a default.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser </p></dd>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dd><p>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser The name of the output file containing the signed zone. The
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser default is to append <code class="filename">.signed</code> to
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser the
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser input file.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser </p></dd>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dt><span class="term">-h</span></dt>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dd><p>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser Prints a short summary of the options and arguments to
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser <span><strong class="command">dnssec-signzone</strong></span>.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser </p></dd>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dd>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<p>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser When a previously signed zone is passed as input, records
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser may be resigned. The <code class="option">interval</code> option
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser specifies the cycle interval as an offset from the current
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser time (in seconds). If a RRSIG record expires after the
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser cycle interval, it is retained. Otherwise, it is considered
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser to be expiring soon, and it will be replaced.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser </p>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<p>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser The default cycle interval is one quarter of the difference
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser between the signature end and start times. So if neither
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser <code class="option">end-time</code> or <code class="option">start-time</code>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser are specified, <span><strong class="command">dnssec-signzone</strong></span>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser generates
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser signatures that are valid for 30 days, with a cycle
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser interval of 7.5 days. Therefore, if any existing RRSIG records
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser are due to expire in less than 7.5 days, they would be
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser replaced.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser </p>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser</dd>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dd><p>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser The format of the input zone file.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser Possible formats are <span><strong class="command">"text"</strong></span> (default)
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser and <span><strong class="command">"raw"</strong></span>.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser This option is primarily intended to be used for dynamic
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser signed zones so that the dumped zone file in a non-text
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser format containing updates can be signed directly.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser The use of this option does not make much sense for
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser non-dynamic zones.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser </p></dd>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<dd>
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser<p>
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed, i.e.
a previously signed zone is passed as input to the signer,
all expired signatures has to be regenerated at about the
same time. The <code class="option">jitter</code> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
regeneration over time.
</p>
<p>
Signature lifetime jitter also to some extent benefits
validators and servers by spreading out cache expiration,
i.e. if large numbers of RRSIGs don't expire at the same time
from all caches there will be less congestion than if all
validators need to refetch at mostly the same time.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
</p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd>
<p>
The SOA serial number format of the signed zone.
Possible formats are <span><strong class="command">"keep"</strong></span> (default),
<span><strong class="command">"increment"</strong></span> and
<span><strong class="command">"unixtime"</strong></span>.
</p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
arithmetics.</p></dd>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
since epoch.</p></dd>
</dl></div>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>
The format of the output file containing the signed zone.
Possible formats are <span><strong class="command">"text"</strong></span> (default)
and <span><strong class="command">"raw"</strong></span>.
</p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>
Print statistics at completion.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
Ignore KSK flag on key when determining what to sign.
</p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
The file containing the zone to be signed.
</p></dd>
<dt><span class="term">key</span></dt>
<dd><p>
The keys used to sign the zone. If no keys are specified, the
default all zone keys that have private key files in the
current directory.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2604552"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span>
man page. The zone's keys must be in the zone. If there are
<code class="filename">keyset</code> files associated with child
zones,
they must be in the current directory.
<strong class="userinput"><code>example.com</code></strong>, the following command would be
issued:
</p>
<p><strong class="userinput"><code>dnssec-signzone -o example.com db.example.com
Kexample.com.+003+26160</code></strong>
</p>
<p>
The command would print a string of the form:
</p>
<p>
In this example, <span><strong class="command">dnssec-signzone</strong></span> creates
the file <code class="filename">db.example.com.signed</code>. This
file
should be referenced in a zone statement in a
<code class="filename">named.conf</code> file.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2604685"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2535</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2604710"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-keygen.html">Prev</a>�</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnssec-keygen</span>�</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">�<span class="application">named-checkconf</span>
</td>
</tr>
</table>
</div>
</body>
</html>