457N/A - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") 457N/A - Copyright (C) 2000-2003 Internet Software Consortium. 457N/A - Permission to use, copy, modify, and distribute this software for any 457N/A - purpose with or without fee is hereby granted, provided that the above 457N/A - copyright notice and this permission notice appear in all copies. 457N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 457N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 457N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 457N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 457N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 457N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 457N/A - PERFORMANCE OF THIS SOFTWARE. 457N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
457N/A<
title>dnssec-signzone</
title>
457N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
5636N/A<
link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
457N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
618N/A<
table width="100%" summary="Navigation header">
844N/A<
tr><
th colspan="3" align="center"><
span class="application">dnssec-signzone</
span></
th></
tr>
618N/A<
td width="20%" align="left">
2899N/A<
th width="60%" align="center">Manual pages</
th>
5680N/A<
div class="refentry" lang="en">
5759N/A<
p><
span class="application">dnssec-signzone</
span> — DNSSEC zone signing tool</
p>
5759N/A<
div class="refsynopsisdiv">
5759N/A<
div class="cmdsynopsis"><
p><
code class="command">dnssec-signzone</
code> [<
code class="option">-a</
code>] [<
code class="option">-c <
em class="replaceable"><
code>class</
code></
em></
code>] [<
code class="option">-d <
em class="replaceable"><
code>directory</
code></
em></
code>] [<
code class="option">-e <
em class="replaceable"><
code>end-time</
code></
em></
code>] [<
code class="option">-f <
em class="replaceable"><
code>output-file</
code></
em></
code>] [<
code class="option">-g</
code>] [<
code class="option">-h</
code>] [<
code class="option">-k <
em class="replaceable"><
code>key</
code></
em></
code>] [<
code class="option">-l <
em class="replaceable"><
code>domain</
code></
em></
code>] [<
code class="option">-i <
em class="replaceable"><
code>interval</
code></
em></
code>] [<
code class="option">-I <
em class="replaceable"><
code>input-format</
code></
em></
code>] [<
code class="option">-j <
em class="replaceable"><
code>jitter</
code></
em></
code>] [<
code class="option">-N <
em class="replaceable"><
code>soa-serial-format</
code></
em></
code>] [<
code class="option">-o <
em class="replaceable"><
code>origin</
code></
em></
code>] [<
code class="option">-O <
em class="replaceable"><
code>output-format</
code></
em></
code>] [<
code class="option">-p</
code>] [<
code class="option">-r <
em class="replaceable"><
code>randomdev</
code></
em></
code>] [<
code class="option">-s <
em class="replaceable"><
code>start-time</
code></
em></
code>] [<
code class="option">-t</
code>] [<
code class="option">-v <
em class="replaceable"><
code>level</
code></
em></
code>] [<
code class="option">-z</
code>] {zonefile} [key...]</
p></
div>
6691N/A<
div class="refsect1" lang="en">
6691N/A<
a name="id2598727"></
a><
h2>DESCRIPTION</
h2>
6691N/A<
p><
span><
strong class="command">dnssec-signzone</
strong></
span>
5680N/A NSEC and RRSIG records and produces a signed version of the
457N/A zone. The security status of delegations from the signed zone
4947N/A (that is, whether the child zones are secure or not) is
457N/A determined by the presence or absence of a
457N/A <
code class="filename">keyset</
code> file for each child zone.
457N/A<
div class="refsect1" lang="en">
1030N/A<
a name="id2598746"></
a><
h2>OPTIONS</
h2>
457N/A<
div class="variablelist"><
dl>
457N/A<
dt><
span class="term">-a</
span></
dt>
457N/A Verify all generated signatures.
3014N/A<
dt><
span class="term">-c <
em class="replaceable"><
code>class</
code></
em></
span></
dt>
457N/A Specifies the DNS class of the zone.
634N/A<
dt><
span class="term">-k <
em class="replaceable"><
code>key</
code></
em></
span></
dt>
5680N/A Treat specified key as a key signing key ignoring any
457N/A key flags. This option may be specified multiple times.
4947N/A<
dt><
span class="term">-l <
em class="replaceable"><
code>domain</
code></
em></
span></
dt>
3014N/A Generate a DLV set in addition to the key (DNSKEY) and DS sets.
4947N/A The domain is appended to the name of the records.
5175N/A<
dt><
span class="term">-d <
em class="replaceable"><
code>directory</
code></
em></
span></
dt>
3014N/A Look for <
code class="filename">keyset</
code> files in
3014N/A <
code class="option">directory</
code> as the directory
3014N/A<
dt><
span class="term">-g</
span></
dt>
5680N/A Generate DS records for child zones from keyset files.
3014N/A Existing DS records will be removed.
5680N/A<
dt><
span class="term">-s <
em class="replaceable"><
code>start-time</
code></
em></
span></
dt>
3014N/A Specify the date and time when the generated RRSIG records
6691N/A become valid. This can be either an absolute or relative
457N/A time. An absolute start time is indicated by a number
5759N/A in YYYYMMDDHHMMSS notation; 20000530144500 denotes
5759N/A 14:45:00 UTC on May 30th, 2000. A relative start time is
5759N/A indicated by +N, which is N seconds from the current time.
5759N/A If no <
code class="option">start-time</
code> is specified, the current
5759N/A time minus 1 hour (to allow for clock skew) is used.
5759N/A<
dt><
span class="term">-e <
em class="replaceable"><
code>end-time</
code></
em></
span></
dt>
5759N/A Specify the date and time when the generated RRSIG records
5759N/A expire. As with <
code class="option">start-time</
code>, an absolute
5759N/A time is indicated in YYYYMMDDHHMMSS notation. A time relative
5759N/A to the start time is indicated with +N, which is N seconds from
5759N/A the start time. A time relative to the current time is
5759N/A indicated with now+N. If no <
code class="option">end-time</
code> is
457N/A specified, 30 days from the start time is used as a default.
5795N/A<
dt><
span class="term">-f <
em class="replaceable"><
code>output-file</
code></
em></
span></
dt>
457N/A The name of the output file containing the signed zone. The
457N/A default is to append <
code class="filename">.signed</
code> to
3817N/A<
dt><
span class="term">-h</
span></
dt>
3817N/A Prints a short summary of the options and arguments to
3817N/A <
span><
strong class="command">dnssec-signzone</
strong></
span>.
3817N/A<
dt><
span class="term">-i <
em class="replaceable"><
code>interval</
code></
em></
span></
dt>
3817N/A When a previously signed zone is passed as input, records
3817N/A may be resigned. The <
code class="option">interval</
code> option
3817N/A specifies the cycle interval as an offset from the current
3817N/A time (in seconds). If a RRSIG record expires after the
3817N/A cycle interval, it is retained. Otherwise, it is considered
3817N/A to be expiring soon, and it will be replaced.
5636N/A The default cycle interval is one quarter of the difference
5175N/A between the signature end and start times. So if neither
3817N/A <
code class="option">end-time</
code> or <
code class="option">start-time</
code>
3817N/A are specified, <
span><
strong class="command">dnssec-signzone</
strong></
span>
3817N/A signatures that are valid for 30 days, with a cycle
3817N/A interval of 7.5 days. Therefore, if any existing RRSIG records
3817N/A are due to expire in less than 7.5 days, they would be
3817N/A<
dt><
span class="term">-I <
em class="replaceable"><
code>input-format</
code></
em></
span></
dt>
3817N/A The format of the input zone file.
3817N/A Possible formats are <
span><
strong class="command">"text"</
strong></
span> (default)
and <
span><
strong class="command">"raw"</
strong></
span>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be signed directly.
The use of this option does not make much sense for
<
dt><
span class="term">-j <
em class="replaceable"><
code>jitter</
code></
em></
span></
dt>
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed,
i.e. a previously signed zone is passed as input to the signer,
all expired signatures has to be regenerated at about the
same time. The <
code class="option">jitter</
code> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
Signature lifetime jitter also to some extent benefits
validators and servers by spreading out cache expiration,
i.e. if large numbers of RRSIGs don't expire at the same time
from all caches there will be less congestion than if all
validators need to refetch at mostly the same time.
<
dt><
span class="term">-n <
em class="replaceable"><
code>ncpus</
code></
em></
span></
dt>
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
<
dt><
span class="term">-N <
em class="replaceable"><
code>soa-serial-format</
code></
em></
span></
dt>
The SOA serial number format of the signed zone.
Possible formats are <
span><
strong class="command">"keep"</
strong></
span> (default),
<
span><
strong class="command">"increment"</
strong></
span> and
<
span><
strong class="command">"unixtime"</
strong></
span>.
<
div class="variablelist"><
dl>
<
dt><
span class="term"><
span><
strong class="command">"keep"</
strong></
span></
span></
dt>
<
dd><
p>Do not modify the SOA serial number.</
p></
dd>
<
dt><
span class="term"><
span><
strong class="command">"increment"</
strong></
span></
span></
dt>
<
dd><
p>Increment the SOA serial number using RFC 1982
<
dt><
span class="term"><
span><
strong class="command">"unixtime"</
strong></
span></
span></
dt>
<
dd><
p>Set the SOA serial number to the number of seconds
<
dt><
span class="term">-o <
em class="replaceable"><
code>origin</
code></
em></
span></
dt>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
<
dt><
span class="term">-O <
em class="replaceable"><
code>output-format</
code></
em></
span></
dt>
The format of the output file containing the signed zone.
Possible formats are <
span><
strong class="command">"text"</
strong></
span> (default)
and <
span><
strong class="command">"raw"</
strong></
span>.
<
dt><
span class="term">-p</
span></
dt>
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
<
dt><
span class="term">-r <
em class="replaceable"><
code>randomdev</
code></
em></
span></
dt>
Specifies the source of randomness. If the operating
system does not provide a <
code class="filename">/
dev/
random</
code>
or equivalent device, the default source of randomness
is keyboard input. <
code class="filename">randomdev</
code>
the name of a character device or file containing random
data to be used instead of the default. The special value
<
code class="filename">keyboard</
code> indicates that keyboard
<
dt><
span class="term">-t</
span></
dt>
Print statistics at completion.
<
dt><
span class="term">-v <
em class="replaceable"><
code>level</
code></
em></
span></
dt>
Sets the debugging level.
<
dt><
span class="term">-z</
span></
dt>
Ignore KSK flag on key when determining what to sign.
<
dt><
span class="term">zonefile</
span></
dt>
The file containing the zone to be signed.
<
dt><
span class="term">key</
span></
dt>
The keys used to sign the zone. If no keys are specified, the
default all zone keys that have private key files in the
<
div class="refsect1" lang="en">
<
a name="id2604552"></
a><
h2>EXAMPLE</
h2>
The following command signs the <
strong class="userinput"><
code>
example.com</
code></
strong>
zone with the DSA key generated in the <
span><
strong class="command">dnssec-keygen</
strong></
span>
man page. The zone's keys must be in the zone. If there are
<
code class="filename">keyset</
code> files associated with child
they must be in the current directory.
<
strong class="userinput"><
code>
example.com</
code></
strong>, the following command would be
The command would print a string of the form:
In this example, <
span><
strong class="command">dnssec-signzone</
strong></
span> creates
should be referenced in a zone statement in a
<
div class="refsect1" lang="en">
<
a name="id2604685"></
a><
h2>SEE ALSO</
h2>
<
p><
span class="citerefentry"><
span class="refentrytitle">dnssec-keygen</
span>(8)</
span>,
<
em class="citetitle">BIND 9 Administrator Reference Manual</
em>,
<
em class="citetitle">RFC 2535</
em>.
<
div class="refsect1" lang="en">
<
a name="id2604710"></
a><
h2>AUTHOR</
h2>
<
p><
span class="corpauthor">Internet Systems Consortium</
span>
<
table width="100%" summary="Navigation footer">
<
td width="40%" align="left">
<
td width="20%" align="center"><
a accesskey="u" href="Bv9ARM.ch10.html">Up</
a></
td>
<
td width="40%" align="left" valign="top">
<
span class="application">dnssec-keygen</
span>�</
td>
<
td width="20%" align="center"><
a accesskey="h" href="Bv9ARM.html">Home</
a></
td>
<
td width="40%" align="right" valign="top">�<
span class="application">named-checkconf</
span>