doc/arm/man.dnssec-signzone.html

	man.dnssec-signzone.html revision 64affc54f96a2c71cbd10ed71e246ce0746259aa
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<!--
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
eae67738cba5ca069e9d1d4e7b836a2f7b00a374Mark Andrews -
eae67738cba5ca069e9d1d4e7b836a2f7b00a374Mark Andrews - Permission to use, copy, modify, and/or distribute this software for any
2a40fdc2d34adb8a5c72a748449699666032d461Mark Andrews - purpose with or without fee is hereby granted, provided that the above
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews - copyright notice and this permission notice appear in all copies.
a3b428812703d22a605a9f882e71ed65f0ffdc65Mark Andrews -
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
d56e188030368b835122d759ebbf8d9613c166f4Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews - PERFORMANCE OF THIS SOFTWARE.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews-->
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<!-- $Id: man.dnssec-signzone.html,v 1.144 2009/11/03 21:58:30 tbox Exp $ -->
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews<html>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<head>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<title>dnssec-signzone</title>
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
b6617c5adad7f12e5fcde1e873f7b982d247fe05Mark Andrews<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
b6617c5adad7f12e5fcde1e873f7b982d247fe05Mark Andrews</head>
b6617c5adad7f12e5fcde1e873f7b982d247fe05Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<div class="navheader">
b6617c5adad7f12e5fcde1e873f7b982d247fe05Mark Andrews<table width="100%" summary="Navigation header">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
a3b428812703d22a605a9f882e71ed65f0ffdc65Mark Andrews<tr>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<td width="20%" align="left">
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews<th width="60%" align="center">Manual pages</th>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<td width="20%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews</td>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews</tr>
c069a20053d41ae299eb9457e50ea44ae9f73ed2Mark Andrews</table>
ed178efa9ab8f813538fce4ff603b81ded9f1799Mark Andrews<hr>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews</div>
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews<div class="refentry" lang="en">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
3f6174bffe227be44e241a29d186add00c032ff6Mark Andrews<div class="refnamediv">
1eb1e1e838d2ea00b166c918bf50764a95826be8Mark Andrews<h2>Name</h2>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews</div>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<div class="refsynopsisdiv">
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews<h2>Synopsis</h2>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson</div>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews<div class="refsect1" lang="en">
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews<a name="id2611914"></a><h2>DESCRIPTION</h2>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<p><span><strong class="command">dnssec-signzone</strong></span>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews      signs a zone.  It generates
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      NSEC and RRSIG records and produces a signed version of the
26a77b80bb7ee886c6fa704348d5e80a011d8811Mark Andrews      zone. The security status of delegations from the signed zone
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews      (that is, whether the child zones are secure or not) is
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews      determined by the presence or absence of a
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews      <code class="filename">keyset</code> file for each child zone.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews    </p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews</div>
62ee2c9f460d2e2e45dcf1abc8b4b4a4a43f5618Mark Andrews<div class="refsect1" lang="en">
e086341ea57e618a60c9f166b95daee1fab71b3bMark Andrews<a name="id2611933"></a><h2>OPTIONS</h2>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<div class="variablelist"><dl>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="term">-a</span></dt>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dd><p>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews            Verify all generated signatures.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson          </p></dd>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews<dd><p>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson            Specifies the DNS class of the zone.
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews          </p></dd>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<dt><span class="term">-C</span></dt>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Compatibility mode: Generate a
c25080dc50542213058c240226c9f342186e6285Mark Andrews            <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            file in addition to
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews            <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews            when signing a zone, for use by older versions of
dd9ad704c3800e3ab07ede8595871eac79984871Mark Andrews            <span><strong class="command">dnssec-signzone</strong></span>.
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews          </p></dd>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
ab81f57ca0c3addfec3df3babdcea9644757cf23Mark Andrews<dd><p>
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews            Look for <code class="filename">dsset-</code> or
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews            <code class="filename">keyset-</code> files in <code class="option">directory</code>.
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews          </p></dd>
413988c8166976498250c0ebb2e3a645d0366bd3Mark Andrews<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dd><p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            Uses a crypto hardware (OpenSSL engine) for the crypto operations
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews            it supports, for instance signing with private keys from
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            a secure key store. When compiled with PKCS#11 support
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            it defaults to pkcs11; the empty name resets it to no engine.
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews          </p></dd>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="term">-g</span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dd><p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            Generate DS records for child zones from
642e0716c8b4ab82ebc8e60f94c9e897ee89f19aMark Andrews            <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            file.  Existing DS records will be removed.
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews          </p></dd>
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews<dd><p>
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews            Key repository: Specify a directory to search for DNSSEC keys.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            If not specified, defaults to the current directory.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews          </p></dd>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews<dd><p>
d3a3e690ab1f87fa02b3fa77be5ddea5c1fe0cd4Mark Andrews            Treat specified key as a key signing key ignoring any
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            key flags.  This option may be specified multiple times.
d56e188030368b835122d759ebbf8d9613c166f4Mark Andrews          </p></dd>
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dd><p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            The domain is appended to the name of the records.
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews          </p></dd>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dd><p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            Specify the date and time when the generated RRSIG records
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            become valid.  This can be either an absolute or relative
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews            time.  An absolute start time is indicated by a number
ed178efa9ab8f813538fce4ff603b81ded9f1799Mark Andrews            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            14:45:00 UTC on May 30th, 2000.  A relative start time is
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            indicated by +N, which is N seconds from the current time.
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews            If no <code class="option">start-time</code> is specified, the current
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            time minus 1 hour (to allow for clock skew) is used.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          </p></dd>
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dd><p>
dd9ad704c3800e3ab07ede8595871eac79984871Mark Andrews            Specify the date and time when the generated RRSIG records
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            expire.  As with <code class="option">start-time</code>, an absolute
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews            to the start time is indicated with +N, which is N seconds from
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews            the start time.  A time relative to the current time is
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews            indicated with now+N.  If no <code class="option">end-time</code> is
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews            specified, 30 days from the start time is used as a default.
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews            <code class="option">end-time</code> must be later than
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            <code class="option">start-time</code>.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews          </p></dd>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
62ee2c9f460d2e2e45dcf1abc8b4b4a4a43f5618Mark Andrews<dd><p>
1eb1e1e838d2ea00b166c918bf50764a95826be8Mark Andrews            The name of the output file containing the signed zone.  The
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews            default is to append <code class="filename">.signed</code> to
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews            the
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews            input filename.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson          </p></dd>
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews<dt><span class="term">-h</span></dt>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dd><p>
ca12f7f4cf72e2368ee946f3eb4915ab73576cdcMark Andrews            Prints a short summary of the options and arguments to
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews            <span><strong class="command">dnssec-signzone</strong></span>.
1eb1e1e838d2ea00b166c918bf50764a95826be8Mark Andrews          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<dd>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<p>
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews            When a previously-signed zone is passed as input, records
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews            may be resigned.  The <code class="option">interval</code> option
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            specifies the cycle interval as an offset from the current
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews            time (in seconds).  If a RRSIG record expires after the
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson            cycle interval, it is retained.  Otherwise, it is considered
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews            to be expiring soon, and it will be replaced.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            The default cycle interval is one quarter of the difference
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            between the signature end and start times.  So if neither
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            <code class="option">end-time</code> or <code class="option">start-time</code>
ed178efa9ab8f813538fce4ff603b81ded9f1799Mark Andrews            are specified, <span><strong class="command">dnssec-signzone</strong></span>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            generates
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            signatures that are valid for 30 days, with a cycle
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews            interval of 7.5 days.  Therefore, if any existing RRSIG records
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews            are due to expire in less than 7.5 days, they would be
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            replaced.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          </p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews</dd>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dd><p>
e076d0c88be69de7c190ab924d095e69d2e11f7aAndreas Gustafsson            The format of the input zone file.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews        Possible formats are <span><strong class="command">"text"</strong></span> (default)
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews        and <span><strong class="command">"raw"</strong></span>.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews        This option is primarily intended to be used for dynamic
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            signed zones so that the dumped zone file in a non-text
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews            format containing updates can be signed directly.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson        The use of this option does not make much sense for
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews        non-dynamic zones.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews          </p></dd>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<dd>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            When signing a zone with a fixed signature lifetime, all
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            RRSIG records issued at the time of signing expires
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            simultaneously.  If the zone is incrementally signed, i.e.
282e38d96feb488fddbbc0b0409491094786977fMark Andrews            a previously-signed zone is passed as input to the signer,
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            all expired signatures have to be regenerated at about the
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews            same time.  The <code class="option">jitter</code> option specifies a
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews            jitter window that will be used to randomize the signature
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            expire time, thus spreading incremental signature
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            regeneration over time.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews          </p>
abf32d940f8f674b3971ef41b306a01b3da8d2cfMark Andrews<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Signature lifetime jitter also to some extent benefits
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews            validators and servers by spreading out cache expiration,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            i.e. if large numbers of RRSIGs don't expire at the same time
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            from all caches there will be less congestion than if all
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            validators need to refetch at mostly the same time.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Specifies the number of threads to use.  By default, one
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            thread is started for each detected CPU.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            The SOA serial number format of the signed zone.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        Possible formats are <span><strong class="command">"keep"</strong></span> (default),
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            <span><strong class="command">"increment"</strong></span> and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        <span><strong class="command">"unixtime"</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="variablelist"><dl>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>Do not modify the SOA serial number.</p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>Increment the SOA serial number using RFC 1982
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                      arithmetics.</p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>Set the SOA serial number to the number of seconds
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            since epoch.</p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</dl></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            The zone origin.  If not specified, the name of the zone file
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            is assumed to be the origin.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            The format of the output file containing the signed zone.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        Possible formats are <span><strong class="command">"text"</strong></span> (default)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        and <span><strong class="command">"raw"</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-p</span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Use pseudo-random data when signing the zone.  This is faster,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            but less secure, than using real random data.  This option
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            may be useful when signing large zones or when the entropy
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            source is limited.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-P</span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews        Disable post sign verification tests.
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews          </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington        The post sign verification test ensures that for each algorithm
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington        in use there is at least one non revoked self signed KSK key,
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington        that all revoked KSK keys are self signed, and that all records
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington        in the zone are signed by the algorithm.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington        This option skips these tests.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</dd>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<dd><p>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington            Specifies the source of randomness.  If the operating
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews            system does not provide a <code class="filename">/dev/random</code>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            or equivalent device, the default source of randomness
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews            is keyboard input.  <code class="filename">randomdev</code>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            specifies
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            the name of a character device or file containing random
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            data to be used instead of the default.  The special value
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            <code class="filename">keyboard</code> indicates that keyboard
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews            input should be used.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews          </p></dd>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="term">-S</span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dd>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            search the key repository for keys that match the zone being
68baa2d193672c482b7ea07ece349e7b1ceb96e6Mark Andrews            signed, and to include them in the zone if appropriate.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews          </p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<p>
67a0e14fa9c3c160116f0671f4ac5874306b1150Mark Andrews            When a key is found, its timing metadata is examined to
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            determine how it should be used, according to the following
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            rules.  Each successive rule takes priority over the prior
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews            ones:
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews          </p>
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews<div class="variablelist"><dl>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dt></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews                  If no timing metadata has been set for the key, the key is
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                  published in the zone and used to sign the zone.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                  If the key's publication date is set and is in the past, the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                  key is published in the zone.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                  If the key's activation date is set and in the past, the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                  key is published (regardless of publication date) and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                  used to sign the zone.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                  If the key's revocation date is set and in the past, and the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                  key is published, then the key is revoked, and the revoked key
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                  is used to sign the zone.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                  If either of the key's unpublication or deletion dates are set
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews                  and in the past, the key is NOT published or used to sign the
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews                  zone, regardless of any other metadata.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington                </p></dd>
01bf5871f8861eb805dd8ca79bdb9b0b9e4e6a5eMark Andrews</dl></div>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews</dd>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews<dd><p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews            Specifies the TTL to be used for new DNSKEY records imported
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            into the zone from the key repository.  If not specified,
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews            the default is the minimum TTL value from the zone's SOA
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            record.  This option is ignored when signing without
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            <code class="option">-S</code>, since DNSKEY records are not imported
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            from the key repository in that case.  It is also ignored if
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            there are any pre-existing DNSKEY records at the zone apex,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            in which case new records' TTL values will be set to match
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            them.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-t</span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Print statistics at completion.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-u</span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Update NSEC/NSEC3 chain when re-signing a previously signed
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            zone.  With this option, a zone signed with NSEC can be
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            switched to NSEC3, or a zone signed with NSEC3 can
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            be switch to NSEC or to NSEC3 with different parameters.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            retain the existing chain when re-signing.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Sets the debugging level.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="term">-x</span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Only sign the DNSKEY RRset with key-signing keys, and omit
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            signatures from zone-signing keys.  (This is similar to the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            <span><strong class="command">dnskey-ksk-only yes;</strong></span> zone option in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            <span><strong class="command">named</strong></span>.)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-z</span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            Ignore KSK flag on key when determining what to sign.  This
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            causes KSK-flagged keys to sign all records, not just the
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews            DNSKEY RRset.  (This is similar to the
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews            <span><strong class="command">update-check-ksk no;</strong></span> zone option in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            <span><strong class="command">named</strong></span>.)
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews          </p></dd>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dd><p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews            Generate an NSEC3 chain with the given hex encoded salt.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews        A dash (<em class="replaceable"><code>salt</code></em>) can
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews        be used to indicate that no salt is to be used when generating          the NSEC3 chain.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews          </p></dd>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dd><p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews        When generating an NSEC3 chain, use this many interations.  The
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        default is 10.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-A</span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        When generating an NSEC3 chain set the OPTOUT flag on all
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        NSEC3 records and do not generate NSEC3 records for insecure
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        delegations.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        Using this option twice (i.e., <code class="option">-AA</code>)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        turns the OPTOUT flag off for all records.  This is useful
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        when using the <code class="option">-u</code> option to modify an NSEC3
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        chain which previously had OPTOUT set.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">zonefile</span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington            The file containing the zone to be signed.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">key</span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        Specify which keys should be used to sign the zone.  If
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        no keys are specified, then the zone will be examined
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews        for DNSKEY records at the zone apex.  If these are found and
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews        there are matching private keys, in the current directory,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        then these will be used for signing.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews          </p></dd>
abf32d940f8f674b3971ef41b306a01b3da8d2cfMark Andrews</dl></div>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews</div>
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews<div class="refsect1" lang="en">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<a name="id2663865"></a><h2>EXAMPLE</h2>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<p>
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews      The following command signs the <strong class="userinput"><code>example.com</code></strong>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews      zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      (Kexample.com.+003+17247).  Because the <span><strong class="command">-S</strong></span> option
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews      is not being used, the zone's keys must be in the master file
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews      (<code class="filename">db.example.com</code>).  This invocation looks
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews      for <code class="filename">dsset</code> files, in the current directory,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews    </p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
068a66979695c77359e7a9181bb3f831c965b21cMark AndrewsKexample.com.+003+17247
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellingtondb.example.com.signed
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington%</pre>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews      In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
83a810eba60ae87341a2d177ff60d834e26d7a90Mark Andrews      the file <code class="filename">db.example.com.signed</code>.  This
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington      file should be referenced in a zone statement in a
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews      <code class="filename">named.conf</code> file.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews    </p>
2bef3713093349af52ba61eaab07adf3207da873Mark Andrews<p>
2bef3713093349af52ba61eaab07adf3207da873Mark Andrews      This example re-signs a previously signed zone with default parameters.
2bef3713093349af52ba61eaab07adf3207da873Mark Andrews      The private keys are assumed to be in the current directory.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews    </p>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<pre class="programlisting">% cp db.example.com.signed db.example.com
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews% dnssec-signzone -o example.com db.example.com
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrewsdb.example.com.signed
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews%</pre>
83a810eba60ae87341a2d177ff60d834e26d7a90Mark Andrews</div>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<div class="refsect1" lang="en">
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<a name="id2663944"></a><h2>SEE ALSO</h2>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews      <em class="citetitle">RFC 4033</em>.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews    </p>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews</div>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<div class="refsect1" lang="en">
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<a name="id2663969"></a><h2>AUTHOR</h2>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<p><span class="corpauthor">Internet Systems Consortium</span>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews    </p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews</div>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews</div>
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews<div class="navfooter">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<hr>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<table width="100%" summary="Navigation footer">
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<tr>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<td width="40%" align="left">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<td width="40%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</td>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews</tr>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<tr>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<td width="40%" align="left" valign="top">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<span class="application">dnssec-settime</span>�</td>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews<td width="40%" align="right" valign="top">�<span class="application">named-checkconf</span>
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews</td>
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews</tr>
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews</table>
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews</div>
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews</body>
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews</html>
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews