man.dnssec-signzone.html revision 7717ec7a6a898cdd3c35cbfba66010b7304ffd9b
dcfda24abf565c442d058cbf81b2180d847a1b3eAutomatic Updater - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - purpose with or without fee is hereby granted, provided that the above
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - copyright notice and this permission notice appear in all copies.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
97e74139b19368e385a3564746d42db70879195eAutomatic Updater<!-- $Id: man.dnssec-signzone.html,v 1.185 2011/03/22 01:14:27 tbox Exp $ -->
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<table width="100%" summary="Navigation header">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<th width="60%" align="center">Manual pages</th>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<td width="20%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
97e74139b19368e385a3564746d42db70879195eAutomatic Updater<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
97e74139b19368e385a3564746d42db70879195eAutomatic Updater<a name="id2617966"></a><h2>DESCRIPTION</h2>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p><span><strong class="command">dnssec-signzone</strong></span>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews signs a zone. It generates
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews NSEC and RRSIG records and produces a signed version of the
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews zone. The security status of delegations from the signed zone
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews (that is, whether the child zones are secure or not) is
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews determined by the presence or absence of a
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <code class="filename">keyset</code> file for each child zone.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Verify all generated signatures.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Specifies the DNS class of the zone.
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater Compatibility mode: Generate a
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater file in addition to
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater when signing a zone, for use by older versions of
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater <span><strong class="command">dnssec-signzone</strong></span>.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater Look for <code class="filename">dsset-</code> or
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater <code class="filename">keyset-</code> files in <code class="option">directory</code>.
be6c1c506161e6f45fcff5d0425f78801bc267c1Automatic Updater Output only those record types automatically managed by
be6c1c506161e6f45fcff5d0425f78801bc267c1Automatic Updater <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
be6c1c506161e6f45fcff5d0425f78801bc267c1Automatic Updater NSEC3 and NSEC3PARAM records. If smart signing
be6c1c506161e6f45fcff5d0425f78801bc267c1Automatic Updater (<code class="option">-S</code>) is used, DNSKEY records are also
be6c1c506161e6f45fcff5d0425f78801bc267c1Automatic Updater included. The resulting file can be included in the original
be6c1c506161e6f45fcff5d0425f78801bc267c1Automatic Updater zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
be6c1c506161e6f45fcff5d0425f78801bc267c1Automatic Updater cannot be combined with <code class="option">-O raw</code> or serial
be6c1c506161e6f45fcff5d0425f78801bc267c1Automatic Updater number updating.
8ec3c085233cedb22b05da36e2773c8f357a7e45Automatic Updater<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
8ec3c085233cedb22b05da36e2773c8f357a7e45Automatic Updater Uses a crypto hardware (OpenSSL engine) for the crypto operations
8ec3c085233cedb22b05da36e2773c8f357a7e45Automatic Updater it supports, for instance signing with private keys from
8ec3c085233cedb22b05da36e2773c8f357a7e45Automatic Updater a secure key store. When compiled with PKCS#11 support
64affc54f96a2c71cbd10ed71e246ce0746259aaAutomatic Updater it defaults to pkcs11; the empty name resets it to no engine.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater Generate DS records for child zones from
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater file. Existing DS records will be removed.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater Key repository: Specify a directory to search for DNSSEC keys.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater If not specified, defaults to the current directory.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Treat specified key as a key signing key ignoring any
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews key flags. This option may be specified multiple times.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Generate a DLV set in addition to the key (DNSKEY) and DS sets.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The domain is appended to the name of the records.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Specify the date and time when the generated RRSIG records
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews become valid. This can be either an absolute or relative
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews time. An absolute start time is indicated by a number
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews in YYYYMMDDHHMMSS notation; 20000530144500 denotes
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews 14:45:00 UTC on May 30th, 2000. A relative start time is
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews indicated by +N, which is N seconds from the current time.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews If no <code class="option">start-time</code> is specified, the current
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews time minus 1 hour (to allow for clock skew) is used.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Specify the date and time when the generated RRSIG records
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews expire. As with <code class="option">start-time</code>, an absolute
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews time is indicated in YYYYMMDDHHMMSS notation. A time relative
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews to the start time is indicated with +N, which is N seconds from
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the start time. A time relative to the current time is
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews indicated with now+N. If no <code class="option">end-time</code> is
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews specified, 30 days from the start time is used as a default.
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater <code class="option">end-time</code> must be later than
60a900e83bab52c3f023be66654f3ab023172778Automatic Updater<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
60a900e83bab52c3f023be66654f3ab023172778Automatic Updater Specify the date and time when the generated RRSIG records
60a900e83bab52c3f023be66654f3ab023172778Automatic Updater for the DNSKEY RRset will expire. This is to be used in cases
60a900e83bab52c3f023be66654f3ab023172778Automatic Updater when the DNSKEY signatures need to persist longer than
60a900e83bab52c3f023be66654f3ab023172778Automatic Updater signatures on other records; e.g., when the private component
60a900e83bab52c3f023be66654f3ab023172778Automatic Updater of the KSK is kept offline and the KSK signature is to be
60a900e83bab52c3f023be66654f3ab023172778Automatic Updater refreshed manually.
60a900e83bab52c3f023be66654f3ab023172778Automatic Updater As with <code class="option">start-time</code>, an absolute
60a900e83bab52c3f023be66654f3ab023172778Automatic Updater time is indicated in YYYYMMDDHHMMSS notation. A time relative
60a900e83bab52c3f023be66654f3ab023172778Automatic Updater to the start time is indicated with +N, which is N seconds from
60a900e83bab52c3f023be66654f3ab023172778Automatic Updater the start time. A time relative to the current time is
60a900e83bab52c3f023be66654f3ab023172778Automatic Updater indicated with now+N. If no <code class="option">extended end-time</code> is
60a900e83bab52c3f023be66654f3ab023172778Automatic Updater specified, the value of <code class="option">end-time</code> is used as
60a900e83bab52c3f023be66654f3ab023172778Automatic Updater the default. (<code class="option">end-time</code>, in turn, defaults to
60a900e83bab52c3f023be66654f3ab023172778Automatic Updater 30 days from the start time.) <code class="option">extended end-time</code>
60a900e83bab52c3f023be66654f3ab023172778Automatic Updater must be later than <code class="option">start-time</code>.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The name of the output file containing the signed zone. The
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews default is to append <code class="filename">.signed</code> to
2628293c6edaa41ed1407c42bb196083901e087bAutomatic Updater input filename.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Prints a short summary of the options and arguments to
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <span><strong class="command">dnssec-signzone</strong></span>.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews When a previously-signed zone is passed as input, records
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews may be resigned. The <code class="option">interval</code> option
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews specifies the cycle interval as an offset from the current
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews time (in seconds). If a RRSIG record expires after the
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews cycle interval, it is retained. Otherwise, it is considered
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews to be expiring soon, and it will be replaced.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The default cycle interval is one quarter of the difference
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews between the signature end and start times. So if neither
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <code class="option">end-time</code> or <code class="option">start-time</code>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews are specified, <span><strong class="command">dnssec-signzone</strong></span>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews signatures that are valid for 30 days, with a cycle
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews interval of 7.5 days. Therefore, if any existing RRSIG records
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews are due to expire in less than 7.5 days, they would be
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The format of the input zone file.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Possible formats are <span><strong class="command">"text"</strong></span> (default)
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews and <span><strong class="command">"raw"</strong></span>.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews This option is primarily intended to be used for dynamic
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews signed zones so that the dumped zone file in a non-text
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews format containing updates can be signed directly.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The use of this option does not make much sense for
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews non-dynamic zones.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews When signing a zone with a fixed signature lifetime, all
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews RRSIG records issued at the time of signing expires
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews simultaneously. If the zone is incrementally signed, i.e.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews a previously-signed zone is passed as input to the signer,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews all expired signatures have to be regenerated at about the
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews same time. The <code class="option">jitter</code> option specifies a
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews jitter window that will be used to randomize the signature
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews expire time, thus spreading incremental signature
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews regeneration over time.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Signature lifetime jitter also to some extent benefits
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews validators and servers by spreading out cache expiration,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews i.e. if large numbers of RRSIGs don't expire at the same time
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews from all caches there will be less congestion than if all
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews validators need to refetch at mostly the same time.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
97e74139b19368e385a3564746d42db70879195eAutomatic Updater Specifies the number of threads to use. By default, one
97e74139b19368e385a3564746d42db70879195eAutomatic Updater thread is started for each detected CPU.
97e74139b19368e385a3564746d42db70879195eAutomatic Updater<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The SOA serial number format of the signed zone.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Possible formats are <span><strong class="command">"keep"</strong></span> (default),
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <span><strong class="command">"increment"</strong></span> and
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <span><strong class="command">"unixtime"</strong></span>.
52ece689e0265f9a3e518de5b2539e749f6d35acMark Andrews<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
52ece689e0265f9a3e518de5b2539e749f6d35acMark Andrews<dd><p>Do not modify the SOA serial number.</p></dd>
52ece689e0265f9a3e518de5b2539e749f6d35acMark Andrews<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
52ece689e0265f9a3e518de5b2539e749f6d35acMark Andrews<dd><p>Increment the SOA serial number using RFC 1982
52ece689e0265f9a3e518de5b2539e749f6d35acMark Andrews<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
52ece689e0265f9a3e518de5b2539e749f6d35acMark Andrews<dd><p>Set the SOA serial number to the number of seconds
52ece689e0265f9a3e518de5b2539e749f6d35acMark Andrews<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
52ece689e0265f9a3e518de5b2539e749f6d35acMark Andrews The zone origin. If not specified, the name of the zone file
52ece689e0265f9a3e518de5b2539e749f6d35acMark Andrews is assumed to be the origin.
52ece689e0265f9a3e518de5b2539e749f6d35acMark Andrews<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
52ece689e0265f9a3e518de5b2539e749f6d35acMark Andrews The format of the output file containing the signed zone.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Possible formats are <span><strong class="command">"text"</strong></span> (default)
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews and <span><strong class="command">"raw"</strong></span>.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Use pseudo-random data when signing the zone. This is faster,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews but less secure, than using real random data. This option
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews may be useful when signing large zones or when the entropy
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews source is limited.
72938578c985138165e7a4b0a38f16daacbad95eAutomatic Updater Disable post sign verification tests.
72938578c985138165e7a4b0a38f16daacbad95eAutomatic Updater The post sign verification test ensures that for each algorithm
72938578c985138165e7a4b0a38f16daacbad95eAutomatic Updater in use there is at least one non revoked self signed KSK key,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews that all revoked KSK keys are self signed, and that all records
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews in the zone are signed by the algorithm.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews This option skips these tests.
6283056805887de88040698685b8e1936a1f7a2dAutomatic Updater Remove signatures from keys that no longer exist.
6283056805887de88040698685b8e1936a1f7a2dAutomatic Updater Normally, when a previously-signed zone is passed as input
6283056805887de88040698685b8e1936a1f7a2dAutomatic Updater to the signer, and a DNSKEY record has been removed and
6283056805887de88040698685b8e1936a1f7a2dAutomatic Updater replaced with a new one, signatures from the old key
6283056805887de88040698685b8e1936a1f7a2dAutomatic Updater that are still within their validity period are retained.
1c51f79aba598e5e20bde66aea0237e347f6d5ceAutomatic Updater This allows the zone to continue to validate with cached
1c51f79aba598e5e20bde66aea0237e347f6d5ceAutomatic Updater copies of the old DNSKEY RRset. The <code class="option">-R</code> forces
6283056805887de88040698685b8e1936a1f7a2dAutomatic Updater <span><strong class="command">dnssec-signzone</strong></span> to remove all orphaned
7717ec7a6a898cdd3c35cbfba66010b7304ffd9bAutomatic Updater<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
7717ec7a6a898cdd3c35cbfba66010b7304ffd9bAutomatic Updater Specifies the source of randomness. If the operating
7717ec7a6a898cdd3c35cbfba66010b7304ffd9bAutomatic Updater system does not provide a <code class="filename">/dev/random</code>
7717ec7a6a898cdd3c35cbfba66010b7304ffd9bAutomatic Updater or equivalent device, the default source of randomness
7717ec7a6a898cdd3c35cbfba66010b7304ffd9bAutomatic Updater is keyboard input. <code class="filename">randomdev</code>
7717ec7a6a898cdd3c35cbfba66010b7304ffd9bAutomatic Updater the name of a character device or file containing random
7717ec7a6a898cdd3c35cbfba66010b7304ffd9bAutomatic Updater data to be used instead of the default. The special value
7717ec7a6a898cdd3c35cbfba66010b7304ffd9bAutomatic Updater <code class="filename">keyboard</code> indicates that keyboard
7717ec7a6a898cdd3c35cbfba66010b7304ffd9bAutomatic Updater input should be used.
7717ec7a6a898cdd3c35cbfba66010b7304ffd9bAutomatic Updater Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews search the key repository for keys that match the zone being
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews signed, and to include them in the zone if appropriate.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews When a key is found, its timing metadata is examined to
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews determine how it should be used, according to the following
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews rules. Each successive rule takes priority over the prior
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater If no timing metadata has been set for the key, the key is
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater published in the zone and used to sign the zone.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater If the key's publication date is set and is in the past, the
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater key is published in the zone.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater If the key's activation date is set and in the past, the
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater key is published (regardless of publication date) and
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater used to sign the zone.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater If the key's revocation date is set and in the past, and the
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater key is published, then the key is revoked, and the revoked key
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater is used to sign the zone.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater If either of the key's unpublication or deletion dates are set
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater and in the past, the key is NOT published or used to sign the
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater zone, regardless of any other metadata.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater Specifies a TTL to be used for new DNSKEY records imported
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater into the zone from the key repository. If not
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater specified, the default is the TTL value from the zone's SOA
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater record. This option is ignored when signing without
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater <code class="option">-S</code>, since DNSKEY records are not imported
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater from the key repository in that case. It is also ignored if
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater there are any pre-existing DNSKEY records at the zone apex,
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater in which case new records' TTL values will be set to match
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater them, or if any of the imported DNSKEY records had a default
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater TTL value. In the event of a a conflict between TTL values in
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater imported keys, the shortest one is used.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater Print statistics at completion.
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater Update NSEC/NSEC3 chain when re-signing a previously signed
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater zone. With this option, a zone signed with NSEC can be
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater switched to NSEC3, or a zone signed with NSEC3 can
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater be switch to NSEC or to NSEC3 with different parameters.
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater retain the existing chain when re-signing.
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater Sets the debugging level.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Only sign the DNSKEY RRset with key-signing keys, and omit
f3d1a0ba5228251d902a6acf3c8b05cb6842f992Automatic Updater signatures from zone-signing keys. (This is similar to the
f3d1a0ba5228251d902a6acf3c8b05cb6842f992Automatic Updater <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
f3d1a0ba5228251d902a6acf3c8b05cb6842f992Automatic Updater <span><strong class="command">named</strong></span>.)
f3d1a0ba5228251d902a6acf3c8b05cb6842f992Automatic Updater Ignore KSK flag on key when determining what to sign. This
f3d1a0ba5228251d902a6acf3c8b05cb6842f992Automatic Updater causes KSK-flagged keys to sign all records, not just the
f3d1a0ba5228251d902a6acf3c8b05cb6842f992Automatic Updater DNSKEY RRset. (This is similar to the
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <span><strong class="command">update-check-ksk no;</strong></span> zone option in
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <span><strong class="command">named</strong></span>.)
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
8de0d8a6905e397ed0a26054815420685f9b435eAutomatic Updater Generate an NSEC3 chain with the given hex encoded salt.
8de0d8a6905e397ed0a26054815420685f9b435eAutomatic Updater A dash (<em class="replaceable"><code>salt</code></em>) can
3b2c6af63e0367c6eabe0a21ca23841ca87cd22fAutomatic Updater be used to indicate that no salt is to be used when generating the NSEC3 chain.
3b2c6af63e0367c6eabe0a21ca23841ca87cd22fAutomatic Updater<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews When generating an NSEC3 chain, use this many interations. The
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews default is 10.
3b2c6af63e0367c6eabe0a21ca23841ca87cd22fAutomatic Updater When generating an NSEC3 chain set the OPTOUT flag on all
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews NSEC3 records and do not generate NSEC3 records for insecure
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater Using this option twice (i.e., <code class="option">-AA</code>)
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater turns the OPTOUT flag off for all records. This is useful
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater when using the <code class="option">-u</code> option to modify an NSEC3
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater chain which previously had OPTOUT set.
66fec05962ae85e63c4aa568d44a962db5bbc902Automatic Updater<dt><span class="term">zonefile</span></dt>
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater The file containing the zone to be signed.
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater Specify which keys should be used to sign the zone. If
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater no keys are specified, then the zone will be examined
f3d1a0ba5228251d902a6acf3c8b05cb6842f992Automatic Updater for DNSKEY records at the zone apex. If these are found and
f3d1a0ba5228251d902a6acf3c8b05cb6842f992Automatic Updater there are matching private keys, in the current directory,
f3d1a0ba5228251d902a6acf3c8b05cb6842f992Automatic Updater then these will be used for signing.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The following command signs the <strong class="userinput"><code>example.com</code></strong>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews (Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews is not being used, the zone's keys must be in the master file
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews (<code class="filename">db.example.com</code>). This invocation looks
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews for <code class="filename">dsset</code> files, in the current directory,
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
97e74139b19368e385a3564746d42db70879195eAutomatic Updater the file <code class="filename">db.example.com.signed</code>. This
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews file should be referenced in a zone statement in a
3b2c6af63e0367c6eabe0a21ca23841ca87cd22fAutomatic Updater This example re-signs a previously signed zone with default parameters.
3b2c6af63e0367c6eabe0a21ca23841ca87cd22fAutomatic Updater The private keys are assumed to be in the current directory.
3b2c6af63e0367c6eabe0a21ca23841ca87cd22fAutomatic Updater<pre class="programlisting">% cp db.example.com.signed db.example.com
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews<p><span class="corpauthor">Internet Systems Consortium</span>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<table width="100%" summary="Navigation footer">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
c6c78f699b55b3344fb6b17ddc854cbae4610468Automatic Updater<td width="40%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<span class="application">dnssec-settime</span>�</td>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<td width="40%" align="right" valign="top">�<span class="application">named-checkconf</span>