10139N/A - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC") 10139N/A - Copyright (C) 2000-2003 Internet Software Consortium. 10139N/A - Permission to use, copy, modify, and/or distribute this software for any 10139N/A - purpose with or without fee is hereby granted, provided that the above 10139N/A - copyright notice and this permission notice appear in all copies. 10139N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 10139N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 10139N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 10139N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 10139N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 10139N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 10139N/A - PERFORMANCE OF THIS SOFTWARE. 10139N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
10139N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
10139N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
10139N/A<
table width="100%" summary="Navigation header">
10139N/A<
tr><
th colspan="3" align="center"><
span class="application">dnssec-signzone</
span></
th></
tr>
10139N/A<
th width="60%" align="center">Manual pages</
th>
10139N/A<
div class="refentry" lang="en">
10139N/A<
p><
span class="application">dnssec-signzone</
span> — DNSSEC zone signing tool</
p>
10139N/A<
div class="cmdsynopsis"><
p><
code class="command">dnssec-signzone</
code> [<
code class="option">-a</
code>] [<
code class="option">-c <
em class="replaceable"><
code>class</
code></
em></
code>] [<
code class="option">-d <
em class="replaceable"><
code>directory</
code></
em></
code>] [<
code class="option">-D</
code>] [<
code class="option">-E <
em class="replaceable"><
code>engine</
code></
em></
code>] [<
code class="option">-e <
em class="replaceable"><
code>end-time</
code></
em></
code>] [<
code class="option">-f <
em class="replaceable"><
code>output-file</
code></
em></
code>] [<
code class="option">-g</
code>] [<
code class="option">-h</
code>] [<
code class="option">-K <
em class="replaceable"><
code>directory</
code></
em></
code>] [<
code class="option">-k <
em class="replaceable"><
code>key</
code></
em></
code>] [<
code class="option">-L <
em class="replaceable"><
code>serial</
code></
em></
code>] [<
code class="option">-l <
em class="replaceable"><
code>domain</
code></
em></
code>] [<
code class="option">-i <
em class="replaceable"><
code>interval</
code></
em></
code>] [<
code class="option">-I <
em class="replaceable"><
code>input-format</
code></
em></
code>] [<
code class="option">-j <
em class="replaceable"><
code>jitter</
code></
em></
code>] [<
code class="option">-N <
em class="replaceable"><
code>soa-serial-format</
code></
em></
code>] [<
code class="option">-o <
em class="replaceable"><
code>origin</
code></
em></
code>] [<
code class="option">-O <
em class="replaceable"><
code>output-format</
code></
em></
code>] [<
code class="option">-P</
code>] [<
code class="option">-p</
code>] [<
code class="option">-R</
code>] [<
code class="option">-r <
em class="replaceable"><
code>randomdev</
code></
em></
code>] [<
code class="option">-S</
code>] [<
code class="option">-s <
em class="replaceable"><
code>start-time</
code></
em></
code>] [<
code class="option">-T <
em class="replaceable"><
code>ttl</
code></
em></
code>] [<
code class="option">-t</
code>] [<
code class="option">-u</
code>] [<
code class="option">-v <
em class="replaceable"><
code>level</
code></
em></
code>] [<
code class="option">-X <
em class="replaceable"><
code>extended end-time</
code></
em></
code>] [<
code class="option">-x</
code>] [<
code class="option">-z</
code>] [<
code class="option">-3 <
em class="replaceable"><
code>salt</
code></
em></
code>] [<
code class="option">-H <
em class="replaceable"><
code>iterations</
code></
em></
code>] [<
code class="option">-A</
code>] {zonefile} [key...]</
p></
div>
10139N/A<
div class="refsect1" lang="en">
10139N/A<
a name="id2623139"></
a><
h2>DESCRIPTION</
h2>
10139N/A<
p><
span><
strong class="command">dnssec-signzone</
strong></
span>
10139N/A NSEC and RRSIG records and produces a signed version of the
10139N/A zone. The security status of delegations from the signed zone
10139N/A (that is, whether the child zones are secure or not) is
10139N/A determined by the presence or absence of a
10139N/A <
code class="filename">keyset</
code> file for each child zone.
10139N/A<
div class="refsect1" lang="en">
10139N/A<
a name="id2669374"></
a><
h2>OPTIONS</
h2>
10139N/A<
dt><
span class="term">-a</
span></
dt>
10139N/A Verify all generated signatures.
10139N/A<
dt><
span class="term">-c <
em class="replaceable"><
code>class</
code></
em></
span></
dt>
10139N/A Specifies the DNS class of the zone.
10139N/A<
dt><
span class="term">-C</
span></
dt>
10139N/A <
code class="filename">keyset-<
em class="replaceable"><
code>zonename</
code></
em></
code>
10139N/A <
code class="filename">dsset-<
em class="replaceable"><
code>zonename</
code></
em></
code>
10139N/A when signing a zone, for use by older versions of
10139N/A <
span><
strong class="command">dnssec-signzone</
strong></
span>.
10139N/A<
dt><
span class="term">-d <
em class="replaceable"><
code>directory</
code></
em></
span></
dt>
10139N/A Look for <
code class="filename">dsset-</
code> or
10139N/A <
code class="filename">keyset-</
code> files in <
code class="option">directory</
code>.
10139N/A<
dt><
span class="term">-D</
span></
dt>
10139N/A Output only those record types automatically managed by
10139N/A <
span><
strong class="command">dnssec-signzone</
strong></
span>,
i.e. RRSIG, NSEC,
10139N/A NSEC3 and NSEC3PARAM records. If smart signing
10139N/A (<
code class="option">-S</
code>) is used, DNSKEY records are also
10139N/A included. The resulting file can be included in the original
10139N/A zone file with <
span><
strong class="command">$INCLUDE</
strong></
span>. This option
10139N/A cannot be combined with <
code class="option">-O raw</
code>,
10139N/A <
code class="option">-O map</
code>, or serial number updating.
10139N/A<
dt><
span class="term">-E <
em class="replaceable"><
code>engine</
code></
em></
span></
dt>
11232N/A Uses a crypto hardware (OpenSSL engine) for the crypto operations
10139N/A it supports, for instance signing with private keys from
10139N/A a secure key store. When compiled with PKCS#11 support
10139N/A it defaults to pkcs11; the empty name resets it to no engine.
10139N/A<
dt><
span class="term">-g</
span></
dt>
10139N/A Generate DS records for child zones from
10139N/A <
code class="filename">dsset-</
code> or <
code class="filename">keyset-</
code>
10139N/A file. Existing DS records will be removed.
10139N/A<
dt><
span class="term">-K <
em class="replaceable"><
code>directory</
code></
em></
span></
dt>
10139N/A Key repository: Specify a directory to search for DNSSEC keys.
10139N/A If not specified, defaults to the current directory.
10139N/A<
dt><
span class="term">-k <
em class="replaceable"><
code>key</
code></
em></
span></
dt>
10139N/A Treat specified key as a key signing key ignoring any
10139N/A key flags. This option may be specified multiple times.
10139N/A<
dt><
span class="term">-l <
em class="replaceable"><
code>domain</
code></
em></
span></
dt>
10139N/A Generate a DLV set in addition to the key (DNSKEY) and DS sets.
10139N/A The domain is appended to the name of the records.
10139N/A<
dt><
span class="term">-s <
em class="replaceable"><
code>start-time</
code></
em></
span></
dt>
10139N/A Specify the date and time when the generated RRSIG records
10697N/A become valid. This can be either an absolute or relative
10915N/A time. An absolute start time is indicated by a number
11161N/A in YYYYMMDDHHMMSS notation; 20000530144500 denotes
11161N/A 14:45:00 UTC on May 30th, 2000. A relative start time is
10139N/A indicated by +N, which is N seconds from the current time.
10139N/A If no <
code class="option">start-time</
code> is specified, the current
10139N/A time minus 1 hour (to allow for clock skew) is used.
10139N/A<
dt><
span class="term">-e <
em class="replaceable"><
code>end-time</
code></
em></
span></
dt>
10139N/A Specify the date and time when the generated RRSIG records
10139N/A expire. As with <
code class="option">start-time</
code>, an absolute
10139N/A time is indicated in YYYYMMDDHHMMSS notation. A time relative
10139N/A to the start time is indicated with +N, which is N seconds from
10139N/A the start time. A time relative to the current time is
10139N/A indicated with now+N. If no <
code class="option">end-time</
code> is
10139N/A specified, 30 days from the start time is used as a default.
10139N/A <
code class="option">end-time</
code> must be later than
10139N/A <
code class="option">start-time</
code>.
10139N/A<
dt><
span class="term">-X <
em class="replaceable"><
code>extended end-time</
code></
em></
span></
dt>
10139N/A Specify the date and time when the generated RRSIG records
10139N/A for the DNSKEY RRset will expire. This is to be used in cases
10139N/A when the DNSKEY signatures need to persist longer than
10139N/A signatures on other records;
e.g., when the private component
10139N/A of the KSK is kept offline and the KSK signature is to be
10139N/A As with <
code class="option">start-time</
code>, an absolute
10139N/A time is indicated in YYYYMMDDHHMMSS notation. A time relative
10139N/A to the start time is indicated with +N, which is N seconds from
10139N/A the start time. A time relative to the current time is
10139N/A indicated with now+N. If no <
code class="option">extended end-time</
code> is
10139N/A specified, the value of <
code class="option">end-time</
code> is used as
10139N/A the default. (<
code class="option">end-time</
code>, in turn, defaults to
10139N/A 30 days from the start time.) <
code class="option">extended end-time</
code>
10139N/A must be later than <
code class="option">start-time</
code>.
10139N/A<
dt><
span class="term">-f <
em class="replaceable"><
code>output-file</
code></
em></
span></
dt>
10139N/A The name of the output file containing the signed zone. The
10139N/A default is to append <
code class="filename">.signed</
code> to
10139N/A the input filename. If <
code class="option">output-file</
code> is
10139N/A set to <
code class="literal">"-"</
code>, then the signed zone is
10139N/A written to the standard output, with a default output
10139N/A<
dt><
span class="term">-h</
span></
dt>
10139N/A Prints a short summary of the options and arguments to
10139N/A <
span><
strong class="command">dnssec-signzone</
strong></
span>.
10139N/A<
dt><
span class="term">-i <
em class="replaceable"><
code>interval</
code></
em></
span></
dt>
10139N/A When a previously-signed zone is passed as input, records
10139N/A may be resigned. The <
code class="option">interval</
code> option
10139N/A specifies the cycle interval as an offset from the current
10139N/A time (in seconds). If a RRSIG record expires after the
10139N/A cycle interval, it is retained. Otherwise, it is considered
10139N/A to be expiring soon, and it will be replaced.
10139N/A The default cycle interval is one quarter of the difference
10139N/A between the signature end and start times. So if neither
10139N/A <
code class="option">end-time</
code> or <
code class="option">start-time</
code>
10139N/A are specified, <
span><
strong class="command">dnssec-signzone</
strong></
span>
10139N/A signatures that are valid for 30 days, with a cycle
10139N/A interval of 7.5 days. Therefore, if any existing RRSIG records
10139N/A are due to expire in less than 7.5 days, they would be
10139N/A<
dt><
span class="term">-I <
em class="replaceable"><
code>input-format</
code></
em></
span></
dt>
10139N/A The format of the input zone file.
10139N/A Possible formats are <
span><
strong class="command">"text"</
strong></
span> (default),
10139N/A <
span><
strong class="command">"raw"</
strong></
span>, and <
span><
strong class="command">"map"</
strong></
span>.
10139N/A This option is primarily intended to be used for dynamic
10139N/A signed zones so that the dumped zone file in a non-text
10139N/A format containing updates can be signed directly.
10139N/A The use of this option does not make much sense for
10139N/A<
dt><
span class="term">-j <
em class="replaceable"><
code>jitter</
code></
em></
span></
dt>
10139N/A When signing a zone with a fixed signature lifetime, all
10139N/A RRSIG records issued at the time of signing expires
10139N/A simultaneously. If the zone is incrementally signed,
i.e. 10139N/A a previously-signed zone is passed as input to the signer,
10139N/A all expired signatures have to be regenerated at about the
10139N/A same time. The <
code class="option">jitter</
code> option specifies a
10139N/A jitter window that will be used to randomize the signature
10139N/A expire time, thus spreading incremental signature
10139N/A Signature lifetime jitter also to some extent benefits
10139N/A validators and servers by spreading out cache expiration,
10139N/A i.e. if large numbers of RRSIGs don't expire at the same time
10139N/A from all caches there will be less congestion than if all
10139N/A validators need to refetch at mostly the same time.
10139N/A<
dt><
span class="term">-L <
em class="replaceable"><
code>serial</
code></
em></
span></
dt>
10139N/A When writing a signed zone to "raw" or "map" format, set the
10139N/A "source serial" value in the header to the specified serial
10139N/A number. (This is expected to be used primarily for testing
10139N/A<
dt><
span class="term">-n <
em class="replaceable"><
code>ncpus</
code></
em></
span></
dt>
10139N/A Specifies the number of threads to use. By default, one
10139N/A thread is started for each detected CPU.
10139N/A<
dt><
span class="term">-N <
em class="replaceable"><
code>soa-serial-format</
code></
em></
span></
dt>
10139N/A The SOA serial number format of the signed zone.
10139N/A Possible formats are <
span><
strong class="command">"keep"</
strong></
span> (default),
10139N/A <
span><
strong class="command">"increment"</
strong></
span> and
10139N/A <
span><
strong class="command">"unixtime"</
strong></
span>.
10139N/A<
dt><
span class="term"><
span><
strong class="command">"keep"</
strong></
span></
span></
dt>
10139N/A<
dd><
p>Do not modify the SOA serial number.</
p></
dd>
10139N/A<
dt><
span class="term"><
span><
strong class="command">"increment"</
strong></
span></
span></
dt>
10139N/A<
dd><
p>Increment the SOA serial number using RFC 1982
10139N/A<
dt><
span class="term"><
span><
strong class="command">"unixtime"</
strong></
span></
span></
dt>
10139N/A<
dd><
p>Set the SOA serial number to the number of seconds
10139N/A<
dt><
span class="term">-o <
em class="replaceable"><
code>origin</
code></
em></
span></
dt>
10139N/A The zone origin. If not specified, the name of the zone file
10139N/A<
dt><
span class="term">-O <
em class="replaceable"><
code>output-format</
code></
em></
span></
dt>
10139N/A The format of the output file containing the signed zone.
10139N/A Possible formats are <
span><
strong class="command">"text"</
strong></
span> (default),
10139N/A which is the standard textual representation of the zone;
10139N/A <
span><
strong class="command">"full"</
strong></
span>, which is text output in a
10139N/A format suitable for processing by external scripts;
10139N/A and <
span><
strong class="command">"map"</
strong></
span>, <
span><
strong class="command">"raw"</
strong></
span>,
11161N/A and <
span><
strong class="command">"raw=N"</
strong></
span>, which store the zone in
11161N/A binary formats for rapid loading by <
span><
strong class="command">named</
strong></
span>.
11161N/A <
span><
strong class="command">"raw=N"</
strong></
span> specifies the format version of
11161N/A the raw zone file: if N is 0, the raw file can be read by
11161N/A any version of <
span><
strong class="command">named</
strong></
span>; if N is 1, the file
10139N/A can be read by release 9.9.0 or higher; the default is 1.
10139N/A<
dt><
span class="term">-p</
span></
dt>
10139N/A Use pseudo-random data when signing the zone. This is faster,
11161N/A but less secure, than using real random data. This option
10139N/A may be useful when signing large zones or when the entropy
10139N/A<
dt><
span class="term">-P</
span></
dt>
10139N/A Disable post sign verification tests.
10139N/A The post sign verification test ensures that for each algorithm
10139N/A in use there is at least one non revoked self signed KSK key,
10139N/A that all revoked KSK keys are self signed, and that all records
10139N/A in the zone are signed by the algorithm.
10139N/A<
dt><
span class="term">-R</
span></
dt>
10139N/A Remove signatures from keys that no longer exist.
10139N/A Normally, when a previously-signed zone is passed as input
10139N/A to the signer, and a DNSKEY record has been removed and
10139N/A replaced with a new one, signatures from the old key
10139N/A that are still within their validity period are retained.
10139N/A This allows the zone to continue to validate with cached
10139N/A copies of the old DNSKEY RRset. The <
code class="option">-R</
code> forces
11160N/A <
span><
strong class="command">dnssec-signzone</
strong></
span> to remove all orphaned
10139N/A<
dt><
span class="term">-r <
em class="replaceable"><
code>randomdev</
code></
em></
span></
dt>
10139N/A Specifies the source of randomness. If the operating
10139N/A or equivalent device, the default source of randomness
10139N/A is keyboard input. <
code class="filename">randomdev</
code>
10139N/A the name of a character device or file containing random
10139N/A data to be used instead of the default. The special value
10139N/A <
code class="filename">keyboard</
code> indicates that keyboard
10139N/A<
dt><
span class="term">-S</
span></
dt>
10139N/A Smart signing: Instructs <
span><
strong class="command">dnssec-signzone</
strong></
span> to
10139N/A search the key repository for keys that match the zone being
10139N/A signed, and to include them in the zone if appropriate.
10139N/A When a key is found, its timing metadata is examined to
10139N/A determine how it should be used, according to the following
10139N/A rules. Each successive rule takes priority over the prior
10139N/A If no timing metadata has been set for the key, the key is
10139N/A published in the zone and used to sign the zone.
10139N/A If the key's publication date is set and is in the past, the
10139N/A If the key's activation date is set and in the past, the
10139N/A key is published (regardless of publication date) and
10139N/A If the key's revocation date is set and in the past, and the
10139N/A key is published, then the key is revoked, and the revoked key
10139N/A If either of the key's unpublication or deletion dates are set
10139N/A and in the past, the key is NOT published or used to sign the
10139N/A zone, regardless of any other metadata.
10139N/A<
dt><
span class="term">-T <
em class="replaceable"><
code>ttl</
code></
em></
span></
dt>
10139N/A Specifies a TTL to be used for new DNSKEY records imported
10139N/A into the zone from the key repository. If not
10139N/A specified, the default is the TTL value from the zone's SOA
10139N/A record. This option is ignored when signing without
10139N/A <
code class="option">-S</
code>, since DNSKEY records are not imported
10139N/A from the key repository in that case. It is also ignored if
10139N/A there are any pre-existing DNSKEY records at the zone apex,
10139N/A in which case new records' TTL values will be set to match
10139N/A them, or if any of the imported DNSKEY records had a default
10139N/A TTL value. In the event of a a conflict between TTL values in
10139N/A imported keys, the shortest one is used.
10139N/A<
dt><
span class="term">-t</
span></
dt>
10139N/A Print statistics at completion.
10139N/A<
dt><
span class="term">-u</
span></
dt>
10139N/A zone. With this option, a zone signed with NSEC can be
10139N/A switched to NSEC3, or a zone signed with NSEC3 can
10139N/A be switch to NSEC or to NSEC3 with different parameters.
10139N/A Without this option, <
span><
strong class="command">dnssec-signzone</
strong></
span> will
10139N/A retain the existing chain when re-signing.
10139N/A<
dt><
span class="term">-v <
em class="replaceable"><
code>level</
code></
em></
span></
dt>
10139N/A<
dt><
span class="term">-x</
span></
dt>
10139N/A Only sign the DNSKEY RRset with key-signing keys, and omit
10139N/A signatures from zone-signing keys. (This is similar to the
10139N/A <
span><
strong class="command">dnssec-dnskey-kskonly yes;</
strong></
span> zone option in
10139N/A <
span><
strong class="command">named</
strong></
span>.)
10139N/A<
dt><
span class="term">-z</
span></
dt>
10139N/A Ignore KSK flag on key when determining what to sign. This
10139N/A causes KSK-flagged keys to sign all records, not just the
10139N/A DNSKEY RRset. (This is similar to the
10139N/A <
span><
strong class="command">update-check-ksk no;</
strong></
span> zone option in
10139N/A <
span><
strong class="command">named</
strong></
span>.)
10139N/A<
dt><
span class="term">-3 <
em class="replaceable"><
code>salt</
code></
em></
span></
dt>
10139N/A Generate an NSEC3 chain with the given hex encoded salt.
10139N/A A dash (<
em class="replaceable"><
code>salt</
code></
em>) can
10139N/A be used to indicate that no salt is to be used when generating the NSEC3 chain.
10139N/A<
dt><
span class="term">-H <
em class="replaceable"><
code>iterations</
code></
em></
span></
dt>
10139N/A When generating an NSEC3 chain, use this many iterations. The
10139N/A<
dt><
span class="term">-A</
span></
dt>
10139N/A When generating an NSEC3 chain set the OPTOUT flag on all
10139N/A NSEC3 records and do not generate NSEC3 records for insecure
10139N/A Using this option twice (
i.e., <
code class="option">-AA</
code>)
10139N/A turns the OPTOUT flag off for all records. This is useful
10139N/A when using the <
code class="option">-u</
code> option to modify an NSEC3
10139N/A chain which previously had OPTOUT set.
10139N/A<
dt><
span class="term">zonefile</
span></
dt>
10139N/A The file containing the zone to be signed.
10139N/A<
dt><
span class="term">key</
span></
dt>
10139N/A Specify which keys should be used to sign the zone. If
10139N/A no keys are specified, then the zone will be examined
10139N/A for DNSKEY records at the zone apex. If these are found and
10139N/A there are matching private keys, in the current directory,
10139N/A then these will be used for signing.
11232N/A<
div class="refsect1" lang="en">
11232N/A<
a name="id2670750"></
a><
h2>EXAMPLE</
h2>
10139N/A The following command signs the <
strong class="userinput"><
code>
example.com</
code></
strong>
10139N/A zone with the DSA key generated by <
span><
strong class="command">dnssec-keygen</
strong></
span>
10139N/A is not being used, the zone's keys must be in the master file
10139N/A for <
code class="filename">dsset</
code> files, in the current directory,
10139N/A so that DS records can be imported from them (<
span><
strong class="command">-g</
strong></
span>).
10139N/A In the above example, <
span><
strong class="command">dnssec-signzone</
strong></
span> creates
10139N/A file should be referenced in a zone statement in a
10139N/A This example re-signs a previously signed zone with default parameters.
10139N/A The private keys are assumed to be in the current directory.
10139N/A<
div class="refsect1" lang="en">
10139N/A<
a name="id2670898"></
a><
h2>SEE ALSO</
h2>
10139N/A<
p><
span class="citerefentry"><
span class="refentrytitle">dnssec-keygen</
span>(8)</
span>,
10139N/A <
em class="citetitle">BIND 9 Administrator Reference Manual</
em>,
10139N/A <
em class="citetitle">RFC 4033</
em>.
10139N/A<
div class="refsect1" lang="en">
10139N/A<
a name="id2670922"></
a><
h2>AUTHOR</
h2>
10139N/A<
p><
span class="corpauthor">Internet Systems Consortium</
span>
10139N/A<
table width="100%" summary="Navigation footer">
10139N/A<
td width="40%" align="left" valign="top">
10139N/A<
span class="application">dnssec-settime</
span>�</
td>
10139N/A<
td width="40%" align="right" valign="top">�<
span class="application">dnssec-verify</
span>