man.dnssec-signzone.html revision 7e71f05d8643aca84914437c900cb716444507e4
 - Copyright (C) 2000-2015 Internet Systems Consortium, Inc. ("ISC")
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
<a accesskey="p" href="man.dnssec-settime.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-verify.html">Next</a>
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-Q</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
<p><span class="command"><strong>dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
zone. The security status of delegations from the signed zone
(that is, whether the child zones are secure or not) is
determined by the presence or absence of a
<code class="filename">keyset</code> file for each child zone.
Verify all generated signatures.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
Specifies the DNS class of the zone.
Compatibility mode: Generate a
<code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
file in addition to
<code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
when signing a zone, for use by older versions of
<span class="command"><strong>dnssec-signzone</strong></span>.
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<code class="filename">keyset-</code> files in <code class="option">directory</code>.
Output only those record types automatically managed by
<span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
NSEC3 and NSEC3PARAM records. If smart signing
(<code class="option">-S</code>) is used, DNSKEY records are also
included. The resulting file can be included in the original
zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
cannot be combined with <code class="option">-O raw</code>,
<code class="option">-O map</code>, or serial number updating.
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
When applicable, specifies the hardware to use for
cryptographic operations, such as a secure key store used
for signing.
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
Generate DS records for child zones from
<code class="filename">dsset-</code> or <code class="filename">keyset-</code>
files. Existing DS records will be removed.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
Key repository: Specify a directory to search for DNSSEC keys.
If not specified, defaults to the current directory.
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
Treat the specified key as a key signing key, ignoring any
key flags. This option may be specified multiple times.
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
Sets the maximum TTL for the signed zone.
Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
in the output. This provides certainty as to the largest
possible TTL in the signed zone, which is useful to know when
rolling keys because it is the longest possible time before
signatures that have been retrieved by resolvers will expire
from resolver caches. Zones that are signed with this
option should be configured to use a matching
<code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
(Note: This option is incompatible with <code class="option">-D</code>,
because it modifies non-DNSSEC data in the output zone.)
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
Specify the date and time when the generated RRSIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <code class="option">start-time</code> is specified, the current
time minus 1 hour (to allow for clock skew) is used.
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
Specify the date and time when the generated RRSIG records
expire. As with <code class="option">start-time</code>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <code class="option">end-time</code> is
specified, 30 days from the start time is used as a default.
<code class="option">end-time</code> must be later than
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
Specify the date and time when the generated RRSIG records
for the DNSKEY RRset will expire. This is to be used in cases
when the DNSKEY signatures need to persist longer than
signatures on other records; e.g., when the private component
of the KSK is kept offline and the KSK signature is to be
refreshed manually.
As with <code class="option">start-time</code>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <code class="option">extended end-time</code> is
specified, the value of <code class="option">end-time</code> is used as
the default. (<code class="option">end-time</code>, in turn, defaults to
30 days from the start time.) <code class="option">extended end-time</code>
must be later than <code class="option">start-time</code>.
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
The name of the output file containing the signed zone. The
default is to append <code class="filename">.signed</code> to
the input filename. If <code class="option">output-file</code> is
set to <code class="literal">"-"</code>, then the signed zone is
written to the standard output, with a default output
format of "full".
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-signzone</strong></span>.
Prints version information.
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
When a previously-signed zone is passed as input, records
may be resigned. The <code class="option">interval</code> option
specifies the cycle interval as an offset from the current
time (in seconds). If an RRSIG record expires after the
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<code class="option">end-time</code> nor <code class="option">start-time</code>
is specified, <span class="command"><strong>dnssec-signzone</strong></span>
generates signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing RRSIG records
are due to expire in less than 7.5 days, they would be
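The timing rules for <code class="option">-s</code>, <code class="option">-e</code>, <code class="option">-X</code> and <code class="option">-i</code> described above, modelled in Python as an added example (this is not ISC's code). It assumes absolute times are UTC, the sample instant is the page's 20000530144500, and all function names are the example's own.

```python
# Model of dnssec-signzone's RRSIG timing rules: start-time, end-time,
# extended end-time and the -i cycle interval.  Added illustration, not
# code from BIND.  Absolute times are taken to be UTC.
import re
from datetime import datetime, timedelta, timezone

ABSOLUTE = re.compile(r"\d{14}")          # YYYYMMDDHHMMSS
RELATIVE = re.compile(r"(now)?\+(\d+)")   # +N or now+N


def parse_time(spec, now, start=None):
    """Interpret one time argument.

    YYYYMMDDHHMMSS is an absolute UTC time.  '+N' is N seconds after the
    start time, or after the current time when the start time itself is
    being parsed (start is None).  'now+N' is N seconds after the current
    time regardless of the start time.
    """
    if ABSOLUTE.fullmatch(spec):
        return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    m = RELATIVE.fullmatch(spec)
    if m:
        base = now if (m.group(1) or start is None) else start
        return base + timedelta(seconds=int(m.group(2)))
    raise ValueError(f"unrecognised time specification: {spec!r}")


def signing_window(now, start_spec=None, end_spec=None, xend_spec=None,
                   interval=None):
    """Resolve the signing window and cycle interval from the option values."""
    # -s default: one hour in the past, to tolerate clock skew on validators.
    start = parse_time(start_spec, now) if start_spec else now - timedelta(hours=1)
    # -e default: 30 days after the start time; it must be later than start.
    end = parse_time(end_spec, now, start) if end_spec else start + timedelta(days=30)
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    # -X default: same as end-time; only applies to RRSIGs over the DNSKEY RRset.
    xend = parse_time(xend_spec, now, start) if xend_spec else end
    if xend <= start:
        raise ValueError("extended end-time must be later than start-time")
    # -i default: one quarter of the signature validity period.
    cycle = timedelta(seconds=interval) if interval is not None else (end - start) / 4
    return {"start": start, "end": end, "dnskey_end": xend, "cycle": cycle}


def rrsig_retained(expiry, now, cycle):
    """-i rule when re-signing: an existing RRSIG is kept only if it expires
    after the cycle interval; otherwise it is 'expiring soon' and replaced."""
    return expiry > now + cycle


if __name__ == "__main__":
    # Constructed sample instant: the page's 14:45:00 UTC on May 30th, 2000.
    now = datetime(2000, 5, 30, 14, 45, tzinfo=timezone.utc)
    w = signing_window(now)
    print("start", w["start"], "end", w["end"], "cycle", w["cycle"])
    # An RRSIG expiring in 3 days is inside the 7.5-day default cycle.
    print(rrsig_retained(now + timedelta(days=3), now, w["cycle"]))  # -> False
```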
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
The format of the input zone file.
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
<span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be signed directly.
The use of this option does not make much sense for
non-dynamic zones.
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expire
simultaneously. If the zone is incrementally signed, i.e.
a previously-signed zone is passed as input to the signer,
all expired signatures have to be regenerated at about the
same time. The <code class="option">jitter</code> option specifies a
jitter window that will be used to randomize the signature
expiration time, thus spreading incremental signature
regeneration over time.
Signature lifetime jitter also benefits validators and servers
to some extent by spreading out cache expiration: if large
numbers of RRSIGs don't expire at the same time from all
caches, there will be less congestion than if all validators
need to refetch at mostly the same time.
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
When writing a signed zone to "raw" or "map" format, set the
"source serial" value in the header to the specified serial
number. (This is expected to be used primarily for testing
purposes.)
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
The SOA serial number format of the signed zone.
Possible formats are <span class="command"><strong>"keep"</strong></span> (default),
<span class="command"><strong>"increment"</strong></span>, <span class="command"><strong>"unixtime"</strong></span>,
and <span class="command"><strong>"date"</strong></span>.
<dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt>
<dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
<dt><span class="term"><span class="command"><strong>"date"</strong></span></span></dt>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
The format of the output file containing the signed zone.
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
which is the standard textual representation of the zone;
<span class="command"><strong>"full"</strong></span>, which is text output in a
format suitable for processing by external scripts;
and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in
binary formats for rapid loading by <span class="command"><strong>named</strong></span>.
<span class="command"><strong>"raw=N"</strong></span> specifies the format version of
the raw zone file: if N is 0, the raw file can be read by
any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
can be read by release 9.9.0 or higher; the default is 1.
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
Disable post-sign verification tests.
The post-sign verification test ensures that for each algorithm
in use there is at least one non-revoked, self-signed KSK,
that all revoked KSKs are self-signed, and that all records
in the zone are signed by that algorithm.
This option skips these tests.
Remove signatures from keys that are no longer active.
Normally, when a previously-signed zone is passed as input
to the signer, and a DNSKEY record has been removed and
replaced with a new one, signatures from the old key
that are still within their validity period are retained.
This allows the zone to continue to validate with cached
copies of the old DNSKEY RRset. The <code class="option">-Q</code> option
forces <span class="command"><strong>dnssec-signzone</strong></span> to remove
signatures from keys that are no longer active. This
enables ZSK rollover using the procedure described in
RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
Remove signatures from keys that are no longer published.
This option is similar to <code class="option">-Q</code>, except it
forces <span class="command"><strong>dnssec-signzone</strong></span> to remove signatures from
keys that are no longer published. This enables ZSK rollover
using the procedure described in RFC 4641, section 4.2.1.2
("Double Signature Zone Signing Key Rollover").
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
Smart signing: Instructs <span class="command"><strong>dnssec-signzone</strong></span> to
search the key repository for keys that match the zone being
signed, and to include them in the zone if appropriate.
When a key is found, its timing metadata is examined to
determine how it should be used, according to the following
rules. Each successive rule takes priority over the prior
If no timing metadata has been set for the key, the key is
published in the zone and used to sign the zone.
If the key's publication date is set and is in the past, the
Kexample.com.+003+17247