<!--
 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-signzone.html,v 1.134 2009/10/06 01:14:42 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="refentry" lang="en">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2610766"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
 signs a zone. It generates
 NSEC and RRSIG records and produces a signed version of the
 zone. The security status of delegations from the signed zone
 (that is, whether the child zones are secure or not) is
 determined by the presence or absence of a
 <code class="filename">keyset</code> file for each child zone.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2610786"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
 Verify all generated signatures.
 </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Specifies the DNS class of the zone.
 </p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
 Compatibility mode: Generate a
 <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
 file in addition to
 <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
 when signing a zone, for use by older versions of
 <span><strong class="command">dnssec-signzone</strong></span>.
 </p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Look for <code class="filename">dsset-</code> or
 <code class="filename">keyset-</code> files in <code class="option">directory</code>.
 </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
 Use crypto hardware (an OpenSSL engine) for the crypto operations
 it supports, for instance signing with private keys from
 a secure key store. When compiled with PKCS#11 support,
 it defaults to pkcs11; the empty name resets it to no engine.
 </p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>
 Generate DS records for child zones from
 <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
 file. Existing DS records will be removed.
 </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Key repository: Specify a directory to search for DNSSEC keys.
 If not specified, defaults to the current directory.
 </p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
 Treat specified key as a key signing key ignoring any
 key flags. This option may be specified multiple times.
 </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
 Generate a DLV set in addition to the key (DNSKEY) and DS sets.
 The domain is appended to the name of the records.
 </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
 Specify the date and time when the generated RRSIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <code class="option">start-time</code> is specified, the current
 time minus 1 hour (to allow for clock skew) is used.
 </p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>
 Specify the date and time when the generated RRSIG records
 expire. As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">end-time</code> is
 specified, 30 days from the start time is used as a default.
 <code class="option">end-time</code> must be later than
 <code class="option">start-time</code>.
 </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
 The name of the output file containing the signed zone. The
 default is to append <code class="filename">.signed</code> to
 the input filename.
 </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-signzone</strong></span>.
 </p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
 When a previously-signed zone is passed as input, records
 may be re-signed. The <code class="option">interval</code> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.
 </p>
<p>
 The default cycle interval is one quarter of the difference
 between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 is specified, <span><strong class="command">dnssec-signzone</strong></span>
 generates
 signatures that are valid for 30 days, with a cycle
 interval of 7.5 days. Therefore, if any existing RRSIG records
 are due to expire in less than 7.5 days, they would be
 replaced.
 </p>
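<p>
 Added example, not part of the BIND distribution: a Python model of how the
 <code class="option">-s</code>, <code class="option">-e</code> and
 <code class="option">-i</code> rules described on this page combine to decide which
 existing RRSIG records are replaced. Function names and the sample RRSIG
 labels are constructed for illustration.
 </p>

```python
from datetime import datetime, timedelta, timezone

ABS_FMT = "%Y%m%d%H%M%S"  # absolute notation accepted by -s and -e


def parse_abs(spec):
    """Parse YYYYMMDDHHMMSS as a UTC timestamp."""
    return datetime.strptime(spec, ABS_FMT).replace(tzinfo=timezone.utc)


def start_time(spec, now):
    """-s: absolute, or +N seconds from now; default is now minus 1 hour."""
    if spec is None:
        return now - timedelta(hours=1)
    if spec.startswith("+"):
        return now + timedelta(seconds=int(spec[1:]))
    return parse_abs(spec)


def end_time(spec, start, now):
    """-e: absolute, +N from start, or now+N; default is start plus 30 days."""
    if spec is None:
        end = start + timedelta(days=30)
    elif spec.startswith("now+"):
        end = now + timedelta(seconds=int(spec[4:]))
    elif spec.startswith("+"):
        end = start + timedelta(seconds=int(spec[1:]))
    else:
        end = parse_abs(spec)
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    return end


def plan_resign(expirations, now, s=None, e=None, i=None):
    """Split existing RRSIG expirations into 'retain' and 'replace'.

    expirations maps a label to that signature's expiration time.
    A signature is retained only if it expires after now + cycle interval.
    """
    start = start_time(s, now)
    end = end_time(e, start, now)
    # Default cycle interval: one quarter of the signature validity period.
    interval = (end - start) / 4 if i is None else timedelta(seconds=int(i))
    cutoff = now + interval
    plan = {"start": start, "end": end, "interval": interval,
            "retain": [], "replace": []}
    for label, expires in sorted(expirations.items()):
        plan["retain" if expires > cutoff else "replace"].append(label)
    return plan


# Constructed sample data; "now" is the timestamp the -s text uses as its example.
NOW = parse_abs("20000530144500")
SAMPLE_RRSIGS = {
    "www A": parse_abs("20000605000000"),    # expires inside the 7.5-day window
    "mail MX": parse_abs("20000610000000"),  # expires after the window
    "old TXT": parse_abs("20000529000000"),  # already expired
}

if __name__ == "__main__":
    plan = plan_resign(SAMPLE_RRSIGS, NOW)
    print("new signatures valid:", plan["start"], "to", plan["end"])
    print("cycle interval:", plan["interval"])
    print("replace:", plan["replace"], "retain:", plan["retain"])
```

<p>
 If the signer runs less often than the cycle interval, a retained signature
 can expire before the next run, so the run schedule and
 <code class="option">-i</code> need to be chosen together.
 </p>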
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
 The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be signed directly.
 The use of this option does not make much sense for
 non-dynamic zones.
 </p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd>
<p>
 When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously-signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <code class="option">jitter</code> option specifies a
 jitter window that will be used to randomize the signature
 expiry time, thus spreading incremental signature
 regeneration over time.
 </p>
<p>
 Signature lifetime jitter also benefits validators and
 servers to some extent by spreading out cache expiration:
 if large numbers of RRSIGs do not expire at the same time
 from all caches, there will be less congestion than if all
 validators need to refetch at mostly the same time.
 </p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>
 Specifies the number of threads to use. By default, one
 thread is started for each detected CPU.
 </p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd>
<p>
 The SOA serial number format of the signed zone.
 Possible formats are <span><strong class="command">"keep"</strong></span> (default),
 <span><strong class="command">"increment"</strong></span> and
 <span><strong class="command">"unixtime"</strong></span>.
 </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
 arithmetic.</p></dd>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
 since epoch.</p></dd>
</dl></div>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
 The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.
 </p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>
 The format of the output file containing the signed zone.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 </p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
 Use pseudo-random data when signing the zone. This is faster,
 but less secure, than using real random data. This option
 may be useful when signing large zones or when the entropy
 source is limited.
 </p></dd>
<dt><span class="term">-P</span></dt>
<dd>
<p>
 Disable post-sign verification tests.
 </p>
<p>
 The post-sign verification test ensures that for each algorithm
 in use there is at least one non-revoked, self-signed KSK,
 that all revoked KSKs are self-signed, and that all records
 in the zone are signed by the algorithm.
 This option skips these tests.
 </p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code>
 specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
 </p></dd>
105e151299dc1208855380be2b22d0db2d66ebc6Lennart Poettering<dt><span class="term">-S</span></dt>
105e151299dc1208855380be2b22d0db2d66ebc6Lennart Poettering<dd>
105e151299dc1208855380be2b22d0db2d66ebc6Lennart Poettering<p>
105e151299dc1208855380be2b22d0db2d66ebc6Lennart Poettering Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
 search the key repository for keys that match the zone being
 signed, and to include them in the zone if appropriate.
 </p>
<p>
 When a key is found, its timing metadata is examined to
 determine how it should be used, according to the following
 rules. Each successive rule takes priority over the prior
 ones:
 </p>
<div class="variablelist"><dl>
<dt></dt>
<dd><p>
 If no timing metadata has been set for the key, the key is
 published in the zone and used to sign the zone.
 </p></dd>
<dt></dt>
<dd><p>
 If the key's publication date is set and is in the past, the
 key is published in the zone.
 </p></dd>
<dt></dt>
<dd><p>
 If the key's activation date is set and in the past, the
 key is published (regardless of publication date) and
 used to sign the zone.
 </p></dd>
<dt></dt>
<dd><p>
 If the key's revocation date is set and in the past, and the
 key is published, then the key is revoked, and the revoked key
 is used to sign the zone.
 </p></dd>
<dt></dt>
<dd><p>
 If either the key's unpublication date or its deletion date is
 set and in the past, the key is NOT published or used to sign the
 zone, regardless of any other metadata.
 </p></dd>
</dl></div>
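<p>
 The rule ordering above, worked through as an added example (this is not
 ISC's code). The field names in <code>FIELDS</code>, the sample keys and
 the choice to clear the revoked state under the last rule are assumptions
 made for illustration.
 </p>

```python
from datetime import datetime, timedelta, timezone

# Hypothetical field names for the five dates the rules mention.
FIELDS = ("publish", "activate", "revoke", "unpublish", "delete")

def key_usage(meta, now):
    """Apply the five rules in order; each later rule overrides earlier ones.

    meta maps the names in FIELDS to timezone-aware datetimes; a missing
    or None entry means that date was never set.
    """
    def past(field):
        when = meta.get(field)
        return when is not None and when <= now

    published = signing = revoked = False
    # Rule 1: no timing metadata at all -> publish and sign.
    if all(meta.get(f) is None for f in FIELDS):
        published = signing = True
    # Rule 2: publication date in the past -> publish only.
    if past("publish"):
        published = True
    # Rule 3: activation date in the past -> publish and sign, even when
    # the publication date is unset or still in the future.
    if past("activate"):
        published = signing = True
    # Rule 4: revocation applies only to a key that is already published.
    if past("revoke") and published:
        revoked = signing = True
    # Rule 5: unpublication or deletion in the past wins over everything.
    if past("unpublish") or past("delete"):
        published = signing = revoked = False  # clearing revoked: assumption
    return {"published": published, "signing": signing, "revoked": revoked}

# Constructed sample keys, evaluated at a fixed "now".
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)
SAMPLES = {
    "no-metadata": {},
    "pre-published": {"publish": NOW - DAY, "activate": NOW + DAY},
    "active-early": {"publish": NOW + DAY, "activate": NOW - DAY},
    "revoke-unpublished": {"revoke": NOW - DAY},
    "revoked": {"activate": NOW - 2 * DAY, "revoke": NOW - DAY},
    "retired": {"activate": NOW - 2 * DAY, "delete": NOW - DAY},
}

if __name__ == "__main__":
    for label, meta in SAMPLES.items():
        print(f"{label:20} {key_usage(meta, NOW)}")
```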
</dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
 Specifies the TTL to be used for new DNSKEY records imported
 into the zone from the key repository. If not specified,
 the default is the minimum TTL value from the zone's SOA
 record. This option is ignored when signing without
 <code class="option">-S</code>, since DNSKEY records are not imported
 from the key repository in that case. It is also ignored if
 there are any pre-existing DNSKEY records at the zone apex,
 in which case new records' TTL values will be set to match
 them.
 </p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>
 Print statistics at completion.
 </p></dd>
<dt><span class="term">-u</span></dt>
<dd><p>
 Update NSEC/NSEC3 chain when re-signing a previously signed
 zone. With this option, a zone signed with NSEC can be
 switched to NSEC3, or a zone signed with NSEC3 can
 be switched to NSEC or to NSEC3 with different parameters.
 Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
 retain the existing chain when re-signing.
 </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
 </p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
 Ignore KSK flag on key when determining what to sign.
 </p></dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd><p>
 Generate an NSEC3 chain with the given hex-encoded salt.
 A dash (<code class="option">-</code>) given in place of
 <em class="replaceable"><code>salt</code></em> indicates that no salt
 is to be used when generating the NSEC3 chain.
 </p></dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd><p>
 When generating an NSEC3 chain, use this many iterations. The
 default is 10.
 </p></dd>
<dt><span class="term">-A</span></dt>
<dd>
<p>
 When generating an NSEC3 chain, set the OPTOUT flag on all
 NSEC3 records and do not generate NSEC3 records for insecure
 delegations.
 </p>
<p>
 Using this option twice (i.e., <code class="option">-AA</code>)
 turns the OPTOUT flag off for all records. This is useful
 when using the <code class="option">-u</code> option to modify an NSEC3
 chain which previously had OPTOUT set.
 </p>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
 The file containing the zone to be signed.
 </p></dd>
<dt><span class="term">key</span></dt>
<dd><p>
 Specify which keys should be used to sign the zone. If
 no keys are specified, then the zone will be examined
 for DNSKEY records at the zone apex. If these are found and
 there are matching private keys in the current directory,
 then these will be used for signing.
 </p></dd>
</dl></div>
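<p>
 How the <code class="option">-3</code> salt and the
 <code class="option">-H</code> iteration count enter the hashed owner names
 of an NSEC3 chain, as an added example (not part of the original page or of
 BIND). It assumes NSEC3 hash algorithm 1 (SHA-1) as defined in RFC 5155;
 the function names are hypothetical.
 </p>

```python
import base64
import hashlib

_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32HEX = "0123456789abcdefghijklmnopqrstuv"   # base32hex alphabet, lower case

def parse_salt(arg):
    """Decode a -3 argument: '-' means no salt, anything else is hex."""
    return b"" if arg == "-" else bytes.fromhex(arg)

def wire_name(name):
    """Canonical (lower-case) DNS wire format of an owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue                      # root name: no labels
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name, salt_arg, iterations=10):
    """Hashed owner name for `name`; 10 is the page's stated -H default.

    `iterations` counts the additional rounds after the first hash, so
    SHA-1 runs iterations + 1 times, with the salt appended every time.
    """
    salt = parse_salt(salt_arg)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    text = base64.b32encode(digest).decode("ascii")
    return text.translate(str.maketrans(_B32, _B32HEX))

if __name__ == "__main__":
    # Parameters of the RFC 5155 Appendix A sample zone: salt aabbccdd, 12 iterations.
    for owner in ("example", "a.example"):
        print(owner, nsec3_hash(owner, "aabbccdd", 12))
    # Same name hashed with no salt and the default iteration count.
    print("example", nsec3_hash("example", "-"))
```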
</div>
<div class="refsect1" lang="en">
<a name="id2662410"></a><h2>EXAMPLE</h2>
<p>
 The following command signs the <strong class="userinput"><code>example.com</code></strong>
 zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
 (Kexample.com.+003+17247). The zone's keys must be in the master
 file (<code class="filename">db.example.com</code>). This invocation looks
 for <code class="filename">keyset</code> files, in the current directory,
 so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
 </p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</pre>
<p>
 In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
 the file <code class="filename">db.example.com.signed</code>. This
 file should be referenced in a zone statement in a
 <code class="filename">named.conf</code> file.
 </p>
<p>
 This example re-signs a previously signed zone with default parameters.
 The private keys are assumed to be in the current directory.
 </p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
<a name="id2662483"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
 <em class="citetitle">RFC 4033</em>.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2662507"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
 </p>
</div>
</div>
</body>
</html>