<!-- man.dnssec-signzone.html revision c2258eedf2d9d0207b45b90014f8fde5413b41a3 -->
<!--
 - Copyright (C) 2000-2015 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C</code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-n <em class="replaceable"><code>ncpus</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-Q</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
<a name="id-1.14.14.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-signzone</strong></span>
 signs a zone. It generates
 NSEC (or, with <code class="option">-3</code>, NSEC3) and RRSIG records and produces a signed version of the
 zone. The security status of delegations from the signed zone
 (that is, whether the child zones are secure or not) is
 determined by the presence or absence of a
 <code class="filename">dsset-</code> or <code class="filename">keyset-</code> file for each child zone.
</p>
<a name="id-1.14.14.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a</span></dt>
<dd><p>
 Verify all generated signatures.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Specifies the DNS class of the zone.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
 Compatibility mode: Generate a
 <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
 file in addition to
 <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
 when signing a zone, for use by older versions of
 <span class="command"><strong>dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Look for <code class="filename">dsset-</code> or
 <code class="filename">keyset-</code> files in <code class="option">directory</code>.
</p></dd>
<dt><span class="term">-D</span></dt>
<dd><p>
 Output only those record types automatically managed by
 <span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
 NSEC3 and NSEC3PARAM records. If smart signing
 (<code class="option">-S</code>) is used, DNSKEY records are also
 included. The resulting file can be included in the original
 zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
 cannot be combined with <code class="option">-O raw</code>,
 <code class="option">-O map</code>, or serial number updating.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
 When applicable, specifies the hardware to use for
 cryptographic operations, such as a secure key store used
 for signing.
</p>
<p>
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware service
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
</p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>
 Generate DS records for child zones from the
 <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
 files. Existing DS records will be removed.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Key repository: Specify a directory to search for DNSSEC keys.
 If not specified, defaults to the current directory.
</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
 Treat the specified key as a key signing key, ignoring any
 key flags. This option may be specified multiple times.
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
 Generate a DLV set in addition to the key (DNSKEY) and DS sets.
 The domain is appended to the name of the records.
</p></dd>
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
<dd><p>
 Sets the maximum TTL for the signed zone.
 Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
 input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
 in the output. This provides certainty as to the largest
 possible TTL in the signed zone, which is useful to know when
 rolling keys because it is the longest possible time before
 signatures that have been retrieved by resolvers will expire
 from resolver caches. Zones that are signed with this
 option should be configured to use a matching
 <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
 (Note: This option is incompatible with <code class="option">-D</code>,
 because it modifies non-DNSSEC data in the output zone.)
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
 Specify the date and time when the generated RRSIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <code class="option">start-time</code> is specified, the current
 time minus 1 hour (to allow for clock skew) is used.
</p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>
 Specify the date and time when the generated RRSIG records
 expire. As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">end-time</code> is
 specified, 30 days from the start time is used as a default.
 <code class="option">end-time</code> must be later than
 <code class="option">start-time</code>.
</p></dd>
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
<dd><p>
 Specify the date and time when the generated RRSIG records
 for the DNSKEY RRset will expire. This is to be used in cases
 when the DNSKEY signatures need to persist longer than
 signatures on other records; e.g., when the private component
 of the KSK is kept offline and the KSK signature is to be
 refreshed manually.
</p>
<p>
 As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">extended end-time</code> is
 specified, the value of <code class="option">end-time</code> is used as
 the default. (<code class="option">end-time</code>, in turn, defaults to
 30 days from the start time.) <code class="option">extended end-time</code>
 must be later than <code class="option">start-time</code>.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
 The name of the output file containing the signed zone. The
 default is to append <code class="filename">.signed</code> to
 the input filename. If <code class="option">output-file</code> is
 set to <code class="literal">"-"</code>, then the signed zone is
 written to the standard output, with a default output
 format of "full".
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span class="command"><strong>dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
 Prints version information.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd><p>
 When a previously-signed zone is passed as input, records
 may be resigned. The <code class="option">interval</code> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.
</p>
<p>
 The default cycle interval is one quarter of the difference
 between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 is specified, <span class="command"><strong>dnssec-signzone</strong></span> generates
 signatures that are valid for 30 days, with a cycle
 interval of 7.5 days. Therefore, if any existing RRSIG records
 are due to expire in less than 7.5 days, they would be
 replaced.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
 The format of the input zone file.
 Possible formats are <span class="command"><strong>"text"</strong></span> (default),
 <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be signed directly.
 The use of this option does not make much sense for
 non-dynamic zones.
</p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd><p>
 When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously-signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <code class="option">jitter</code> option specifies a
 jitter window that will be used to randomize the signature
 expire time, thus spreading incremental signature
 regeneration over time.
</p>
<p>
 Signature lifetime jitter also to some extent benefits
 validators and servers by spreading out cache expiration,
 i.e. if large numbers of RRSIGs don't expire at the same time
 from all caches there will be less congestion than if all
 validators need to refetch at mostly the same time.
</p></dd>
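<p>The timing rules for <code class="option">-s</code>, <code class="option">-e</code>, <code class="option">-X</code>, <code class="option">-i</code> and <code class="option">-j</code> above, carried through in Python as an added example (not code from BIND or from this manual): it resolves the documented defaults, applies the cycle-interval test to an existing RRSIG, and randomises an expiration inside the jitter window. The constructed "current time", the choice to subtract (rather than add) the jitter, and the function names are this example's own assumptions.</p>

```python
"""Added example (not BIND's code): resolve RRSIG timing from the -s/-e/-X/-i/-j
rules on this page, then decide whether an existing RRSIG is due for re-signing."""
import random
import re
from datetime import datetime, timedelta, timezone

ABSOLUTE = re.compile(r"^\d{14}$")  # YYYYMMDDHHMMSS
# Constructed "current time" for the demonstration below.
EXAMPLE_NOW = datetime(2015, 6, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_time(spec, now, start=None):
    """Parse one time argument:
    'YYYYMMDDHHMMSS'  absolute time, read as UTC (20000530144500 is 14:45 UTC, 30 May 2000)
    '+N'              N seconds after the start time, or after now when resolving -s itself
    'now+N'           N seconds after the current time"""
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        base = now if start is None else start
        return base + timedelta(seconds=int(spec[1:]))
    if ABSOLUTE.match(spec):
        return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    raise ValueError("unrecognised time specification: %r" % spec)


def resolve_times(now, start=None, end=None, xend=None, interval=None):
    """Apply the documented defaults: start = now - 1h (clock skew), end = start + 30d,
    extended end (-X, RRSIG over the DNSKEY RRset) = end, cycle interval (-i) = (end - start) / 4."""
    inception = parse_time(start, now) if start else now - timedelta(hours=1)
    expiration = parse_time(end, now, inception) if end else inception + timedelta(days=30)
    if expiration <= inception:
        raise ValueError("end-time must be later than start-time")
    dnskey_expiration = parse_time(xend, now, inception) if xend else expiration
    if dnskey_expiration <= inception:
        raise ValueError("extended end-time must be later than start-time")
    cycle = timedelta(seconds=interval) if interval is not None else (expiration - inception) / 4
    return {"inception": inception, "expiration": expiration,
            "dnskey_expiration": dnskey_expiration, "cycle": cycle}


def needs_resign(rrsig_expiration, now, cycle):
    """-i rule: an RRSIG expiring after now + cycle is retained; otherwise it is
    'expiring soon' and gets replaced on this run."""
    return rrsig_expiration <= now + cycle


def jittered_expiration(expiration, jitter_seconds, seed=None):
    """-j: pull an RRSIG's expiration back by a random amount inside the jitter window so
    that signatures stop expiring all at once. Subtracting rather than adding is this
    example's choice; the page only says the expiration is randomised."""
    if jitter_seconds <= 0:
        return expiration
    return expiration - timedelta(seconds=random.Random(seed).randrange(jitter_seconds))


if __name__ == "__main__":
    t = resolve_times(EXAMPLE_NOW)
    for k, v in t.items():
        print("%-18s %s" % (k, v))
    soon = EXAMPLE_NOW + t["cycle"] / 2
    print("RRSIG expiring", soon, "replaced:", needs_resign(soon, EXAMPLE_NOW, t["cycle"]))
    print("jittered expiration:", jittered_expiration(t["expiration"], 3600, seed=1))
```

<p>Running it with no arguments reproduces the page's numbers: inception one hour before the constructed "now", a 30-day lifetime, and a 7.5-day cycle interval, so an RRSIG with less than 7.5 days left is replaced while one with 15 days left is kept. Relative forms are resolved against the right base (<code class="option">-s +N</code> against the current time, <code class="option">-e +N</code> against the start time, now+N against the current time).</p>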
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd><p>
 When writing a signed zone to "raw" or "map" format, set the
 "source serial" value in the header to the specified serial
 number. (This is expected to be used primarily for testing
 purposes.)
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>
 Specifies the number of threads to use. By default, one
 thread is started for each detected CPU.
</p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd><p>
 The SOA serial number format of the signed zone.
 Possible formats are <span class="command"><strong>"keep"</strong></span> (default),
 <span class="command"><strong>"increment"</strong></span>, <span class="command"><strong>"unixtime"</strong></span>,
 and <span class="command"><strong>"date"</strong></span>.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
 arithmetic.</p></dd>
<dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
 since the epoch.</p></dd>
<dt><span class="term"><span class="command"><strong>"date"</strong></span></span></dt>
<dd><p>Set the SOA serial number to today's date in
 YYYYMMDDNN format.</p></dd>
</dl></div>
</dd>
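<p>An added example (not BIND's code) of the serial computation behind <code class="option">-N</code>: RFC 1982 comparison and increment, the "unixtime" and "date" values, and, as this example's own assumption about what to do when such a value would not move the serial forward, a fall back to incrementing the existing serial. The sample serials and the "current time" are constructed.</p>

```python
"""Added example (not BIND's code): the SOA serial each -N soa-serial-format
would write, using RFC 1982 serial arithmetic so a 32-bit wrap is handled.
The fallback to 'increment' when a unixtime/date value would not move the
serial forward is this example's assumption, not something the page states."""
from datetime import datetime, timezone

MOD = 1 << 32          # serials are 32-bit unsigned
HALF = 1 << 31
EXAMPLE_NOW = datetime(2015, 6, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed


def serial_gt(a, b):
    """RFC 1982: is serial a 'greater than' serial b in the 32-bit circular space?"""
    a %= MOD
    b %= MOD
    return a != b and ((a < b and b - a > HALF) or (a > b and a - b < HALF))


def increment(serial):
    """-N increment: RFC 1982 addition of 1, wrapping modulo 2^32."""
    return (serial + 1) % MOD


def next_serial(current, fmt, now=EXAMPLE_NOW):
    """Serial to write for one -N format; 'now' is a timezone-aware datetime."""
    if fmt == "keep":
        return current
    if fmt == "increment":
        return increment(current)
    if fmt == "unixtime":
        candidate = int(now.timestamp())                  # seconds since the epoch
    elif fmt == "date":
        candidate = int(now.strftime("%Y%m%d")) * 100     # YYYYMMDD00
    else:
        raise ValueError("unknown soa-serial-format: %r" % fmt)
    # Assumption: never move the serial backwards (in RFC 1982 terms); bump it instead.
    return candidate if serial_gt(candidate, current) else increment(current)


if __name__ == "__main__":
    for fmt in ("keep", "increment", "unixtime", "date"):
        print("%-9s %10d -> %d" % (fmt, 2015053101, next_serial(2015053101, fmt)))
    print("date format, second signing of the day:", next_serial(2015060100, "date"))
```

<p>The case worth noticing is the switch from date-style serials to "unixtime": 1433160000 is numerically smaller than 2015053101, and in RFC 1982 terms it is also "less than" it (the difference is under 2^31), so a secondary that already holds serial 2015053101 would ignore a transfer offered with the unixtime serial. The example therefore falls back to a plain increment; whatever the signer does, check the serial your secondaries actually accept before changing formats on a live zone.</p>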
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
 The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.
</p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>
 The format of the output file containing the signed zone.
 Possible formats are <span class="command"><strong>"text"</strong></span> (default),
 which is the standard textual representation of the zone;
 <span class="command"><strong>"full"</strong></span>, which is text output in a
 format suitable for processing by external scripts;
 and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
 and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in
 binary formats for rapid loading by <span class="command"><strong>named</strong></span>.
 <span class="command"><strong>"raw=N"</strong></span> specifies the format version of
 the raw zone file: if N is 0, the raw file can be read by
 any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
 can be read by release 9.9.0 or higher; the default is 1.
</p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
 Use pseudo-random data when signing the zone. This is faster,
 but less secure, than using real random data. This option
 may be useful when signing large zones or when the entropy
 source is limited. How much the weaker randomness matters
 depends on the signing algorithm: RSA signing is deterministic,
 whereas DSA and ECDSA draw a fresh secret nonce for every
 signature, and a predictable or repeated nonce exposes the
 private key.
</p></dd>
<dt><span class="term">-P</span></dt>
<dd><p>
 Disable post sign verification tests.
</p>
<p>
 The post sign verification test ensures that for each algorithm
 in use there is at least one non-revoked self-signed KSK,
 that all revoked KSKs are self-signed, and that all records
 in the zone are signed by the algorithm.
 This option skips these tests.
</p></dd>
<dt><span class="term">-Q</span></dt>
<dd><p>
 Remove signatures from keys that are no longer active.
</p>
<p>
 Normally, when a previously-signed zone is passed as input
 to the signer, and a DNSKEY record has been removed and
 replaced with a new one, signatures from the old key
 that are still within their validity period are retained.
 This allows the zone to continue to validate with cached
 copies of the old DNSKEY RRset. The <code class="option">-Q</code> option
 forces <span class="command"><strong>dnssec-signzone</strong></span> to remove
 signatures from keys that are no longer active. This
 enables ZSK rollover using the procedure described in
 RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
</p></dd>
<dt><span class="term">-R</span></dt>
<dd><p>
 Remove signatures from keys that are no longer published.
</p>
<p>
 This option is similar to <code class="option">-Q</code>, except it
 forces <span class="command"><strong>dnssec-signzone</strong></span> to remove signatures from
 keys that are no longer published. This enables ZSK rollover
 using the procedure described in RFC 4641, section 4.2.1.2
 ("Double Signature Zone Signing Key Rollover").
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
</p></dd>
<dt><span class="term">-S</span></dt>
<dd><p>
 Smart signing: Instructs <span class="command"><strong>dnssec-signzone</strong></span> to
 search the key repository for keys that match the zone being
 signed, and to include them in the zone if appropriate.
</p>
<p>
 When a key is found, its timing metadata is examined to
 determine how it should be used, according to the following
 rules. Each successive rule takes priority over the prior
 ones:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"></span></dt>
<dd><p>
 If no timing metadata has been set for the key, the key is
 published in the zone and used to sign the zone.
</p></dd>
<dt><span class="term"></span></dt>
<dd><p>
 If the key's publication date is set and is in the past, the
 key is published in the zone.
</p></dd>
<dt><span class="term"></span></dt>
<dd><p>
 If the key's activation date is set and in the past, the
 key is published (regardless of publication date) and
 used to sign the zone.
</p></dd>
<dt><span class="term"></span></dt>
<dd><p>
 If the key's revocation date is set and in the past, and the
 key is published, then the key is revoked, and the revoked key
 is used to sign the zone.
</p></dd>
<dt><span class="term"></span></dt>
<dd><p>
 If either of the key's unpublication or deletion dates are set
 and in the past, the key is NOT published or used to sign the
 zone, regardless of any other metadata.
</p></dd>
</dl></div>
</dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews Specifies a TTL to be used for new DNSKEY records imported
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington into the zone from the key repository. If not
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington specified, the default is the TTL value from the zone's SOA
a26b22914b7bf25f065afb8cdef983766dcd672bAutomatic Updater record. This option is ignored when signing without
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater <code class="option">-S</code>, since DNSKEY records are not imported
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington from the key repository in that case. It is also ignored if
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater there are any pre-existing DNSKEY records at the zone apex,
a26b22914b7bf25f065afb8cdef983766dcd672bAutomatic Updater in which case new records' TTL values will be set to match
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater them, or if any of the imported DNSKEY records had a default
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater TTL value. In the event of a conflict between TTL values in
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater imported keys, the shortest one is used.
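As an added example (not part of the BIND manual page or of BIND's own code), the following Python models the two decision procedures described above for smart signing: the key-timing rules applied under <code class="option">-S</code> and the DNSKEY TTL selection described for <code class="option">-T</code>. Field names such as <code>unpublish</code> and <code>delete</code> follow the wording of this page rather than any key-file syntax, "in the past" is taken to mean at or before the current time, and consulting a pre-existing apex DNSKEY TTL before the imported keys' own TTLs is an assumption; the page only states that each of them overrides <code class="option">-T</code>.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Added example: models the smart-signing key rules (-S) and the DNSKEY TTL
# choice (-T) described in the dnssec-signzone manual page. Field names follow
# the page's wording; they are not BIND key-file field names (assumption).


@dataclass
class KeyTiming:
    """Timing metadata of one repository key, as epoch seconds (None = unset)."""
    publish: Optional[int] = None
    activate: Optional[int] = None
    revoke: Optional[int] = None
    unpublish: Optional[int] = None
    delete: Optional[int] = None


@dataclass
class KeyUse:
    published: bool
    signing: bool
    revoked: bool


def smart_signing_use(timing: KeyTiming, now: int) -> KeyUse:
    """Apply the -S rules in order; each later rule overrides the earlier ones."""
    def past(ts: Optional[int]) -> bool:
        # "in the past" is read here as "at or before now" (assumption)
        return ts is not None and ts <= now

    fields = (timing.publish, timing.activate, timing.revoke,
              timing.unpublish, timing.delete)
    # Rule 1: no timing metadata at all -> publish and sign.
    if all(f is None for f in fields):
        return KeyUse(published=True, signing=True, revoked=False)

    use = KeyUse(published=False, signing=False, revoked=False)
    # Rule 2: publication date reached -> publish only.
    if past(timing.publish):
        use.published = True
    # Rule 3: activation date reached -> publish (regardless of the
    # publication date) and sign.
    if past(timing.activate):
        use.published = True
        use.signing = True
    # Rule 4: revocation date reached on a published key -> the key is
    # revoked and the revoked key signs the zone.
    if past(timing.revoke) and use.published:
        use.revoked = True
        use.signing = True
    # Rule 5: unpublication or deletion date reached -> neither published
    # nor signing, whatever the other metadata says.
    if past(timing.unpublish) or past(timing.delete):
        return KeyUse(published=False, signing=False, revoked=False)
    return use


def dnskey_ttl(*, smart_signing: bool, ttl_option: Optional[int],
               soa_ttl: int, apex_dnskey_ttl: Optional[int],
               imported_key_ttls: Sequence[Optional[int]]) -> Optional[int]:
    """TTL for DNSKEY records imported with -S, following the -T description.

    imported_key_ttls holds each imported key's own default TTL, or None when
    the key carries none. Returns None when nothing is imported (no -S).
    """
    if not smart_signing:
        return None               # -T is ignored: no DNSKEYs are imported
    if apex_dnskey_ttl is not None:
        return apex_dnskey_ttl    # new records match the existing apex DNSKEYs
    own = [t for t in imported_key_ttls if t is not None]
    if own:
        return min(own)           # keys' own TTLs override -T; conflicts -> shortest
    if ttl_option is not None:
        return ttl_option         # explicit -T
    return soa_ttl                # default: the zone's SOA TTL
```

The priority structure matters in practice: a key whose activation date has passed is published even if its publication date lies in the future, and a deletion date in the past removes a key from the zone no matter what the other fields say, so a misconfigured date on a single key silently changes which keys sign.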
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews Print statistics at completion.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Update NSEC/NSEC3 chain when re-signing a previously signed
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington zone. With this option, a zone signed with NSEC can be
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington switched to NSEC3, or a zone signed with NSEC3 can
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington be switched to NSEC or to NSEC3 with different parameters.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Without this option, <span class="command"><strong>dnssec-signzone</strong></span> will
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington retain the existing chain when re-signing.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Sets the debugging level.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Only sign the DNSKEY RRset with key-signing keys, and omit
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews signatures from zone-signing keys. (This is similar to the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>dnssec-dnskey-kskonly yes;</strong></span> zone option in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>named</strong></span>.)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Ignore KSK flag on key when determining what to sign. This
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington causes KSK-flagged keys to sign all records, not just the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington DNSKEY RRset. (This is similar to the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>update-check-ksk no;</strong></span> zone option in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>named</strong></span>.)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Generate an NSEC3 chain with the given hex encoded salt.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater A dash (<code class="option">-</code>) given as <em class="replaceable"><code>salt</code></em> can
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington be used to indicate that no salt is to be used when generating the NSEC3 chain.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater When generating an NSEC3 chain, use this many iterations. The
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater default is 10.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater When generating an NSEC3 chain set the OPTOUT flag on all
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington NSEC3 records and do not generate NSEC3 records for insecure
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Using this option twice (i.e., <code class="option">-AA</code>)
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews turns the OPTOUT flag off for all records. This is useful
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington when using the <code class="option">-u</code> option to modify an NSEC3
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews chain which previously had OPTOUT set.
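As an added example (not from the manual page or from BIND), the following Python computes NSEC3 owner-name hashes as defined in RFC 5155, so the effect of the <code class="option">-3</code> salt and the <code class="option">-H</code> iteration count can be seen directly, and renders the matching NSEC3PARAM rdata. The sample name, salt and iteration count in the usage call are the ones from the RFC 5155 Appendix A example zone; the function names are this example's own.

```python
import hashlib

# Added example, not BIND code: NSEC3 owner-name hashing per RFC 5155 and the
# meaning of dnssec-signzone's -3 (salt) and -H (iterations) arguments.

BASE32HEX = "0123456789abcdefghijklmnopqrstuv"


def parse_salt(arg: str) -> bytes:
    """Interpret the -3 argument: '-' means no salt, anything else is hex."""
    return b"" if arg == "-" else bytes.fromhex(arg)


def wire_name(name: str) -> bytes:
    """Uncompressed, lowercased wire form of an owner name, as RFC 5155 hashes it."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32hex without padding (RFC 4648 extended-hex alphabet, lowercase)."""
    nbits = len(data) * 8
    nchars = -(-nbits // 5)
    n = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(BASE32HEX[(n >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(salt, name, iterations): SHA-1 run iterations+1 times, salt appended each round."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3param_text(salt: bytes, iterations: int) -> str:
    """NSEC3PARAM rdata in presentation format (hash algorithm 1 = SHA-1, flags 0)."""
    salt_txt = salt.hex() if salt else "-"
    return f"1 0 {iterations} {salt_txt}"


if __name__ == "__main__":
    # Values from the RFC 5155 Appendix A example zone.
    salt = parse_salt("aabbccdd")
    print(nsec3param_text(salt, 12))        # 1 0 12 aabbccdd
    print(nsec3_hash("example", salt, 12))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    # No salt, with dnssec-signzone's default of 10 iterations:
    print(nsec3param_text(parse_salt("-"), 10))  # 1 0 10 -
```

Every extra iteration is one more SHA-1 over a 20-byte digest plus the salt, and a validator must repeat that work for each name it checks during a denial-of-existence proof, so a high <code class="option">-H</code> value costs resolvers as much as it costs the signer.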
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The file containing the zone to be signed.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Specify which keys should be used to sign the zone. If
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington no keys are specified, then the zone will be examined
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington for DNSKEY records at the zone apex. If these are found and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington there are matching private keys, in the current directory,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington then these will be used for signing.
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater<a name="id-1.14.14.9"></a><h2>EXAMPLE</h2>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The following command signs the <strong class="userinput"><code>example.com</code></strong>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater zone with the DSA key generated by <span class="command"><strong>dnssec-keygen</strong></span>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater (Kexample.com.+003+17247). Because the <span class="command"><strong>-S</strong></span> option
8ccd7da886e93cd490fcb6f4c4e98a6514f35820Automatic Updater is not being used, the zone's keys must be in the master file
8ccd7da886e93cd490fcb6f4c4e98a6514f35820Automatic Updater (<code class="filename">db.example.com</code>). This invocation looks
8ccd7da886e93cd490fcb6f4c4e98a6514f35820Automatic Updater for <code class="filename">dsset</code> files, in the current directory,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater so that DS records can be imported from them (<span class="command"><strong>-g</strong></span>).
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater In the above example, <span class="command"><strong>dnssec-signzone</strong></span> creates
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the file <code class="filename">db.example.com.signed</code>. This
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington file should be referenced in a zone statement in a
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater <code class="filename">named.conf</code> file.
47ff70af9e842bf0f69d209433995216f560fe4aAutomatic Updater This example re-signs a previously signed zone with default parameters.
532d27b39244fadfcf8d8b4593f4c65434c9c664Automatic Updater The private keys are assumed to be in the current directory.
532d27b39244fadfcf8d8b4593f4c65434c9c664Automatic Updater<pre class="programlisting">% cp db.example.com.signed db.example.com
532d27b39244fadfcf8d8b4593f4c65434c9c664Automatic Updater% dnssec-signzone -o example.com db.example.com
665ba746c0585088d0c314dcfc4671aa2c7b2dc1Automatic Updater<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
665ba746c0585088d0c314dcfc4671aa2c7b2dc1Automatic Updater <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
665ba746c0585088d0c314dcfc4671aa2c7b2dc1Automatic Updater <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0rc1</p>