man.dnssec-signzone.html revision cedb0bd0c1e3c461b7e479a16d3adfd5b150f1f4
<!--
 - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-signzone.html,v 1.9 2005/10/13 03:14:04 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
<a accesskey="p" href="man.dnssec-keygen.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.named-checkconf.html">Next</a>
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nthreads</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
<p><span><strong class="command">dnssec-signzone</strong></span>
 signs a zone. It generates
 NSEC and RRSIG records and produces a signed version of the
 zone. The security status of delegations from the signed zone
 (that is, whether the child zones are secure or not) is
 determined by the presence or absence of a
 <code class="filename">keyset</code> file for each child zone.</p>
<dt><span class="term">-a</span></dt>
 Verify all generated signatures.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Specifies the DNS class of the zone.
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
 Treat the specified key as a key-signing key (KSK), ignoring any
 key flags. This option may be specified multiple times.
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
 Generate a DLV set in addition to the key (DNSKEY) and DS sets.
 The domain is appended to the name of the records.
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
 Look for <code class="filename">keyset</code> files in
 <code class="option">directory</code> instead of the current
 directory.
<dt><span class="term">-g</span></dt>
 Generate DS records for child zones from keyset files.
 Existing DS records will be removed.
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
 Specify the date and time when the generated RRSIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <code class="option">start-time</code> is specified, the current
 time minus 1 hour (to allow for clock skew) is used.
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
 Specify the date and time when the generated RRSIG records
 expire. As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">end-time</code> is
 specified, 30 days from the start time is used as a default.
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
 The name of the output file containing the signed zone. The
 default is to append <code class="filename">.signed</code> to
 the name of the input zone file.
<dt><span class="term">-h</span></dt>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-signzone</strong></span>.
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 When a previously signed zone is passed as input, records
 may be resigned. The <code class="option">interval</code> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.
 The default cycle interval is one quarter of the difference
 between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 is specified, <span><strong class="command">dnssec-signzone</strong></span>
 generates signatures that are valid for 30 days, with a cycle
 interval of 7.5 days. Therefore, if any existing RRSIG records
 are due to expire in less than 7.5 days, they would be
 replaced.
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
 The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be signed directly.
 The use of this option does not make much sense for
 non-dynamic zones.
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
 When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <code class="option">jitter</code> option specifies a
 jitter window that will be used to randomize the signature
 expire time, thus spreading incremental signature
 regeneration over time.
 Signature lifetime jitter also to some extent benefits
 validators and servers by spreading out cache expiration,
 i.e. if large numbers of RRSIGs don't expire at the same time
 from all caches there will be less congestion than if all
 validators need to refetch at mostly the same time.
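<p>The timing rules of <code class="option">-s</code>, <code class="option">-e</code>, <code class="option">-i</code> and <code class="option">-j</code> interact in ways that are easy to get wrong when planning a re-signing schedule: the default inception is an hour in the past, the default expiration is 30 days after the inception (not after "now"), and a signature is only kept if it outlives the cycle interval. The following Python model is an added example, not ISC's code and not taken from this manual page; it implements those rules so they can be checked offline. The jitter model (a uniformly random 0..jitter seconds taken off the expiration) is an assumption for illustration only, not a statement about BIND's exact arithmetic, and the RRSIG expirations it operates on are constructed sample data.</p>

```python
# Added example (not ISC's code): a model of the signature-timing rules that
# dnssec-signzone's -s, -e, -i and -j options describe, so the interplay of
# default validity window, cycle interval and jitter can be checked offline.
# The jitter distribution (uniform 0..jitter seconds taken off the expiry) is
# an assumption for illustration, not a claim about BIND's exact arithmetic.
from __future__ import annotations

import datetime as dt
import random

HOUR = 3600
DAY = 24 * HOUR
DEFAULT_SKEW = HOUR          # -s default: current time minus 1 hour
DEFAULT_LIFETIME = 30 * DAY  # -e default: 30 days after the start time


def parse_time(spec: str, now: int, start: int | None = None) -> int:
    """Interpret a -s/-e time specification as a Unix timestamp.

    YYYYMMDDHHMMSS is absolute UTC, now+N is N seconds after the current
    time, and +N is N seconds after the base: the current time for -s
    (start is None) or the start time for -e (start given).
    """
    if spec.startswith("now+"):
        return now + int(spec[4:])
    if spec.startswith("+"):
        base = now if start is None else start
        return base + int(spec[1:])
    if len(spec) == 14 and spec.isdigit():
        when = dt.datetime.strptime(spec, "%Y%m%d%H%M%S")
        return int(when.replace(tzinfo=dt.timezone.utc).timestamp())
    raise ValueError(f"unrecognised time specification: {spec!r}")


def format_time(ts: int) -> str:
    """Render a timestamp in the YYYYMMDDHHMMSS form used by RRSIG records."""
    return dt.datetime.fromtimestamp(ts, dt.timezone.utc).strftime("%Y%m%d%H%M%S")


def validity_window(now: int, start_spec: str | None = None,
                    end_spec: str | None = None) -> tuple[int, int]:
    """Resolve -s/-e (either may be absent) into (inception, expiration)."""
    start = now - DEFAULT_SKEW if start_spec is None else parse_time(start_spec, now)
    end = start + DEFAULT_LIFETIME if end_spec is None else parse_time(end_spec, now, start)
    if end <= start:
        raise ValueError("signature end time must be after start time")
    return start, end


def cycle_interval(start: int, end: int, interval: int | None = None) -> int:
    """-i: an explicit interval, or one quarter of the validity period by default."""
    return (end - start) // 4 if interval is None else interval


def plan_resign(rrsigs: dict[str, int], now: int, cycle: int) -> list[str]:
    """Return the owner names whose RRSIG must be replaced on this run.

    A signature that expires after now + cycle is retained; anything else
    is "expiring soon" and is regenerated, as the -i description says.
    """
    return sorted(name for name, expiry in rrsigs.items() if expiry <= now + cycle)


def jittered_expiry(end: int, jitter: int, rng: random.Random | None = None) -> int:
    """-j: pull the expiration forward by a random 0..jitter seconds (assumed model)."""
    if jitter < 0:
        raise ValueError("jitter must be non-negative")
    rng = rng if rng is not None else random.Random()
    return end - rng.randint(0, jitter)


if __name__ == "__main__":
    now = parse_time("20000530144500", 0)      # the man page's example instant
    start, end = validity_window(now)          # defaults: now - 1h .. start + 30d
    cycle = cycle_interval(start, end)         # 7.5 days
    # Constructed RRSIG expirations for a previously signed zone (sample data).
    rrsigs = {
        "www.example.com.": now + 3 * DAY,     # inside the cycle window: replace
        "mail.example.com.": now + 10 * DAY,   # more than 7.5 days left: keep
        "ns1.example.com.": now + cycle,       # boundary, not after the window: replace
    }
    print("inception ", format_time(start))
    print("expiration", format_time(end))
    print("cycle     ", cycle // DAY, "days", (cycle % DAY) // HOUR, "hours")
    print("re-sign   ", plan_resign(rrsigs, now, cycle))
    rng = random.Random(1)
    print("jittered expirations:",
          [format_time(jittered_expiry(end, 2 * DAY, rng)) for _ in range(3)])
```

<p>Two details worth noticing when running it: a relative <code class="option">-e +N</code> counts from the (possibly backdated) inception, so "<code>-e +86400</code>" with a default start yields signatures that expire 23 hours from now, not 24; and a signature that expires exactly at the end of the cycle interval is regenerated, since only signatures that expire strictly after it are retained.</p>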
<dt><span class="term">-n <em class="replaceable"><code>nthreads</code></em></span></dt>
 Specifies the number of threads to use. By default, one
 thread is started for each detected CPU.
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
 The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
 The format of the output file containing the signed zone.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
<dt><span class="term">-p</span></dt>
 Use pseudo-random data when signing the zone. This is faster,
 but less secure, than using real random data. This option
 may be useful when signing large zones or when the entropy
 source is limited. Note that DSA signatures in particular
 depend on a fresh, unpredictable random value for every
 signature; predictable values can expose the private key
 through the published signatures, so prefer a real entropy
 source when signing with DSA keys.
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
<dt><span class="term">-t</span></dt>
 Print statistics at completion.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
<dt><span class="term">-z</span></dt>
 Ignore the KSK flag on keys when determining what to sign.
<dt><span class="term">zonefile</span></dt>
 The file containing the zone to be signed.
<dt><span class="term">key</span></dt>
 The keys used to sign the zone. If no keys are specified, the
 default is all zone keys that have private key files in the
 current directory.
 The following command signs the <strong class="userinput"><code>example.com</code></strong>
 zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span>
 man page. The zone's keys must be in the zone. If there are
 <code class="filename">keyset</code> files associated with child
 zones, they must be in the current directory. To sign
 <strong class="userinput"><code>example.com</code></strong>, the following command would be
 used:
<p><strong class="userinput"><code>dnssec-signzone -o example.com db.example.com</code></strong></p>
 The command would print a string of the form:
<pre class="programlisting">db.example.com.signed</pre>
 In this example, <span><strong class="command">dnssec-signzone</strong></span> creates
 the file <code class="filename">db.example.com.signed</code>. This
 should be referenced in a zone statement in a
 <code class="filename">named.conf</code> file.
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span>
<table width="100%" summary="Navigation footer">
<a accesskey="p" href="man.dnssec-keygen.html">Prev</a>&nbsp;</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.named-checkconf.html">Next</a>
<td width="40%" align="left" valign="top"><span class="application">dnssec-keygen</span>&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;<span class="application">named-checkconf</span></td>