fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<!--
ca41b452ede6feaa9d8739ec3cae19389a7b0d03Bob Halley - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - Copyright (C) 2000-2003 Internet Software Consortium.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence -
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - Permission to use, copy, modify, and/or distribute this software for any
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - purpose with or without fee is hereby granted, provided that the above
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - copyright notice and this permission notice appear in all copies.
15a44745412679c30a6d022733925af70a38b715David Lawrence -
15a44745412679c30a6d022733925af70a38b715David Lawrence - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
15a44745412679c30a6d022733925af70a38b715David Lawrence - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
15a44745412679c30a6d022733925af70a38b715David Lawrence - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15a44745412679c30a6d022733925af70a38b715David Lawrence - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
15a44745412679c30a6d022733925af70a38b715David Lawrence - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
15a44745412679c30a6d022733925af70a38b715David Lawrence - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15a44745412679c30a6d022733925af70a38b715David Lawrence - PERFORMANCE OF THIS SOFTWARE.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence-->
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<html>
15a44745412679c30a6d022733925af70a38b715David Lawrence<head>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<title>dnssec-signzone</title>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
899f7f9af527d3dfe8345dcc8210d7c23fc950afDavid Lawrence<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
c4717613e45323ed23dc6e9162cba89f1f83830cDavid Lawrence<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</head>
9550eb2dab1d03e03e6c060f92e655d47ac1fc1bMichael Graff<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="navheader">
8f804834e2b537da5c8bc81f986143a46147b490Andreas Gustafsson<table width="100%" summary="Navigation header">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<td width="20%" align="left">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a accesskey="p" href="man.dnssec-settime.html">Prev</a>&nbsp;</td>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<th width="60%" align="center">Manual pages</th>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-verify.html">Next</a>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</td>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</table>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<hr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refentry">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refnamediv">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<h2>Name</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsynopsisdiv">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<h2>Synopsis</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-Q</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em 
class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsection">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="id-1.14.13.7"></a><h2>DESCRIPTION</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p><span class="command"><strong>dnssec-signzone</strong></span>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence signs a zone. It generates
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence NSEC and RRSIG records and produces a signed version of the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence zone. The security status of delegations from the signed zone
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence (that is, whether the child zones are secure or not) is
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence determined by the presence or absence of a
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="filename">keyset</code> file for each child zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
2918b5bda6a55c301eb87992b5f2acd7176d0737David Lawrence<div class="refsection">
2918b5bda6a55c301eb87992b5f2acd7176d0737David Lawrence<a name="id-1.14.13.8"></a><h2>OPTIONS</h2>
2918b5bda6a55c301eb87992b5f2acd7176d0737David Lawrence<div class="variablelist"><dl class="variablelist">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-a</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Verify all generated signatures.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Specifies the DNS class of the zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-C</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Compatibility mode: Generate a
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence file in addition to
d409ceeda41a256e8114423674d844d5f5035ee8Bob Halley <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence when signing a zone, for use by older versions of
8f804834e2b537da5c8bc81f986143a46147b490Andreas Gustafsson <span class="command"><strong>dnssec-signzone</strong></span>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
8f804834e2b537da5c8bc81f986143a46147b490Andreas Gustafsson<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Look for <code class="filename">dsset-</code> or
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="filename">keyset-</code> files in <code class="option">directory</code>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-D</span></dt>
8f804834e2b537da5c8bc81f986143a46147b490Andreas Gustafsson<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Output only those record types automatically managed by
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
8f804834e2b537da5c8bc81f986143a46147b490Andreas Gustafsson NSEC3 and NSEC3PARAM records. If smart signing
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence (<code class="option">-S</code>) is used, DNSKEY records are also
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence included. The resulting file can be included in the original
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence cannot be combined with <code class="option">-O raw</code>,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="option">-O map</code>, or serial number updating.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
87cafc5e70f79f2586d067fbdd64f61bbab069d2David Lawrence When applicable, specifies the hardware to use for
87cafc5e70f79f2586d067fbdd64f61bbab069d2David Lawrence cryptographic operations, such as a secure key store used
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence for signing.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence When BIND is built with OpenSSL PKCS#11 support, this defaults
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence to the string "pkcs11", which identifies an OpenSSL engine
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence that can drive a cryptographic accelerator or hardware service
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence module. When BIND is built with native PKCS#11 cryptography
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence (--enable-native-pkcs11), it defaults to the path of the PKCS#11
61e9c1cdbe29683bb2db388e4fc6a6fd59315cefDavid Lawrence provider library specified via "--with-pkcs11".
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-g</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Generate DS records for child zones from
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence file. Existing DS records will be removed.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Key repository: Specify a directory to search for DNSSEC keys.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence If not specified, defaults to the current directory.
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Treat the specified key as a key signing key, ignoring any
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff key flags. This option may be specified multiple times.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff<dd><p>
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff Generate a DLV set in addition to the key (DNSKEY) and DS sets.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence The domain is appended to the name of the records.
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff </p></dd>
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff<dd><p>
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff Sets the maximum TTL for the signed zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
5fe5a0c02634eaadfcbc3528bf2c184557110a3bAndreas Gustafsson input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence in the output. This provides certainty as to the largest
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff possible TTL in the signed zone, which is useful to know when
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff rolling keys because it is the longest possible time before
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence signatures that have been retrieved by resolvers will expire
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence from resolver caches. Zones that are signed with this
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence option should be configured to use a matching
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence (Note: This option is incompatible with <code class="option">-D</code>,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence because it modifies non-DNSSEC data in the output zone.)
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Specify the date and time when the generated RRSIG records
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence become valid. This can be either an absolute or relative
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence time. An absolute start time is indicated by a number
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence in YYYYMMDDHHMMSS notation; 20000530144500 denotes
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence 14:45:00 UTC on May 30th, 2000. A relative start time is
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence indicated by +N, which is N seconds from the current time.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence If no <code class="option">start-time</code> is specified, the current
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence time minus 1 hour (to allow for clock skew) is used.
1b106e224d3931e85d68c091fe1ec7758d9f07cbAndreas Gustafsson </p></dd>
1b106e224d3931e85d68c091fe1ec7758d9f07cbAndreas Gustafsson<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Specify the date and time when the generated RRSIG records
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence expire. As with <code class="option">start-time</code>, an absolute
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence time is indicated in YYYYMMDDHHMMSS notation. A time relative
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence to the start time is indicated with +N, which is N seconds from
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence the start time. A time relative to the current time is
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence indicated with now+N. If no <code class="option">end-time</code> is
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence specified, 30 days from the start time is used as a default.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <code class="option">end-time</code> must be later than
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <code class="option">start-time</code>.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Specify the date and time when the generated RRSIG records
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence for the DNSKEY RRset will expire. This is to be used in cases
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence when the DNSKEY signatures need to persist longer than
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence signatures on other records; e.g., when the private component
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence of the KSK is kept offline and the KSK signature is to be
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence refreshed manually.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence As with <code class="option">start-time</code>, an absolute
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence time is indicated in YYYYMMDDHHMMSS notation. A time relative
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence to the start time is indicated with +N, which is N seconds from
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence the start time. A time relative to the current time is
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence indicated with now+N. If no <code class="option">extended end-time</code> is
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence specified, the value of <code class="option">end-time</code> is used as
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence the default. (<code class="option">end-time</code>, in turn, defaults to
c4717613e45323ed23dc6e9162cba89f1f83830cDavid Lawrence 30 days from the start time.) <code class="option">extended end-time</code>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence must be later than <code class="option">start-time</code>.
c4717613e45323ed23dc6e9162cba89f1f83830cDavid Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
c4717613e45323ed23dc6e9162cba89f1f83830cDavid Lawrence<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence The name of the output file containing the signed zone. The
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence default is to append <code class="filename">.signed</code> to
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence the input filename. If <code class="option">output-file</code> is
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence set to <code class="literal">"-"</code>, then the signed zone is
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence written to the standard output, with a default output
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence format of "full".
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-h</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Prints a short summary of the options and arguments to
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span class="command"><strong>dnssec-signzone</strong></span>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-V</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Prints version information.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence<dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence When a previously-signed zone is passed as input, records
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence may be re-signed. The <code class="option">interval</code> option
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence specifies the cycle interval as an offset from the current
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence time (in seconds). If an RRSIG record expires after the
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence cycle interval, it is retained. Otherwise, it is considered
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence to be expiring soon, and it will be replaced.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence The default cycle interval is one quarter of the difference
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence between the signature end and start times. So if neither
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <code class="option">end-time</code> nor <code class="option">start-time</code>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence is specified, <span class="command"><strong>dnssec-signzone</strong></span>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence generates
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence signatures that are valid for 30 days, with a cycle
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence interval of 7.5 days. Therefore, if any existing RRSIG records
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence are due to expire in less than 7.5 days, they would be
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence replaced.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence</dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence The format of the input zone file.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Possible formats are <span class="command"><strong>"text"</strong></span> (default),
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence This option is primarily intended to be used for dynamic
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence signed zones so that the dumped zone file in a non-text
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence format containing updates can be signed directly.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence The use of this option does not make much sense for
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence non-dynamic zones.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence When signing a zone with a fixed signature lifetime, all
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence RRSIG records issued at the time of signing expire
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence simultaneously. If the zone is incrementally signed, i.e.
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence a previously-signed zone is passed as input to the signer,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence all expired signatures have to be regenerated at about the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence same time. The <code class="option">jitter</code> option specifies a
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence jitter window that will be used to randomize the signature
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence expiry time, thus spreading incremental signature
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence regeneration over time.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Signature lifetime jitter also benefits validators and
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence servers, to some extent, by spreading out cache expiration,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence i.e. if large numbers of RRSIGs don't expire at the same time
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence from all caches there will be less congestion than if all
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence validators need to refetch at mostly the same time.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence When writing a signed zone to "raw" or "map" format, set the
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence "source serial" value in the header to the specified serial
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence number. (This is expected to be used primarily for testing
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence purposes.)
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Specifies the number of threads to use. By default, one
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence thread is started for each detected CPU.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence The SOA serial number format of the signed zone.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Possible formats are <span class="command"><strong>"keep"</strong></span> (default),
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <span class="command"><strong>"increment"</strong></span>, <span class="command"><strong>"unixtime"</strong></span>,
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence and <span class="command"><strong>"date"</strong></span>.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<div class="variablelist"><dl class="variablelist">
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt>
0bd4e3591ac1a729c7ec8f811844119473350975David Lawrence<dd><p>Do not modify the SOA serial number.</p></dd>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence<dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>Increment the SOA serial number using RFC 1982
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence arithmetic.</p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>Set the SOA serial number to the number of seconds
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence since the epoch.</p></dd>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<dt><span class="term"><span class="command"><strong>"date"</strong></span></span></dt>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<dd><p>Set the SOA serial number to today's date in
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence YYYYMMDDNN format.</p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dl></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence The zone origin. If not specified, the name of the zone file
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence is assumed to be the origin.
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence </p></dd>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence The format of the output file containing the signed zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Possible formats are <span class="command"><strong>"text"</strong></span> (default),
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence which is the standard textual representation of the zone;
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span class="command"><strong>"full"</strong></span>, which is text output in a
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence format suitable for processing by external scripts;
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence binary formats for rapid loading by <span class="command"><strong>named</strong></span>.
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence <span class="command"><strong>"raw=N"</strong></span> specifies the format version of
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence the raw zone file: if N is 0, the raw file can be read by
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence can be read by release 9.9.0 or higher; the default is 1.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<dt><span class="term">-p</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Use pseudo-random data when signing the zone. This is faster,
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence but less secure, than using real random data. This option
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence may be useful when signing large zones or when the entropy
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence source is limited; weigh the speed gain against the reduced
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence security before using it on production zones.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-P</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Disable post-sign verification tests.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence The post-sign verification test ensures that, for each algorithm
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence in use, there is at least one non-revoked, self-signed KSK,
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence that all revoked KSKs are self-signed, and that all records
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence in the zone are signed by that algorithm.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence This option skips these tests, so problems they would have
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence caught in the signed zone are not reported.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-Q</span></dt>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<dd>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<p>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence Remove signatures from keys that are no longer active.
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Normally, when a previously-signed zone is passed as input
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence to the signer, and a DNSKEY record has been removed and
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence replaced with a new one, signatures from the old key
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence that are still within their validity period are retained.
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence This allows the zone to continue to validate with cached
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence copies of the old DNSKEY RRset. The <code class="option">-Q</code>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence option forces <span class="command"><strong>dnssec-signzone</strong></span> to remove
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence signatures from keys that are no longer active. This
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence enables ZSK rollover using the procedure described in
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<dt><span class="term">-R</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Remove signatures from keys that are no longer published.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence This option is similar to <code class="option">-Q</code>, except it
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence forces <span class="command"><strong>dnssec-signzone</strong></span> to remove signatures from
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence keys that are no longer published. This enables ZSK rollover
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence using the procedure described in RFC 4641, section 4.2.1.2
87cafc5e70f79f2586d067fbdd64f61bbab069d2David Lawrence ("Double Signature Zone Signing Key Rollover").
87cafc5e70f79f2586d067fbdd64f61bbab069d2David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Specifies the source of randomness. If the operating
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence system does not provide a <code class="filename">/dev/random</code>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence or equivalent device, the default source of randomness
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence is keyboard input. <code class="filename">randomdev</code>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence specifies
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence the name of a character device or file containing random
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence data to be used instead of the default. The special value
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="filename">keyboard</code> indicates that keyboard
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence input should be used.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-S</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Smart signing: Instructs <span class="command"><strong>dnssec-signzone</strong></span> to
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence search the key repository for keys that match the zone being
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence signed, and to include them in the zone if appropriate.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence When a key is found, its timing metadata is examined to
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence determine how it should be used, according to the following
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence rules. Each successive rule takes priority over the prior
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence ones:
2918b5bda6a55c301eb87992b5f2acd7176d0737David Lawrence </p>
2918b5bda6a55c301eb87992b5f2acd7176d0737David Lawrence<div class="variablelist"><dl class="variablelist">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence If no timing metadata has been set for the key, the key is
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence published in the zone and used to sign the zone.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence If the key's publication date is set and is in the past, the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence key is published in the zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence If the key's activation date is set and in the past, the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence key is published (regardless of publication date) and
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence used to sign the zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence If the key's revocation date is set and in the past, and the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence key is published, then the key is revoked, and the revoked key
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence is used to sign the zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence If either of the key's unpublication or deletion dates are set
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence and in the past, the key is NOT published or used to sign the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence zone, regardless of any other metadata.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dl></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Specifies a TTL to be used for new DNSKEY records imported
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence into the zone from the key repository. If not
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence specified, the default is the TTL value from the zone's SOA
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence record. This option is ignored when signing without
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="option">-S</code>, since DNSKEY records are not imported
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence from the key repository in that case. It is also ignored if
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence there are any pre-existing DNSKEY records at the zone apex,
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence in which case new records' TTL values will be set to match
87cafc5e70f79f2586d067fbdd64f61bbab069d2David Lawrence them, or if any of the imported DNSKEY records had a default
87cafc5e70f79f2586d067fbdd64f61bbab069d2David Lawrence TTL value. In the event of a conflict between TTL values in
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence imported keys, the shortest one is used.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-t</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Print statistics at completion.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-u</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Update the NSEC/NSEC3 chain when re-signing a previously signed
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence zone. With this option, a zone signed with NSEC can be
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence switched to NSEC3, or a zone signed with NSEC3 can
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence be switched to NSEC or to NSEC3 with different parameters.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Without this option, <span class="command"><strong>dnssec-signzone</strong></span> will
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence retain the existing chain when re-signing.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Sets the debugging level.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-x</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Only sign the DNSKEY RRset with key-signing keys, and omit
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence signatures from zone-signing keys. (This is similar to the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span class="command"><strong>dnssec-dnskey-kskonly yes;</strong></span> zone option in
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span class="command"><strong>named</strong></span>.)
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-z</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Ignore KSK flag on key when determining what to sign. This
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence causes KSK-flagged keys to sign all records, not just the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence DNSKEY RRset. (This is similar to the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span class="command"><strong>update-check-ksk no;</strong></span> zone option in
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <span class="command"><strong>named</strong></span>.)
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Generate an NSEC3 chain with the given hex-encoded salt.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence A dash (<code class="option">-</code>) in place of the salt can
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence be used to indicate that no salt is to be used when generating the NSEC3 chain.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence When generating an NSEC3 chain, use this many iterations. The
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence default is 10.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-A</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence When generating an NSEC3 chain set the OPTOUT flag on all
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence NSEC3 records and do not generate NSEC3 records for insecure
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence delegations.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Using this option twice (i.e., <code class="option">-AA</code>)
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence turns the OPTOUT flag off for all records. This is useful
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence when using the <code class="option">-u</code> option to modify an NSEC3
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence chain which previously had OPTOUT set.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">zonefile</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence The file containing the zone to be signed.
0c7b7a19e5a3c23fbb789238dcc4d43cd55387a0Brian Wellington </p></dd>
0c7b7a19e5a3c23fbb789238dcc4d43cd55387a0Brian Wellington<dt><span class="term">key</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Specify which keys should be used to sign the zone. If
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence no keys are specified, then the zone will be examined
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence for DNSKEY records at the zone apex. If these are found, and
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence matching private keys exist in the current directory,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence then those keys will be used for signing.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dl></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsection">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="id-1.14.13.9"></a><h2>EXAMPLE</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence The following command signs the <strong class="userinput"><code>example.com</code></strong>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence zone with the DSA key generated by <span class="command"><strong>dnssec-keygen</strong></span>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence (Kexample.com.+003+17247). Because the <span class="command"><strong>-S</strong></span> option
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence is not being used, the zone's keys must be in the master file
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence (<code class="filename">db.example.com</code>). This invocation looks
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence for <code class="filename">dsset</code> files in the current directory
0c7b7a19e5a3c23fbb789238dcc4d43cd55387a0Brian Wellington so that DS records can be imported from them (<span class="command"><strong>-g</strong></span>).
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
00a1623a59b1540c28781e8ccd8341c8114dbc75David LawrenceKexample.com.+003+17247
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrencedb.example.com.signed
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence%</pre>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence<p>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence In the above example, <span class="command"><strong>dnssec-signzone</strong></span> creates
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence the file <code class="filename">db.example.com.signed</code>. This
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence file should be referenced in a zone statement in a
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence <code class="filename">named.conf</code> file.
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence </p>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence<p>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence This example re-signs a previously signed zone with default parameters.
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence The private keys are assumed to be in the current directory.
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence </p>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence<pre class="programlisting">% cp db.example.com.signed db.example.com
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence% dnssec-signzone -o example.com db.example.com
0c7b7a19e5a3c23fbb789238dcc4d43cd55387a0Brian Wellingtondb.example.com.signed
0c7b7a19e5a3c23fbb789238dcc4d43cd55387a0Brian Wellington%</pre>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence</div>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence<div class="refsection">
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence<a name="id-1.14.13.10"></a><h2>SEE ALSO</h2>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence </p>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence</div>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</body>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</html>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence