doc/arm/man.dnssec-signzone.html

	man.dnssec-signzone.html revision 04bbadfbcb8a755cb208c4034073a3c0eb96b9aa
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!--
11e9368a226272085c337e9e74b79808c16fbdbaTinderbox User - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein-->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!-- $Id$ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<title>dnssec-signzone</title>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navheader">
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<table width="100%" summary="Navigation header">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<th width="60%" align="center">Manual pages</th>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-verify.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="refentry" lang="en">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="refnamediv">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<h2>Name</h2>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="refsynopsisdiv">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<h2>Synopsis</h2>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="refsect1" lang="en">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="id2621783"></a><h2>DESCRIPTION</h2>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p><span><strong class="command">dnssec-signzone</strong></span>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      signs a zone.  It generates
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      NSEC and RRSIG records and produces a signed version of the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      zone. The security status of delegations from the signed zone
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      (that is, whether the child zones are secure or not) is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      determined by the presence or absence of a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <code class="filename">keyset</code> file for each child zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="refsect1" lang="en">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="id2621802"></a><h2>OPTIONS</h2>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="variablelist"><dl>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-a</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Verify all generated signatures.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Specifies the DNS class of the zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-C</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Compatibility mode: Generate a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            file in addition to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            when signing a zone, for use by older versions of
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <span><strong class="command">dnssec-signzone</strong></span>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Look for <code class="filename">dsset-</code> or
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <code class="filename">keyset-</code> files in <code class="option">directory</code>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-D</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        Output only those record types automatically managed by
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        NSEC3 and NSEC3PARAM records. If smart signing
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        (<code class="option">-S</code>) is used, DNSKEY records are also
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        included. The resulting file can be included in the original
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        cannot be combined with <code class="option">-O raw</code>,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <code class="option">-O map</code>, or serial number updating.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            When applicable, specifies the hardware to use for
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            cryptographic operations, such as a secure key store used
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            for signing.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            When BIND is built with OpenSSL PKCS#11 support, this defaults
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            to the string "pkcs11", which identifies an OpenSSL engine
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            that can drive a cryptographic accelerator or hardware service
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            module.  When BIND is built with native PKCS#11 cryptography
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            provider library specified via "--with-pkcs11".
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-g</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Generate DS records for child zones from
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            file.  Existing DS records will be removed.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Key repository: Specify a directory to search for DNSSEC keys.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            If not specified, defaults to the current directory.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Treat specified key as a key signing key ignoring any
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            key flags.  This option may be specified multiple times.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            The domain is appended to the name of the records.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Specify the date and time when the generated RRSIG records
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            become valid.  This can be either an absolute or relative
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            time.  An absolute start time is indicated by a number
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            14:45:00 UTC on May 30th, 2000.  A relative start time is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            indicated by +N, which is N seconds from the current time.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            If no <code class="option">start-time</code> is specified, the current
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            time minus 1 hour (to allow for clock skew) is used.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Specify the date and time when the generated RRSIG records
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            expire.  As with <code class="option">start-time</code>, an absolute
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            to the start time is indicated with +N, which is N seconds from
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            the start time.  A time relative to the current time is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            indicated with now+N.  If no <code class="option">end-time</code> is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            specified, 30 days from the start time is used as a default.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <code class="option">end-time</code> must be later than
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <code class="option">start-time</code>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Specify the date and time when the generated RRSIG records
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            for the DNSKEY RRset will expire.  This is to be used in cases
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            when the DNSKEY signatures need to persist longer than
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            signatures on other records; e.g., when the private component
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            of the KSK is kept offline and the KSK signature is to be
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            refreshed manually.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            As with <code class="option">start-time</code>, an absolute
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            to the start time is indicated with +N, which is N seconds from
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            the start time.  A time relative to the current time is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            indicated with now+N.  If no <code class="option">extended end-time</code> is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            specified, the value of <code class="option">end-time</code> is used as
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            the default.  (<code class="option">end-time</code>, in turn, defaults to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            30 days from the start time.) <code class="option">extended end-time</code>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            must be later than <code class="option">start-time</code>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            The name of the output file containing the signed zone.  The
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            default is to append <code class="filename">.signed</code> to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            the input filename.  If <code class="option">output-file</code> is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            set to <code class="literal">"-"</code>, then the signed zone is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            written to the standard output, with a default output
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            format of "full".
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-h</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Prints a short summary of the options and arguments to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <span><strong class="command">dnssec-signzone</strong></span>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            When a previously-signed zone is passed as input, records
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            may be resigned.  The <code class="option">interval</code> option
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            specifies the cycle interval as an offset from the current
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            time (in seconds).  If a RRSIG record expires after the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            cycle interval, it is retained.  Otherwise, it is considered
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            to be expiring soon, and it will be replaced.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            The default cycle interval is one quarter of the difference
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            between the signature end and start times.  So if neither
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <code class="option">end-time</code> or <code class="option">start-time</code>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            are specified, <span><strong class="command">dnssec-signzone</strong></span>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            generates
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            signatures that are valid for 30 days, with a cycle
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            interval of 7.5 days.  Therefore, if any existing RRSIG records
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            are due to expire in less than 7.5 days, they would be
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            replaced.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            The format of the input zone file.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        Possible formats are <span><strong class="command">"text"</strong></span> (default),
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"map"</strong></span>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        This option is primarily intended to be used for dynamic
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            signed zones so that the dumped zone file in a non-text
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            format containing updates can be signed directly.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        The use of this option does not make much sense for
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        non-dynamic zones.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            When signing a zone with a fixed signature lifetime, all
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            RRSIG records issued at the time of signing expires
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            simultaneously.  If the zone is incrementally signed, i.e.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            a previously-signed zone is passed as input to the signer,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            all expired signatures have to be regenerated at about the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            same time.  The <code class="option">jitter</code> option specifies a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            jitter window that will be used to randomize the signature
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            expire time, thus spreading incremental signature
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            regeneration over time.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Signature lifetime jitter also to some extent benefits
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            validators and servers by spreading out cache expiration,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            i.e. if large numbers of RRSIGs don't expire at the same time
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            from all caches there will be less congestion than if all
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            validators need to refetch at mostly the same time.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            When writing a signed zone to "raw" or "map" format, set the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            "source serial" value in the header to the specified serial
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            number.  (This is expected to be used primarily for testing
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            purposes.)
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Specifies the number of threads to use.  By default, one
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            thread is started for each detected CPU.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            The SOA serial number format of the signed zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        Possible formats are <span><strong class="command">"keep"</strong></span> (default),
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <span><strong class="command">"increment"</strong></span> and
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <span><strong class="command">"unixtime"</strong></span>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="variablelist"><dl>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>Do not modify the SOA serial number.</p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>Increment the SOA serial number using RFC 1982
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                      arithmetics.</p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>Set the SOA serial number to the number of seconds
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            since epoch.</p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</dl></div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            The zone origin.  If not specified, the name of the zone file
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            is assumed to be the origin.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            The format of the output file containing the signed zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        Possible formats are <span><strong class="command">"text"</strong></span> (default),
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            which is the standard textual representation of the zone;
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <span><strong class="command">"full"</strong></span>, which is text output in a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            format suitable for processing by external scripts;
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            and <span><strong class="command">"map"</strong></span>, <span><strong class="command">"raw"</strong></span>,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            and <span><strong class="command">"raw=N"</strong></span>, which store the zone in
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            binary formats for rapid loading by <span><strong class="command">named</strong></span>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <span><strong class="command">"raw=N"</strong></span> specifies the format version of
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            the raw zone file: if N is 0, the raw file can be read by
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            any version of <span><strong class="command">named</strong></span>; if N is 1, the file
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            can be read by release 9.9.0 or higher; the default is 1.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-p</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Use pseudo-random data when signing the zone.  This is faster,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            but less secure, than using real random data.  This option
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            may be useful when signing large zones or when the entropy
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            source is limited.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-P</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        Disable post sign verification tests.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        The post sign verification test ensures that for each algorithm
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        in use there is at least one non revoked self signed KSK key,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        that all revoked KSK keys are self signed, and that all records
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        in the zone are signed by the algorithm.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        This option skips these tests.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-Q</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        Remove signatures from keys that are no longer active.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Normally, when a previously-signed zone is passed as input
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            to the signer, and a DNSKEY record has been removed and
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            replaced with a new one, signatures from the old key
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            that are still within their validity period are retained.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        This allows the zone to continue to validate with cached
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        copies of the old DNSKEY RRset.  The <code class="option">-Q</code>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            forces <span><strong class="command">dnssec-signzone</strong></span> to remove
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            signatures from keys that are no longer active. This
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            enables ZSK rollover using the procedure described in
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-R</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        Remove signatures from keys that are no longer published.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            This option is similar to <code class="option">-Q</code>, except it
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            forces <span><strong class="command">dnssec-signzone</strong></span> to signatures from
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            keys that are no longer published. This enables ZSK rollover
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            using the procedure described in RFC 4641, section 4.2.1.2
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            ("Double Signature Zone Signing Key Rollover").
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Specifies the source of randomness.  If the operating
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            system does not provide a <code class="filename">/dev/random</code>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            or equivalent device, the default source of randomness
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            is keyboard input.  <code class="filename">randomdev</code>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            specifies
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            the name of a character device or file containing random
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            data to be used instead of the default.  The special value
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <code class="filename">keyboard</code> indicates that keyboard
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            input should be used.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-S</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            search the key repository for keys that match the zone being
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            signed, and to include them in the zone if appropriate.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            When a key is found, its timing metadata is examined to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            determine how it should be used, according to the following
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            rules.  Each successive rule takes priority over the prior
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            ones:
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="variablelist"><dl>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                  If no timing metadata has been set for the key, the key is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                  published in the zone and used to sign the zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                  If the key's publication date is set and is in the past, the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                  key is published in the zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                  If the key's activation date is set and in the past, the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                  key is published (regardless of publication date) and
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                  used to sign the zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                  If the key's revocation date is set and in the past, and the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                  key is published, then the key is revoked, and the revoked key
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                  is used to sign the zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                  If either of the key's unpublication or deletion dates are set
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                  and in the past, the key is NOT published or used to sign the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                  zone, regardless of any other metadata.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt                </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</dl></div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Specifies a TTL to be used for new DNSKEY records imported
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            into the zone from the key repository.  If not
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            specified, the default is the TTL value from the zone's SOA
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            record.  This option is ignored when signing without
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <code class="option">-S</code>, since DNSKEY records are not imported
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            from the key repository in that case.  It is also ignored if
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            there are any pre-existing DNSKEY records at the zone apex,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            in which case new records' TTL values will be set to match
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            them, or if any of the imported DNSKEY records had a default
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            TTL value.  In the event of a a conflict between TTL values in
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            imported keys, the shortest one is used.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-t</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Print statistics at completion.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-u</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Update NSEC/NSEC3 chain when re-signing a previously signed
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            zone.  With this option, a zone signed with NSEC can be
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            switched to NSEC3, or a zone signed with NSEC3 can
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            be switch to NSEC or to NSEC3 with different parameters.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            retain the existing chain when re-signing.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Sets the debugging level.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-x</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Only sign the DNSKEY RRset with key-signing keys, and omit
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            signatures from zone-signing keys.  (This is similar to the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <span><strong class="command">named</strong></span>.)
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-z</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Ignore KSK flag on key when determining what to sign.  This
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            causes KSK-flagged keys to sign all records, not just the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            DNSKEY RRset.  (This is similar to the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <span><strong class="command">update-check-ksk no;</strong></span> zone option in
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <span><strong class="command">named</strong></span>.)
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Generate an NSEC3 chain with the given hex encoded salt.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        A dash (<em class="replaceable"><code>salt</code></em>) can
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        be used to indicate that no salt is to be used when generating          the NSEC3 chain.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        When generating an NSEC3 chain, use this many iterations.  The
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        default is 10.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-A</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        When generating an NSEC3 chain set the OPTOUT flag on all
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        NSEC3 records and do not generate NSEC3 records for insecure
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        delegations.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        Using this option twice (i.e., <code class="option">-AA</code>)
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        turns the OPTOUT flag off for all records.  This is useful
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        when using the <code class="option">-u</code> option to modify an NSEC3
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        chain which previously had OPTOUT set.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">zonefile</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            The file containing the zone to be signed.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">key</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        Specify which keys should be used to sign the zone.  If
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        no keys are specified, then the zone will be examined
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        for DNSKEY records at the zone apex.  If these are found and
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        there are matching private keys, in the current directory,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        then these will be used for signing.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</dl></div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="refsect1" lang="en">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="id2669969"></a><h2>EXAMPLE</h2>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      The following command signs the <strong class="userinput"><code>example.com</code></strong>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      (Kexample.com.+003+17247).  Because the <span><strong class="command">-S</strong></span> option
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      is not being used, the zone's keys must be in the master file
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      (<code class="filename">db.example.com</code>).  This invocation looks
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      for <code class="filename">dsset</code> files, in the current directory,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntKexample.com.+003+17247
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntdb.example.com.signed
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt%</pre>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      the file <code class="filename">db.example.com.signed</code>.  This
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      file should be referenced in a zone statement in a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <code class="filename">named.conf</code> file.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      This example re-signs a previously signed zone with default parameters.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      The private keys are assumed to be in the current directory.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<pre class="programlisting">% cp db.example.com.signed db.example.com
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt% dnssec-signzone -o example.com db.example.com
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntdb.example.com.signed
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt%</pre>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="refsect1" lang="en">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="id2670116"></a><h2>SEE ALSO</h2>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="refsect1" lang="en">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="id2670144"></a><h2>AUTHOR</h2>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p><span class="corpauthor">Internet Systems Consortium</span>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="navfooter">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<hr>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<table width="100%" summary="Navigation footer">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<tr>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<td width="40%" align="left">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<td width="40%" align="right">�<a accesskey="n" href="man.dnssec-verify.html">Next</a>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</td>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</tr>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<tr>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<td width="40%" align="left" valign="top">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<span class="application">dnssec-settime</span>�</td>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<td width="40%" align="right" valign="top">�<span class="application">dnssec-verify</span>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</td>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</tr>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</table>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</body>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</html>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt