<!--
 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-signzone.html,v 1.77 2008/06/18 01:12:16 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="refentry" lang="en">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2604181"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
zone. The security status of delegations from the signed zone
(that is, whether the child zones are secure or not) is
determined by the presence or absence of a
<code class="filename">keyset</code> file for each child zone.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2604200"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
Verify all generated signatures.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Specifies the DNS class of the zone.
</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
Treat specified key as a key signing key ignoring any
key flags. This option may be specified multiple times.
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
</p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Look for <code class="filename">keyset</code> files in
<code class="option">directory</code>.
</p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>
Generate DS records for child zones from keyset files.
Existing DS records will be removed.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
Specify the date and time when the generated RRSIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <code class="option">start-time</code> is specified, the current
time minus 1 hour (to allow for clock skew) is used.
</p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>
Specify the date and time when the generated RRSIG records
expire. As with <code class="option">start-time</code>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <code class="option">end-time</code> is
specified, 30 days from the start time is used as a default.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
The name of the output file containing the signed zone. The
default is to append <code class="filename">.signed</code> to
the input filename.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
When a previously-signed zone is passed as input, records
may be re-signed. The <code class="option">interval</code> option
specifies the cycle interval as an offset from the current
time (in seconds). If an RRSIG record expires after the
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
</p>
<p>
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<code class="option">end-time</code> nor <code class="option">start-time</code>
is specified, <span><strong class="command">dnssec-signzone</strong></span>
generates
signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing RRSIG records
are due to expire in less than 7.5 days, they would be
replaced.
</p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
The format of the input zone file.
Possible formats are <span><strong class="command">"text"</strong></span> (default)
and <span><strong class="command">"raw"</strong></span>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be signed directly.
The use of this option does not make much sense for
non-dynamic zones.
</p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd>
<p>
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expire
simultaneously. If the zone is incrementally signed, i.e.
a previously-signed zone is passed as input to the signer,
all expired signatures have to be regenerated at about the
same time. The <code class="option">jitter</code> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
regeneration over time.
</p>
<p>
Signature lifetime jitter also benefits validators and
servers to some extent by spreading out cache expiration:
if large numbers of RRSIGs do not expire from all caches at
the same time, there is less congestion than if all
validators need to refetch at about the same time.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
</p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd>
<p>
The SOA serial number format of the signed zone.
Possible formats are <span><strong class="command">"keep"</strong></span> (default),
<span><strong class="command">"increment"</strong></span> and
<span><strong class="command">"unixtime"</strong></span>.
</p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
arithmetic.</p></dd>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
since epoch.</p></dd>
</dl></div>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>
The format of the output file containing the signed zone.
Possible formats are <span><strong class="command">"text"</strong></span> (default)
and <span><strong class="command">"raw"</strong></span>.
</p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>
Print statistics at completion.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
Ignore KSK flag on key when determining what to sign.
</p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
The file containing the zone to be signed.
</p></dd>
<dt><span class="term">key</span></dt>
<dd><p>
Specify which keys should be used to sign the zone. If
no keys are specified, then the zone will be examined
for DNSKEY records at the zone apex. If these are found and
there are matching private keys in the current directory,
these will be used for signing.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2658817"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
(Kexample.com.+003+17247). The zone's keys must be in the master
file (<code class="filename">db.example.com</code>). This invocation looks
for <code class="filename">keyset</code> files in the current directory
so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
</p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</pre>
<p>
In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
the file <code class="filename">db.example.com.signed</code>. This
file should be referenced in a zone statement in a
<code class="filename">named.conf</code> file.
</p>
<p>
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
</p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</pre>
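<p>
Added example, not part of BIND or of <span><strong class="command">dnssec-signzone</strong></span> itself:
a Python model of the <code class="option">-s</code>, <code class="option">-e</code> and
<code class="option">-i</code> rules described under OPTIONS, showing which RRSIG records the
re-sign above would retain or replace. The function names, the constructed zone excerpt and
the extra "expired" label are assumptions of this example.
</p>

```python
import re
from datetime import datetime, timedelta, timezone

def parse_time(spec, now, base):
    """Resolve YYYYMMDDHHMMSS (UTC), +N (seconds after base) or now+N."""
    if re.fullmatch(r"\d{14}", spec):
        return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    m = re.fullmatch(r"(now)?\+(\d+)", spec)
    if not m:
        raise ValueError(f"unsupported time spec: {spec!r}")
    return (now if m.group(1) else base) + timedelta(seconds=int(m.group(2)))

def signing_window(now, start=None, end=None, interval=None):
    """Return (inception, expiration, cutoff) for one signing run."""
    # -s: +N counts from the current time; default is now minus 1 hour.
    inception = parse_time(start, now, now) if start else now - timedelta(hours=1)
    # -e: +N counts from the start time; default is start plus 30 days.
    expiration = parse_time(end, now, inception) if end else inception + timedelta(days=30)
    if expiration <= inception:
        raise ValueError("signatures would expire before they become valid")
    # -i: offset from the current time; default is a quarter of the lifetime.
    cycle = timedelta(seconds=interval) if interval is not None else (expiration - inception) / 4
    return inception, expiration, now + cycle

# Matches either an owner name at the start of a line, or the RRSIG fields up
# to the signer name (expiration precedes inception; "(" may split the record).
TOKEN = re.compile(
    r"^(?P<owner>[^\s;$()]\S*)"
    r"|\bRRSIG\s+(?P<covers>\S+)\s+\d+\s+\d+\s+\d+\s+(?P<exp>\d{14})\s+\(?\s*"
    r"\d{14}\s+(?P<tag>\d+)\s+\S+",
    re.M,
)

def audit(zone_text, now, **window):
    """Classify every RRSIG in zone_text as 'retain', 'replace' or 'expired'."""
    cutoff = signing_window(now, **window)[2]
    owner, findings = None, []
    for m in TOKEN.finditer(zone_text):
        if m.group("owner"):
            owner = m.group("owner")  # RRSIG lines without a name inherit it
            continue
        exp = parse_time(m.group("exp"), now, now)
        # Retained only if it expires after the cycle interval; "expired" is an
        # extra label of this example for signatures that are already invalid.
        state = "expired" if exp <= now else "replace" if exp <= cutoff else "retain"
        findings.append((owner, m.group("covers"), int(m.group("tag")), state))
    return findings

# Constructed sample: signature data shortened to "AAAA"; the key tag follows
# the page's Kexample.com.+003+17247.
SAMPLE_ZONE = """\
; constructed excerpt of a signed zone
example.com.      3600 IN SOA ns.example.com. admin.example.com. 1 3600 900 604800 3600
                  3600 IN RRSIG SOA 3 2 3600 20080718001216 (
                                20080618001216 17247 example.com.
                                AAAA )
www.example.com.  3600 IN A 192.0.2.1
                  3600 IN RRSIG A 3 3 3600 20080622001216 20080523001216 17247 example.com. AAAA
old.example.com.  3600 IN RRSIG A 3 3 3600 20080610001216 20080511001216 17247 example.com. AAAA
"""
SAMPLE_NOW = datetime(2008, 6, 18, 1, 12, 16, tzinfo=timezone.utc)  # constructed clock

if __name__ == "__main__":
    for row in audit(SAMPLE_ZONE, SAMPLE_NOW):
        print(*row)
```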
</div>
<div class="refsect1" lang="en">
<a name="id2659026"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2535</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2659050"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</body>
</html>