man.dnssec-signzone.html revision 1224c3b69b3d18f7127aa042644936af25a2d679
<!--
 - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-signzone.html,v 1.50 2007/06/20 02:27:33 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
<a accesskey="p" href="man.dnssec-keygen.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.named-checkconf.html">Next</a>
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-n <em class="replaceable"><code>ncpus</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
<p><span><strong class="command">dnssec-signzone</strong></span>
 signs a zone. It generates
 NSEC and RRSIG records and produces a signed version of the
 zone. The security status of delegations from the signed zone
 (that is, whether the child zones are secure or not) is
 determined by the presence or absence of a
 <code class="filename">keyset</code> file for each child zone.</p>
<dt><span class="term">-a</span></dt>
<dd><p>Verify all generated signatures. This catches a corrupted,
 mismatched or truncated private key before the signed zone is
 published.</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>Specifies the DNS class of the zone.</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>Treat the specified key as a key-signing key (KSK), ignoring any
 key flags. This option may be specified multiple times.</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>Generate a DLV set in addition to the key (DNSKEY) and DS sets.
 The domain is appended to the name of the records. DLV is an
 obsolete lookaside mechanism and the ISC DLV registry that consumed
 such sets has since been shut down, so this option is of historical
 interest only.</p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>Look for <code class="filename">keyset</code> files in
 <code class="option">directory</code> rather than in the current
 directory.</p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>Generate DS records for child zones from keyset files.
 Existing DS records will be removed. Because the DS records already
 in the zone are discarded, a secure child whose keyset file is
 missing or stale is silently published as an insecure delegation;
 check that every secure child has a current keyset file before
 signing with this option.</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <code class="option">start-time</code> is specified, the current
 time minus 1 hour (to allow for clock skew between the signer and
 validating resolvers) is used.</p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 expire. As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">end-time</code> is
 specified, 30 days from the start time is used as a default.
 The zone must be re-signed and republished before this time
 passes; once it does, validating resolvers treat the zone's
 data as bogus.</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>The name of the output file containing the signed zone. The
 default is to append <code class="filename">.signed</code> to
 the input filename.</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>When a previously-signed zone is passed as input, records
 may be resigned. The <code class="option">interval</code> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.</p>
<p>The default cycle interval is one quarter of the difference
 between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 is specified, <span><strong class="command">dnssec-signzone</strong></span>
 generates signatures that are valid for 30 days, with a cycle
 interval of 7.5 days. Therefore, if any existing RRSIG records
 are due to expire in less than 7.5 days, they would be</p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be signed directly
 ("raw" is the binary format <span><strong class="command">named</strong></span>
 writes for a zone configured with
 <span><strong class="command">masterfile-format raw</strong></span>).
 The use of this option does not make much sense for
 non-dynamic zones.</p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd>
<p>When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously-signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <code class="option">jitter</code> option specifies a
 jitter window that will be used to randomize the signature
 expire time, thus spreading incremental signature
 regeneration over time.</p>
<p>Signature lifetime jitter also to some extent benefits
 validators and servers by spreading out cache expiration,
 i.e. if large numbers of RRSIGs don't expire at the same time
 from all caches there will be less congestion than if all
 validators need to refetch at mostly the same time.</p>
</dd>
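<p>The timing options above (<code class="option">-s</code>, <code class="option">-e</code>,
 <code class="option">-i</code> and <code class="option">-j</code>) interact, and it is
 easy to misjudge which signatures a re-signing run will actually replace.
 The following Python model is an added example written for this page; it is
 not code from BIND or from this manual. It parses the time syntax described
 under <code class="option">-s</code> and <code class="option">-e</code>, applies the
 documented defaults (start = now minus one hour, end = start plus 30 days,
 cycle interval = one quarter of the lifetime), picks out the RRSIGs in a few
 constructed zone lines that are "expiring soon", and applies a jitter window.
 The jitter is modelled as subtracting a random offset of less than
 <em class="replaceable"><code>jitter</code></em> seconds from the end time so that no
 signature outlives <em class="replaceable"><code>end-time</code></em>; that choice, the
 sample records and the dates in them are assumptions, not taken from the page.</p>

```python
"""Model of dnssec-signzone's RRSIG timing rules (-s, -e, -i, -j).

Added example; not part of BIND.  All times are Unix epoch seconds (UTC).
"""
import random
from datetime import datetime, timezone

CLOCK_SKEW = 3600              # default start-time: now minus one hour
DEFAULT_LIFETIME = 30 * 86400  # default end-time: start plus 30 days


def parse_time(spec, now, plus_base):
    """Parse a -s/-e argument.

    YYYYMMDDHHMMSS is an absolute UTC time; "now+N" is N seconds after the
    current time; "+N" is N seconds after plus_base (the current time for
    -s, the start time for -e).
    """
    if spec.startswith("now+"):
        return now + int(spec[4:])
    if spec.startswith("+"):
        return plus_base + int(spec[1:])
    if len(spec) == 14 and spec.isdigit():
        dt = datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    raise ValueError("bad time spec: %r" % spec)


def signing_window(now, start_spec=None, end_spec=None, interval=None):
    """Return (start, end, cycle) as the manual says they are derived."""
    start = now - CLOCK_SKEW if start_spec is None else parse_time(start_spec, now, now)
    end = start + DEFAULT_LIFETIME if end_spec is None else parse_time(end_spec, now, start)
    if end <= start:
        raise ValueError("end-time must be after start-time")
    cycle = (end - start) // 4 if interval is None else interval
    return start, end, cycle


def rrsig_expiration(line):
    """Expiration field of a presentation-format RRSIG line, or None.

    RRSIG rdata order: type-covered alg labels orig-ttl expiration
    inception key-tag signer signature.
    """
    tok = line.split()
    if "RRSIG" not in tok:
        return None
    i = tok.index("RRSIG")
    return parse_time(tok[i + 5], 0, 0)


def needs_resign(expiration, now, cycle):
    """An RRSIG is retained only if it expires after now + cycle."""
    return expiration <= now + cycle


def select_for_resign(zone_lines, now, cycle):
    """Return the RRSIG lines a re-signing run at `now` would replace."""
    return [ln for ln in zone_lines
            if rrsig_expiration(ln) is not None
            and needs_resign(rrsig_expiration(ln), now, cycle)]


def jittered_expiration(end, jitter, rng=random):
    """Spread expirations over (end - jitter, end] (model of -j; an assumption)."""
    return end if jitter <= 0 else end - rng.randrange(jitter)


# Constructed sample of a previously signed zone.  DSA (algorithm 3) and key
# tag 17247 mirror the manual's example; TTLs, dates and signatures are made up.
ZONE_SAMPLE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2000053001 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 3 2 3600 20000629134500 20000530134500 17247 example.com. c2lnMQ==
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 3 3 3600 20000605000000 20000506000000 17247 example.com. c2lnMg==
"""

if __name__ == "__main__":
    now = parse_time("20000601000000", 0, 0)
    start, end, cycle = signing_window(now)   # defaults: 30-day lifetime, 7.5-day cycle
    for line in select_for_resign(ZONE_SAMPLE.splitlines(), now, cycle):
        print("replace:", line.split()[0], "expires", line.split()[8])
    print("expiration with one day of jitter:", jittered_expiration(end, 86400))
```

<p>With the defaults, the A record's signature (four days from expiry) is
 replaced and the SOA signature (28 days) is kept. Note that
 <code class="option">-e +N</code> is relative to the start time, so with the
 default start of now minus one hour a value of <code class="option">+3600</code>
 yields signatures that are already expired.</p>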
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>Specifies the number of threads to use. By default, one
 thread is started for each detected CPU.</p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd>
<p>The SOA serial number format of the signed zone.
 Possible formats are <span><strong class="command">"keep"</strong></span> (default),
 <span><strong class="command">"increment"</strong></span> and
 <span><strong class="command">"unixtime"</strong></span>.</p>
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982</p></dd>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds</p></dd>
</dd>
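<p>Whether a re-signed zone is actually picked up by secondary servers depends
 on the serial arithmetic of RFC 1982, not on ordinary integer comparison. The
 block below is an added example written for this page, not BIND code: it
 implements the RFC 1982 addition that <span><strong class="command">"increment"</strong></span>
 relies on and the comparison secondaries use to decide whether a zone is newer,
 applies the three formats to a constructed single-line SOA record, and flags
 the case where the new serial would not count as an increase. The SOA record
 and the timestamps are constructed for the example.</p>

```python
"""RFC 1982 serial arithmetic behind dnssec-signzone -N.  Added example; not BIND code."""
import time

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def serial_add(s, n):
    """RFC 1982 addition; the addend must be less than 2**31."""
    if not 0 <= n < SERIAL_HALF:
        raise ValueError("addend out of range")
    return (s + n) % SERIAL_MOD


def serial_gt(a, b):
    """RFC 1982 'a is greater than b' for 32-bit serials.

    A difference of exactly 2**31 is undefined by the RFC; this returns False
    in both directions for that case.
    """
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def new_serial(current, fmt, now=None):
    """Apply one of the -N formats to the current serial."""
    if fmt == "keep":
        return current
    if fmt == "increment":
        return serial_add(current, 1)
    if fmt == "unixtime":
        return int(time.time()) if now is None else now
    raise ValueError("unknown soa-serial-format: %r" % fmt)


def soa_serial(line):
    """Serial of a single-line presentation-format SOA record."""
    tok = line.split()
    return int(tok[tok.index("SOA") + 3])   # MNAME RNAME SERIAL ...


def update_soa_line(line, fmt, now=None):
    """Return (new_line, advanced).

    advanced is False when secondaries would not treat the new serial as
    newer than the old one and would therefore keep serving the old zone.
    """
    tok = line.split()
    i = tok.index("SOA") + 3
    old = int(tok[i])
    new = new_serial(old, fmt, now)
    tok[i] = str(new)
    return " ".join(tok), serial_gt(new, old)


# Constructed SOA with a date-style serial (YYYYMMDDnn), a common convention.
SOA_SAMPLE = ("example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
              "2000053001 7200 3600 1209600 3600")

if __name__ == "__main__":
    for fmt in ("keep", "increment", "unixtime"):
        line, advanced = update_soa_line(SOA_SAMPLE, fmt, now=959817600)
        print("%-9s serial %-10d %s" % (fmt, soa_serial(line),
                                         "ok" if advanced else "NOT newer"))
```

<p>Two practical consequences follow. With the default
 <span><strong class="command">"keep"</strong></span> the re-signed zone carries the same serial
 as before, so secondaries will not transfer it until the serial is bumped by
 other means. Switching a zone that uses date-style serials such as
 2000053001 to <span><strong class="command">"unixtime"</strong></span> produces a serial that is
 smaller in RFC 1982 terms, and the secondaries keep the old, soon-to-expire
 signatures.</p>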
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.</p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>The format of the output file containing the signed zone.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.</p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>Use pseudo-random data when signing the zone. This is faster,
 but less secure, than using real random data. This option
 may be useful when signing large zones or when the entropy
 source is limited. DSA signatures (algorithm 3, as used in the
 example below) need an unpredictable per-signature nonce, and a
 predictable nonce exposes the private key, so avoid this option
 when signing with DSA keys.</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.</p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>Print statistics at completion.</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>Sets the debugging level.</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>Ignore the KSK flag on keys when determining what to sign, i.e.
 sign every RRset with every key rather than restricting KSKs to the
 DNSKEY RRset.</p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>The file containing the zone to be signed.</p></dd>
<dt><span class="term">key</span></dt>
<dd><p>Specify which keys should be used to sign the zone. If
 no keys are specified, then the zone will be examined
 for DNSKEY records at the zone apex. If these are found and
 there are matching private keys in the current directory,
 then these will be used for signing.</p></dd>
<p>The following command signs the <strong class="userinput"><code>example.com</code></strong>
 zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
 (Kexample.com.+003+17247). The zone's keys must be in the master
 file (<code class="filename">db.example.com</code>). This invocation looks
 for <code class="filename">keyset</code> files in the current directory,
 so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).</p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
    Kexample.com.+003+17247</pre>
<p>In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
 the file <code class="filename">db.example.com.signed</code>. This
 file should be referenced in a zone statement in a</p>
<p>This example re-signs a previously signed zone with default parameters.
 The private keys are assumed to be in the current directory.</p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com</pre>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,</p>
<p><span class="corpauthor">Internet Systems Consortium</span></p>