man.dnssec-signzone.html revision 1238b38c9f0ab563b762dc0fd00ac6c34c2b7295
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - Copyright (C) 2000-2003 Internet Software Consortium.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - Permission to use, copy, modify, and/or distribute this software for any
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - purpose with or without fee is hereby granted, provided that the above
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - copyright notice and this permission notice appear in all copies.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce - PERFORMANCE OF THIS SOFTWARE.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<!-- $Id: man.dnssec-signzone.html,v 1.163 2010/06/26 01:14:18 tbox Exp $ -->
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<td width="20%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p><span><strong class="command">dnssec-signzone</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce signs a zone. It generates
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce NSEC and RRSIG records and produces a signed version of the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone. The security status of delegations from the signed zone
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce (that is, whether the child zones are secure or not) is
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce determined by the presence or absence of a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="filename">keyset</code> file for each child zone.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Verify all generated signatures.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Specifies the DNS class of the zone.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Compatibility mode: Generate a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce file in addition to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce when signing a zone, for use by older versions of
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span><strong class="command">dnssec-signzone</strong></span>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="filename">keyset-</code> files in <code class="option">directory</code>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Uses a crypto hardware (OpenSSL engine) for the crypto operations
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce it supports, for instance signing with private keys from
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a secure key store. When compiled with PKCS#11 support
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce it defaults to pkcs11; the empty name resets it to no engine.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Generate DS records for child zones from
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce file. Existing DS records will be removed.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Key repository: Specify a directory to search for DNSSEC keys.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If not specified, defaults to the current directory.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Treat specified key as a key signing key ignoring any
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce key flags. This option may be specified multiple times.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Generate a DLV set in addition to the key (DNSKEY) and DS sets.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The domain is appended to the name of the records.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Specify the date and time when the generated RRSIG records
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce become valid. This can be either an absolute or relative
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce time. An absolute start time is indicated by a number
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce in YYYYMMDDHHMMSS notation; 20000530144500 denotes
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce 14:45:00 UTC on May 30th, 2000. A relative start time is
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce indicated by +N, which is N seconds from the current time.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If no <code class="option">start-time</code> is specified, the current
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce time minus 1 hour (to allow for clock skew) is used.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Specify the date and time when the generated RRSIG records
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce expire. As with <code class="option">start-time</code>, an absolute
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce time is indicated in YYYYMMDDHHMMSS notation. A time relative
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to the start time is indicated with +N, which is N seconds from
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the start time. A time relative to the current time is
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce indicated with now+N. If no <code class="option">end-time</code> is
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce specified, 30 days from the start time is used as a default.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="option">end-time</code> must be later than
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The name of the output file containing the signed zone. The
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce default is to append <code class="filename">.signed</code> to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce input filename.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Prints a short summary of the options and arguments to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span><strong class="command">dnssec-signzone</strong></span>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce When a previously-signed zone is passed as input, records
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce may be resigned. The <code class="option">interval</code> option
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce specifies the cycle interval as an offset from the current
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce time (in seconds). If a RRSIG record expires after the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce cycle interval, it is retained. Otherwise, it is considered
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce to be expiring soon, and it will be replaced.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The default cycle interval is one quarter of the difference
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce between the signature end and start times. So if neither
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="option">end-time</code> or <code class="option">start-time</code>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce are specified, <span><strong class="command">dnssec-signzone</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce signatures that are valid for 30 days, with a cycle
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce interval of 7.5 days. Therefore, if any existing RRSIG records
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce are due to expire in less than 7.5 days, they would be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The format of the input zone file.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Possible formats are <span><strong class="command">"text"</strong></span> (default)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce and <span><strong class="command">"raw"</strong></span>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This option is primarily intended to be used for dynamic
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce signed zones so that the dumped zone file in a non-text
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce format containing updates can be signed directly.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The use of this option does not make much sense for
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce non-dynamic zones.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce When signing a zone with a fixed signature lifetime, all
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce RRSIG records issued at the time of signing expires
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce simultaneously. If the zone is incrementally signed, i.e.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce a previously-signed zone is passed as input to the signer,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce all expired signatures have to be regenerated at about the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce same time. The <code class="option">jitter</code> option specifies a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce jitter window that will be used to randomize the signature
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce expire time, thus spreading incremental signature
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce regeneration over time.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Signature lifetime jitter also to some extent benefits
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce validators and servers by spreading out cache expiration,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce i.e. if large numbers of RRSIGs don't expire at the same time
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce from all caches there will be less congestion than if all
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce validators need to refetch at mostly the same time.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Specifies the number of threads to use. By default, one
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce thread is started for each detected CPU.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The SOA serial number format of the signed zone.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Possible formats are <span><strong class="command">"keep"</strong></span> (default),
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span><strong class="command">"increment"</strong></span> and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span><strong class="command">"unixtime"</strong></span>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dd><p>Do not modify the SOA serial number.</p></dd>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dd><p>Increment the SOA serial number using RFC 1982
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dd><p>Set the SOA serial number to the number of seconds
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The zone origin. If not specified, the name of the zone file
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce is assumed to be the origin.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The format of the output file containing the signed zone.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Possible formats are <span><strong class="command">"text"</strong></span> (default)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce and <span><strong class="command">"raw"</strong></span>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Use pseudo-random data when signing the zone. This is faster,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce but less secure, than using real random data. This option
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce may be useful when signing large zones or when the entropy
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce source is limited.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Disable post sign verification tests.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The post sign verification test ensures that for each algorithm
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce in use there is at least one non revoked self signed KSK key,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce that all revoked KSK keys are self signed, and that all records
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce in the zone are signed by the algorithm.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This option skips these tests.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Specifies the source of randomness. If the operating
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce system does not provide a <code class="filename">/dev/random</code>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce or equivalent device, the default source of randomness
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce is keyboard input. <code class="filename">randomdev</code>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the name of a character device or file containing random
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce data to be used instead of the default. The special value
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="filename">keyboard</code> indicates that keyboard
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce input should be used.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce search the key repository for keys that match the zone being
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce signed, and to include them in the zone if appropriate.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce When a key is found, its timing metadata is examined to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce determine how it should be used, according to the following
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce rules. Each successive rule takes priority over the prior
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If no timing metadata has been set for the key, the key is
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce published in the zone and used to sign the zone.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If the key's publication date is set and is in the past, the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce key is published in the zone.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If the key's activation date is set and in the past, the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce key is published (regardless of publication date) and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce used to sign the zone.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If the key's revocation date is set and in the past, and the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce key is published, then the key is revoked, and the revoked key
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce is used to sign the zone.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce If either of the key's unpublication or deletion dates are set
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce and in the past, the key is NOT published or used to sign the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone, regardless of any other metadata.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Specifies the TTL to be used for new DNSKEY records imported
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce into the zone from the key repository. If not specified,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the default is the minimum TTL value from the zone's SOA
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce record. This option is ignored when signing without
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <code class="option">-S</code>, since DNSKEY records are not imported
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce from the key repository in that case. It is also ignored if
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce there are any pre-existing DNSKEY records at the zone apex,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce in which case new records' TTL values will be set to match
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Print statistics at completion.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Update NSEC/NSEC3 chain when re-signing a previously signed
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone. With this option, a zone signed with NSEC can be
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce switched to NSEC3, or a zone signed with NSEC3 can
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be switch to NSEC or to NSEC3 with different parameters.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce retain the existing chain when re-signing.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Sets the debugging level.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Only sign the DNSKEY RRset with key-signing keys, and omit
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce signatures from zone-signing keys. (This is similar to the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span><strong class="command">named</strong></span>.)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Ignore KSK flag on key when determining what to sign. This
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce causes KSK-flagged keys to sign all records, not just the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce DNSKEY RRset. (This is similar to the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span><strong class="command">update-check-ksk no;</strong></span> zone option in
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span><strong class="command">named</strong></span>.)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Generate an NSEC3 chain with the given hex encoded salt.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce A dash (<em class="replaceable"><code>salt</code></em>) can
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be used to indicate that no salt is to be used when generating the NSEC3 chain.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce When generating an NSEC3 chain, use this many interations. The
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce default is 10.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce When generating an NSEC3 chain set the OPTOUT flag on all
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce NSEC3 records and do not generate NSEC3 records for insecure
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce delegations.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Using this option twice (i.e., <code class="option">-AA</code>)
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce turns the OPTOUT flag off for all records. This is useful
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce when using the <code class="option">-u</code> option to modify an NSEC3
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce chain which previously had OPTOUT set.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The file containing the zone to be signed.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Specify which keys should be used to sign the zone. If
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce no keys are specified, then the zone will be examined
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce for DNSKEY records at the zone apex. If these are found and
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce there are matching private keys, in the current directory,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce then these will be used for signing.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The following command signs the <strong class="userinput"><code>example.com</code></strong>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce (Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce is not being used, the zone's keys must be in the master file
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce (<code class="filename">db.example.com</code>). This invocation looks
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce for <code class="filename">dsset</code> files, in the current directory,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce the file <code class="filename">db.example.com.signed</code>. This
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce file should be referenced in a zone statement in a
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This example re-signs a previously signed zone with default parameters.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce The private keys are assumed to be in the current directory.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<pre class="programlisting">% cp db.example.com.signed db.example.com
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<p><span class="corpauthor">Internet Systems Consortium</span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<td width="40%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<span class="application">dnssec-settime</span>�</td>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce<td width="40%" align="right" valign="top">�<span class="application">named-checkconf</span>