man.dnssec-signzone.html revision 1acf72525e7e0b41074593495dc5351485903569
c80e152862cc3e3207dc837fde7116bd4c0e4b9dTinderbox User - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
c80e152862cc3e3207dc837fde7116bd4c0e4b9dTinderbox User - Copyright (C) 2000-2003 Internet Software Consortium.
8d1b3ceb4d491ce32572f1702f37ed585eede993Evan Hunt - Permission to use, copy, modify, and distribute this software for any
d77cb075aae5595e460e3299bfc1e8ea5d42b560Evan Hunt - purpose with or without fee is hereby granted, provided that the above
d77cb075aae5595e460e3299bfc1e8ea5d42b560Evan Hunt - copyright notice and this permission notice appear in all copies.
30ca20f720ad0887772a79e7abb25b4fa0e4b5b0Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
30ca20f720ad0887772a79e7abb25b4fa0e4b5b0Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
30ca20f720ad0887772a79e7abb25b4fa0e4b5b0Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
30ca20f720ad0887772a79e7abb25b4fa0e4b5b0Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
701a93f5a592e4652343e049aa495d409c3ee133Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
7ec97ae74e42ec21b354fd2d1366313b41d947d6Evan Hunt - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
701a93f5a592e4652343e049aa495d409c3ee133Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
002f1373374a0b72fc0329baa682917929bef168Tony Finch<!-- $Id: man.dnssec-signzone.html,v 1.90 2008/10/22 01:11:41 tbox Exp $ -->
8f1ed05dc0aae7ae6c3da6ec6d405df61257a61eMark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
8f1ed05dc0aae7ae6c3da6ec6d405df61257a61eMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
8f1ed05dc0aae7ae6c3da6ec6d405df61257a61eMark Andrews<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
73cf0ba4e82c6baef638ecc4e31321223f841d28Mark Andrews<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
73cf0ba4e82c6baef638ecc4e31321223f841d28Mark Andrews<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
73cf0ba4e82c6baef638ecc4e31321223f841d28Mark Andrews<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
d8351dfc9b725b0d727be7acab6247d7d501d9a0Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
3a29ce9c08dd31709c73e7187aebda0d360c537bEvan Hunt<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
635e4351b04fd61ca6d853bdac6268c090b55129Mark Andrews<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
fc04365d2f83f197c8a54545dd9cd4ce6a209940Mark Andrews<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
1cf118a656f5fd210787908b845362077fc507f8Evan Hunt<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
1cf118a656f5fd210787908b845362077fc507f8Evan Hunt<p><span><strong class="command">dnssec-signzone</strong></span>
1cf118a656f5fd210787908b845362077fc507f8Evan Hunt signs a zone. It generates
1cf118a656f5fd210787908b845362077fc507f8Evan Hunt NSEC and RRSIG records and produces a signed version of the
1cf118a656f5fd210787908b845362077fc507f8Evan Hunt zone. The security status of delegations from the signed zone
6fb3db01acad7f5c1f4e23789fb0f2ce56cc07deMukund Sivaraman (that is, whether the child zones are secure or not) is
6fb3db01acad7f5c1f4e23789fb0f2ce56cc07deMukund Sivaraman determined by the presence or absence of a
6fb3db01acad7f5c1f4e23789fb0f2ce56cc07deMukund Sivaraman <code class="filename">keyset</code> file for each child zone.
2cf0fe3b8092f64f8f68ae3693fe2e73e90ad1a4Mark Andrews Verify all generated signatures.
2cf0fe3b8092f64f8f68ae3693fe2e73e90ad1a4Mark Andrews<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
4221d9cd1d02311fbf9b5f08a038f5af78b10b4aEvan Hunt Specifies the DNS class of the zone.
4221d9cd1d02311fbf9b5f08a038f5af78b10b4aEvan Hunt<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
4221d9cd1d02311fbf9b5f08a038f5af78b10b4aEvan Hunt Treat specified key as a key signing key ignoring any
f9c410d93711fbf312a0162f1e2d3f2a5ede69afFrancis Dupont key flags. This option may be specified multiple times.
f9c410d93711fbf312a0162f1e2d3f2a5ede69afFrancis Dupont<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
e526027287b849f0b6ab6e069156697cbafa22c1Michał Kępień Generate a DLV set in addition to the key (DNSKEY) and DS sets.
e526027287b849f0b6ab6e069156697cbafa22c1Michał Kępień The domain is appended to the name of the records.
e526027287b849f0b6ab6e069156697cbafa22c1Michał Kępień<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
929329d2d66a7e1083c70a9c918381935bf12799Mukund Sivaraman Look for <code class="filename">keyset</code> files in
929329d2d66a7e1083c70a9c918381935bf12799Mukund Sivaraman <code class="option">directory</code> as the directory
afefd754734f896bf3e0590177fff83e7cdfdf35Mark Andrews Generate DS records for child zones from keyset files.
afefd754734f896bf3e0590177fff83e7cdfdf35Mark Andrews Existing DS records will be removed.
f0353a586c2bfbae999193cb644b6bc94c7944d8Mark Andrews<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
7ff28f5befbee76048a23e504dcd3f9a44ce6209Evan Hunt Specify the date and time when the generated RRSIG records
7ff28f5befbee76048a23e504dcd3f9a44ce6209Evan Hunt become valid. This can be either an absolute or relative
7ff28f5befbee76048a23e504dcd3f9a44ce6209Evan Hunt time. An absolute start time is indicated by a number
7ff28f5befbee76048a23e504dcd3f9a44ce6209Evan Hunt in YYYYMMDDHHMMSS notation; 20000530144500 denotes
7ff28f5befbee76048a23e504dcd3f9a44ce6209Evan Hunt 14:45:00 UTC on May 30th, 2000. A relative start time is
7ff28f5befbee76048a23e504dcd3f9a44ce6209Evan Hunt indicated by +N, which is N seconds from the current time.
7ff28f5befbee76048a23e504dcd3f9a44ce6209Evan Hunt If no <code class="option">start-time</code> is specified, the current
7ff28f5befbee76048a23e504dcd3f9a44ce6209Evan Hunt time minus 1 hour (to allow for clock skew) is used.
7ff28f5befbee76048a23e504dcd3f9a44ce6209Evan Hunt<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
cad79077bd5b2616bc4a7a6b3cbc0953bef8917fMark Andrews Specify the date and time when the generated RRSIG records
cad79077bd5b2616bc4a7a6b3cbc0953bef8917fMark Andrews expire. As with <code class="option">start-time</code>, an absolute
cad79077bd5b2616bc4a7a6b3cbc0953bef8917fMark Andrews time is indicated in YYYYMMDDHHMMSS notation. A time relative
adfe58e8e5cd1890585e92b67f1fd01989a1fa7dMark Andrews to the start time is indicated with +N, which is N seconds from
adfe58e8e5cd1890585e92b67f1fd01989a1fa7dMark Andrews the start time. A time relative to the current time is
adfe58e8e5cd1890585e92b67f1fd01989a1fa7dMark Andrews indicated with now+N. If no <code class="option">end-time</code> is
c3237dec879f82855403ff7e3ba87b298172efd5Mark Andrews specified, 30 days from the start time is used as a default.
c3237dec879f82855403ff7e3ba87b298172efd5Mark Andrews<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
c3237dec879f82855403ff7e3ba87b298172efd5Mark Andrews The name of the output file containing the signed zone. The
cb616c6d5c2ece1fac37fa6e0bca2b53d4043098Mark Andrews default is to append <code class="filename">.signed</code> to
cb616c6d5c2ece1fac37fa6e0bca2b53d4043098Mark Andrews input filename.
534057c9f91a3eb6e0541f3526459c716239b337Mark Andrews Prints a short summary of the options and arguments to
534057c9f91a3eb6e0541f3526459c716239b337Mark Andrews <span><strong class="command">dnssec-signzone</strong></span>.
0f14b041328c062b1fa391887376388dfc8b2fe5Mark Andrews<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
0f14b041328c062b1fa391887376388dfc8b2fe5Mark Andrews When a previously-signed zone is passed as input, records
f7f4730e563a2749629fe7fef4cd9513cd2bfab7Mark Andrews may be resigned. The <code class="option">interval</code> option
f7f4730e563a2749629fe7fef4cd9513cd2bfab7Mark Andrews specifies the cycle interval as an offset from the current
1848d38f441ebf70ab21f6151bc3487a92d25b63Mark Andrews time (in seconds). If a RRSIG record expires after the
1848d38f441ebf70ab21f6151bc3487a92d25b63Mark Andrews cycle interval, it is retained. Otherwise, it is considered
2d82ed9456e72dc4373bea19d63411afe1c48962Mark Andrews to be expiring soon, and it will be replaced.
a5a1cbece45e6ca68aafe3b9b995eac6b0f45dd2Mark Andrews The default cycle interval is one quarter of the difference
a5a1cbece45e6ca68aafe3b9b995eac6b0f45dd2Mark Andrews between the signature end and start times. So if neither
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews <code class="option">end-time</code> nor <code class="option">start-time</code>
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews is specified, <span><strong class="command">dnssec-signzone</strong></span>
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrews generates signatures that are valid for 30 days, with a cycle
677f507de7c546c187c1505c48bc7b440545485cMark Andrews interval of 7.5 days. Therefore, if any existing RRSIG records
677f507de7c546c187c1505c48bc7b440545485cMark Andrews are due to expire in less than 7.5 days, they would be
677f507de7c546c187c1505c48bc7b440545485cMark Andrews<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
677f507de7c546c187c1505c48bc7b440545485cMark Andrews The format of the input zone file.
677f507de7c546c187c1505c48bc7b440545485cMark Andrews Possible formats are <span><strong class="command">"text"</strong></span> (default)
677f507de7c546c187c1505c48bc7b440545485cMark Andrews and <span><strong class="command">"raw"</strong></span>.
677f507de7c546c187c1505c48bc7b440545485cMark Andrews This option is primarily intended to be used for dynamic
bf459d24a117ae2c54c37016430b41cd6d73491cMark Andrews signed zones so that the dumped zone file in a non-text
bf459d24a117ae2c54c37016430b41cd6d73491cMark Andrews format containing updates can be signed directly.
bf459d24a117ae2c54c37016430b41cd6d73491cMark Andrews The use of this option does not make much sense for
677f507de7c546c187c1505c48bc7b440545485cMark Andrews non-dynamic zones.
677f507de7c546c187c1505c48bc7b440545485cMark Andrews<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
f53e0bda467d96dfeeba1b4da30c37b37766bb75Evan Hunt When signing a zone with a fixed signature lifetime, all
f53e0bda467d96dfeeba1b4da30c37b37766bb75Evan Hunt RRSIG records issued at the time of signing expire
f53e0bda467d96dfeeba1b4da30c37b37766bb75Evan Hunt simultaneously. If the zone is incrementally signed, i.e.
f53e0bda467d96dfeeba1b4da30c37b37766bb75Evan Hunt a previously-signed zone is passed as input to the signer,
81e3e3084980afcd61416f572c6e72d38a3808abMichał Kępień all expired signatures have to be regenerated at about the
81e3e3084980afcd61416f572c6e72d38a3808abMichał Kępień same time. The <code class="option">jitter</code> option specifies a
81e3e3084980afcd61416f572c6e72d38a3808abMichał Kępień jitter window that will be used to randomize the signature
81e3e3084980afcd61416f572c6e72d38a3808abMichał Kępień expire time, thus spreading incremental signature
64d7fa3ec4785b390665860aa6bdae304b3c1d24Mark Andrews regeneration over time.
64d7fa3ec4785b390665860aa6bdae304b3c1d24Mark Andrews Signature lifetime jitter also to some extent benefits
64d7fa3ec4785b390665860aa6bdae304b3c1d24Mark Andrews validators and servers by spreading out cache expiration,
64d7fa3ec4785b390665860aa6bdae304b3c1d24Mark Andrews i.e. if large numbers of RRSIGs don't expire at the same time
75505befa93c993aa5d2df24a2b64eac0c34cbffMark Andrews from all caches there will be less congestion than if all
75505befa93c993aa5d2df24a2b64eac0c34cbffMark Andrews validators need to refetch at mostly the same time.
a38f07c73790170842e4523b4a474d01ca0dede1Michał Kępień<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
39d5523a8afc73cbdb4fa426de2ce071267a5d6fMark Andrews Specifies the number of threads to use. By default, one
39d5523a8afc73cbdb4fa426de2ce071267a5d6fMark Andrews thread is started for each detected CPU.
39d5523a8afc73cbdb4fa426de2ce071267a5d6fMark Andrews<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
1f4a3c7088594d1b64cd734eb69e1fd023fde8bfMichał Kępień The SOA serial number format of the signed zone.
91827e6fd3851a5fe129ef5409ff45833ca01a0eMark Andrews Possible formats are <span><strong class="command">"keep"</strong></span> (default),
91827e6fd3851a5fe129ef5409ff45833ca01a0eMark Andrews <span><strong class="command">"increment"</strong></span> and
91827e6fd3851a5fe129ef5409ff45833ca01a0eMark Andrews <span><strong class="command">"unixtime"</strong></span>.
35aae5884f410180706a89a9715bf9a85eeeb4b7Michał Kępień<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
57b1d64d9ae12d56973716e96f9743a00d47af4aMichał Kępień<dd><p>Do not modify the SOA serial number.</p></dd>
57b1d64d9ae12d56973716e96f9743a00d47af4aMichał Kępień<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
57b1d64d9ae12d56973716e96f9743a00d47af4aMichał Kępień<dd><p>Increment the SOA serial number using RFC 1982
2d517e233ff3b3fcd272eb5b2e2d3db6d31a1681Michał Kępień<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
2d517e233ff3b3fcd272eb5b2e2d3db6d31a1681Michał Kępień<dd><p>Set the SOA serial number to the number of seconds
86d2f9abc8493321aacb0d540485de4d562fb734Mark Andrews<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
86d2f9abc8493321aacb0d540485de4d562fb734Mark Andrews The zone origin. If not specified, the name of the zone file
86d2f9abc8493321aacb0d540485de4d562fb734Mark Andrews is assumed to be the origin.
86d2f9abc8493321aacb0d540485de4d562fb734Mark Andrews<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
09c3efda414314d7edcfb2aed9463fb935fc95a6Mark Andrews The format of the output file containing the signed zone.
86d2f9abc8493321aacb0d540485de4d562fb734Mark Andrews Possible formats are <span><strong class="command">"text"</strong></span> (default)
c7e57ce1b0bca9bc7da14bec485f7a7e3e4c761fMichał Kępień and <span><strong class="command">"raw"</strong></span>.
3ed16e796dba90c96933c8a8a3f5b9404d8d3e61Mark Andrews Use pseudo-random data when signing the zone. This is faster,
3ed16e796dba90c96933c8a8a3f5b9404d8d3e61Mark Andrews but less secure, than using real random data. This option
14d8a144779b54b103d2da741a2242bf5f9052f7Mark Andrews may be useful when signing large zones or when the entropy
14d8a144779b54b103d2da741a2242bf5f9052f7Mark Andrews source is limited.
70e041bea19b6ad9522b89c2299ad315a2deaafdMark Andrews<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
70e041bea19b6ad9522b89c2299ad315a2deaafdMark Andrews Specifies the source of randomness. If the operating
67247b4a8304bac790648a351a95b8b0f4c512a6Mark Andrews system does not provide a <code class="filename">/dev/random</code>
67247b4a8304bac790648a351a95b8b0f4c512a6Mark Andrews or equivalent device, the default source of randomness
eeb919b6f572e033d97cf001e4cd44aaff54e5dcMichał Kępień is keyboard input. <code class="filename">randomdev</code> specifies
eeb919b6f572e033d97cf001e4cd44aaff54e5dcMichał Kępień the name of a character device or file containing random
a55438eda32ecebf43ead45b216662b7923a465fMark Andrews data to be used instead of the default. The special value
a55438eda32ecebf43ead45b216662b7923a465fMark Andrews <code class="filename">keyboard</code> indicates that keyboard
a55438eda32ecebf43ead45b216662b7923a465fMark Andrews input should be used.
9789e54e55b61b669fb31a8b70e9655e8357dda2Mark Andrews Print statistics at completion.
f8362536c647625e602c8450a778a2b7ba90c9f4Mark Andrews<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
f8362536c647625e602c8450a778a2b7ba90c9f4Mark Andrews Sets the debugging level.
24231e53a5c3079431f84dcddfee1e761fec7329Mark Andrews Ignore KSK flag on key when determining what to sign.
4b669b69bae7dedda2faa09a7ade247499c1d49cMichał Kępień<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
4b669b69bae7dedda2faa09a7ade247499c1d49cMichał Kępień Generate a NSEC3 chain with the given hex encoded salt.
eb11b39981689e4a20fbe95e533577eacab992b4Mukund Sivaraman A dash (<em class="replaceable"><code>salt</code></em>) can
eb11b39981689e4a20fbe95e533577eacab992b4Mukund Sivaraman be used to indicate that no salt is to be used when generating the NSEC3 chain.
8daeae9b01a2b7eb9fd6511b352b03bd7d96ae79Michał Kępień<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
e7c0f978425f45731b08be1363f20626b0344f23Evan Hunt When generating a NSEC3 chain, use this many iterations. The
e7c0f978425f45731b08be1363f20626b0344f23Evan Hunt default is 100.
575e9d9e4b6beaae688f107814a320b91243a4b2Mark Andrews When generating a NSEC3 chain set the OPTOUT flag on all
575e9d9e4b6beaae688f107814a320b91243a4b2Mark Andrews NSEC3 records and do not generate NSEC3 records for insecure
575e9d9e4b6beaae688f107814a320b91243a4b2Mark Andrews delegations.
7c442d7fe06bc95432af7513764e5cc85e133648Evan Hunt The file containing the zone to be signed.
5e1ca7a326741a8f74e6f2b907c7e1fbf428bf80Michał Kępień Specify which keys should be used to sign the zone. If
5e1ca7a326741a8f74e6f2b907c7e1fbf428bf80Michał Kępień no keys are specified, then the zone will be examined
ba93bc80a7bce5ba07b2f98e68f0f57402f2459cMark Andrews for DNSKEY records at the zone apex. If these are found and
ba93bc80a7bce5ba07b2f98e68f0f57402f2459cMark Andrews there are matching private keys, in the current directory,
8ed107eab48687887d45a1ceb18b712bc7209dbaTinderbox User then these will be used for signing.
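The timing rules given above for -s, -e and -i can be checked before a re-signing run. The following is an added example, not part of the BIND distribution: a Python model of those rules that reports which existing RRSIGs fall inside the cycle interval. The function names, the NOW timestamp and the sample expiry times are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_LIFETIME = timedelta(days=30)  # default end-time: 30 days after start-time
CLOCK_SKEW = timedelta(hours=1)        # default start-time: current time minus 1 hour


def parse_time(spec, now, base):
    """Resolve a time argument: YYYYMMDDHHMMSS, +N (seconds from base) or now+N."""
    if spec.startswith("now+"):        # documented above for -e
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        return base + timedelta(seconds=int(spec[1:]))
    if len(spec) != 14 or not spec.isdigit():
        raise ValueError(f"bad time specification: {spec!r}")
    return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def signing_window(now, start=None, end=None, interval=None):
    """Return (inception, expiration, cutoff) for one signing run.

    For -s, +N counts from the current time; for -e, +N counts from the
    start time. cutoff is the current time plus the cycle interval.
    """
    inception = parse_time(start, now, now) if start else now - CLOCK_SKEW
    expiration = parse_time(end, now, inception) if end else inception + DEFAULT_LIFETIME
    if expiration <= inception:
        raise ValueError("end-time must be later than start-time")
    if interval is not None:
        cycle = timedelta(seconds=interval)
    else:
        cycle = (expiration - inception) / 4   # default: one quarter of the lifetime
    return inception, expiration, now + cycle


def plan_resign(existing, now, **opts):
    """Classify each existing RRSIG: retained only if it expires after the cutoff."""
    _, _, cutoff = signing_window(now, **opts)
    return {name: "retain" if expires > cutoff else "replace"
            for name, expires in existing.items()}


# Constructed sample data: the current time and three existing signature expiry times.
NOW = datetime(2008, 10, 22, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE_RRSIGS = {
    "example.com/SOA": NOW + timedelta(days=3),        # inside the 7.5-day window
    "mail.example.com/MX": NOW + timedelta(days=7.5),  # exactly at the cutoff
    "www.example.com/A": NOW + timedelta(days=20),     # well beyond the cutoff
}

if __name__ == "__main__":
    inception, expiration, cutoff = signing_window(NOW)
    print("new signatures valid", inception, "to", expiration)
    print("re-sign anything expiring on or before", cutoff)
    for name, action in plan_resign(SAMPLE_RRSIGS, NOW).items():
        print(f"{action:8} {name}")
```

A signature expiring exactly at the cutoff is counted as expiring soon here, because the text retains only signatures that expire after the cycle interval.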
e5715e1fe12e5ad17522bd41c31e637c869d27b7Evan Hunt The following command signs the <strong class="userinput"><code>example.com</code></strong>
b7b76d6b855cd4c1152c26d34fb61af05f965c5eEvan Hunt zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
b7b76d6b855cd4c1152c26d34fb61af05f965c5eEvan Hunt (Kexample.com.+003+17247). The zone's keys must be in the master
b7b76d6b855cd4c1152c26d34fb61af05f965c5eEvan Hunt file (<code class="filename">db.example.com</code>). This invocation looks
b7b76d6b855cd4c1152c26d34fb61af05f965c5eEvan Hunt for <code class="filename">keyset</code> files, in the current directory,
764e2f3413ca89d09abffb3eb228c8c820bf08b8Mark Andrews so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
764e2f3413ca89d09abffb3eb228c8c820bf08b8Mark Andrews<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247</pre>
50433a667cf0ed3ac7807768b745b0d870ff8c8bMark Andrews In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
50433a667cf0ed3ac7807768b745b0d870ff8c8bMark Andrews the file <code class="filename">db.example.com.signed</code>. This
3c12bec945ee71a38c5ba6f624abd12e2da7eea5Mark Andrews file should be referenced in a zone statement in a
f44202ab640d22e17b4c74bdad7817622918bd27Mark Andrews This example re-signs a previously signed zone with default parameters.
ad9772c559c6aa42f8930f4acf1a2d833a08040aMichał Kępień The private keys are assumed to be in the current directory.
ad9772c559c6aa42f8930f4acf1a2d833a08040aMichał Kępień<pre class="programlisting">% cp db.example.com.signed db.example.com
ad9772c559c6aa42f8930f4acf1a2d833a08040aMichał Kępień% dnssec-signzone -o example.com db.example.com</pre>
6216df5ccded056abd5db4abac4e5cbd78c73f45Evan Hunt<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
6216df5ccded056abd5db4abac4e5cbd78c73f45Evan Hunt <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
56e30ebae6fdb0bdf94419caff3a43fb2d16c5dfEvan Hunt<p><span class="corpauthor">Internet Systems Consortium</span>