man.dnssec-signzone.html revision 1acf72525e7e0b41074593495dc5351485903569
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
f0aad5341752aefe5059832f6cf3abc3283c6e16Tinderbox User - Copyright (C) 2000-2003 Internet Software Consortium.
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - Permission to use, copy, modify, and distribute this software for any
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - purpose with or without fee is hereby granted, provided that the above
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - copyright notice and this permission notice appear in all copies.
d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!-- $Id: man.dnssec-signzone.html,v 1.90 2008/10/22 01:11:41 tbox Exp $ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<p><span><strong class="command">dnssec-signzone</strong></span>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User signs a zone. It generates
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein NSEC and RRSIG records and produces a signed version of the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zone. The security status of delegations from the signed zone
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews (that is, whether the child zones are secure or not) is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein determined by the presence or absence of a
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User <code class="filename">keyset</code> file for each child zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Verify all generated signatures.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the DNS class of the zone.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User Treat specified key as a key signing key, ignoring any
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User key flags. This option may be specified multiple times.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Generate a DLV set in addition to the key (DNSKEY) and DS sets.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The domain is appended to the name of the records.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User Look for <code class="filename">keyset</code> files in
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User <code class="option">directory</code>.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User Generate DS records for child zones from keyset files.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User Existing DS records will be removed.
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User Specify the date and time when the generated RRSIG records
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User become valid. This can be either an absolute or relative
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt time. An absolute start time is indicated by a number
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in YYYYMMDDHHMMSS notation; 20000530144500 denotes
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User 14:45:00 UTC on May 30th, 2000. A relative start time is
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User indicated by +N, which is N seconds from the current time.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User If no <code class="option">start-time</code> is specified, the current
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater time minus 1 hour (to allow for clock skew) is used.
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Specify the date and time when the generated RRSIG records
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User expire. As with <code class="option">start-time</code>, an absolute
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User time is indicated in YYYYMMDDHHMMSS notation. A time relative
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User to the start time is indicated with +N, which is N seconds from
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User the start time. A time relative to the current time is
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User indicated with now+N. If no <code class="option">end-time</code> is
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User specified, 30 days from the start time is used as a default.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User The name of the output file containing the signed zone. The
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User default is to append <code class="filename">.signed</code> to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the input filename.
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User Prints a short summary of the options and arguments to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span><strong class="command">dnssec-signzone</strong></span>.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User When a previously-signed zone is passed as input, records
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User may be re-signed. The <code class="option">interval</code> option
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User specifies the cycle interval as an offset from the current
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User time (in seconds). If an RRSIG record expires after the
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater cycle interval, it is retained. Otherwise, it is considered
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt to be expiring soon, and it will be replaced.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User The default cycle interval is one quarter of the difference
bcf15a19ae0efa72a22cdfb50666a3c6ce39eb9fTinderbox User between the signature end and start times. So if neither
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <code class="option">end-time</code> nor <code class="option">start-time</code>
bcf15a19ae0efa72a22cdfb50666a3c6ce39eb9fTinderbox User is specified, <span><strong class="command">dnssec-signzone</strong></span> generates
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User signatures that are valid for 30 days, with a cycle
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User interval of 7.5 days. Therefore, if any existing RRSIG records
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User are due to expire in less than 7.5 days, they would be
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User The format of the input zone file.
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User Possible formats are <span><strong class="command">"text"</strong></span> (default)
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User and <span><strong class="command">"raw"</strong></span>.
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User This option is primarily intended to be used for dynamic
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein signed zones so that the dumped zone file in a non-text
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein format containing updates can be signed directly.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews The use of this option does not make much sense for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein non-dynamic zones.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When signing a zone with a fixed signature lifetime, all
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt RRSIG records issued at the time of signing expire
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein simultaneously. If the zone is incrementally signed, i.e.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt a previously-signed zone is passed as input to the signer,
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User all expired signatures have to be regenerated at about the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein same time. The <code class="option">jitter</code> option specifies a
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt jitter window that will be used to randomize the signature
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein expire time, thus spreading incremental signature
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User regeneration over time.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User Signature lifetime jitter also to some extent benefits
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt validators and servers by spreading out cache expiration,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein i.e. if large numbers of RRSIGs don't expire at the same time
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User from all caches there will be less congestion than if all
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User validators need to refetch at mostly the same time.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User Specifies the number of threads to use. By default, one
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User thread is started for each detected CPU.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The SOA serial number format of the signed zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Possible formats are <span><strong class="command">"keep"</strong></span> (default),
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span><strong class="command">"increment"</strong></span> and
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span><strong class="command">"unixtime"</strong></span>.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater<dd><p>Do not modify the SOA serial number.</p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dd><p>Increment the SOA serial number using RFC 1982
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>Set the SOA serial number to the number of seconds
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User The zone origin. If not specified, the name of the zone file
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is assumed to be the origin.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User The format of the output file containing the signed zone.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Possible formats are <span><strong class="command">"text"</strong></span> (default)
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User and <span><strong class="command">"raw"</strong></span>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Use pseudo-random data when signing the zone. This is faster,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt but less secure, than using real random data. This option
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt may be useful when signing large zones or when the entropy
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt source is limited.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Specifies the source of randomness. If the operating
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein system does not provide a <code class="filename">/dev/random</code>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt or equivalent device, the default source of randomness
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User is keyboard input. <code class="filename">randomdev</code> specifies
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User the name of a character device or file containing random
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User data to be used instead of the default. The special value
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">keyboard</code> indicates that keyboard
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt input should be used.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User Print statistics at completion.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the debugging level.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Ignore KSK flag on key when determining what to sign.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
a1ff871f78b7d907d6fc3a382beea2a640fe8423Tinderbox User Generate an NSEC3 chain with the given hex-encoded salt.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt A dash (<code class="option">-</code>) given as <em class="replaceable"><code>salt</code></em> can
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt be used to indicate that no salt is to be used when generating the NSEC3 chain.
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt When generating an NSEC3 chain, use this many iterations. The
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt default is 100.
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User When generating an NSEC3 chain, set the OPTOUT flag on all
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User NSEC3 records and do not generate NSEC3 records for insecure
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt delegations.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The file containing the zone to be signed.
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User Specify which keys should be used to sign the zone. If
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User no keys are specified, then the zone will be examined
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt for DNSKEY records at the zone apex. If these are found and
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater there are matching private keys, in the current directory,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User then these will be used for signing.
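<p>Added example (not part of the BIND manual page): the <code class="option">-s</code>, <code class="option">-e</code> and <code class="option">-i</code> rules described above, worked through in Python to show which existing RRSIGs a re-signing run would replace. The function names, <code>NOW</code> and the sample expiration times are constructed for illustration; <code class="option">-j</code> jitter is not modelled.</p>

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y%m%d%H%M%S"  # YYYYMMDDHHMMSS notation, interpreted as UTC


def absolute_time(text):
    """Parse an absolute YYYYMMDDHHMMSS timestamp as UTC."""
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)


def parse_start(arg, now):
    """-s: absolute time, or +N seconds from now; default is now minus 1 hour."""
    if arg is None:
        return now - timedelta(hours=1)
    if arg.startswith("+"):
        return now + timedelta(seconds=int(arg[1:]))
    return absolute_time(arg)


def parse_end(arg, start, now):
    """-e: absolute, +N from the start time, now+N from the current time;
    default is 30 days after the start time."""
    if arg is None:
        return start + timedelta(days=30)
    if arg.startswith("now+"):
        return now + timedelta(seconds=int(arg[4:]))
    if arg.startswith("+"):
        return start + timedelta(seconds=int(arg[1:]))
    return absolute_time(arg)


def signing_plan(now, start_arg=None, end_arg=None, interval=None):
    """Return (start, end, cycle) for one signing run.

    The cycle interval defaults to one quarter of (end - start)."""
    start = parse_start(start_arg, now)
    end = parse_end(end_arg, start, now)
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    if interval is not None:
        cycle = timedelta(seconds=interval)
    else:
        cycle = (end - start) / 4
    return start, end, cycle


def rrsigs_to_replace(expirations, now, cycle):
    """Names whose RRSIG does not expire after now + cycle (replaced);
    signatures expiring later than that are retained."""
    cutoff = now + cycle
    return sorted(name for name, exp in expirations.items()
                  if absolute_time(exp) <= cutoff)


# Constructed sample data: a fixed "current time" and RRSIG expiration times.
NOW = datetime(2008, 10, 22, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE_EXPIRATIONS = {
    "www.example.com.": "20081025000000",   # expires in 3 days
    "mail.example.com.": "20081101000000",  # expires in 10 days
    "old.example.com.": "20081020000000",   # already expired
}

if __name__ == "__main__":
    start, end, cycle = signing_plan(NOW)
    print("valid from", start, "until", end, "cycle", cycle)
    print("replace:", rrsigs_to_replace(SAMPLE_EXPIRATIONS, NOW, cycle))
```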
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The following command signs the <strong class="userinput"><code>example.com</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User (Kexample.com.+003+17247). The zone's keys must be in the master
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews file (<code class="filename">db.example.com</code>). This invocation looks
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews for <code class="filename">keyset</code> files, in the current directory,
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the file <code class="filename">db.example.com.signed</code>. This
e108f2ec640e1acb54999c0ade58af606149956dTinderbox User file should be referenced in a zone statement in a
6d382c9fcec316a84a237779fb64bb471b6f9d43Tinderbox User <code class="filename">named.conf</code> file.
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User This example re-signs a previously signed zone with default parameters.
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User The private keys are assumed to be in the current directory.
f9aef05653eeb454c489d5bd2bde6daab774ad4aTinderbox User<pre class="programlisting">% cp db.example.com.signed db.example.com
f9aef05653eeb454c489d5bd2bde6daab774ad4aTinderbox User% dnssec-signzone -o example.com db.example.com
922312472e2e05ebc64993d465999c5351b83036Automatic Updater<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
dec590a3deb8e87380a8bd3a77d535dba3729bf6Tinderbox User <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<p><span class="corpauthor">Internet Systems Consortium</span>