<!--
 - man.dnssec-signzone.html revision 2a6d4c9948b3f4f31311bd799d114585a30419a9
 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-signzone.html,v 1.135 2009/10/07 01:14:42 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
<a accesskey="p" href="man.dnssec-settime.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.named-checkconf.html">Next</a>
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C</code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-n <em class="replaceable"><code>ncpus</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
<p><span><strong class="command">dnssec-signzone</strong></span>
 signs a zone. It generates
 NSEC and RRSIG records and produces a signed version of the
 zone. The security status of delegations from the signed zone
 (that is, whether the child zones are secure or not) is
 determined by the presence or absence of a
 <code class="filename">keyset</code> file for each child zone.</p>
<dt><span class="term">-a</span></dt>
 Verify all generated signatures.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Specifies the DNS class of the zone.
<dt><span class="term">-C</span></dt>
 Compatibility mode: Generate a
 <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
 file in addition to
 <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
 when signing a zone, for use by older versions of
 <span><strong class="command">dnssec-signzone</strong></span>.
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
 Look for <code class="filename">dsset-</code> or
 <code class="filename">keyset-</code> files in <code class="option">directory</code>.
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 Uses crypto hardware (an OpenSSL engine) for the crypto operations
 it supports, for instance signing with private keys from
 a secure key store. When compiled with PKCS#11 support
 it defaults to pkcs11; the empty name resets it to no engine.
<dt><span class="term">-g</span></dt>
 Generate DS records for child zones from
 <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
 files. Any DS records already present in the input zone are removed
 and replaced by the generated ones.
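As an added illustration of what -g computes (example code written for this page, not BIND's implementation): the DS record for a delegation is a digest over the child's canonical owner name followed by its DNSKEY RDATA, labelled with the DNSKEY's 16-bit key tag. The keyset lines, owner name and key bytes below are constructed sample data with a meaningless 4-byte "public key"; emitting DS only for keys with the SEP flag, and producing both SHA-1 and SHA-256 digests, are this example's own choices, not rules stated on this page.

```python
"""DS generation for a delegation, in the spirit of dnssec-signzone -g.

Added example, not BIND's code.  It reads DNSKEY records in presentation
format (what a keyset-<zonename> file holds), computes the key tag
(RFC 4034 Appendix B) and the DS digest over
canonical-owner-name || DNSKEY-RDATA (RFC 4034 s.5.1.4; SHA-256 per RFC 4509).
"""
import base64
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased labels, root label last."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata, algorithm):
    """RFC 4034 Appendix B; algorithm 1 (RSA/MD5) keeps the older modulus-based rule."""
    if algorithm == 1:
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return the DS record (presentation format) the parent would publish."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata, algorithm),
                                     algorithm, digest_type, digest)


def parse_keyset_line(line):
    """Parse 'owner [ttl] [class] DNSKEY flags protocol algorithm key...'."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    return tokens[0], flags, protocol, algorithm, "".join(tokens[idx + 4:])


def ds_from_keyset(lines, digest_types=(1, 2)):
    """DS records for every key with the SEP flag (0x0001, i.e. flags 257).

    Restricting to SEP keys is this example's assumption about which keys a
    parent should carry a DS for; it is not a rule taken from the manual page.
    """
    records = []
    for line in lines:
        if "DNSKEY" not in line.split():
            continue
        owner, flags, protocol, algorithm, key = parse_keyset_line(line)
        if not flags & 0x0001:        # SEP bit clear: a ZSK, no DS for it
            continue
        for dt in digest_types:
            records.append(make_ds(owner, flags, protocol, algorithm, key, dt))
    return records


# Constructed sample keyset: one KSK (257) and one ZSK (256), junk key material.
SAMPLE_KEYSET = [
    "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA==",
    "example.com. 3600 IN DNSKEY 256 3 8 BQYHCA==",
]

if __name__ == "__main__":
    for ds in ds_from_keyset(SAMPLE_KEYSET):
        print(ds)
```

A key tag is a 16-bit checksum, not an identifier: two keys can share one, so when checking a parent's DS against a child's DNSKEY compare the digest, not only the tag. Because -g discards the DS records already in the zone and rebuilds the set from the dsset- and keyset- files, a stale file for a child that has since rolled its KSK yields a DS matching no key in the child, and validators will treat that delegation as bogus.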
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 Key repository: Specify a directory to search for DNSSEC keys.
 If not specified, defaults to the current directory.
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
 Treat the specified key as a key signing key, ignoring any
 key flags. This option may be specified multiple times.
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
 Generate a DLV set in addition to the key (DNSKEY) and DS sets.
 The domain is appended to the name of the records.
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
 Specify the date and time when the generated RRSIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <code class="option">start-time</code> is specified, the current
 time minus 1 hour (to allow for clock skew) is used.
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
 Specify the date and time when the generated RRSIG records
 expire. As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">end-time</code> is
 specified, 30 days from the start time is used as a default.
 <code class="option">end-time</code> must be later than
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
 The name of the output file containing the signed zone. The
 default is to append <code class="filename">.signed</code> to the
 input filename.
<dt><span class="term">-h</span></dt>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-signzone</strong></span>.
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 When a previously-signed zone is passed as input, records
 may be resigned. The <code class="option">interval</code> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.
 The default cycle interval is one quarter of the difference
 between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 is specified, <span><strong class="command">dnssec-signzone</strong></span>
 generates signatures that are valid for 30 days, with a cycle
 interval of 7.5 days. Therefore, if any existing RRSIG records
 are due to expire in less than 7.5 days, they would be
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
 The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be signed directly.
 The use of this option does not make much sense for
 non-dynamic zones.
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
 When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously-signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <code class="option">jitter</code> option specifies a
 jitter window that will be used to randomize the signature
 expire time, thus spreading incremental signature
 regeneration over time.
 Signature lifetime jitter also to some extent benefits
 validators and servers by spreading out cache expiration,
 i.e. if large numbers of RRSIGs don't expire at the same time
 from all caches there will be less congestion than if all
 validators need to refetch at mostly the same time.
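The -s, -e, -i and -j rules above, as an added example (Python written for this page, not BIND's code) that parses the time arguments, applies the defaults, and decides which existing RRSIGs an incremental run would keep or replace. The exact way dnssec-signzone draws the jittered expiry is not on this page; the code assumes a uniform offset in [0, jitter) subtracted from the end time. The timestamps are constructed sample data.

```python
"""Signature timing as dnssec-signzone's -s, -e, -i and -j options describe it.

Added example, not BIND code.  Rules taken from the manual text:
  -s  absolute YYYYMMDDHHMMSS (UTC) or +N seconds from now; default now - 1h
  -e  absolute, +N seconds from the start time, or now+N; default start + 30d
  -i  cycle interval in seconds; default (end - start) / 4
  -j  jitter window in seconds applied to each RRSIG's expiry
Assumption (not stated on the page): jitter is modelled as subtracting a
uniform random offset in [0, jitter) from the nominal expiry.
"""
import random
import re
from datetime import datetime, timedelta, timezone

ABSOLUTE = re.compile(r"^(\d{14})$")
RELATIVE = re.compile(r"^(now)?\+(\d+)$")

# Constructed sample "current time": the page's $Id timestamp.
SAMPLE_NOW = datetime(2009, 10, 7, 1, 14, 42, tzinfo=timezone.utc)


def parse_time(spec, now, base=None):
    """Turn one time argument into a UTC datetime.

    A bare +N is relative to `base` (now for -s, the start time for -e);
    now+N is always relative to `now`.
    """
    base = now if base is None else base
    m = ABSOLUTE.match(spec)
    if m:
        return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    m = RELATIVE.match(spec)
    if m:
        origin = now if m.group(1) == "now" else base
        return origin + timedelta(seconds=int(m.group(2)))
    raise ValueError("unrecognised time specification: %r" % spec)


def signing_window(now, start_time=None, end_time=None, interval=None):
    """Return (start, end, cycle_interval) with the manual's defaults applied."""
    start = parse_time(start_time, now) if start_time else now - timedelta(hours=1)
    end = parse_time(end_time, now, base=start) if end_time else start + timedelta(days=30)
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    cycle = timedelta(seconds=interval) if interval is not None else (end - start) / 4
    return start, end, cycle


def needs_resign(rrsig_expiry, now, cycle):
    """An existing RRSIG is retained only if it expires after now + cycle."""
    return rrsig_expiry <= now + cycle


def jittered_expiry(end, jitter, rng=random):
    """Randomise one RRSIG's expiry inside the jitter window (assumed model)."""
    if jitter <= 0:
        return end
    return end - timedelta(seconds=rng.randrange(jitter))


def plan_resigning(now, rrsig_expiries, start_time=None, end_time=None,
                   interval=None, jitter=0, rng=random):
    """For each existing RRSIG expiry, decide keep/replace and, when replacing,
    compute the new (jittered) expiry."""
    start, end, cycle = signing_window(now, start_time, end_time, interval)
    plan = []
    for expiry in rrsig_expiries:
        if needs_resign(expiry, now, cycle):
            plan.append(("replace", jittered_expiry(end, jitter, rng)))
        else:
            plan.append(("keep", expiry))
    return start, end, cycle, plan


if __name__ == "__main__":
    # Two constructed RRSIGs: one 3 days from expiry, one 20 days from expiry.
    old = [SAMPLE_NOW + timedelta(days=3), SAMPLE_NOW + timedelta(days=20)]
    start, end, cycle, plan = plan_resigning(SAMPLE_NOW, old, jitter=3600)
    print("start", start, "end", end, "cycle", cycle)
    for action, when in plan:
        print(action, when)
```

One consequence of these rules worth checking before a production run: a bare +N given to -e counts from the start time, and the default start time is already an hour in the past, so `-e +3600` on its own produces signatures that are expired the moment they are written. Use now+N when the intent is "N seconds from the current time", and keep the end time comfortably beyond the cycle interval plus the zone's largest TTL so cached RRSIGs do not expire before validators refetch.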
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
 Specifies the number of threads to use. By default, one
 thread is started for each detected CPU.
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
 The SOA serial number format of the signed zone.
 Possible formats are <span><strong class="command">"keep"</strong></span> (default),
 <span><strong class="command">"increment"</strong></span> and
 <span><strong class="command">"unixtime"</strong></span>.
(Kexample.com.+003+17247). The zone's keys must be in the master
Kexample.com.+003+17247