man.dnssec-signzone.html revision 2fa992d017c027173a47c834db88bef10df453c0
<!--
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C</code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-n <em class="replaceable"><code>ncpus</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-Q</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
zone. The security status of delegations from the signed zone
(that is, whether the child zones are secure or not) is
determined by the presence or absence of a
<code class="filename">keyset</code> file for each child zone.
<dt><span class="term">-a</span></dt>
Verify all generated signatures.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
Specifies the DNS class of the zone.
<dt><span class="term">-C</span></dt>
Compatibility mode: Generate a
<code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
file in addition to
<code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
when signing a zone, for use by older versions of
<span><strong class="command">dnssec-signzone</strong></span>.
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<code class="filename">keyset-</code> files in <code class="option">directory</code>.
<dt><span class="term">-D</span></dt>
Output only those record types automatically managed by
<span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
NSEC3 and NSEC3PARAM records. If smart signing
(<code class="option">-S</code>) is used, DNSKEY records are also
included. The resulting file can be included in the original
zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
cannot be combined with <code class="option">-O raw</code>,
<code class="option">-O map</code>, or serial number updating.
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
When applicable, specifies the hardware to use for
cryptographic operations, such as a secure key store used
for signing.
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware security
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
<dt><span class="term">-g</span></dt>
Generate DS records for child zones from
<code class="filename">dsset-</code> or <code class="filename">keyset-</code>
file. Existing DS records will be removed.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
Key repository: Specify a directory to search for DNSSEC keys.
If not specified, defaults to the current directory.
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
Treat the specified key as a key signing key, ignoring any
key flags. This option may be specified multiple times.
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
Sets the maximum TTL for the signed zone.
Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
in the output. This provides certainty as to the largest
possible TTL in the signed zone, which is useful to know when
rolling keys because it is the longest possible time before
signatures that have been retrieved by resolvers will expire
from resolver caches. Zones that are signed with this
option should be configured to use a matching
<code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
(Note: This option is incompatible with <code class="option">-D</code>,
because it modifies non-DNSSEC data in the output zone.)
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
Specify the date and time when the generated RRSIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <code class="option">start-time</code> is specified, the current
time minus 1 hour (to allow for clock skew) is used.
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
Specify the date and time when the generated RRSIG records
expire. As with <code class="option">start-time</code>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <code class="option">end-time</code> is
specified, 30 days from the start time is used as a default.
<code class="option">end-time</code> must be later than
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
Specify the date and time when the generated RRSIG records
for the DNSKEY RRset will expire. This is to be used in cases
when the DNSKEY signatures need to persist longer than
signatures on other records; e.g., when the private component
of the KSK is kept offline and the KSK signature is to be
refreshed manually.
As with <code class="option">start-time</code>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <code class="option">extended end-time</code> is
specified, the value of <code class="option">end-time</code> is used as
the default. (<code class="option">end-time</code>, in turn, defaults to
30 days from the start time.) <code class="option">extended end-time</code>
must be later than <code class="option">start-time</code>.
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
The name of the output file containing the signed zone. The
default is to append <code class="filename">.signed</code> to
the input filename. If <code class="option">output-file</code> is
set to <code class="literal">"-"</code>, then the signed zone is
written to the standard output, with a default output
format of "full".
<dt><span class="term">-h</span></dt>
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-signzone</strong></span>.
<dt><span class="term">-V</span></dt>
Prints version information.
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
When a previously-signed zone is passed as input, records
may be resigned. The <code class="option">interval</code> option
specifies the cycle interval as an offset from the current
time (in seconds). If an RRSIG record expires after the
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<code class="option">end-time</code> nor <code class="option">start-time</code>
is specified, <span><strong class="command">dnssec-signzone</strong></span>
signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing RRSIG records
are due to expire in less than 7.5 days, they would be
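The interaction of <code class="option">-s</code>, <code class="option">-e</code>, <code class="option">-X</code>, <code class="option">-i</code> and <code class="option">-j</code> described above, modelled as an added example (this is not BIND code; the "current time" is a constructed value, and subtracting the jitter from the expiry is this example's assumption):

```python
"""Added example, not BIND code: models how dnssec-signzone's -s, -e, -X,
-i and -j arguments fix RRSIG validity and which existing signatures an
incremental re-sign replaces, following the option text of the manual."""
import random
from datetime import datetime, timedelta, timezone

DEFAULT_LIFETIME = timedelta(days=30)   # -e default: 30 days after the start time
CLOCK_SKEW = timedelta(hours=1)         # -s default: current time minus 1 hour


def parse_time(spec, now, base=None):
    """Parse one time argument.

    YYYYMMDDHHMMSS is an absolute UTC time; +N is N seconds after `base`
    (the start time for -e and -X, the current time for -s); now+N is
    N seconds after the current time.
    """
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        anchor = base if base is not None else now
        return anchor + timedelta(seconds=int(spec[1:]))
    if len(spec) == 14 and spec.isdigit():
        return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised time specification: {spec!r}")


def validity_window(now, start=None, end=None, extended_end=None, interval=None):
    """Return (inception, expiry, dnskey_expiry, cycle_interval) for one run.

    Each argument mirrors an option (-s, -e, -X, -i in seconds); None means
    the option was not given, so the manual's default applies.
    """
    inception = parse_time(start, now) if start else now - CLOCK_SKEW
    expiry = parse_time(end, now, inception) if end else inception + DEFAULT_LIFETIME
    dnskey_expiry = parse_time(extended_end, now, inception) if extended_end else expiry
    if expiry <= inception or dnskey_expiry <= inception:
        raise ValueError("end-time and extended end-time must be later than start-time")
    # -i default: one quarter of the signature lifetime (7.5 days for 30-day signatures)
    cycle = timedelta(seconds=interval) if interval is not None else (expiry - inception) / 4
    return inception, expiry, dnskey_expiry, cycle


def needs_resign(rrsig_expiry, now, cycle):
    """An existing RRSIG is retained only if it expires after now + cycle;
    otherwise it counts as expiring soon and is regenerated."""
    return rrsig_expiry <= now + cycle


def jittered_expiry(expiry, jitter, seed=None):
    """-j: pull a new signature's expiry forward by a random amount of up to
    `jitter` seconds so that one signing run's RRSIGs do not all expire at
    once.  Subtracting from the expiry is this example's assumption; the
    manual only says the expiry is randomised within the jitter window."""
    if jitter <= 0:
        return expiry
    return expiry - timedelta(seconds=random.Random(seed).randrange(jitter))


if __name__ == "__main__":
    now = datetime(2014, 6, 1, 12, 0, tzinfo=timezone.utc)   # constructed current time
    inception, expiry, dnskey_expiry, cycle = validity_window(now)
    print("inception", inception, "expiry", expiry, "cycle", cycle)
    old_sig = parse_time("+432000", now)                      # an RRSIG expiring in 5 days
    print("5-day RRSIG replaced on re-sign:", needs_resign(old_sig, now, cycle))
```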
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
The format of the input zone file.
Possible formats are <span><strong class="command">"text"</strong></span> (default),
<span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"map"</strong></span>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be signed directly.
The use of this option does not make much sense for
non-dynamic zones.
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expire
simultaneously. If the zone is incrementally signed, i.e.
a previously-signed zone is passed as input to the signer,
all expired signatures have to be regenerated at about the
same time. The <code class="option">jitter</code> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
regeneration over time.
Signature lifetime jitter also to some extent benefits
validators and servers by spreading out cache expiration,
i.e. if large numbers of RRSIGs don't expire at the same time
from all caches there will be less congestion than if all
validators need to refetch at mostly the same time.
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
When writing a signed zone to "raw" or "map" format, set the
"source serial" value in the header to the specified serial
number. (This is expected to be used primarily for testing
purposes.)
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
The SOA serial number format of the signed zone.
Possible formats are <span><strong class="command">"keep"</strong></span> (default),
<span><strong class="command">"increment"</strong></span>, <span><strong class="command">"unixtime"</strong></span>,
and <span><strong class="command">"date"</strong></span>.
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
<dt><span class="term"><span><strong class="command">"date"</strong></span></span></dt>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
The format of the output file containing the signed zone.
Possible formats are <span><strong class="command">"text"</strong></span> (default),
which is the standard textual representation of the zone;
<span><strong class="command">"full"</strong></span>, which is text output in a
format suitable for processing by external scripts;
and <span><strong class="command">"map"</strong></span>, <span><strong class="command">"raw"</strong></span>,
and <span><strong class="command">"raw=N"</strong></span>, which store the zone in
binary formats for rapid loading by <span><strong class="command">named</strong></span>.
<span><strong class="command">"raw=N"</strong></span> specifies the format version of
the raw zone file: if N is 0, the raw file can be read by
any version of <span><strong class="command">named</strong></span>; if N is 1, the file
can be read by release 9.9.0 or higher; the default is 1.
<dt><span class="term">-p</span></dt>
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
<dt><span class="term">-P</span></dt>
Disable post-sign verification tests.
The post-sign verification test ensures that for each algorithm
in use there is at least one non-revoked self-signed KSK key,
that all revoked KSK keys are self-signed, and that all records
in the zone are signed by the algorithm.
This option skips these tests.
<dt><span class="term">-Q</span></dt>
Remove signatures from keys that are no longer active.
Normally, when a previously-signed zone is passed as input
to the signer, and a DNSKEY record has been removed and
replaced with a new one, signatures from the old key
that are still within their validity period are retained.
This allows the zone to continue to validate with cached
copies of the old DNSKEY RRset. The <code class="option">-Q</code> option
forces <span><strong class="command">dnssec-signzone</strong></span> to remove
signatures from keys that are no longer active. This
enables ZSK rollover using the procedure described in
RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
<dt><span class="term">-R</span></dt>
Remove signatures from keys that are no longer published.
This option is similar to <code class="option">-Q</code>, except it
forces <span><strong class="command">dnssec-signzone</strong></span> to remove signatures from
keys that are no longer published. This enables ZSK rollover
using the procedure described in RFC 4641, section 4.2.1.2
("Double Signature Zone Signing Key Rollover").
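The three post-sign verification checks that <code class="option">-P</code> disables, and the <code class="option">-Q</code>/<code class="option">-R</code> signature pruning, modelled over a small constructed zone as an added example (not BIND code; key tags, names and flag values are constructed, and only authoritative RRsets are modelled, so delegation NS records and glue, which are legitimately unsigned, are left out):

```python
"""Added example, not BIND code: a model of the post-sign verification
that dnssec-signzone runs unless -P is given, plus -Q/-R pruning of
signatures made by keys that are no longer active or published."""
from collections import namedtuple

DNSKey = namedtuple("DNSKey", "keytag algorithm flags")
RRSIG = namedtuple("RRSIG", "owner type_covered algorithm keytag")

SEP_FLAG = 0x0001     # DNSKEY flag bit that marks a KSK (RFC 4034 section 2.1.1)
REVOKE_FLAG = 0x0080  # RFC 5011 revocation bit


def is_ksk(key):
    return bool(key.flags & SEP_FLAG)


def is_revoked(key):
    return bool(key.flags & REVOKE_FLAG)


def post_sign_check(origin, dnskeys, rrsigs, rrsets):
    """Return a list of problems (empty when the zone passes).

    For each algorithm present in the DNSKEY RRset: at least one
    non-revoked KSK has signed the DNSKEY RRset, every revoked KSK has
    signed the DNSKEY RRset, and every RRset in the zone carries an
    RRSIG made with that algorithm.  `rrsets` is the set of (owner, type)
    pairs in the zone, RRSIGs excluded.
    """
    problems = []
    dnskey_signers = {(s.algorithm, s.keytag) for s in rrsigs
                      if s.owner == origin and s.type_covered == "DNSKEY"}
    for alg in sorted({k.algorithm for k in dnskeys}):
        ksks = [k for k in dnskeys if k.algorithm == alg and is_ksk(k)]
        if not any(not is_revoked(k) and (alg, k.keytag) in dnskey_signers for k in ksks):
            problems.append(f"algorithm {alg}: no non-revoked self-signed KSK")
        for k in ksks:
            if is_revoked(k) and (alg, k.keytag) not in dnskey_signers:
                problems.append(f"algorithm {alg}: revoked KSK {k.keytag} is not self-signed")
        signed = {(s.owner, s.type_covered) for s in rrsigs if s.algorithm == alg}
        for owner, rtype in sorted(rrsets - signed):
            problems.append(f"algorithm {alg}: {owner} {rtype} not signed")
    return problems


def prune_signatures(rrsigs, dnskeys, active_keytags, mode):
    """-Q ("active"): drop RRSIGs from keys that are no longer active.
    -R ("published"): drop RRSIGs from keys no longer in the DNSKEY RRset.
    Without either option such signatures stay while still valid."""
    if mode == "active":
        keep = set(active_keytags)
    elif mode == "published":
        keep = {k.keytag for k in dnskeys}
    else:
        raise ValueError("mode must be 'active' or 'published'")
    return [s for s in rrsigs if s.keytag in keep]


# Constructed sample zone: one KSK (flags 257) and one ZSK (flags 256), algorithm 8.
ORIGIN = "example.com."
KEYS = [DNSKey(12345, 8, 257), DNSKey(23456, 8, 256)]
RRSETS = {(ORIGIN, "SOA"), (ORIGIN, "DNSKEY"), ("www.example.com.", "A")}
SIGS = [RRSIG(ORIGIN, "DNSKEY", 8, 12345), RRSIG(ORIGIN, "SOA", 8, 23456),
        RRSIG("www.example.com.", "A", 8, 23456)]


def healthy_zone():
    return post_sign_check(ORIGIN, KEYS, SIGS, RRSETS)


def zone_with_orphan_algorithm():
    """Publishing an algorithm-13 ZSK with no KSK and no signatures fails
    all three checks for that algorithm: validators that pick algorithm 13
    would see a zone with no usable chain of trust."""
    return post_sign_check(ORIGIN, KEYS + [DNSKey(34567, 13, 256)], SIGS, RRSETS)


if __name__ == "__main__":
    print("healthy zone:", healthy_zone())
    print("orphan algorithm:", zone_with_orphan_algorithm())
```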
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
<dt><span class="term">-S</span></dt>
Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
Kexample.com.+003+17247