<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
<tr>
<td width="20%" align="left"><a accesskey="p" href="man.dnssec-settime.html">Prev</a>&#160;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&#160;<a accesskey="n" href="man.dnssec-verify.html">Next</a></td>
</tr>
</table>
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<h2>Name</h2>
<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-Q</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
<h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
 signs a zone. It generates
 NSEC and RRSIG records and produces a signed version of the
 zone. The security status of delegations from the signed zone
 (that is, whether the child zones are secure or not) is
 determined by the presence or absence of a
 <code class="filename">keyset</code> file for each child zone.</p>
<h2>OPTIONS</h2>
<dt><span class="term">-a</span></dt>
<dd><p>Verify all generated signatures.</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>Specifies the DNS class of the zone.</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>Compatibility mode: Generate a
 <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
 file in addition to
 <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
 when signing a zone, for use by older versions of
 <span><strong class="command">dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>Look for <code class="filename">dsset-</code> or
 <code class="filename">keyset-</code> files in <code class="option">directory</code>.</p></dd>
<dt><span class="term">-D</span></dt>
<dd><p>Output only those record types automatically managed by
 <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
 NSEC3 and NSEC3PARAM records. If smart signing
 (<code class="option">-S</code>) is used, DNSKEY records are also
 included. The resulting file can be included in the original
 zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
 cannot be combined with <code class="option">-O raw</code>,
 <code class="option">-O map</code>, or serial number updating.</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>When applicable, specifies the hardware to use for
 cryptographic operations, such as a secure key store used
 for signing.</p>
<p>When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware service
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".</p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>Generate DS records for child zones from
 <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
 file. Existing DS records will be removed.</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>Key repository: Specify a directory to search for DNSSEC keys.
 If not specified, defaults to the current directory.</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>Treat specified key as a key signing key ignoring any
 key flags. This option may be specified multiple times.</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>Generate a DLV set in addition to the key (DNSKEY) and DS sets.
 The domain is appended to the name of the records.</p></dd>
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
<dd><p>Sets the maximum TTL for the signed zone.
 Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
 input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
 in the output. This provides certainty as to the largest
 possible TTL in the signed zone, which is useful to know when
 rolling keys because it is the longest possible time before
 signatures that have been retrieved by resolvers will expire
 from resolver caches. Zones that are signed with this
 option should be configured to use a matching
 <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
 (Note: This option is incompatible with <code class="option">-D</code>,
 because it modifies non-DNSSEC data in the output zone.)</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <code class="option">start-time</code> is specified, the current
 time minus 1 hour (to allow for clock skew) is used.</p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 expire. As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">end-time</code> is
 specified, 30 days from the start time is used as a default.
 <code class="option">end-time</code> must be later than</p></dd>
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 for the DNSKEY RRset will expire. This is to be used in cases
 when the DNSKEY signatures need to persist longer than
 signatures on other records; e.g., when the private component
 of the KSK is kept offline and the KSK signature is to be
 refreshed manually.</p>
<p>As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">extended end-time</code> is
 specified, the value of <code class="option">end-time</code> is used as
 the default. (<code class="option">end-time</code>, in turn, defaults to
 30 days from the start time.) <code class="option">extended end-time</code>
 must be later than <code class="option">start-time</code>.</p></dd>
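<p>As an added illustration (not part of this manual page and not BIND's own code), the following Python reproduces the time notations and defaults described for <code class="option">-s</code>, <code class="option">-e</code> and <code class="option">-X</code>: absolute YYYYMMDDHHMMSS, <code>+N</code> relative to the start time (or to the current time for the start itself), <code>now+N</code>, the one-hour clock-skew default for the start, the 30-day default lifetime, the fall-back of the extended end time to the end time, and the "must be later than start-time" checks. The function names and the fixed clock value used for the demonstration are this example's own assumptions.</p>

```python
from datetime import datetime, timedelta, timezone

# Added example, not dnssec-signzone's code: the -s / -e / -X time
# notations and their documented defaults. All datetimes are UTC.

DEFAULT_START_SKEW = timedelta(hours=1)   # start defaults to now - 1 hour
DEFAULT_LIFETIME = timedelta(days=30)     # end defaults to start + 30 days


def parse_time_spec(spec, now, base=None):
    """Parse one time argument.

    spec : None, 'YYYYMMDDHHMMSS', '+N' or 'now+N'
    now  : the current time (timezone-aware UTC datetime); unused for
           absolute specs
    base : reference for a bare '+N': the current time for -s, the
           start time for -e and -X
    Returns a UTC datetime, or None when no spec was given.
    """
    if spec is None:
        return None
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        ref = base if base is not None else now
        return ref + timedelta(seconds=int(spec[1:]))
    if len(spec) == 14 and spec.isdigit():
        return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised time specification: {spec!r}")


def resolve_validity(start=None, end=None, extended_end=None, now=None):
    """Return (start, end, extended_end) with the manual's defaults and
    ordering checks applied."""
    if now is None:
        now = datetime.now(timezone.utc)
    start_t = parse_time_spec(start, now) or (now - DEFAULT_START_SKEW)
    end_t = parse_time_spec(end, now, base=start_t) or (start_t + DEFAULT_LIFETIME)
    xend_t = parse_time_spec(extended_end, now, base=start_t) or end_t
    if end_t <= start_t:
        raise ValueError("end-time must be later than start-time")
    if xend_t <= start_t:
        raise ValueError("extended end-time must be later than start-time")
    return start_t, end_t, xend_t


if __name__ == "__main__":
    # Constructed clock: the manual's own example instant, 14:45:00 UTC on May 30th, 2000.
    clock = parse_time_spec("20000530144500", None)
    s, e, x = resolve_validity(end="+86400", extended_end="now+2592000", now=clock)
    for label, value in (("start", s), ("end", e), ("extended end", x)):
        print(f"{label:13s} {value.strftime('%Y%m%d%H%M%S')}")
```

<p>With no arguments the start lands one hour before the clock, the end 30 days after that, and the extended end equals the end; an end of <code>+0</code> is rejected because it would not be later than the start.</p>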
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>The name of the output file containing the signed zone. The
 default is to append <code class="filename">.signed</code> to
 the input filename. If <code class="option">output-file</code> is
 set to <code class="literal">"-"</code>, then the signed zone is
 written to the standard output, with a default output
 format of "full".</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>Prints version information.</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd><p>When a previously-signed zone is passed as input, records
 may be resigned. The <code class="option">interval</code> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.</p>
<p>The default cycle interval is one quarter of the difference
 between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 is specified, <span><strong class="command">dnssec-signzone</strong></span>
 generates signatures that are valid for 30 days, with a cycle
 interval of 7.5 days. Therefore, if any existing RRSIG records
 are due to expire in less than 7.5 days, they would be</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default),
 <span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"map"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be signed directly.
 The use of this option does not make much sense for
 non-dynamic zones.</p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd><p>When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously-signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <code class="option">jitter</code> option specifies a
 jitter window that will be used to randomize the signature
 expire time, thus spreading incremental signature
 regeneration over time.</p>
<p>Signature lifetime jitter also to some extent benefits
 validators and servers by spreading out cache expiration,
 i.e. if large numbers of RRSIGs don't expire at the same time
 from all caches there will be less congestion than if all
 validators need to refetch at mostly the same time.</p></dd>
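<p>The retention rule of <code class="option">-i</code> and the expiry spreading of <code class="option">-j</code> are easiest to see side by side. The Python below is an added example, not BIND's code: it walks a small constructed list of existing RRSIGs, keeps those that expire after <em>now + cycle interval</em>, marks the rest for regeneration, and assigns the regenerated ones an expiry pulled back by up to <code>jitter</code> seconds. Times are Unix timestamps in seconds; the RRSIG tuples, the fixed clock and the deterministic jitter offset (derived from the RRset name so the run is reproducible, where a real signer would use its random source) are this example's own assumptions.</p>

```python
import hashlib

# Added example (not BIND code): the -i retention rule and the -j jitter
# window applied to the RRSIGs of a previously-signed zone. All times are
# Unix timestamps in seconds; the RRSIG list below is a constructed model.


def default_cycle_interval(start, end):
    """Default -i value: one quarter of the signature validity period."""
    return (end - start) // 4


def needs_resign(expiry, now, cycle_interval):
    """An RRSIG expiring after now + cycle_interval is retained; anything
    expiring sooner is 'expiring soon' and must be regenerated."""
    return expiry <= now + cycle_interval


def jittered_expiry(end, jitter, owner, rtype):
    """Pull the new expiration back by 0 .. jitter-1 seconds so RRSIGs
    regenerated in one run do not all expire together. The offset is
    derived from the RRset name here purely to keep the example
    reproducible; a real signer draws it from its random source."""
    if jitter <= 0:
        return end
    digest = hashlib.sha256(f"{owner}/{rtype}".encode()).digest()
    return end - int.from_bytes(digest[:4], "big") % jitter


def plan_resign(rrsigs, now, start, end, cycle_interval=None, jitter=0):
    """rrsigs: iterable of (owner, rtype, expiry).
    Returns {"owner/rtype": "keep"} for retained RRSIGs and
    {"owner/rtype": new_expiry} for those that will be regenerated."""
    if cycle_interval is None:
        cycle_interval = default_cycle_interval(start, end)
    plan = {}
    for owner, rtype, expiry in rrsigs:
        key = f"{owner}/{rtype}"
        if needs_resign(expiry, now, cycle_interval):
            plan[key] = jittered_expiry(end, jitter, owner, rtype)
        else:
            plan[key] = "keep"
    return plan


# Constructed input: a signing run at NOW with the manual's defaults
# (start = now - 1 h, end = start + 30 days, so the interval is 7.5 days).
NOW = 1_000_000_000
START = NOW - 3600
END = START + 30 * 86400
EXAMPLE_RRSIGS = [
    ("www.example.com.", "A", NOW + 600000),     # ~6.9 days left: regenerate
    ("mail.example.com.", "MX", NOW + 700000),   # ~8.1 days left: keep
    ("example.com.", "SOA", NOW - 10),           # already expired: regenerate
]

if __name__ == "__main__":
    for key, action in plan_resign(EXAMPLE_RRSIGS, NOW, START, END, jitter=3600).items():
        print(f"{key:25s} {action}")
```

<p>Without jitter every regenerated RRSIG gets exactly the end time; with a one-hour jitter each lands somewhere in the last hour before it, which is the spreading effect the option is meant to produce.</p>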
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd><p>When writing a signed zone to "raw" or "map" format, set the
 "source serial" value in the header to the specified serial
 number. (This is expected to be used primarily for testing</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>Specifies the number of threads to use. By default, one
 thread is started for each detected CPU.</p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd><p>The SOA serial number format of the signed zone.
 Possible formats are <span><strong class="command">"keep"</strong></span> (default),
 <span><strong class="command">"increment"</strong></span>, <span><strong class="command">"unixtime"</strong></span>,
 and <span><strong class="command">"date"</strong></span>.</p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982</p></dd>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds</p></dd>
<dt><span class="term"><span><strong class="command">"date"</strong></span></span></dt>
<dd><p>Set the SOA serial number to today's date in</p></dd>
</dl></div></dd>
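<p>The four serial formats are small enough to model exactly, and doing so shows the one subtlety that matters operationally: a serial computed from the clock is only useful if it is "greater" than the old one in RFC 1982 serial arithmetic, otherwise secondaries will not pick up the new zone. The Python below is an added example, not BIND's implementation. It assumes that "date" yields YYYYMMDDNN (the manual text above is truncated at that point) and, as this example's own safety choice, falls back to old + 1 whenever the computed value would not move the serial forward.</p>

```python
import time

# Added example (not BIND code): the -N soa-serial-format behaviours as
# pure functions over a 32-bit serial, compared with RFC 1982 serial
# arithmetic so that wrap-around at 2^32 is handled correctly.
# Assumptions: "date" produces YYYYMMDDNN, and a computed serial that is
# not "greater" than the old one falls back to old + 1.

MODULUS = 1 << 32
HALF = 1 << 31


def serial_gt(a, b):
    """RFC 1982: is 32-bit serial a greater than serial b?"""
    a %= MODULUS
    b %= MODULUS
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def serial_increment(serial):
    """RFC 1982 addition of 1, wrapping modulo 2^32."""
    return (serial + 1) % MODULUS


def new_soa_serial(old, fmt, now=None):
    """Return the SOA serial the signed zone should carry under fmt."""
    if now is None:
        now = time.time()
    if fmt == "keep":
        return old % MODULUS
    if fmt == "increment":
        return serial_increment(old)
    if fmt == "unixtime":
        candidate = int(now) % MODULUS
    elif fmt == "date":
        candidate = int(time.strftime("%Y%m%d", time.gmtime(now))) * 100
    else:
        raise ValueError(f"unknown soa-serial-format: {fmt!r}")
    # Never publish a serial that does not move forward in serial
    # arithmetic; otherwise the zone would not transfer to secondaries.
    return candidate if serial_gt(candidate, old) else serial_increment(old)


if __name__ == "__main__":
    # Constructed clock: 14:45:00 UTC on May 30th, 2000, the manual's example instant.
    clock = 959697900
    for fmt in ("keep", "increment", "unixtime", "date"):
        print(f"{fmt:10s} {new_soa_serial(2000051500, fmt, now=clock)}")
```

<p>Running it with an old date-style serial of 2000051500 shows "unixtime" falling back to a plain increment, because 959697900 is not greater than 2000051500 in serial arithmetic, while "date" advances cleanly to 2000053000.</p>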
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.</p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>The format of the output file containing the signed zone.
 Possible formats are <span><strong class="command">"text"</strong></span> (default),
 which is the standard textual representation of the zone;
 <span><strong class="command">"full"</strong></span>, which is text output in a
 format suitable for processing by external scripts;
 and <span><strong class="command">"map"</strong></span>, <span><strong class="command">"raw"</strong></span>,
 and <span><strong class="command">"raw=N"</strong></span>, which store the zone in
 binary formats for rapid loading by <span><strong class="command">named</strong></span>.
 <span><strong class="command">"raw=N"</strong></span> specifies the format version of
 the raw zone file: if N is 0, the raw file can be read by
 any version of <span><strong class="command">named</strong></span>; if N is 1, the file
 can be read by release 9.9.0 or higher; the default is 1.</p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>Use pseudo-random data when signing the zone. This is faster,
 but less secure, than using real random data. This option
 may be useful when signing large zones or when the entropy
 source is limited.</p></dd>
<dt><span class="term">-P</span></dt>
<dd><p>Disable post sign verification tests.</p>
<p>The post sign verification test ensures that for each algorithm
 in use there is at least one non-revoked self-signed KSK,
 that all revoked KSKs are self-signed, and that all records
 in the zone are signed by the algorithm.
 This option skips these tests.</p></dd>
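<p>The three post-sign checks are worth understanding before deciding to turn them off with <code class="option">-P</code>, since each one catches a zone that would fail validation in the wild. The Python below is an added example, not BIND's verifier: it runs the three checks over a constructed model of a signed zone (DNSKEY records as flags/algorithm/key-tag dicts, RRSIGs as owner/type/algorithm/key-tag dicts, RRsets as owner/type pairs) and reports every problem found. The key tags, the use of algorithm 8 and the record model are this example's own assumptions.</p>

```python
# Added example (not BIND code): the post sign verification checks that
# -P disables, run over a constructed model of a signed zone.

SEP_FLAG = 0x0001     # Secure Entry Point bit in DNSKEY flags: marks a KSK
REVOKE_FLAG = 0x0080  # RFC 5011 REVOKE bit


def is_ksk(key):
    return bool(key["flags"] & SEP_FLAG)


def is_revoked(key):
    return bool(key["flags"] & REVOKE_FLAG)


def self_signed(key, rrsigs, apex):
    """True if the apex DNSKEY RRset carries an RRSIG made with this key."""
    return any(sig["owner"] == apex and sig["type"] == "DNSKEY"
               and sig["alg"] == key["alg"] and sig["keytag"] == key["keytag"]
               for sig in rrsigs)


def verify_signed_zone(apex, dnskeys, rrsets, rrsigs):
    """Return the list of problems found; an empty list means the zone
    passes all three checks for every algorithm in the DNSKEY RRset."""
    problems = []
    for alg in sorted({k["alg"] for k in dnskeys}):
        ksks = [k for k in dnskeys if k["alg"] == alg and is_ksk(k)]
        # 1. at least one non-revoked, self-signed KSK for this algorithm
        if not any(not is_revoked(k) and self_signed(k, rrsigs, apex) for k in ksks):
            problems.append(f"alg {alg}: no non-revoked self-signed KSK")
        # 2. every revoked KSK must still sign the DNSKEY RRset (RFC 5011)
        for k in ksks:
            if is_revoked(k) and not self_signed(k, rrsigs, apex):
                problems.append(f"alg {alg}: revoked KSK {k['keytag']} is not self-signed")
        # 3. every RRset in the zone carries an RRSIG of this algorithm
        signed = {(s["owner"], s["type"]) for s in rrsigs if s["alg"] == alg}
        for owner, rtype in rrsets:
            if (owner, rtype) not in signed:
                problems.append(f"alg {alg}: {owner} {rtype} has no RRSIG")
    return problems


# Constructed zone: one KSK (flags 257) and one ZSK (flags 256), both
# algorithm 8 (RSASHA256). Key tags are illustrative values.
APEX = "example.com."
EXAMPLE_KEYS = [
    {"flags": 257, "alg": 8, "keytag": 17247},
    {"flags": 256, "alg": 8, "keytag": 30066},
]
EXAMPLE_RRSETS = [(APEX, "SOA"), (APEX, "NS"), (APEX, "DNSKEY"), ("www.example.com.", "A")]
EXAMPLE_RRSIGS = [
    {"owner": APEX, "type": "DNSKEY", "alg": 8, "keytag": 17247},  # KSK self-signature
    {"owner": APEX, "type": "SOA", "alg": 8, "keytag": 30066},
    {"owner": APEX, "type": "NS", "alg": 8, "keytag": 30066},
    {"owner": "www.example.com.", "type": "A", "alg": 8, "keytag": 30066},
]

if __name__ == "__main__":
    print("complete zone:", verify_signed_zone(APEX, EXAMPLE_KEYS, EXAMPLE_RRSETS, EXAMPLE_RRSIGS) or "OK")
    # A revoked KSK (257 | 0x80 = 385) that did not sign the DNSKEY RRset.
    revoked = EXAMPLE_KEYS + [{"flags": 385, "alg": 8, "keytag": 41234}]
    print("revoked KSK:  ", verify_signed_zone(APEX, revoked, EXAMPLE_RRSETS, EXAMPLE_RRSIGS))
```

<p>Dropping the KSK's own DNSKEY signature from the model trips both the first check and the third, which is exactly the failure a resolver would see as a broken chain of trust at the apex.</p>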
<dt><span class="term">-Q</span></dt>
<dd><p>Remove signatures from keys that are no longer active.</p>
<p>Normally, when a previously-signed zone is passed as input
 to the signer, and a DNSKEY record has been removed and
 replaced with a new one, signatures from the old key
 that are still within their validity period are retained.
 This allows the zone to continue to validate with cached
 copies of the old DNSKEY RRset. The <code class="option">-Q</code> option
 forces <span><strong class="command">dnssec-signzone</strong></span> to remove
 signatures from keys that are no longer active. This
 enables ZSK rollover using the procedure described in
 RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").</p></dd>
<dt><span class="term">-R</span></dt>
<dd><p>Remove signatures from keys that are no longer published.</p>
<p>This option is similar to <code class="option">-Q</code>, except it
 forces <span><strong class="command">dnssec-signzone</strong></span> to remove signatures from
 keys that are no longer published. This enables ZSK rollover
 using the procedure described in RFC 4641, section 4.2.1.2
 ("Double Signature Zone Signing Key Rollover").</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>Specifies the source of randomness. If the operating</p></dd>