man.dnssec-signzone.html revision 4abdfc917e6635a7c81d1f931a0c79227e72d025
8d3278a82b964217d95c340ec6f82037cdc59d19Timo Sirainen - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
8d3278a82b964217d95c340ec6f82037cdc59d19Timo Sirainen - Copyright (C) 2000-2003 Internet Software Consortium.
d1fff80640050631b06bfab904a34b2ad24601e8Timo Sirainen - Permission to use, copy, modify, and distribute this software for any
47e9fdee55c2074425cf0316f4f64fbbb790301cTimo Sirainen - purpose with or without fee is hereby granted, provided that the above
4da8c6cdefabd31262318c32da3c13de1d9ea953Timo Sirainen - copyright notice and this permission notice appear in all copies.
38f227941bcf673e0e523c1ac7267bca9cbcd2c4Timo Sirainen - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
38f227941bcf673e0e523c1ac7267bca9cbcd2c4Timo Sirainen - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
47e9fdee55c2074425cf0316f4f64fbbb790301cTimo Sirainen - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
8d3278a82b964217d95c340ec6f82037cdc59d19Timo Sirainen - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
3e564425db51f3921ce4de11859777135fdedd15Timo Sirainen - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
8d3278a82b964217d95c340ec6f82037cdc59d19Timo Sirainen - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
3e564425db51f3921ce4de11859777135fdedd15Timo Sirainen - PERFORMANCE OF THIS SOFTWARE.
3e564425db51f3921ce4de11859777135fdedd15Timo Sirainen<!-- $Id: man.dnssec-signzone.html,v 1.37 2007/01/26 23:29:04 marka Exp $ -->
02a6291366caff79793db35d479e2a062bec2af4Timo Sirainen<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
4da8c6cdefabd31262318c32da3c13de1d9ea953Timo Sirainen<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
4da8c6cdefabd31262318c32da3c13de1d9ea953Timo Sirainen<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
8f5b34c22e4c3bfb35ca13c4744867eb5ddbd3d6Timo Sirainen<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
95d9395d15540b3a96f75c7f9fd73e6d8ad5e897Timo Sirainen<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
95d9395d15540b3a96f75c7f9fd73e6d8ad5e897Timo Sirainen<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
705f6fbad395e6f014838e797b7dbcaceafd2f1dTimo Sirainen<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
705f6fbad395e6f014838e797b7dbcaceafd2f1dTimo Sirainen<table width="100%" summary="Navigation header">
c5a6a6565be93224fc26522eda855b0990f256e8Timo Sirainen<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
303e375b7e76278f4ec541f49af0476d3e4ee710Timo Sirainen<a accesskey="p" href="man.dnssec-keygen.html">Prev</a>�</td>
303e375b7e76278f4ec541f49af0476d3e4ee710Timo Sirainen<th width="60%" align="center">Manual pages</th>
8cca3b43b28365cfee4dc733c00caaeab8ecd2adTimo Sirainen<td width="20%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
1358e2c58ce29231485a5cfa454756d429ad3d2cTimo Sirainen<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
b55f914c0ade77252cfd798ea8eb9a84bda56315Timo Sirainen<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
a020eb653b2620a989e4795adceb6136037327b2Timo Sirainen<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
d1fff80640050631b06bfab904a34b2ad24601e8Timo Sirainen<p><span><strong class="command">dnssec-signzone</strong></span>
009217abb57a24a4076092e8e4e165545747839eStephan Bosch signs a zone. It generates
cf0ad1a0bddb0787f3d7b408a96d721a8b2a98a3Timo Sirainen NSEC and RRSIG records and produces a signed version of the
cf0ad1a0bddb0787f3d7b408a96d721a8b2a98a3Timo Sirainen zone. The security status of delegations from the signed zone
762e17079d29d9f1838114ff5fec9ceaba8eb6a8Timo Sirainen (that is, whether the child zones are secure or not) is
b9b841558c5f91db7f5fc71c0ac62aad1bbf6418Timo Sirainen determined by the presence or absence of a
b9b841558c5f91db7f5fc71c0ac62aad1bbf6418Timo Sirainen <code class="filename">keyset</code> file for each child zone.
211caf3c233d562b0c8137e5eefae3cb1ef13003Stephan Bosch Verify all generated signatures.
211caf3c233d562b0c8137e5eefae3cb1ef13003Stephan Bosch<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
d1fff80640050631b06bfab904a34b2ad24601e8Timo Sirainen Specifies the DNS class of the zone.
8d3278a82b964217d95c340ec6f82037cdc59d19Timo Sirainen<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
4da8c6cdefabd31262318c32da3c13de1d9ea953Timo Sirainen Treat specified key as a key signing key ignoring any
4da8c6cdefabd31262318c32da3c13de1d9ea953Timo Sirainen key flags. This option may be specified multiple times.
fc464e5b2b2ab4d415a5d5b90ce4475d34620a75Timo Sirainen<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
50b9773bebe5c66485728e21e4da6e99db388c92Timo Sirainen Generate a DLV set in addition to the key (DNSKEY) and DS sets.
50b9773bebe5c66485728e21e4da6e99db388c92Timo Sirainen The domain is appended to the name of the records.
2fb9ae42f9e36388ec6db24188b9108434043fd0Timo Sirainen<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
2fb9ae42f9e36388ec6db24188b9108434043fd0Timo Sirainen Look for <code class="filename">keyset</code> files in
2fb9ae42f9e36388ec6db24188b9108434043fd0Timo Sirainen <code class="option">directory</code> as the directory
97180ea9c26c4de0807daaad21e03c80643b09fdTimo Sirainen Generate DS records for child zones from keyset files.
97180ea9c26c4de0807daaad21e03c80643b09fdTimo Sirainen Existing DS records will be removed.
a10ed8c47534b4c6b6bf2711ccfe577e720a47b4Timo Sirainen<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
57ff998a443881c8959a8e65f6325cf19fefc1d0Timo Sirainen Specify the date and time when the generated RRSIG records
6dc2060d6e0261e4bfd453f1eb1c165cc8d905c1Timo Sirainen become valid. This can be either an absolute or relative
4da8c6cdefabd31262318c32da3c13de1d9ea953Timo Sirainen time. An absolute start time is indicated by a number
4da8c6cdefabd31262318c32da3c13de1d9ea953Timo Sirainen in YYYYMMDDHHMMSS notation; 20000530144500 denotes
4da8c6cdefabd31262318c32da3c13de1d9ea953Timo Sirainen 14:45:00 UTC on May 30th, 2000. A relative start time is
4da8c6cdefabd31262318c32da3c13de1d9ea953Timo Sirainen indicated by +N, which is N seconds from the current time.
3482fee0e3733456512ba110780824e6daa7ff9fTimo Sirainen If no <code class="option">start-time</code> is specified, the current
3482fee0e3733456512ba110780824e6daa7ff9fTimo Sirainen time minus 1 hour (to allow for clock skew) is used.
3482fee0e3733456512ba110780824e6daa7ff9fTimo Sirainen<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
4da8c6cdefabd31262318c32da3c13de1d9ea953Timo Sirainen Specify the date and time when the generated RRSIG records
4da8c6cdefabd31262318c32da3c13de1d9ea953Timo Sirainen expire. As with <code class="option">start-time</code>, an absolute
61d3fd14828b68d789f3df73d1dbed56e37b7931Timo Sirainen time is indicated in YYYYMMDDHHMMSS notation. A time relative
61d3fd14828b68d789f3df73d1dbed56e37b7931Timo Sirainen to the start time is indicated with +N, which is N seconds from
2092da86f3a332e8d7eae1300a3b9852fed8f2f8Sergey Kitov the start time. A time relative to the current time is
2092da86f3a332e8d7eae1300a3b9852fed8f2f8Sergey Kitov indicated with now+N. If no <code class="option">end-time</code> is
2092da86f3a332e8d7eae1300a3b9852fed8f2f8Sergey Kitov specified, 30 days from the start time is used as a default.
2092da86f3a332e8d7eae1300a3b9852fed8f2f8Sergey Kitov<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
62fc2fe221eccc834ac6b11b94b55335d5027cd1Timo Sirainen The name of the output file containing the signed zone. The
62fc2fe221eccc834ac6b11b94b55335d5027cd1Timo Sirainen default is to append <code class="filename">.signed</code> to
4da8c6cdefabd31262318c32da3c13de1d9ea953Timo Sirainen Prints a short summary of the options and arguments to
d1bf4ae66b8bf3b9e28df1823d6d4adda2b923b6Timo Sirainen <span><strong class="command">dnssec-signzone</strong></span>.
4dc81fe17cc3aca2e8e9ccb988f90bae12ca2ad0Timo Sirainen<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
55e04e5659b27c520633835d3f04e2eca7f21117Timo Sirainen When a previously signed zone is passed as input, records
55e04e5659b27c520633835d3f04e2eca7f21117Timo Sirainen may be resigned. The <code class="option">interval</code> option
55e04e5659b27c520633835d3f04e2eca7f21117Timo Sirainen specifies the cycle interval as an offset from the current
55e04e5659b27c520633835d3f04e2eca7f21117Timo Sirainen time (in seconds). If a RRSIG record expires after the
fa2433aebcf3fccfa30ca9eed9b1a9166cf92ee2Timo Sirainen cycle interval, it is retained. Otherwise, it is considered
fa2433aebcf3fccfa30ca9eed9b1a9166cf92ee2Timo Sirainen to be expiring soon, and it will be replaced.
4da8c6cdefabd31262318c32da3c13de1d9ea953Timo Sirainen The default cycle interval is one quarter of the difference
8d3278a82b964217d95c340ec6f82037cdc59d19Timo Sirainen between the signature end and start times. So if neither
85779ec11f23eb8efeb8993b1e0b9aad62c4122aTimo Sirainen <code class="option">end-time</code> or <code class="option">start-time</code>
85779ec11f23eb8efeb8993b1e0b9aad62c4122aTimo Sirainen are specified, <span><strong class="command">dnssec-signzone</strong></span>
85779ec11f23eb8efeb8993b1e0b9aad62c4122aTimo Sirainen signatures that are valid for 30 days, with a cycle
85779ec11f23eb8efeb8993b1e0b9aad62c4122aTimo Sirainen interval of 7.5 days. Therefore, if any existing RRSIG records
85779ec11f23eb8efeb8993b1e0b9aad62c4122aTimo Sirainen are due to expire in less than 7.5 days, they would be
47e9fdee55c2074425cf0316f4f64fbbb790301cTimo Sirainen<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
544a946df4de398125bafb51f26d5e3697bde649Timo Sirainen The format of the input zone file.
544a946df4de398125bafb51f26d5e3697bde649Timo Sirainen Possible formats are <span><strong class="command">"text"</strong></span> (default)
7e95ba7f38b9b421287d36c6152f8a9e6b9f225bTimo Sirainen and <span><strong class="command">"raw"</strong></span>.
7e95ba7f38b9b421287d36c6152f8a9e6b9f225bTimo Sirainen This option is primarily intended to be used for dynamic
608bdb7f008cd5cd332d727018a9e8173abec998Timo Sirainen signed zones so that the dumped zone file in a non-text
608bdb7f008cd5cd332d727018a9e8173abec998Timo Sirainen format containing updates can be signed directly.
95dcc0f8e80cc8c9278c904c3cd06dcc4a6d2d33Timo Sirainen The use of this option does not make much sense for
95dcc0f8e80cc8c9278c904c3cd06dcc4a6d2d33Timo Sirainen non-dynamic zones.
47e9fdee55c2074425cf0316f4f64fbbb790301cTimo Sirainen<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
19cadcc25c26af7afea1355d78e20ad64eaad263Timo Sirainen When signing a zone with a fixed signature lifetime, all
d23dfc385f22d7a2c466d29501c9e0ce5a243deeTimo Sirainen RRSIG records issued at the time of signing expires
d23dfc385f22d7a2c466d29501c9e0ce5a243deeTimo Sirainen simultaneously. If the zone is incrementally signed, i.e.
8d3278a82b964217d95c340ec6f82037cdc59d19Timo Sirainen a previously signed zone is passed as input to the signer,
8d3278a82b964217d95c340ec6f82037cdc59d19Timo Sirainen all expired signatures has to be regenerated at about the
24ff040448e018738515f7bfcc6f1a6e5d08c10dSergey Kitov same time. The <code class="option">jitter</code> option specifies a
24ff040448e018738515f7bfcc6f1a6e5d08c10dSergey Kitov jitter window that will be used to randomize the signature
24ff040448e018738515f7bfcc6f1a6e5d08c10dSergey Kitov expire time, thus spreading incremental signature
24ff040448e018738515f7bfcc6f1a6e5d08c10dSergey Kitov regeneration over time.
8d3278a82b964217d95c340ec6f82037cdc59d19Timo Sirainen Signature lifetime jitter also to some extent benefits
i.e. if large numbers of RRSIGs don't expire at the same time