doc/arm/man.dnssec-signzone.html

	man.dnssec-signzone.html revision 507151045be68c671ffd4e2f37e17cdfa0376fc4
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<!--
ca41b452ede6feaa9d8739ec3cae19389a7b0d03Bob Halley - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - Copyright (C) 2000-2003 Internet Software Consortium.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence -
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - Permission to use, copy, modify, and distribute this software for any
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - purpose with or without fee is hereby granted, provided that the above
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - copyright notice and this permission notice appear in all copies.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence -
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - PERFORMANCE OF THIS SOFTWARE.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence-->
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<!-- $Id: man.dnssec-signzone.html,v 1.75 2008/06/07 01:12:03 tbox Exp $ -->
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<html>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<head>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<title>dnssec-signzone</title>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
899f7f9af527d3dfe8345dcc8210d7c23fc950afDavid Lawrence<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</head>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="navheader">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<table width="100%" summary="Navigation header">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<td width="20%" align="left">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a accesskey="p" href="man.dnssec-keygen.html">Prev</a>�</td>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<th width="60%" align="center">Manual pages</th>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<td width="20%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</td>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</table>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<hr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refentry" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refnamediv">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<h2>Name</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsynopsisdiv">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<h2>Synopsis</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsect1" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="id2603985"></a><h2>DESCRIPTION</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p><span><strong class="command">dnssec-signzone</strong></span>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence      signs a zone.  It generates
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence      NSEC and RRSIG records and produces a signed version of the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence      zone. The security status of delegations from the signed zone
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence      (that is, whether the child zones are secure or not) is
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence      determined by the presence or absence of a
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence      <code class="filename">keyset</code> file for each child zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence    </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<div class="refsect1" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="id2604004"></a><h2>OPTIONS</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="variablelist"><dl>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-a</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            Verify all generated signatures.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence          </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            Specifies the DNS class of the zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence          </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            Treat specified key as a key signing key ignoring any
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            key flags.  This option may be specified multiple times.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence          </p></dd>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence<dd><p>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence            The domain is appended to the name of the records.
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence          </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            Look for <code class="filename">keyset</code> files in
d409ceeda41a256e8114423674d844d5f5035ee8Bob Halley            <code class="option">directory</code> as the directory
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence          </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-g</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            Generate DS records for child zones from keyset files.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            Existing DS records will be removed.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence          </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            Specify the date and time when the generated RRSIG records
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            become valid.  This can be either an absolute or relative
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            time.  An absolute start time is indicated by a number
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            14:45:00 UTC on May 30th, 2000.  A relative start time is
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            indicated by +N, which is N seconds from the current time.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            If no <code class="option">start-time</code> is specified, the current
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            time minus 1 hour (to allow for clock skew) is used.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence          </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            Specify the date and time when the generated RRSIG records
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            expire.  As with <code class="option">start-time</code>, an absolute
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            to the start time is indicated with +N, which is N seconds from
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            the start time.  A time relative to the current time is
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            indicated with now+N.  If no <code class="option">end-time</code> is
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            specified, 30 days from the start time is used as a default.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence          </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            The name of the output file containing the signed zone.  The
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            default is to append <code class="filename">.signed</code> to
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            input filename.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence          </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-h</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            Prints a short summary of the options and arguments to
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            <span><strong class="command">dnssec-signzone</strong></span>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence          </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            When a previously-signed zone is passed as input, records
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            may be resigned.  The <code class="option">interval</code> option
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            specifies the cycle interval as an offset from the current
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            time (in seconds).  If a RRSIG record expires after the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            cycle interval, it is retained.  Otherwise, it is considered
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            to be expiring soon, and it will be replaced.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence          </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            The default cycle interval is one quarter of the difference
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            between the signature end and start times.  So if neither
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            <code class="option">end-time</code> or <code class="option">start-time</code>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            are specified, <span><strong class="command">dnssec-signzone</strong></span>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            generates
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            signatures that are valid for 30 days, with a cycle
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            interval of 7.5 days.  Therefore, if any existing RRSIG records
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            are due to expire in less than 7.5 days, they would be
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            replaced.
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence          </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            The format of the input zone file.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence        Possible formats are <span><strong class="command">"text"</strong></span> (default)
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence        and <span><strong class="command">"raw"</strong></span>.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence        This option is primarily intended to be used for dynamic
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            signed zones so that the dumped zone file in a non-text
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            format containing updates can be signed directly.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence        The use of this option does not make much sense for
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence        non-dynamic zones.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence          </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            When signing a zone with a fixed signature lifetime, all
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            RRSIG records issued at the time of signing expires
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            simultaneously.  If the zone is incrementally signed, i.e.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            a previously-signed zone is passed as input to the signer,
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            all expired signatures have to be regenerated at about the
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            same time.  The <code class="option">jitter</code> option specifies a
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            jitter window that will be used to randomize the signature
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            expire time, thus spreading incremental signature
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            regeneration over time.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence          </p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            Signature lifetime jitter also to some extent benefits
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            validators and servers by spreading out cache expiration,
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            i.e. if large numbers of RRSIGs don't expire at the same time
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            from all caches there will be less congestion than if all
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            validators need to refetch at mostly the same time.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence          </p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence</dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            Specifies the number of threads to use.  By default, one
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            thread is started for each detected CPU.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence          </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            The SOA serial number format of the signed zone.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence        Possible formats are <span><strong class="command">"keep"</strong></span> (default),
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            <span><strong class="command">"increment"</strong></span> and
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence        <span><strong class="command">"unixtime"</strong></span>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence          </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="variablelist"><dl>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>Do not modify the SOA serial number.</p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>Increment the SOA serial number using RFC 1982
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence                      arithmetics.</p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>Set the SOA serial number to the number of seconds
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            since epoch.</p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence</dl></div>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence</dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            The zone origin.  If not specified, the name of the zone file
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            is assumed to be the origin.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence          </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence            The format of the output file containing the signed zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence        Possible formats are <span><strong class="command">"text"</strong></span> (default)
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence        and <span><strong class="command">"raw"</strong></span>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence          </p></dd>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence<dt><span class="term">-p</span></dt>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            Use pseudo-random data when signing the zone.  This is faster,
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            but less secure, than using real random data.  This option
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            may be useful when signing large zones or when the entropy
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            source is limited.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence          </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            Specifies the source of randomness.  If the operating
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            system does not provide a <code class="filename">/dev/random</code>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            or equivalent device, the default source of randomness
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            is keyboard input.  <code class="filename">randomdev</code>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            specifies
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence            the name of a character device or file containing random
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence            data to be used instead of the default.  The special value
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence            <code class="filename">keyboard</code> indicates that keyboard
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            input should be used.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence          </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-t</span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            Print statistics at completion.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence          </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            Sets the debugging level.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence          </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-z</span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            Ignore KSK flag on key when determining what to sign.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence          </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">zonefile</span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence            The file containing the zone to be signed.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence          </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">key</span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence        Specify which keys should be used to sign the zone.  If
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence        no keys are specified, then the zone will be examined
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence        for DNSKEY records at the zone apex.  If these are found and
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence        there are matching private keys, in the current directory,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence        then these will be used for signing.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence          </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dl></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsect1" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="id2657528"></a><h2>EXAMPLE</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence      The following command signs the <strong class="userinput"><code>example.com</code></strong>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence      zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence      (Kexample.com.+003+17247).  The zone's keys must be in the master
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence      file (<code class="filename">db.example.com</code>).  This invocation looks
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence      for <code class="filename">keyset</code> files, in the current directory,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence      so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence    </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
fc80027fb54b501cdd88461bf879d078259e0226David LawrenceKexample.com.+003+17247
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrencedb.example.com.signed
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence%</pre>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence      In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence      the file <code class="filename">db.example.com.signed</code>.  This
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence      file should be referenced in a zone statement in a
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence      <code class="filename">named.conf</code> file.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence    </p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence      This example re-signs a previously signed zone with default parameters.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence      The private keys are assumed to be in the current directory.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence    </p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<pre class="programlisting">% cp db.example.com.signed db.example.com
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence% dnssec-signzone -o example.com db.example.com
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrencedb.example.com.signed
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence%</pre>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence</div>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<div class="refsect1" lang="en">
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<a name="id2657737"></a><h2>SEE ALSO</h2>
0bd4e3591ac1a729c7ec8f811844119473350975David Lawrence<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence      <em class="citetitle">RFC 2535</em>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence    </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsect1" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="id2657762"></a><h2>AUTHOR</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p><span class="corpauthor">Internet Systems Consortium</span>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence    </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="navfooter">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<hr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<table width="100%" summary="Navigation footer">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<td width="40%" align="left">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a accesskey="p" href="man.dnssec-keygen.html">Prev</a>�</td>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<td width="40%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</td>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</tr>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<tr>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<td width="40%" align="left" valign="top">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<span class="application">dnssec-keygen</span>�</td>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<td width="40%" align="right" valign="top">�<span class="application">named-checkconf</span>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</td>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</table>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</body>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</html>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence