man.dnssec-signzone.html revision 575e15fed997a3ad1cb35c5b9ef34ab24ce47e72
 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: man.dnssec-signzone.html,v 1.143 2009/10/28 01:14:38 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
<a accesskey="p" href="man.dnssec-settime.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.named-checkconf.html">Next</a>
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
<p><span><strong class="command">dnssec-signzone</strong></span>
 signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a <code class="filename">keyset</code> file for each child zone.</p>
<dt><span class="term">-a</span></dt>
<dd><p>Verify all generated signatures.</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>Specifies the DNS class of the zone.</p></dd>
<p>Compatibility mode: Generate a <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code> file in addition to <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code> when signing a zone, for use by older versions of <span><strong class="command">dnssec-signzone</strong></span>.</p>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>Look for <code class="filename">dsset-</code> or <code class="filename">keyset-</code> files in <code class="option">directory</code>.</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>Uses crypto hardware (an OpenSSL engine) for the crypto operations it supports, for instance signing with private keys from a secure key store. When compiled with PKCS#11 support it defaults to <code class="option">pkcs11</code>; the empty name resets it to no engine.</p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>Generate DS records for child zones from <code class="filename">dsset-</code> or <code class="filename">keyset-</code> file. Existing DS records will be removed.</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>Key repository: Specify a directory to search for DNSSEC keys. If not specified, defaults to the current directory.</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>Treat the specified key as a key-signing key, ignoring any key flags. This option may be specified multiple times.</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no <code class="option">start-time</code> is specified, the current time minus 1 hour (to allow for clock skew) is used.</p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records expire. As with <code class="option">start-time</code>, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no <code class="option">end-time</code> is specified, 30 days from the start time is used as a default. <code class="option">end-time</code> must be later than</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>The name of the output file containing the signed zone. The default is to append <code class="filename">.signed</code> to the input filename.</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>Prints a short summary of the options and arguments to <span><strong class="command">dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd><p>When a previously-signed zone is passed as input, records may be re-signed. The <code class="option">interval</code> option specifies the cycle interval as an offset from the current time (in seconds). If an RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.</p>
<p>The default cycle interval is one quarter of the difference between the signature end and start times. So if neither <code class="option">end-time</code> nor <code class="option">start-time</code> is specified, <span><strong class="command">dnssec-signzone</strong></span> generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>The format of the input zone file. Possible formats are <span><strong class="command">"text"</strong></span> (default) and <span><strong class="command">"raw"</strong></span>. This option is primarily intended to be used for dynamic signed zones, so that the dumped zone file in a non-text format containing updates can be signed directly. The use of this option does not make much sense for non-dynamic zones.</p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd><p>When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expire simultaneously. If the zone is incrementally signed, i.e. a previously-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time. The <code class="option">jitter</code> option specifies a jitter window that will be used to randomize the signature expiry time, thus spreading incremental signature regeneration over time.</p>
<p>Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i.e. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time.</p></dd>
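<p>The validity window and re-signing cycle described under <code class="option">-s</code>, <code class="option">-e</code>, <code class="option">-i</code> and <code class="option">-j</code> above, modelled in Python as an added example (this is not code from BIND or from this manual). It assumes that jitter is applied by pulling the expiry earlier and that a signature expiring exactly at now+interval counts as expiring soon; the page specifies neither. The RRSIG expiry values in the demonstration at the bottom are constructed sample data.</p>

```python
# Added example (not BIND code): a model of how dnssec-signzone derives the
# RRSIG inception/expiration window from -s/-e, the re-sign cycle from -i,
# and a jittered expiry from -j, following the descriptions on this page.
import random
from datetime import datetime, timezone

HOUR = 3600
DAY = 86400


def parse_time(spec, now, start=None):
    """Parse a -s or -e argument into a Unix timestamp.

    Absolute times are YYYYMMDDHHMMSS in UTC.  "+N" is N seconds after
    `start` when a start is given (the -e case) and after `now` otherwise
    (the -s case).  "now+N" is always N seconds after the current time.
    """
    if spec.startswith("now+"):
        return now + int(spec[4:])
    if spec.startswith("+"):
        return (now if start is None else start) + int(spec[1:])
    dt = datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def signing_window(now, start_spec=None, end_spec=None, interval=None):
    """Return (inception, expiration, cycle_interval) using the page's defaults:
    start = now - 1h (clock skew), end = start + 30d, interval = lifetime / 4."""
    start = parse_time(start_spec, now) if start_spec else now - HOUR
    end = parse_time(end_spec, now, start) if end_spec else start + 30 * DAY
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    if interval is None:
        interval = (end - start) // 4
    return start, end, interval


def needs_resign(rrsig_expiry, now, interval):
    """An existing RRSIG is kept only if it expires after now + interval.
    A signature expiring exactly at that instant is treated as expiring soon
    (this boundary choice is an assumption of the example)."""
    return rrsig_expiry <= now + interval


def plan_resign(rrsigs, now, interval):
    """Split {rrset_label: expiry} into the signatures to keep and to replace."""
    keep, replace = {}, {}
    for label, expiry in rrsigs.items():
        (replace if needs_resign(expiry, now, interval) else keep)[label] = expiry
    return keep, replace


def jittered_expiry(expiration, jitter, rng=random):
    """-j: pull the expiry back by up to `jitter` seconds so signatures made
    in one run do not all expire at once.  Subtracting rather than adding is
    this example's assumption; the page only says the expiry is randomised."""
    if jitter <= 0:
        return expiration
    return expiration - rng.randrange(jitter + 1)


if __name__ == "__main__":
    # Constructed sample: a fixed "now" and RRSIGs from a previously signed zone.
    now = parse_time("20000530144500", 0)           # the page's own example date
    start, end, interval = signing_window(now)
    print("inception", start, "expiration", end, "cycle", interval / DAY, "days")
    existing = {
        "www.example.com/A": now + 3 * DAY,         # expires in 3 days: replace
        "mail.example.com/MX": now + 10 * DAY,      # expires in 10 days: keep
        "example.com/SOA": now + 7 * DAY + HOUR,    # just under 7.5 days: replace
    }
    keep, replace = plan_resign(existing, now, interval)
    print("keep:", sorted(keep), "replace:", sorted(replace))
    print("jittered expiry:", jittered_expiry(end, 3 * DAY, random.Random(1)))
```

<p>With no options, the model reproduces the figures in the text: a 30-day lifetime starting one hour in the past and a 7.5-day cycle, so a signature with 7 days left is regenerated while one with 10 days left is retained.</p>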
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>Specifies the number of threads to use. By default, one thread is started for each detected CPU.</p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd><p>The SOA serial number format of the signed zone. Possible formats are <span><strong class="command">"keep"</strong></span> (default), <span><strong class="command">"increment"</strong></span> and <span><strong class="command">"unixtime"</strong></span>.</p>
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982</p></dd>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds</p></dd>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>The zone origin. If not specified, the name of the zone file is assumed to be the origin.</p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>The format of the output file containing the signed zone. Possible formats are <span><strong class="command">"text"</strong></span> (default) and <span><strong class="command">"raw"</strong></span>.</p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>Use pseudo-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.</p></dd>
<dt><span class="term">-P</span></dt>
<dd><p>Disable post-sign verification tests.</p>
<p>The post-sign verification test ensures that for each algorithm in use there is at least one non-revoked self-signed KSK, that all revoked KSKs are self-signed, and that all records in the zone are signed by the algorithm. This option skips these tests.</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>Specifies the source of randomness. If the operating system does not provide a <code class="filename">/dev/random</code> or equivalent device, the default source of randomness is keyboard input. <code class="filename">randomdev</code> specifies the name of a character device or file containing random data to be used instead of the default. The special value <code class="filename">keyboard</code> indicates that keyboard input should be used.</p></dd>
<dt><span class="term">-S</span></dt>
<dd><p>Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to search the key repository for keys that match the zone being signed, and to include them in the zone if appropriate.</p>
<p>When a key is found, its timing metadata is examined to determine how it should be used, according to the following rules. Each successive rule takes priority over the prior</p>
<p>If no timing metadata has been set for the key, the key is published in the zone and used to sign the zone.</p>
<p>If the key's publication date is set and is in the past, the key is published in the zone.</p>
<p>If the key's activation date is set and in the past, the key is published (regardless of publication date) and used to sign the zone.</p>
<p>If the key's revocation date is set and in the past, and the key is published, then the key is revoked, and the revoked key is used to sign the zone.</p>
<p>If either of the key's unpublication or deletion dates is set and in the past, the key is NOT published or used to sign the zone, regardless of any other metadata.</p></dd>
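<p>The five rules above, applied in order so that a later rule overrides an earlier one, as an added Python example (not BIND code). The field names, the key file names in the sample repository, and the treatment of a date equal to the current time as "in the past" are this example's assumptions; the sample repository is constructed.</p>

```python
# Added example (not BIND code): the -S key-selection rules from this page,
# applied to a key's timing metadata.  "unpublish" stands for the
# "unpublication" date the text mentions.  A date equal to `now` counts as
# "in the past" (that boundary is this example's assumption).
from dataclasses import dataclass
from typing import Optional


@dataclass
class KeyTiming:
    """Unix timestamps; None means the date has not been set."""
    publish: Optional[int] = None
    activate: Optional[int] = None
    revoke: Optional[int] = None
    unpublish: Optional[int] = None
    delete: Optional[int] = None


@dataclass
class KeyUse:
    publish: bool   # include the DNSKEY in the zone
    sign: bool      # use the private key to generate RRSIGs
    revoked: bool   # publish the DNSKEY with the REVOKE flag set


def smart_sign_decision(t: KeyTiming, now: int) -> KeyUse:
    """Evaluate the rules in order; each later rule overrides earlier ones."""
    def past(when):
        return when is not None and when <= now

    # Rule 1: no timing metadata at all -> publish and sign.
    if all(v is None for v in (t.publish, t.activate, t.revoke, t.unpublish, t.delete)):
        return KeyUse(publish=True, sign=True, revoked=False)

    publish = sign = revoked = False
    # Rule 2: publication date in the past -> publish.
    if past(t.publish):
        publish = True
    # Rule 3: activation date in the past -> publish (regardless of the
    # publication date) and sign.
    if past(t.activate):
        publish = True
        sign = True
    # Rule 4: revocation date in the past and the key is published ->
    # mark it revoked and sign with the revoked key.
    if past(t.revoke) and publish:
        revoked = True
        sign = True
    # Rule 5: unpublication or deletion in the past -> neither published
    # nor used, whatever the other dates say.
    if past(t.unpublish) or past(t.delete):
        return KeyUse(publish=False, sign=False, revoked=False)
    return KeyUse(publish=publish, sign=sign, revoked=revoked)


def select_keys(keys, now):
    """Apply the rules to a {key_name: KeyTiming} repository listing and
    return (names to publish, names to sign with), both sorted."""
    decisions = {k: smart_sign_decision(t, now) for k, t in keys.items()}
    to_publish = sorted(k for k, d in decisions.items() if d.publish)
    to_sign = sorted(k for k, d in decisions.items() if d.sign)
    return to_publish, to_sign


if __name__ == "__main__":
    # Constructed sample repository at a fixed "now"; key names are made up.
    now = 1_000_000
    repo = {
        "Kexample.com.+005+11111": KeyTiming(),                          # no metadata
        "Kexample.com.+005+22222": KeyTiming(publish=now - DAY),         # pre-published
        "Kexample.com.+005+33333": KeyTiming(publish=now - 7 * DAY, activate=now - DAY),
        "Kexample.com.+005+44444": KeyTiming(publish=now - 7 * DAY, revoke=now - 60),
        "Kexample.com.+005+55555": KeyTiming(activate=now - 7 * DAY, delete=now - 60),
    } if (DAY := 86400) else {}
    print(select_keys(repo, now))
```

<p>Note the two edge cases the rules imply: a key whose revocation date has passed but which is not (yet) published is simply left out rather than published as revoked, and a deletion date in the past wins even when the key is still within its activation period.</p>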
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>Specifies the TTL to be used for new DNSKEY records imported into the zone from the key repository. If not specified, the default is the minimum TTL value from the zone's SOA record. This option is ignored when signing without <code class="option">-S</code>, since DNSKEY records are not imported from the key repository in that case. It is also ignored if there are any pre-existing DNSKEY records at the zone apex, in which case new records' TTL values will be set to match</p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>Print statistics at completion.</p></dd>
<dt><span class="term">-u</span></dt>
<dd><p>Update the NSEC/NSEC3 chain when re-signing a previously signed zone. With this option, a zone signed with NSEC can be switched to NSEC3, or a zone signed with NSEC3 can be switched to NSEC or to NSEC3 with different parameters. Without this option, <span><strong class="command">dnssec-signzone</strong></span> will retain the existing chain when re-signing.</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>Sets the debugging level.</p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>Only sign the DNSKEY RRset with key-signing keys, and omit signatures from zone-signing keys. (This is similar to the <span><strong class="command">dnskey-ksk-only yes;</strong></span> zone option in <span><strong class="command">named</strong></span>.)</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>Ignore the KSK flag on keys when determining what to sign. This causes KSK-flagged keys to sign all records, not just the DNSKEY RRset. (This is similar to the <span><strong class="command">update-check-ksk no;</strong></span> zone option in <span><strong class="command">named</strong></span>.)</p></dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd><p>Generate an NSEC3 chain with the given hex-encoded salt. A dash (<code class="option">-</code>) given as the <em class="replaceable"><code>salt</code></em> indicates that no salt is to be used when generating the NSEC3 chain.</p></dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd><p>When generating an NSEC3 chain, use this many iterations. The default is 10.</p></dd>
<dt><span class="term">-A</span></dt>
<dd><p>When generating an NSEC3 chain, set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.</p>
<p>Using this option twice (i.e., <code class="option">-AA</code>) turns the OPTOUT flag off for all records. This is useful when using the <code class="option">-u</code> option to modify an NSEC3 chain which previously had OPTOUT set.</p></dd>
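<p>What the <code class="option">-3</code>, <code class="option">-H</code> and <code class="option">-A</code> parameters feed into, as an added Python example (not BIND code): the RFC 5155 NSEC3 owner-name hash (SHA-1 over the lower-case wire-format name with the salt appended, re-hashed <em class="replaceable"><code>iterations</code></em> more times, base32hex-encoded), a chain built from those hashes with or without OPTOUT, and the lookup of the record that covers a non-existent name. The hash is checked against the RFC 5155 Appendix A value for <code>example.</code> with salt <code>aabbccdd</code> and 12 iterations; the zone names in the demonstration at the bottom are constructed.</p>

```python
# Added example (not BIND code): NSEC3 hashing and chain construction as
# specified in RFC 5155, with the salt/iterations/OPTOUT knobs that -3, -H
# and -A control.  SHA-1 is the only NSEC3 hash algorithm defined.
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"


def parse_salt(arg: str) -> bytes:
    """-3 takes a hex salt; a dash means no salt."""
    return b"" if arg == "-" else bytes.fromhex(arg)


def wire_name(name: str) -> bytes:
    """Canonical wire form: lower-case, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = bytearray()
    for label in labels:
        if len(label) > 63:
            raise ValueError("label too long: %r" % label)
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def b32hex(data: bytes) -> str:
    """Base32hex without padding (RFC 4648), as used for NSEC3 owner names."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(B32HEX[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)


def nsec3_chain(names, salt, iterations, optout=False):
    """Build the chain for {owner: is_insecure_delegation}.  Returns a sorted
    list of (hashed_owner, next_hashed_owner, flags).  With OPTOUT (-A),
    insecure delegations get no NSEC3 record and every record carries flag 1."""
    included = [n for n, insecure in names.items() if not (optout and insecure)]
    hashed = sorted({nsec3_hash(n, salt, iterations) for n in included})
    flags = 1 if optout else 0
    return [(h, hashed[(i + 1) % len(hashed)], flags) for i, h in enumerate(hashed)]


def covering_record(chain, qname, salt, iterations):
    """Return the NSEC3 record that proves `qname` does not exist: the one
    whose owner < H(qname) < next (the last record wraps around to the
    first).  Returns None when the hashed name itself is in the chain."""
    h = nsec3_hash(qname, salt, iterations)
    for owner, nxt, flags in chain:
        if owner == h:
            return None
        wraps = nxt <= owner
        if (not wraps and owner < h < nxt) or (wraps and (h > owner or h < nxt)):
            return (owner, nxt, flags)
    return None


if __name__ == "__main__":
    # Constructed zone: apex, two hosts, and one insecure (unsigned) delegation.
    salt = parse_salt("aabbccdd")                   # salt used in RFC 5155 Appendix A
    names = {"example.": False, "a.example.": False,
             "ns1.example.": False, "child.example.": True}
    for h, nxt, flags in nsec3_chain(names, salt, 10):          # -H default: 10
        print("%s.example. NSEC3 1 %d 10 aabbccdd %s" % (h, flags, nxt))
    print("with -A:", len(nsec3_chain(names, salt, 10, optout=True)), "records")
    print("covers nonexistent.example.:",
          covering_record(nsec3_chain(names, salt, 10), "nonexistent.example.", salt, 10))
```

<p>Two things the parameters change are visible here: the salt and iteration count alter every hashed owner name (so changing either with <code class="option">-u</code> rebuilds the whole chain), and OPTOUT drops the insecure delegation from the chain while setting the flag bit on every remaining record.</p>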
<dt><span class="term">zonefile</span></dt>
<dd><p>The file containing the zone to be signed.</p></dd>
<dt><span class="term">key</span></dt>
<dd><p>Specify which keys should be used to sign the zone. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex. If these are found and there are matching private keys in the current directory, then these will be used for signing.</p></dd>
<p>The following command signs the <strong class="userinput"><code>example.com</code></strong> zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span> (Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option is not being used, the zone's keys must be in the master file (<code class="filename">db.example.com</code>). This invocation looks for <code class="filename">dsset</code> files in the current directory, so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).</p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247</pre>
<p>In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates the file <code class="filename">db.example.com.signed</code>. This file should be referenced in a zone statement in a
<p>This example re-signs a previously signed zone with default parameters. The private keys are assumed to be in the current directory.</p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com</pre>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span>
<a accesskey="p" href="man.dnssec-settime.html">Prev</a>&nbsp;</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.named-checkconf.html">Next</a>
<span class="application">dnssec-settime</span>&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;<span class="application">named-checkconf</span>