man.dnssec-signzone.html revision 795a316ec568b2470aab18b9481443966047652e
<!--
 - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-signzone.html,v 1.186 2011/03/28 01:14:35 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
<p><span><strong class="command">dnssec-signzone</strong></span>
 signs a zone. It generates
 NSEC and RRSIG records and produces a signed version of the
 zone. The security status of delegations from the signed zone
 (that is, whether the child zones are secure or not) is
 determined by the presence or absence of a
 <code class="filename">keyset</code> file for each child zone.</p>
<dt><span class="term">-a</span></dt>
<dd><p>Verify all generated signatures.</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>Specifies the DNS class of the zone.</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>Compatibility mode: Generate a
 <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
 file in addition to
 <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
 when signing a zone, for use by older versions of
 <span><strong class="command">dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p><code class="filename">keyset-</code> files in <code class="option">directory</code>.</p></dd>
<dt><span class="term">-D</span></dt>
<dd><p>Output only those record types automatically managed by
 <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
 NSEC3 and NSEC3PARAM records. If smart signing
 (<code class="option">-S</code>) is used, DNSKEY records are also
 included. The resulting file can be included in the original
 zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
 cannot be combined with <code class="option">-O raw</code> or serial
 number updating.</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>Uses crypto hardware (an OpenSSL engine) for the crypto operations
 it supports, for instance signing with private keys from
 a secure key store. When compiled with PKCS#11 support
 it defaults to pkcs11; the empty name resets it to no engine.</p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>Generate DS records for child zones from
 <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
 file. Existing DS records will be removed.</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>Key repository: Specify a directory to search for DNSSEC keys.
 If not specified, defaults to the current directory.</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>Treat the specified key as a key-signing key, ignoring any
 key flags. This option may be specified multiple times.</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>Generate a DLV set in addition to the key (DNSKEY) and DS sets.
 The domain is appended to the name of the records.</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <code class="option">start-time</code> is specified, the current
 time minus 1 hour (to allow for clock skew) is used.</p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 expire. As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">end-time</code> is
 specified, 30 days from the start time is used as a default.
 <code class="option">end-time</code> must be later than</p></dd>
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 for the DNSKEY RRset will expire. This is to be used in cases
 when the DNSKEY signatures need to persist longer than
 signatures on other records; e.g., when the private component
 of the KSK is kept offline and the KSK signature is to be
 refreshed manually.</p>
<p>As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">extended end-time</code> is
 specified, the value of <code class="option">end-time</code> is used as
 the default. (<code class="option">end-time</code>, in turn, defaults to
 30 days from the start time.) <code class="option">extended end-time</code>
 must be later than <code class="option">start-time</code>.</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>The name of the output file containing the signed zone. The
 default is to append <code class="filename">.signed</code> to the
 input filename.</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd><p>When a previously-signed zone is passed as input, records
 may be resigned. The <code class="option">interval</code> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.</p>
<p>The default cycle interval is one quarter of the difference
 between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 is specified, <span><strong class="command">dnssec-signzone</strong></span> generates
 signatures that are valid for 30 days, with a cycle
 interval of 7.5 days. Therefore, if any existing RRSIG records
 are due to expire in less than 7.5 days, they would be</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be signed directly.
 The use of this option does not make much sense for
 non-dynamic zones.</p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd><p>When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously-signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <code class="option">jitter</code> option specifies a
 jitter window that will be used to randomize the signature
 expire time, thus spreading incremental signature
 regeneration over time.</p>
<p>Signature lifetime jitter also to some extent benefits
 validators and servers by spreading out cache expiration,
 i.e. if large numbers of RRSIGs don't expire at the same time
 from all caches there will be less congestion than if all
 validators need to refetch at mostly the same time.</p></dd>
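<p>The time specifications and defaults of <code class="option">-s</code>, <code class="option">-e</code> and <code class="option">-X</code>, the <code class="option">-i</code> retention rule and the <code class="option">-j</code> jitter described above, modelled in Python as an added example for this page (this is not code from BIND). Times are plain Unix seconds in UTC, the RRSIGs fed to <code>plan_resign</code> are constructed, and drawing the jittered expiry from the window [end - jitter, end] is an assumption of the example.</p>

```python
"""Model of dnssec-signzone's signature-timing options: -s/-e/-X time
specifications and their defaults, the -i cycle interval, and -j jitter.
Added illustration written for this page, not code from BIND; times are
plain Unix seconds (UTC) and all inputs below are constructed."""
import random
from datetime import datetime, timezone

HOUR = 3600
DAY = 86400


def parse_time(spec, base, now):
    """Parse a time argument as the man page describes: YYYYMMDDHHMMSS is
    absolute UTC, +N is N seconds after `base` (the start time for -e/-X,
    the current time for -s), and now+N is N seconds after the current time."""
    if spec.startswith("now+"):
        return now + int(spec[4:])
    if spec.startswith("+"):
        return base + int(spec[1:])
    if len(spec) == 14 and spec.isdigit():
        dt = datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    raise ValueError("unrecognised time specification: %r" % (spec,))


def signing_window(now, start=None, end=None, extended_end=None, interval=None):
    """Resolve the defaults from the man page: start = now - 1 hour (clock
    skew allowance), end = start + 30 days, extended end (DNSKEY RRSIGs) = end,
    and cycle interval = one quarter of (end - start) unless -i was given."""
    s = parse_time(start, now, now) if start else now - HOUR
    e = parse_time(end, s, now) if end else s + 30 * DAY
    x = parse_time(extended_end, s, now) if extended_end else e
    if e <= s or x <= s:
        raise ValueError("end-time and extended end-time must be later than start-time")
    i = int(interval) if interval is not None else (e - s) // 4
    return {"start": s, "end": e, "extended_end": x, "interval": i}


def needs_resign(rrsig_expiry, now, interval):
    """-i rule: an RRSIG that expires after now + interval is retained;
    otherwise it is considered to be expiring soon and is replaced."""
    return rrsig_expiry <= now + interval


def jittered_expiry(end, jitter, rng):
    """-j rule: move the expiry back by a random amount inside the jitter
    window so incrementally signed RRSIGs do not all expire together.
    Drawing from [end - jitter, end] is this example's choice of window."""
    return end - rng.randint(0, jitter) if jitter > 0 else end


def plan_resign(existing, now, window, jitter=0, seed=0):
    """For each (owner, rrtype, expiry) of a previously signed zone, decide
    whether the RRSIG is kept or replaced, and the expiry a replacement gets
    (DNSKEY RRSIGs use the extended end time). Applying jitter to every
    replacement is a simplification made for this example."""
    rng = random.Random(seed)
    plan = {}
    for owner, rtype, expiry in existing:
        if needs_resign(expiry, now, window["interval"]):
            end = window["extended_end"] if rtype == "DNSKEY" else window["end"]
            plan[(owner, rtype)] = ("resign", jittered_expiry(end, jitter, rng))
        else:
            plan[(owner, rtype)] = ("keep", expiry)
    return plan


if __name__ == "__main__":
    now = 1300000000  # constructed "current time"
    w = signing_window(now)  # no -s/-e/-X/-i: 30-day validity, 7.5-day cycle
    existing = [  # constructed RRSIGs from a previously signed zone
        ("www.example.com.", "A", now + 3 * DAY),     # expires within the cycle
        ("mail.example.com.", "MX", now + 20 * DAY),  # still fine, kept
        ("example.com.", "DNSKEY", now + 5 * DAY),    # re-signed to extended end
    ]
    print("cycle interval (s):", w["interval"])
    for key, decision in sorted(plan_resign(existing, now, w, jitter=3600).items()):
        print(key, decision)
```

<p>The check that matters operationally is the one in <code>signing_window</code>: an end time at or before the start time produces signatures that are never valid, and an interval larger than the validity period re-signs everything on every run. Run with no options the model reproduces the page's figures, a 30-day validity and a 7.5-day (648000 s) cycle interval.</p>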
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>Specifies the number of threads to use. By default, one
 thread is started for each detected CPU.</p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd><p>The SOA serial number format of the signed zone.
 Possible formats are <span><strong class="command">"keep"</strong></span> (default),
 <span><strong class="command">"increment"</strong></span> and
 <span><strong class="command">"unixtime"</strong></span>.</p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982</p></dd>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds</p></dd>
</dl></div></dd>
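<p>The three <code class="option">-N</code> formats modelled in Python together with RFC 1982 serial arithmetic, added here as an example for this page rather than taken from BIND. It lets the operator check the property that matters for a signed zone: whether secondaries comparing serials the RFC 1982 way will consider the re-signed zone newer and transfer it. The serial values are constructed.</p>

```python
"""Model of the -N soa-serial-format choices (keep, increment, unixtime)
together with RFC 1982 serial arithmetic. Added illustration for this page,
not BIND's code; the serial values used are constructed."""

SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS      # serials live in [0, 2^32)
HALF = 1 << (SERIAL_BITS - 1)   # RFC 1982: an addition must be below 2^31


def serial_add(serial, n):
    """RFC 1982 addition: wraps modulo 2^32; n must be below 2^31."""
    if not 0 <= n < HALF:
        raise ValueError("RFC 1982 forbids adding %d to a 32-bit serial" % n)
    return (serial + n) % MODULUS


def serial_gt(a, b):
    """RFC 1982 comparison: a is newer than b when it is ahead of b by less
    than 2^31, taking wrap-around into account. Equal serials are not newer."""
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def new_soa_serial(current, fmt, now):
    """Apply the -N format to the SOA serial of the zone being signed.
    `now` is Unix seconds; "unixtime" sets the serial to that value."""
    if fmt == "keep":
        return current
    if fmt == "increment":
        return serial_add(current, 1)
    if fmt == "unixtime":
        return now % MODULUS
    raise ValueError("unknown soa-serial-format: %r" % (fmt,))


def serial_advances(current, fmt, now):
    """True if a secondary doing RFC 1982 comparison would see the signed
    zone as newer, i.e. would transfer it and start serving the new RRSIGs."""
    return serial_gt(new_soa_serial(current, fmt, now), current)


if __name__ == "__main__":
    now = 1300000000          # constructed signing time
    for current in (2011032801, 1200000000, 0xFFFFFFFF):   # constructed serials
        for fmt in ("keep", "increment", "unixtime"):
            print(current, fmt, new_soa_serial(current, fmt, now),
                  "advances" if serial_advances(current, fmt, now) else "does NOT advance")
```

<p>Two results are worth knowing before choosing a format. With the default <code>keep</code> the serial is unchanged, so unless the serial is bumped elsewhere the secondaries never pick up the new RRSIGs. With <code>unixtime</code> a zone that previously used a date-style serial such as 2011032801 gets a smaller number, and because the difference is below 2^31 RFC 1982 treats the old serial as the newer one; <code>increment</code> is the safe choice for such a zone.</p>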
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.</p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>The format of the output file containing the signed zone.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.</p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>Use pseudo-random data when signing the zone. This is faster,
 but less secure, than using real random data. This option
 may be useful when signing large zones or when the entropy
 source is limited.</p></dd>
<dt><span class="term">-P</span></dt>
<dd><p>Disable post sign verification tests.</p>
<p>The post sign verification test ensures that for each algorithm
 in use there is at least one non-revoked self-signed KSK key,
 that all revoked KSK keys are self-signed, and that all records
 in the zone are signed by the algorithm.
 This option skips these tests.</p></dd>
<dt><span class="term">-R</span></dt>
<dd><p>Remove signatures from keys that no longer exist.</p>
<p>Normally, when a previously-signed zone is passed as input
 to the signer, and a DNSKEY record has been removed and
 replaced with a new one, signatures from the old key
 that are still within their validity period are retained.
 This allows the zone to continue to validate with cached
 copies of the old DNSKEY RRset. The <code class="option">-R</code> option forces
 <span><strong class="command">dnssec-signzone</strong></span> to remove all orphaned
 signatures.</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.</p></dd>
<dt><span class="term">-S</span></dt>
<dd><p>Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
 search the key repository for keys that match the zone being
 signed, and to include them in the zone if appropriate.</p>
<p>When a key is found, its timing metadata is examined to
 determine how it should be used, according to the following
 rules. Each successive rule takes priority over the prior</p>
<div class="itemizedlist"><ul type="disc">
<li><p>If no timing metadata has been set for the key, the key is
 published in the zone and used to sign the zone.</p></li>
<li><p>If the key's publication date is set and is in the past, the
 key is published in the zone.</p></li>
<li><p>If the key's activation date is set and in the past, the
 key is published (regardless of publication date) and
 used to sign the zone.</p></li>
<li><p>If the key's revocation date is set and in the past, and the
 key is published, then the key is revoked, and the revoked key
 is used to sign the zone.</p></li>
<li><p>If either of the key's unpublication or deletion dates is set
 and in the past, the key is NOT published or used to sign the
 zone, regardless of any other metadata.</p></li>
</ul></div></dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>Specifies a TTL to be used for new DNSKEY records imported
 into the zone from the key repository. If not
 specified, the default is the TTL value from the zone's SOA
 record. This option is ignored when signing without
 <code class="option">-S</code>, since DNSKEY records are not imported
 from the key repository in that case. It is also ignored if
 there are any pre-existing DNSKEY records at the zone apex,
 in which case new records' TTL values will be set to match
 them, or if any of the imported DNSKEY records had a default
 TTL value. In the event of a conflict between TTL values in
 imported keys, the shortest one is used.</p></dd>
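<p>The smart-signing rules of <code class="option">-S</code> and the TTL rule of <code class="option">-T</code>, modelled in Python as an added example for this page (not BIND's code). Timing metadata is given as Unix seconds or <code>None</code> when unset; the metadata field called <code>inactive</code> here stands for what the page calls the key's unpublication date, and checking pre-existing apex DNSKEYs before key-file TTLs is this example's reading of the <code class="option">-T</code> text. The key repository, its key names and all dates are constructed.</p>

```python
"""Model of the smart-signing (-S) key-selection rules and the -T TTL rule for
DNSKEYs imported from the key repository. Added illustration for this page,
not BIND's code. Timing metadata is Unix seconds or None (unset); the field
named "inactive" stands for what the page calls the unpublication date
(a naming assumption of this example)."""

METADATA_FIELDS = ("publish", "activate", "revoke", "inactive", "delete")


def _past(meta, field, now):
    value = meta.get(field)
    return value is not None and value <= now


def key_disposition(meta, now):
    """Apply the rules from the man page in order; each later rule takes
    priority over the earlier ones. Returns (publish, sign, revoke)."""
    publish = sign = revoke = False
    if all(meta.get(f) is None for f in METADATA_FIELDS):
        publish = sign = True                # rule 1: no metadata at all
    if _past(meta, "publish", now):
        publish = True                       # rule 2: publication date passed
    if _past(meta, "activate", now):
        publish = sign = True                # rule 3: activation date passed
    if _past(meta, "revoke", now) and publish:
        revoke = sign = True                 # rule 4: revoked key still signs
    if _past(meta, "inactive", now) or _past(meta, "delete", now):
        return (False, False, False)         # rule 5: overrides everything
    return (publish, sign, revoke)


def select_keys(repository, now):
    """Smart signing over a key repository: {key name: (publish, sign, revoke)}."""
    return {name: key_disposition(meta, now) for name, meta in repository.items()}


def imported_dnskey_ttl(soa_ttl, apex_dnskey_ttls=(), key_file_ttls=(), t_option=None):
    """-T rule: pre-existing apex DNSKEYs win, otherwise the shortest TTL set
    on an imported key file, otherwise the -T value, otherwise the SOA TTL."""
    if apex_dnskey_ttls:
        return min(apex_dnskey_ttls)
    explicit = [t for t in key_file_ttls if t is not None]
    if explicit:
        return min(explicit)
    return t_option if t_option is not None else soa_ttl


if __name__ == "__main__":
    DAY = 86400
    now = 1300000000   # constructed signing time
    repository = {     # constructed; names follow the K<zone>+<alg>+<tag> pattern
        "Kexample.com.+008+11111": {},                                      # no metadata
        "Kexample.com.+008+22222": {"publish": now - DAY,                   # pre-published
                                    "activate": now + 7 * DAY},
        "Kexample.com.+008+33333": {"publish": now - 30 * DAY,              # revoked KSK
                                    "activate": now - 29 * DAY,
                                    "revoke": now - DAY},
        "Kexample.com.+008+44444": {"activate": now - 60 * DAY,             # retired
                                    "inactive": now - DAY},
    }
    for name, (publish, sign, revoke) in sorted(select_keys(repository, now).items()):
        print(name, "publish" if publish else "-", "sign" if sign else "-",
              "REVOKED" if revoke else "")
    print("imported DNSKEY TTL:", imported_dnskey_ttl(3600, key_file_ttls=[None, 900, 600], t_option=300))
```

<p>The fifth rule is the one to test when auditing a rollover plan: once an inactive or delete date has passed the key disappears from the zone regardless of its other dates, so a ZSK whose inactive date arrives before the successor's activate date leaves the zone signed by nothing for that algorithm, which the post-sign verification (unless disabled with <code class="option">-P</code>) reports.</p>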
<dt><span class="term">-t</span></dt>
<dd><p>Print statistics at completion.</p></dd>
<dt><span class="term">-u</span></dt>
<dd><p>Update NSEC/NSEC3 chain when re-signing a previously signed
 zone. With this option, a zone signed with NSEC can be
 switched to NSEC3, or a zone signed with NSEC3 can
 be switched to NSEC or to NSEC3 with different parameters.
 Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
 retain the existing chain when re-signing.</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>Sets the debugging level.</p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>Only sign the DNSKEY RRset with key-signing keys, and omit
 signatures from zone-signing keys. (This is similar to the
 <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
 <span><strong class="command">named</strong></span>.)</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>Ignore KSK flag on key when determining what to sign. This
 causes KSK-flagged keys to sign all records, not just the
 DNSKEY RRset. (This is similar to the
 <span><strong class="command">update-check-ksk no;</strong></span> zone option in</p></dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd><p>Generate an NSEC3 chain with the given hex-encoded salt.
 A dash (<em class="replaceable"><code>salt</code></em>) can
 be used to indicate that no salt is to be used when generating the NSEC3 chain.</p></dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd><p>When generating an NSEC3 chain, use this many iterations. The
 default is 10.</p></dd>
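<p>What <code class="option">-3</code> and <code class="option">-H</code> feed into is the NSEC3 owner-name hash of RFC 5155 section 5: SHA-1 over the canonical wire-format name and the salt, re-hashed the given number of times, encoded in base32hex. The Python below is an added example for this page, not BIND's code; it parses the salt argument as the page describes (a dash meaning no salt) and uses the RFC 5155 Appendix A parameters (salt <code>aabbccdd</code>, 12 iterations, zone <code>example.</code>) as a known-answer check.</p>

```python
"""NSEC3 owner-name hashing as performed when an NSEC3 chain is built with
-3 salt and -H iterations (RFC 5155 section 5). Added illustration for this
page, not BIND's code; the RFC 5155 Appendix A parameters are used as a
known-answer check."""
import hashlib

BASE32HEX_ALPHABET = "0123456789abcdefghijklmnopqrstuv"


def parse_salt(arg):
    """-3 argument: a hex-encoded salt, or '-' for no salt at all."""
    return b"" if arg == "-" else bytes.fromhex(arg)


def name_to_wire(name):
    """Canonical wire form: labels lower-cased and length-prefixed, ending
    with the root label (RFC 4034 section 6.2 canonical form)."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r in %r" % (label, name))
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex(data):
    """Base32 with the extended-hex alphabet (RFC 4648 section 7), lower
    case, unpadded; a 20-byte SHA-1 digest becomes exactly 32 characters."""
    nbits = len(data) * 8
    pad = (-nbits) % 5
    n = int.from_bytes(data, "big") << pad
    nchars = (nbits + pad) // 5
    return "".join(BASE32HEX_ALPHABET[(n >> (5 * (nchars - 1 - i))) & 31]
                   for i in range(nchars))


def nsec3_hash(owner, salt, iterations):
    """IH(0) = SHA1(wire(owner) || salt); IH(k) = SHA1(IH(k-1) || salt);
    the NSEC3 hash is IH(iterations), base32hex-encoded."""
    digest = hashlib.sha1(name_to_wire(owner) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_owner(name, zone, salt, iterations):
    """Owner name of the NSEC3 record that covers `name` in `zone`."""
    return "%s.%s" % (nsec3_hash(name, salt, iterations), zone.rstrip(".") + ".")


if __name__ == "__main__":
    salt = parse_salt("aabbccdd")       # RFC 5155 Appendix A parameters
    for name in ("example.", "a.example.", "www.example."):
        print(name, "->", nsec3_owner(name, "example.", salt, 12))
    print("no salt, 0 iterations:", nsec3_hash("www.example.", parse_salt("-"), 0))
```

<p>Every extra iteration is one more SHA-1 for the signer and for every validator proving a denial of existence, and neither the salt nor the iteration count makes the hashed names materially harder to recover by dictionary; current guidance (RFC 9276) is an empty salt and zero iterations, well below the default of 10 documented for <code class="option">-H</code>.</p>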
<dt><span class="term">-A</span></dt>
<dd><p>When generating an NSEC3 chain set the OPTOUT flag on all
 NSEC3 records and do not generate NSEC3 records for insecure
 delegations.</p>
<p>Using this option twice (i.e., <code class="option">-AA</code>)</p></dd>
Kexample.com.+003+17247