man.dnssec-signzone.html revision 8e16b3078757ba3010c24aef805e9e29ed19518b
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza - Copyright (C) 2000-2003 Internet Software Consortium.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza - Permission to use, copy, modify, and/or distribute this software for any
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza - purpose with or without fee is hereby granted, provided that the above
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza - copyright notice and this permission notice appear in all copies.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza - PERFORMANCE OF THIS SOFTWARE.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<!-- $Id$ -->
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
6f269e977ae7318d374676a38d516ed59c43135eMark J. Nelson<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-verify.html">Next</a>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<p><span><strong class="command">dnssec-signzone</strong></span>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza signs a zone. It generates
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza NSEC and RRSIG records and produces a signed version of the
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza zone. The security status of delegations from the signed zone
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza (that is, whether the child zones are secure or not) is
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza determined by the presence or absence of a
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <code class="filename">keyset</code> file for each child zone.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Verify all generated signatures.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Specifies the DNS class of the zone.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Compatibility mode: Generate a
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza file in addition to
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza when signing a zone, for use by older versions of
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <span><strong class="command">dnssec-signzone</strong></span>.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Look for <code class="filename">dsset-</code> or
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <code class="filename">keyset-</code> files in <code class="option">directory</code>.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Output only those record types automatically managed by
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza NSEC3 and NSEC3PARAM records. If smart signing
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza (<code class="option">-S</code>) is used, DNSKEY records are also
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza included. The resulting file can be included in the original
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza cannot be combined with <code class="option">-O raw</code>,
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <code class="option">-O map</code>, or serial number updating.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza When applicable, specifies the hardware to use for
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza cryptographic operations, such as a secure key store used
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza for signing.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza When BIND is built with OpenSSL PKCS#11 support, this defaults
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza to the string "pkcs11", which identifies an OpenSSL engine
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza that can drive a cryptographic accelerator or hardware service
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza module. When BIND is built with native PKCS#11 cryptography
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza (--enable-native-pkcs11), it defaults to the path of the PKCS#11
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza provider library specified via "--with-pkcs11".
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Generate DS records for child zones from
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza file. Existing DS records will be removed.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Key repository: Specify a directory to search for DNSSEC keys.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza If not specified, defaults to the current directory.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Treat specified key as a key signing key ignoring any
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza key flags. This option may be specified multiple times.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Generate a DLV set in addition to the key (DNSKEY) and DS sets.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza The domain is appended to the name of the records.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Sets the maximum TTL for the signed zone.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza in the output. This provides certainty as to the largest
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza possible TTL in the signed zone, which is useful to know when
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza rolling keys because it is the longest possible time before
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza signatures that have been retrieved by resolvers will expire
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza from resolver caches. Zones that are signed with this
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza option should be configured to use a matching
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza (Note: This option is incompatible with <code class="option">-D</code>,
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza because it modifies non-DNSSEC data in the output zone.)
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Specify the date and time when the generated RRSIG records
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza become valid. This can be either an absolute or relative
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza time. An absolute start time is indicated by a number
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza in YYYYMMDDHHMMSS notation; 20000530144500 denotes
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza 14:45:00 UTC on May 30th, 2000. A relative start time is
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza indicated by +N, which is N seconds from the current time.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza If no <code class="option">start-time</code> is specified, the current
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza time minus 1 hour (to allow for clock skew) is used.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Specify the date and time when the generated RRSIG records
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza expire. As with <code class="option">start-time</code>, an absolute
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza time is indicated in YYYYMMDDHHMMSS notation. A time relative
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza to the start time is indicated with +N, which is N seconds from
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza the start time. A time relative to the current time is
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza indicated with now+N. If no <code class="option">end-time</code> is
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza specified, 30 days from the start time is used as a default.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <code class="option">end-time</code> must be later than
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Specify the date and time when the generated RRSIG records
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza for the DNSKEY RRset will expire. This is to be used in cases
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza when the DNSKEY signatures need to persist longer than
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza signatures on other records; e.g., when the private component
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza of the KSK is kept offline and the KSK signature is to be
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza refreshed manually.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza As with <code class="option">start-time</code>, an absolute
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza time is indicated in YYYYMMDDHHMMSS notation. A time relative
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza to the start time is indicated with +N, which is N seconds from
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza the start time. A time relative to the current time is
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza indicated with now+N. If no <code class="option">extended end-time</code> is
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza specified, the value of <code class="option">end-time</code> is used as
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza the default. (<code class="option">end-time</code>, in turn, defaults to
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza 30 days from the start time.) <code class="option">extended end-time</code>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza must be later than <code class="option">start-time</code>.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza The name of the output file containing the signed zone. The
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza default is to append <code class="filename">.signed</code> to
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza the input filename. If <code class="option">output-file</code> is
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza set to <code class="literal">"-"</code>, then the signed zone is
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza written to the standard output, with a default output
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza format of "full".
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Prints a short summary of the options and arguments to
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <span><strong class="command">dnssec-signzone</strong></span>.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza When a previously-signed zone is passed as input, records
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza may be resigned. The <code class="option">interval</code> option
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza specifies the cycle interval as an offset from the current
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza time (in seconds). If a RRSIG record expires after the
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza cycle interval, it is retained. Otherwise, it is considered
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza to be expiring soon, and it will be replaced.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza The default cycle interval is one quarter of the difference
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza between the signature end and start times. So if neither
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <code class="option">end-time</code> or <code class="option">start-time</code>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza are specified, <span><strong class="command">dnssec-signzone</strong></span>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza signatures that are valid for 30 days, with a cycle
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza interval of 7.5 days. Therefore, if any existing RRSIG records
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza are due to expire in less than 7.5 days, they would be
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza The format of the input zone file.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Possible formats are <span><strong class="command">"text"</strong></span> (default),
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"map"</strong></span>.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza This option is primarily intended to be used for dynamic
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza signed zones so that the dumped zone file in a non-text
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza format containing updates can be signed directly.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza The use of this option does not make much sense for
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza non-dynamic zones.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza When signing a zone with a fixed signature lifetime, all
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza RRSIG records issued at the time of signing expires
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza simultaneously. If the zone is incrementally signed, i.e.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza a previously-signed zone is passed as input to the signer,
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza all expired signatures have to be regenerated at about the
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza same time. The <code class="option">jitter</code> option specifies a
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza jitter window that will be used to randomize the signature
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza expire time, thus spreading incremental signature
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza regeneration over time.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Signature lifetime jitter also to some extent benefits
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza validators and servers by spreading out cache expiration,
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza i.e. if large numbers of RRSIGs don't expire at the same time
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza from all caches there will be less congestion than if all
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza validators need to refetch at mostly the same time.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza When writing a signed zone to "raw" or "map" format, set the
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza "source serial" value in the header to the specified serial
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza number. (This is expected to be used primarily for testing
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Specifies the number of threads to use. By default, one
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza thread is started for each detected CPU.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza The SOA serial number format of the signed zone.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Possible formats are <span><strong class="command">"keep"</strong></span> (default),
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <span><strong class="command">"increment"</strong></span>, <span><strong class="command">"unixtime"</strong></span>,
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza and <span><strong class="command">"date"</strong></span>.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dd><p>Do not modify the SOA serial number.</p></dd>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dd><p>Increment the SOA serial number using RFC 1982
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dd><p>Set the SOA serial number to the number of seconds
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term"><span><strong class="command">"date"</strong></span></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dd><p>Set the SOA serial number to today's date in
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza The zone origin. If not specified, the name of the zone file
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza is assumed to be the origin.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza The format of the output file containing the signed zone.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Possible formats are <span><strong class="command">"text"</strong></span> (default),
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza which is the standard textual representation of the zone;
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <span><strong class="command">"full"</strong></span>, which is text output in a
0ea64585698b885134cf212069f5ff7ebda376a6Liane Praza format suitable for processing by external scripts;
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza and <span><strong class="command">"map"</strong></span>, <span><strong class="command">"raw"</strong></span>,
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza and <span><strong class="command">"raw=N"</strong></span>, which store the zone in
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza binary formats for rapid loading by <span><strong class="command">named</strong></span>.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <span><strong class="command">"raw=N"</strong></span> specifies the format version of
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza the raw zone file: if N is 0, the raw file can be read by
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza any version of <span><strong class="command">named</strong></span>; if N is 1, the file
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza can be read by release 9.9.0 or higher; the default is 1.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Use pseudo-random data when signing the zone. This is faster,
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza but less secure, than using real random data. This option
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza may be useful when signing large zones or when the entropy
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza source is limited.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Disable post sign verification tests.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza The post sign verification test ensures that for each algorithm
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza in use there is at least one non revoked self signed KSK key,
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza that all revoked KSK keys are self signed, and that all records
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza in the zone are signed by the algorithm.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza This option skips these tests.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Remove signatures from keys that are no longer active.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Normally, when a previously-signed zone is passed as input
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza to the signer, and a DNSKEY record has been removed and
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza replaced with a new one, signatures from the old key
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza that are still within their validity period are retained.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza This allows the zone to continue to validate with cached
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza copies of the old DNSKEY RRset. The <code class="option">-Q</code>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza forces <span><strong class="command">dnssec-signzone</strong></span> to remove
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza signatures from keys that are no longer active. This
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza enables ZSK rollover using the procedure described in
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Remove signatures from keys that are no longer published.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza This option is similar to <code class="option">-Q</code>, except it
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza forces <span><strong class="command">dnssec-signzone</strong></span> to signatures from
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza keys that are no longer published. This enables ZSK rollover
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza using the procedure described in RFC 4641, section 4.2.1.2
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza ("Double Signature Zone Signing Key Rollover").
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Specifies the source of randomness. If the operating
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza system does not provide a <code class="filename">/dev/random</code>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza or equivalent device, the default source of randomness
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza is keyboard input. <code class="filename">randomdev</code>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza the name of a character device or file containing random
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza data to be used instead of the default. The special value
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <code class="filename">keyboard</code> indicates that keyboard
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza input should be used.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza search the key repository for keys that match the zone being
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza signed, and to include them in the zone if appropriate.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza When a key is found, its timing metadata is examined to
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza determine how it should be used, according to the following
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza rules. Each successive rule takes priority over the prior
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza If no timing metadata has been set for the key, the key is
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza published in the zone and used to sign the zone.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza If the key's publication date is set and is in the past, the
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza key is published in the zone.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza If the key's activation date is set and in the past, the
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza key is published (regardless of publication date) and
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza used to sign the zone.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza If the key's revocation date is set and in the past, and the
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza key is published, then the key is revoked, and the revoked key
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza is used to sign the zone.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza If either of the key's unpublication or deletion dates are set
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza and in the past, the key is NOT published or used to sign the
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza zone, regardless of any other metadata.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Specifies a TTL to be used for new DNSKEY records imported
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza into the zone from the key repository. If not
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza specified, the default is the TTL value from the zone's SOA
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza record. This option is ignored when signing without
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <code class="option">-S</code>, since DNSKEY records are not imported
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza from the key repository in that case. It is also ignored if
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza there are any pre-existing DNSKEY records at the zone apex,
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza in which case new records' TTL values will be set to match
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza them, or if any of the imported DNSKEY records had a default
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza TTL value. In the event of a a conflict between TTL values in
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza imported keys, the shortest one is used.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Print statistics at completion.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Update NSEC/NSEC3 chain when re-signing a previously signed
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza zone. With this option, a zone signed with NSEC can be
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza switched to NSEC3, or a zone signed with NSEC3 can
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza be switch to NSEC or to NSEC3 with different parameters.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza retain the existing chain when re-signing.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Sets the debugging level.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Only sign the DNSKEY RRset with key-signing keys, and omit
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza signatures from zone-signing keys. (This is similar to the
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <span><strong class="command">named</strong></span>.)
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Ignore KSK flag on key when determining what to sign. This
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza causes KSK-flagged keys to sign all records, not just the
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza DNSKEY RRset. (This is similar to the
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <span><strong class="command">update-check-ksk no;</strong></span> zone option in
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <span><strong class="command">named</strong></span>.)
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Generate an NSEC3 chain with the given hex encoded salt.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza A dash (<em class="replaceable"><code>salt</code></em>) can
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza be used to indicate that no salt is to be used when generating the NSEC3 chain.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza When generating an NSEC3 chain, use this many iterations. The
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza default is 10.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza When generating an NSEC3 chain set the OPTOUT flag on all
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza NSEC3 records and do not generate NSEC3 records for insecure
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza delegations.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Using this option twice (i.e., <code class="option">-AA</code>)
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza turns the OPTOUT flag off for all records. This is useful
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza when using the <code class="option">-u</code> option to modify an NSEC3
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza chain which previously had OPTOUT set.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza The file containing the zone to be signed.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza Specify which keys should be used to sign the zone. If
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza no keys are specified, then the zone will be examined
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza for DNSKEY records at the zone apex. If these are found and
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza there are matching private keys, in the current directory,
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza then these will be used for signing.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza The following command signs the <strong class="userinput"><code>example.com</code></strong>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza (Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza is not being used, the zone's keys must be in the master file
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza (<code class="filename">db.example.com</code>). This invocation looks
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza for <code class="filename">dsset</code> files, in the current directory,
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza the file <code class="filename">db.example.com.signed</code>. This
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza file should be referenced in a zone statement in a
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza This example re-signs a previously signed zone with default parameters.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza The private keys are assumed to be in the current directory.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<pre class="programlisting">% cp db.example.com.signed db.example.com
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<p><span class="corpauthor">Internet Systems Consortium</span>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<td width="40%" align="right">�<a accesskey="n" href="man.dnssec-verify.html">Next</a>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<span class="application">dnssec-settime</span>�</td>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
ead1f93ee620d7580f7e53350fe5a884fc4f158aLiane Praza<td width="40%" align="right" valign="top">�<span class="application">dnssec-verify</span>