man.dnssec-signzone.html revision 92554adb458c7b336e5390c5c9fbf2fcc1276524
<!--
 - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-signzone.html,v 1.58 2007/11/26 01:35:18 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
zone. The security status of delegations from the signed zone
(that is, whether the child zones are secure or not) is
determined by the presence or absence of a
<code class="filename">keyset</code> file for each child zone.</p>
<dt><span class="term">-a</span></dt>
Verify all generated signatures.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
Specifies the DNS class of the zone.
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
Treat the specified key as a key-signing key, ignoring any
key flags. This option may be specified multiple times.
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
Look for <code class="filename">keyset</code> files in
<code class="option">directory</code> as the directory
<dt><span class="term">-g</span></dt>
Generate DS records for child zones from keyset files.
Existing DS records will be removed.
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
Specify the date and time when the generated RRSIG records
become valid. This can be either an absolute or a relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <code class="option">start-time</code> is specified, the current
time minus 1 hour (to allow for clock skew) is used.
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
Specify the date and time when the generated RRSIG records
expire. As with <code class="option">start-time</code>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <code class="option">end-time</code> is
specified, 30 days from the start time is used as a default.
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
The name of the output file containing the signed zone. The
default is to append <code class="filename">.signed</code> to the
input filename.
<dt><span class="term">-h</span></dt>
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-signzone</strong></span>.
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
When a previously-signed zone is passed as input, records
may be re-signed. The <code class="option">interval</code> option
specifies the cycle interval as an offset from the current
time (in seconds). If an RRSIG record expires after the
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<code class="option">end-time</code> nor <code class="option">start-time</code>
is specified, <span><strong class="command">dnssec-signzone</strong></span> generates
signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing RRSIG records
are due to expire in less than 7.5 days, they would be replaced.
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
The format of the input zone file.
Possible formats are <span><strong class="command">"text"</strong></span> (default)
and <span><strong class="command">"raw"</strong></span>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be signed directly.
The use of this option does not make much sense for
non-dynamic zones.
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expire
simultaneously. If the zone is incrementally signed, i.e.
a previously-signed zone is passed as input to the signer,
all expired signatures have to be regenerated at about the
same time. The <code class="option">jitter</code> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
regeneration over time.
Signature lifetime jitter also benefits validators and servers
to some extent by spreading out cache expiration:
if large numbers of RRSIGs don't expire at the same time
from all caches, there will be less congestion than if all
validators need to refetch at mostly the same time.
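An added illustration, not ISC's code, of how the -s, -e, -i and -j rules above combine when a previously signed zone is re-signed: it parses the documented time syntax, derives the default 30-day window and 7.5-day cycle interval, and decides which sample RRSIGs are retained or replaced. The fixed current time, record names and expiry times are constructed sample data.

```python
"""Model of the -s/-e time syntax, the default -i cycle interval and the
-j jitter window described above, applied to a constructed set of RRSIGs
(added illustration, not ISC's code)."""
import random
from datetime import datetime, timedelta, timezone

def parse_time(spec, now, start=None):
    """Resolve a -s/-e argument: YYYYMMDDHHMMSS is absolute (UTC); +N is
    N seconds after start, or after now when no start is given (as for
    -s); now+N is N seconds after now."""
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        return (start or now) + timedelta(seconds=int(spec[1:]))
    if len(spec) == 14 and spec.isdigit():
        return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    raise ValueError("unrecognised time: %r" % spec)

def signing_window(now, start_time=None, end_time=None, interval=None):
    """Return (inception, expiration, cycle interval in seconds) using the
    documented defaults: start = now - 1h, end = start + 30 days,
    interval = one quarter of the lifetime (7.5 days by default)."""
    start = parse_time(start_time, now) if start_time else now - timedelta(hours=1)
    end = parse_time(end_time, now, start) if end_time else start + timedelta(days=30)
    if end <= start:
        raise ValueError("end-time must be after start-time")
    if interval is None:
        interval = int((end - start).total_seconds() / 4)
    return start, end, interval

def plan_resign(rrsigs, now, interval, expiration, jitter=0, rng=None):
    """For each (name, expiry): retain it if it expires after now + interval;
    otherwise it is 'expiring soon' and gets a fresh expiry, pulled back by
    a random 0..jitter seconds so the next regeneration is spread out."""
    rng = rng or random.Random(0)   # seeded only so the demo is repeatable
    cutoff = now + timedelta(seconds=interval)
    plan = {}
    for name, expiry in rrsigs:
        if expiry > cutoff:
            plan[name] = ("retain", expiry)
        else:
            back = rng.randint(0, jitter) if jitter else 0
            plan[name] = ("replace", expiration - timedelta(seconds=back))
    return plan

# Constructed sample: a fixed "now" and three RRSIGs from a previously signed
# zone whose expiries fall on both sides of the default 7.5-day cutoff.
NOW = datetime(2007, 11, 26, 1, 35, 18, tzinfo=timezone.utc)
SAMPLE_RRSIGS = [
    ("example.com./SOA", NOW + timedelta(days=3)),      # expires within the cycle
    ("www.example.com./A", NOW + timedelta(days=20)),   # comfortably valid
    ("example.com./NSEC", NOW - timedelta(days=1)),     # already expired
]

def demo(jitter=0):
    """Re-sign the sample zone with default -s, -e and -i and the given -j."""
    start, end, interval = signing_window(NOW)
    return plan_resign(SAMPLE_RRSIGS, NOW, interval, end, jitter)
```

Calling demo(jitter=86400) shows the replaced signatures receiving expiries spread over the last day of the new window, while the comfortably valid A record is left alone.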
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
The SOA serial number format of the signed zone.
Possible formats are <span><strong class="command">"keep"</strong></span> (default),
<span><strong class="command">"increment"</strong></span> and
<span><strong class="command">"unixtime"</strong></span>.
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
The format of the output file containing the signed zone.
Possible formats are <span><strong class="command">"text"</strong></span> (default)
and <span><strong class="command">"raw"</strong></span>.
<dt><span class="term">-p</span></dt>
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
<dt><span class="term">-t</span></dt>
Print statistics at completion.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
Sets the debugging level.
<dt><span class="term">-z</span></dt>
Ignore the KSK flag on keys when determining what to sign.
<dt><span class="term">zonefile</span></dt>
The file containing the zone to be signed.
<dt><span class="term">key</span></dt>
Specify which keys should be used to sign the zone. If
no keys are specified, then the zone will be examined
for DNSKEY records at the zone apex. If these are found and
there are matching private keys in the current directory,
then these will be used for signing.
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
(Kexample.com.+003+17247). The zone's keys must be in the master
file (<code class="filename">db.example.com</code>). This invocation looks
for <code class="filename">keyset</code> files in the current directory,
so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed</pre>
In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
the file <code class="filename">db.example.com.signed</code>. This
file should be referenced in a zone statement in a
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed</pre>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span></p>