man.dnssec-signzone.html revision a8a5c3eb62ea3256fd015fffd12a8a7552331df9
Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000-2003 Internet Software Consortium.
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
<a accesskey="p" href="man.dnssec-settime.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-verify.html">Next</a>
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-Q</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
<a name="id2643401"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
zone. The security status of delegations from the signed zone
(that is, whether the child zones are secure or not) is
determined by the presence or absence of a
<code class="filename">keyset</code> file for each child zone.
<dt><span class="term">-a</span></dt>
Verify all generated signatures.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
Specifies the DNS class of the zone.
<dt><span class="term">-C</span></dt>
Compatibility mode: Generate a
<code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
file in addition to
<code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
when signing a zone, for use by older versions of
<span><strong class="command">dnssec-signzone</strong></span>.
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<code class="filename">keyset-</code> files in <code class="option">directory</code>.
<dt><span class="term">-D</span></dt>
Output only those record types automatically managed by
<span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
NSEC3 and NSEC3PARAM records. If smart signing
(<code class="option">-S</code>) is used, DNSKEY records are also
included. The resulting file can be included in the original
zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
cannot be combined with <code class="option">-O raw</code>,
<code class="option">-O map</code>, or serial number updating.
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
When applicable, specifies the hardware to use for
cryptographic operations, such as a secure key store used
for signing.
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
<dt><span class="term">-g</span></dt>
Generate DS records for child zones from
<code class="filename">dsset-</code> or <code class="filename">keyset-</code>
file. Existing DS records will be removed.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
Key repository: Specify a directory to search for DNSSEC keys.
If not specified, defaults to the current directory.
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
Treat specified key as a key signing key ignoring any
key flags. This option may be specified multiple times.
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
Sets the maximum TTL for the signed zone.
Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
in the output. This provides certainty as to the largest
possible TTL in the signed zone, which is useful to know when
rolling keys because it is the longest possible time before
signatures that have been retrieved by resolvers will expire
from resolver caches. Zones that are signed with this
option should be configured to use a matching
<code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
(Note: This option is incompatible with <code class="option">-D</code>,
because it modifies non-DNSSEC data in the output zone.)
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
Specify the date and time when the generated RRSIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <code class="option">start-time</code> is specified, the current
time minus 1 hour (to allow for clock skew) is used.
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
Specify the date and time when the generated RRSIG records
expire. As with <code class="option">start-time</code>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <code class="option">end-time</code> is
specified, 30 days from the start time is used as a default.
<code class="option">end-time</code> must be later than
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
Specify the date and time when the generated RRSIG records
for the DNSKEY RRset will expire. This is to be used in cases
when the DNSKEY signatures need to persist longer than
signatures on other records; e.g., when the private component
of the KSK is kept offline and the KSK signature is to be
refreshed manually.
As with <code class="option">start-time</code>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <code class="option">extended end-time</code> is
specified, the value of <code class="option">end-time</code> is used as
the default. (<code class="option">end-time</code>, in turn, defaults to
30 days from the start time.) <code class="option">extended end-time</code>
must be later than <code class="option">start-time</code>.
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
The name of the output file containing the signed zone. The
default is to append <code class="filename">.signed</code> to
the input filename. If <code class="option">output-file</code> is
set to <code class="literal">"-"</code>, then the signed zone is
written to the standard output, with a default output
format of "full".
<dt><span class="term">-h</span></dt>
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-signzone</strong></span>.
<dt><span class="term">-V</span></dt>
Prints version information.
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
When a previously-signed zone is passed as input, records
may be resigned. The <code class="option">interval</code> option
specifies the cycle interval as an offset from the current
time (in seconds). If an RRSIG record expires after the
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<code class="option">end-time</code> nor <code class="option">start-time</code>
is specified, <span><strong class="command">dnssec-signzone</strong></span>
generates signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing RRSIG records
are due to expire in less than 7.5 days, they would be
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
The format of the input zone file.
Possible formats are <span><strong class="command">"text"</strong></span> (default),
<span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"map"</strong></span>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be signed directly.
The use of this option does not make much sense for
non-dynamic zones.
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expire
simultaneously. If the zone is incrementally signed, i.e.
a previously-signed zone is passed as input to the signer,
all expired signatures have to be regenerated at about the
same time. The <code class="option">jitter</code> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
regeneration over time.
Signature lifetime jitter also to some extent benefits
validators and servers by spreading out cache expiration,
i.e. if large numbers of RRSIGs don't expire at the same time
from all caches there will be less congestion than if all
validators need to refetch at mostly the same time.
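<p>The interplay of <code class="option">-s</code>, <code class="option">-e</code>, <code class="option">-X</code>, <code class="option">-i</code> and <code class="option">-j</code> described above, worked through in Python. This is an added example, not code from BIND or from this manual page: it models the documented rules (the three time notations, the one-hour clock-skew allowance, the 30-day default lifetime, the quarter-lifetime cycle interval, and the retain-or-replace test for existing RRSIGs) against a fixed, constructed "now" so it runs offline. Two points are this example's own assumptions: absolute times are interpreted as UTC, and the jitter window is applied by pulling an expiry forward so that no signature outlives <code class="option">end-time</code>.</p>

```python
"""Model of dnssec-signzone's signature timing rules (-s, -e, -X, -i, -j).

Added example, not BIND code. It follows the rules stated in the manual
page; UTC interpretation of absolute times and the direction of jitter
are assumptions of this example.
"""
import random
from datetime import datetime, timezone

DAY = 86400  # seconds


def parse_timespec(spec, now, base):
    """Resolve one of the manual's three time notations to a UNIX timestamp.

    YYYYMMDDHHMMSS  absolute time (interpreted as UTC here)
    +N              N seconds after `base` (the current time for -s,
                    the start time for -e and -X)
    now+N           N seconds after the current time
    """
    if spec.startswith("now+"):
        return now + int(spec[4:])
    if spec.startswith("+"):
        return base + int(spec[1:])
    if len(spec) == 14 and spec.isdigit():
        dt = datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    raise ValueError(f"unrecognised time specification: {spec!r}")


def signing_window(now, start=None, end=None, extended_end=None, interval=None):
    """Apply the documented defaults for -s, -e, -X and -i.

    start defaults to now - 1 hour (clock skew allowance), end to
    start + 30 days, extended end to end, and the cycle interval to a
    quarter of the signature lifetime (end - start).
    """
    start_t = now - 3600 if start is None else parse_timespec(start, now, now)
    end_t = start_t + 30 * DAY if end is None else parse_timespec(end, now, start_t)
    xend_t = end_t if extended_end is None else parse_timespec(extended_end, now, start_t)
    if end_t <= start_t or xend_t <= start_t:
        raise ValueError("end-time and extended end-time must be later than start-time")
    cycle = (end_t - start_t) // 4 if interval is None else interval
    return {"start": start_t, "end": end_t, "extended_end": xend_t, "interval": cycle}


def rrsig_is_retained(rrsig_expiry, now, interval):
    """-i rule: keep an existing RRSIG only if it expires after now + interval."""
    return rrsig_expiry > now + interval


def jittered_expiry(end, jitter, seed=None):
    """-j rule: randomise the expiry within a window of `jitter` seconds.

    Assumption: the window pulls the expiry forward, never past `end`.
    A seed is accepted only so that runs are reproducible.
    """
    if jitter <= 0:
        return end
    return end - random.Random(seed).randint(0, jitter)


if __name__ == "__main__":
    # Constructed sample: the manual's own example timestamp as 'now'.
    now = parse_timespec("20000530144500", 0, 0)   # 14:45:00 UTC, 30 May 2000
    win = signing_window(now)
    print("start      ", datetime.fromtimestamp(win["start"], timezone.utc))
    print("end        ", datetime.fromtimestamp(win["end"], timezone.utc))
    print("cycle (days)", win["interval"] / DAY)
    for age_days in (5, 10):
        expiry = now + age_days * DAY
        print(f"RRSIG expiring in {age_days:>2}d: retained="
              f"{rrsig_is_retained(expiry, now, win['interval'])}, "
              f"jittered new expiry={jittered_expiry(win['end'], 3600, seed=age_days)}")
```

With the defaults, an RRSIG that still has 10 days to run is kept, while one with 5 days left falls inside the 7.5-day cycle interval and is re-signed; only the freshly generated signatures get a jittered expiry.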
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
When writing a signed zone to "raw" or "map" format, set the
"source serial" value in the header to the specified serial
number. (This is expected to be used primarily for testing
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
The SOA serial number format of the signed zone.
Possible formats are <span><strong class="command">"keep"</strong></span> (default),
<span><strong class="command">"increment"</strong></span>, <span><strong class="command">"unixtime"</strong></span>,
and <span><strong class="command">"date"</strong></span>.
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
<dt><span class="term"><span><strong class="command">"date"</strong></span></span></dt>
<dd><p>Set the SOA serial number to today's date in
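<p>The four <code class="option">-N</code> formats as a worked Python model. This is an added example, not BIND code. It assumes the conventional YYYYMMDDNN layout for "date" (the manual page text above is cut off before naming it) and, as a further assumption of this example, falls back to an RFC 1982 increment whenever a clock-derived value would not move the serial forward in serial arithmetic, since a serial that does not advance is what makes secondaries discard the new zone version.</p>

```python
"""Model of the -N soa-serial-format choices: keep, increment, unixtime, date.

Added example, not BIND code. Serial arithmetic follows RFC 1982 so that
'increment' wraps at 2^32; the fallback for non-advancing clock values is
this example's assumption.
"""
from datetime import datetime, timezone

SERIAL_MOD = 1 << 32   # serials are 32-bit unsigned
SERIAL_HALF = 1 << 31  # RFC 1982 comparison threshold


def serial_add(serial, n):
    """RFC 1982 addition: wraps modulo 2^32."""
    return (serial + n) % SERIAL_MOD


def serial_gt(a, b):
    """RFC 1982 'a is greater than b' for 32-bit serial numbers."""
    if a == b:
        return False
    return (a > b and a - b < SERIAL_HALF) or (a < b and b - a > SERIAL_HALF)


def next_serial(old, fmt, now):
    """Return the SOA serial the signed zone should carry under -N <fmt>.

    old: serial found in the input zone; now: UNIX timestamp (UTC).
    """
    if fmt == "keep":
        return old
    if fmt == "increment":
        return serial_add(old, 1)
    if fmt == "unixtime":
        candidate = int(now) % SERIAL_MOD
    elif fmt == "date":
        # YYYYMMDD followed by a two-digit counter (assumed layout, starts at 00)
        day = datetime.fromtimestamp(now, tz=timezone.utc).strftime("%Y%m%d")
        candidate = int(day) * 100
    else:
        raise ValueError(f"unknown soa-serial-format: {fmt!r}")
    # Assumption: if the clock-derived value does not advance the serial in
    # RFC 1982 terms (e.g. the zone was already signed today, or the input
    # serial is artificially high), fall back to a plain increment.
    return candidate if serial_gt(candidate, old) else serial_add(old, 1)


if __name__ == "__main__":
    now = 959697900  # constructed: 14:45:00 UTC, 30 May 2000
    for old in (2000052900, 2000053000, SERIAL_MOD - 1):
        for fmt in ("keep", "increment", "unixtime", "date"):
            print(f"{old:>10} {fmt:<9} -> {next_serial(old, fmt, now)}")
```

Note the wrap-around case: an input serial of 4294967295 under "increment" becomes 0, which RFC 1982 comparison still treats as newer, so secondaries will transfer it.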
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
The format of the output file containing the signed zone.
Possible formats are <span><strong class="command">"text"</strong></span> (default),
which is the standard textual representation of the zone;
<span><strong class="command">"full"</strong></span>, which is text output in a
format suitable for processing by external scripts;
and <span><strong class="command">"map"</strong></span>, <span><strong class="command">"raw"</strong></span>,
and <span><strong class="command">"raw=N"</strong></span>, which store the zone in
binary formats for rapid loading by <span><strong class="command">named</strong></span>.
<span><strong class="command">"raw=N"</strong></span> specifies the format version of
the raw zone file: if N is 0, the raw file can be read by
any version of <span><strong class="command">named</strong></span>; if N is 1, the file
can be read by release 9.9.0 or higher; the default is 1.
<dt><span class="term">-p</span></dt>
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
<dt><span class="term">-P</span></dt>
Disable post sign verification tests.
The post sign verification test ensures that for each algorithm
in use there is at least one non-revoked self-signed KSK key,
that all revoked KSK keys are self-signed, and that all records
in the zone are signed by the algorithm.
This option skips these tests.
<dt><span class="term">-Q</span></dt>
Remove signatures from keys that are no longer active.
Normally, when a previously-signed zone is passed as input
to the signer, and a DNSKEY record has been removed and
replaced with a new one, signatures from the old key
that are still within their validity period are retained.
This allows the zone to continue to validate with cached
copies of the old DNSKEY RRset. The <code class="option">-Q</code> option
forces <span><strong class="command">dnssec-signzone</strong></span> to remove
signatures from keys that are no longer active. This
enables ZSK rollover using the procedure described in
RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
<dt><span class="term">-R</span></dt>
Remove signatures from keys that are no longer published.
This option is similar to <code class="option">-Q</code>, except it
forces <span><strong class="command">dnssec-signzone</strong></span> to remove signatures from
keys that are no longer published. This enables ZSK rollover
using the procedure described in RFC 4641, section 4.2.1.2
("Double Signature Zone Signing Key Rollover").
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
<dt><span class="term">-S</span></dt>
Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
search the key repository for keys that match the zone being
signed, and to include them in the zone if appropriate.
When a key is found, its timing metadata is examined to
determine how it should be used, according to the following
rules. Each successive rule takes priority over the prior
If no timing metadata has been set for the key, the key is
published in the zone and used to sign the zone.
If the key's publication date is set and is in the past, the
key is published in the zone.
If the key's activation date is set and in the past, the
key is published (regardless of publication date) and
used to sign the zone.
If the key's revocation date is set and in the past, and the
key is published, then the key is revoked, and the revoked key
is used to sign the zone.
If either of the key's unpublication or deletion dates are set
and in the past, the key is NOT published or used to sign the
zone, regardless of any other metadata.
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
Specifies a TTL to be used for new DNSKEY records imported
into the zone from the key repository. If not
specified, the default is the TTL value from the zone's SOA
record. This option is ignored when signing without
<code class="option">-S</code>, since DNSKEY records are not imported
from the key repository in that case. It is also ignored if
there are any pre-existing DNSKEY records at the zone apex,
in which case new records' TTL values will be set to match
them, or if any of the imported DNSKEY records had a default
TTL value. In the event of a conflict between TTL values in
imported keys, the shortest one is used.
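The following Python model of the <code class="option">-S</code> timing rules and the <code class="option">-T</code> TTL precedence is an added example for this page; it is not code from BIND or from <span><strong class="command">dnssec-signzone</strong></span>, and it only encodes the rules stated above so they can be checked against sample metadata. The key names and dates are constructed, and the ranking of a pre-existing apex DNSKEY TTL above an explicit TTL carried by an imported key file is an assumption, since the text does not order those two cases.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Sequence

# Added example (not BIND code): a model of the -S timing rules and the
# -T TTL precedence documented for dnssec-signzone.


@dataclass(frozen=True)
class KeyTiming:
    """Timing metadata of one key in the repository; every date is optional."""
    name: str                               # constructed, e.g. "Kexample.com.+013+11111"
    publish: Optional[datetime] = None
    activate: Optional[datetime] = None
    revoke: Optional[datetime] = None
    unpublish: Optional[datetime] = None
    delete: Optional[datetime] = None


@dataclass(frozen=True)
class KeyUse:
    published: bool = False   # DNSKEY record is placed in the zone
    signs: bool = False       # key is used to generate RRSIGs
    revoked: bool = False     # published DNSKEY carries the REVOKE bit


def smart_signing_state(key: KeyTiming, now: datetime) -> KeyUse:
    """Apply the -S rules in order; each later rule overrides the earlier ones."""
    def past(t: Optional[datetime]) -> bool:
        return t is not None and t <= now

    dates = (key.publish, key.activate, key.revoke, key.unpublish, key.delete)
    # Rule 1: no timing metadata at all -> publish and sign.
    if all(d is None for d in dates):
        return KeyUse(published=True, signs=True)
    published = signs = revoked = False
    # Rule 2: publication date in the past -> publish only.
    if past(key.publish):
        published = True
    # Rule 3: activation date in the past -> publish (even without a
    # publication date) and sign.
    if past(key.activate):
        published = signs = True
    # Rule 4: revocation date in the past on a published key -> the key is
    # revoked and the revoked key signs the zone.
    if past(key.revoke) and published:
        revoked = signs = True
    # Rule 5: an unpublication or deletion date in the past overrides all.
    if past(key.unpublish) or past(key.delete):
        return KeyUse()
    return KeyUse(published, signs, revoked)


def dnskey_ttl(soa_ttl: int, option_ttl: Optional[int] = None,
               existing_apex_ttl: Optional[int] = None,
               imported_key_ttls: Sequence[Optional[int]] = ()) -> int:
    """TTL given to DNSKEY records imported under -S.

    Precedence per the -T description: a pre-existing apex DNSKEY TTL
    (assumed to rank first; the text does not order it against key-file
    TTLs), then the shortest explicit TTL among imported key files, then
    -T, then the SOA TTL.
    """
    if existing_apex_ttl is not None:
        return existing_apex_ttl
    explicit = [t for t in imported_key_ttls if t is not None]
    if explicit:
        return min(explicit)
    if option_ttl is not None:
        return option_ttl
    return soa_ttl


def demo() -> dict:
    """Constructed sample keys evaluated at a fixed 'now' (2014-06-01 UTC)."""
    now = datetime(2014, 6, 1, tzinfo=timezone.utc)

    def d(*ymd: int) -> datetime:
        return datetime(*ymd, tzinfo=timezone.utc)

    keys = [
        KeyTiming("Kexample.com.+013+11111"),                                      # no metadata
        KeyTiming("Kexample.com.+013+22222", publish=d(2014, 5, 1), activate=d(2014, 7, 1)),  # pre-published
        KeyTiming("Kexample.com.+013+33333", activate=d(2014, 5, 1)),              # active, no publish date
        KeyTiming("Kexample.com.+013+44444", publish=d(2014, 1, 1), activate=d(2014, 1, 1),
                  revoke=d(2014, 5, 15)),                                          # revoked
        KeyTiming("Kexample.com.+013+55555", activate=d(2014, 1, 1), delete=d(2014, 5, 30)),  # deleted
    ]
    return {k.name: smart_signing_state(k, now) for k in keys}


if __name__ == "__main__":
    for name, use in demo().items():
        print(f"{name}: {use}")
    print("DNSKEY TTL:", dnskey_ttl(soa_ttl=3600, option_ttl=300, imported_key_ttls=(900, None, 600)))
```

Running the module prints the state of each constructed key; the revoked key is still published and still signs, while the deleted one disappears regardless of its activation date, which is the behaviour a rollover plan has to account for.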
Print statistics at completion.
<dt><span class="term">-u</span></dt>
Update NSEC/NSEC3 chain when re-signing a previously signed
zone. With this option, a zone signed with NSEC can be
switched to NSEC3, or a zone signed with NSEC3 can
be switched to NSEC or to NSEC3 with different parameters.
Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
retain the existing chain when re-signing.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
Sets the debugging level.
Only sign the DNSKEY RRset with key-signing keys, and omit
signatures from zone-signing keys. (This is similar to the
<span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
<span><strong class="command">named</strong></span>.)
Ignore KSK flag on key when determining what to sign. This
causes KSK-flagged keys to sign all records, not just the
DNSKEY RRset. (This is similar to the
<span><strong class="command">update-check-ksk no;</strong></span> zone option in
<span><strong class="command">named</strong></span>.)
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
Generate an NSEC3 chain with the given hex encoded salt.
A dash (<code class="option">-</code>) given as the
<em class="replaceable"><code>salt</code></em> indicates that no salt
is to be used when generating the NSEC3 chain.
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
When generating an NSEC3 chain, use this many iterations. The
default is 10.
<dt><span class="term">-A</span></dt>
When generating an NSEC3 chain, set the OPTOUT flag on all
NSEC3 records and do not generate NSEC3 records for insecure
delegations.
Using this option twice (i.e., <code class="option">-AA</code>)
turns the OPTOUT flag off for all records. This is useful
when using the <code class="option">-u</code> option to modify an NSEC3
chain which previously had OPTOUT set.
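To check the chain that <code class="option">-3</code> and <code class="option">-H</code> produce, the owner-name hash of RFC 5155 can be recomputed independently. The following is an added example written for this page, not BIND code: it builds the canonical wire form of a name, applies SHA-1 with the salt the documented number of extra times, and encodes the result in base32hex, which is the label <span><strong class="command">dnssec-signzone</strong></span> writes in front of the zone name. The sample names are constructed; the expected value for the RFC 5155 Appendix A parameters (salt <code>aabbccdd</code>, 12 iterations) comes from that appendix.

```python
import base64
import hashlib

# Added example (not BIND code): NSEC3 owner-name hash per RFC 5155 for the
# parameters dnssec-signzone takes with -3 (salt) and -H (iterations).

# base64.b32encode() uses the RFC 4648 base32 alphabet; NSEC3 uses the
# "extended hex" alphabet, so translate symbol by symbol and lowercase.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    name = name.rstrip(".").lower()
    out = bytearray()
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length in {name!r}")
            out.append(len(raw))
            out += raw
    out.append(0)          # root label terminates the name
    return bytes(out)


def parse_salt(salt: str) -> bytes:
    """Salt as given to -3: a hex string, or '-' for no salt."""
    return b"" if salt == "-" else bytes.fromhex(salt)


def nsec3_hash(name: str, salt: str = "-", iterations: int = 10) -> str:
    """Base32hex NSEC3 hash of name: SHA-1 applied (iterations + 1) times.

    The -H default of 10 is mirrored here as the default iteration count.
    """
    s = parse_salt(salt)
    digest = hashlib.sha1(wire_name(name) + s).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + s).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3_owner(name: str, zone: str, salt: str = "-", iterations: int = 10) -> str:
    """Owner name of the NSEC3 record that hashes name within zone."""
    return f"{nsec3_hash(name, salt, iterations)}.{zone.rstrip('.')}."


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: salt aabbccdd, 12 iterations.
    print(nsec3_owner("example", "example", "aabbccdd", 12))
    # dnssec-signzone defaults (-H 10) with "-3 -", i.e. no salt.
    print(nsec3_owner("www.example.com", "example.com", "-", 10))
```

Each extra iteration costs every validator one more SHA-1 per query that needs a denial-of-existence proof, so the count chosen with <code class="option">-H</code> is a validator load parameter as much as a zone-enumeration defence; the function above makes that cost explicit in its loop.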
The file containing the zone to be signed.
Specify which keys should be used to sign the zone. If
no keys are specified, then the zone will be examined
for DNSKEY records at the zone apex. If these are found and
there are matching private keys in the current directory,
then these will be used for signing.
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
(Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option
is not being used, the zone's keys must be in the master file
(<code class="filename">db.example.com</code>). This invocation looks
for <code class="filename">dsset</code> files in the current directory,
so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247</pre>
In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
the file <code class="filename">db.example.com.signed</code>. This
file should be referenced in a zone statement in a
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com</pre>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
<p><span class="corpauthor">Internet Systems Consortium</span>
<a accesskey="p" href="man.dnssec-settime.html">Prev</a>&nbsp;</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-verify.html">Next</a>
<span class="application">dnssec-settime</span>&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;<span class="application">dnssec-verify</span>
<p style="text-align: center;">BIND Version 9.11</p>