fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<!--
ca41b452ede6feaa9d8739ec3cae19389a7b0d03Bob Halley - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - Copyright (C) 2000-2003 Internet Software Consortium.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence -
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - Permission to use, copy, modify, and/or distribute this software for any
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - purpose with or without fee is hereby granted, provided that the above
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - copyright notice and this permission notice appear in all copies.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence -
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - PERFORMANCE OF THIS SOFTWARE.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence-->
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<!-- $Id$ -->
61e9c1cdbe29683bb2db388e4fc6a6fd59315cefDavid Lawrence<html>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<head>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<title>dnssec-signzone</title>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
899f7f9af527d3dfe8345dcc8210d7c23fc950afDavid Lawrence<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
c4717613e45323ed23dc6e9162cba89f1f83830cDavid Lawrence<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</head>
8f804834e2b537da5c8bc81f986143a46147b490Andreas Gustafsson<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="navheader">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<table width="100%" summary="Navigation header">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<td width="20%" align="left">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a accesskey="p" href="man.dnssec-settime.html">Prev</a>&nbsp;</td>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<th width="60%" align="center">Manual pages</th>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-verify.html">Next</a>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</td>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</table>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<hr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refentry" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refnamediv">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<h2>Name</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsynopsisdiv">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<h2>Synopsis</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-Q</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em 
class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsect1" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="id2646376"></a><h2>DESCRIPTION</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p><span><strong class="command">dnssec-signzone</strong></span>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence signs a zone. It generates
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence NSEC (or, with <code class="option">-3</code>, NSEC3) and RRSIG records and produces a signed version of the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence zone. The security status of delegations from the signed zone
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence (that is, whether the child zones are secure or not) is
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence determined by the presence or absence of a
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="filename">dsset</code> or <code class="filename">keyset</code> file for each child zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsect1" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="id2646395"></a><h2>OPTIONS</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="variablelist"><dl>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-a</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Verify all generated signatures before writing the signed zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence This costs extra CPU time but catches a signing error (for
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence example from a misbehaving crypto engine selected with
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="option">-E</code>) before a broken zone is published.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Specifies the DNS class of the zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-C</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
d409ceeda41a256e8114423674d844d5f5035ee8Bob Halley Compatibility mode: Generate a
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
8f804834e2b537da5c8bc81f986143a46147b490Andreas Gustafsson file in addition to
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence when signing a zone, for use by older versions of
8f804834e2b537da5c8bc81f986143a46147b490Andreas Gustafsson <span><strong class="command">dnssec-signzone</strong></span>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Look for <code class="filename">dsset-</code> or
8f804834e2b537da5c8bc81f986143a46147b490Andreas Gustafsson <code class="filename">keyset-</code> files in <code class="option">directory</code>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-D</span></dt>
8f804834e2b537da5c8bc81f986143a46147b490Andreas Gustafsson<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Output only those record types automatically managed by
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence NSEC3 and NSEC3PARAM records. If smart signing
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence (<code class="option">-S</code>) is used, DNSKEY records are also
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence included. The resulting file can be included in the original
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence cannot be combined with <code class="option">-O raw</code>,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="option">-O map</code>, or serial number updating.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence When applicable, specifies the hardware to use for
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence cryptographic operations, such as a secure key store used
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence for signing.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence When BIND is built with OpenSSL PKCS#11 support, this defaults
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence to the string "pkcs11", which identifies an OpenSSL engine
61e9c1cdbe29683bb2db388e4fc6a6fd59315cefDavid Lawrence that can drive a cryptographic accelerator or hardware security
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence module (HSM). When BIND is built with native PKCS#11 cryptography
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence (--enable-native-pkcs11), it defaults to the path of the PKCS#11
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence provider library specified via "--with-pkcs11".
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-g</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Generate DS records for child zones from the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence files. Any existing DS records in the input zone will be removed.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Key repository: Specify a directory to search for DNSSEC keys.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence If not specified, defaults to the current directory.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Treat the specified key as a key-signing key (KSK), ignoring any
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence flags set on the key itself. This option may be specified multiple times.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
5fe5a0c02634eaadfcbc3528bf2c184557110a3bAndreas Gustafsson Generate a DLV set in addition to the key (DNSKEY) and DS sets.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence The domain is appended to the name of the records.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Sets the maximum TTL for the signed zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence in the output. This provides certainty as to the largest
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence possible TTL in the signed zone, which is useful to know when
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence rolling keys because it is the longest possible time before
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence signatures that have been retrieved by resolvers will expire
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence from resolver caches. Zones that are signed with this
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence option should be configured to use a matching
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence (Note: This option is incompatible with <code class="option">-D</code>,
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence because it modifies non-DNSSEC data in the output zone.)
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Specify the date and time when the generated RRSIG records
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence become valid. This can be either an absolute or relative
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence time. An absolute start time is indicated by a number
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence in YYYYMMDDHHMMSS notation; 20000530144500 denotes
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence 14:45:00 UTC on May 30th, 2000. A relative start time is
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence indicated by +N, which is N seconds from the current time.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence If no <code class="option">start-time</code> is specified, the current
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence time minus 1 hour (to allow for clock skew) is used.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Specify the date and time when the generated RRSIG records
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence expire. As with <code class="option">start-time</code>, an absolute
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence time is indicated in YYYYMMDDHHMMSS notation. A time relative
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence to the start time is indicated with +N, which is N seconds from
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence the start time. A time relative to the current time is
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence indicated with now+N. If no <code class="option">end-time</code> is
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence specified, 30 days from the start time is used as a default.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <code class="option">end-time</code> must be later than
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <code class="option">start-time</code>.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Specify the date and time when the generated RRSIG records
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence for the DNSKEY RRset will expire. This is to be used in cases
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence when the DNSKEY signatures need to persist longer than
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence signatures on other records; e.g., when the private component
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence of the KSK is kept offline and the KSK signature is to be
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence refreshed manually.
c4717613e45323ed23dc6e9162cba89f1f83830cDavid Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
c4717613e45323ed23dc6e9162cba89f1f83830cDavid Lawrence As with <code class="option">start-time</code>, an absolute
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence time is indicated in YYYYMMDDHHMMSS notation. A time relative
c4717613e45323ed23dc6e9162cba89f1f83830cDavid Lawrence to the start time is indicated with +N, which is N seconds from
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence the start time. A time relative to the current time is
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence indicated with now+N. If no <code class="option">extended end-time</code> is
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence specified, the value of <code class="option">end-time</code> is used as
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence the default. (<code class="option">end-time</code>, in turn, defaults to
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence 30 days from the start time.) <code class="option">extended end-time</code>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence must be later than <code class="option">start-time</code>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence The name of the output file containing the signed zone. The
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence default is to append <code class="filename">.signed</code> to
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence the input filename. If <code class="option">output-file</code> is
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence set to <code class="literal">"-"</code>, then the signed zone is
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence written to the standard output, with a default output
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence format of "full".
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence<dt><span class="term">-h</span></dt>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Prints a short summary of the options and arguments to
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <span><strong class="command">dnssec-signzone</strong></span>.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-V</span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Prints version information.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence When a previously-signed zone is passed as input, records
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence may be resigned. The <code class="option">interval</code> option
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence specifies the cycle interval as an offset from the current
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence time (in seconds). If an RRSIG record expires after the
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence cycle interval, it is retained. Otherwise, it is considered
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence to be expiring soon, and it will be replaced.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence The default cycle interval is one quarter of the difference
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence between the signature end and start times. So if neither
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <code class="option">end-time</code> nor <code class="option">start-time</code>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence is specified, <span><strong class="command">dnssec-signzone</strong></span>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence generates
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence signatures that are valid for 30 days, with a cycle
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence interval of 7.5 days. Therefore, any existing RRSIG records
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence that are due to expire in less than 7.5 days will be
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence replaced.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence</dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence The format of the input zone file.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Possible formats are <span><strong class="command">"text"</strong></span> (default),
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"map"</strong></span>.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence This option is primarily intended to be used for dynamic
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence signed zones so that the dumped zone file in a non-text
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence format containing updates can be signed directly.
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence The use of this option does not make much sense for
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence non-dynamic zones.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence When signing a zone with a fixed signature lifetime, all
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence RRSIG records issued at the time of signing expire
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence simultaneously. If the zone is incrementally signed, i.e.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence a previously-signed zone is passed as input to the signer,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence all expired signatures have to be regenerated at about the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence same time. The <code class="option">jitter</code> option specifies a
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence jitter window that will be used to randomize the signature
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence expire time, thus spreading incremental signature
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence regeneration over time.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Signature lifetime jitter also, to some extent, benefits
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence validators and servers by spreading out cache expiration:
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence if large numbers of RRSIGs do not expire from all caches at
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence the same time, there is less congestion than if all
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence validators need to refetch at roughly the same moment.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence</dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence When writing a signed zone to "raw" or "map" format, set the
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence "source serial" value in the header to the specified serial
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence number. (This is expected to be used primarily for testing
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence purposes.)
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Specifies the number of threads to use. By default, one
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence thread is started for each detected CPU.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p></dd>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
0bd4e3591ac1a729c7ec8f811844119473350975David Lawrence<dd>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence The SOA serial number format of the signed zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Possible formats are <span><strong class="command">"keep"</strong></span> (default),
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span><strong class="command">"increment"</strong></span>, <span><strong class="command">"unixtime"</strong></span>,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence and <span><strong class="command">"date"</strong></span>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<div class="variablelist"><dl>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<dd><p>Do not modify the SOA serial number. Note that secondary
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence servers detect zone changes by comparing serial numbers, so a
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence re-signed zone written with an unchanged serial will not be
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence transferred to them until the serial is updated by other means.</p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>Increment the SOA serial number using RFC 1982
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence arithmetics.</p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>Set the SOA serial number to the number of seconds
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence since epoch.</p></dd>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<dt><span class="term"><span><strong class="command">"date"</strong></span></span></dt>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<dd><p>Set the SOA serial number to today's date in
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence YYYYMMDDNN format.</p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dl></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence The zone origin. If not specified, the name of the zone file
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence is assumed to be the origin.
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence </p></dd>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<dd><p>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence The format of the output file containing the signed zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Possible formats are <span><strong class="command">"text"</strong></span> (default),
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence which is the standard textual representation of the zone;
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span><strong class="command">"full"</strong></span>, which is text output in a
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence format suitable for processing by external scripts;
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence and <span><strong class="command">"map"</strong></span>, <span><strong class="command">"raw"</strong></span>,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence and <span><strong class="command">"raw=N"</strong></span>, which store the zone in
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence binary formats for rapid loading by <span><strong class="command">named</strong></span>.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <span><strong class="command">"raw=N"</strong></span> specifies the format version of
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence the raw zone file: if N is 0, the raw file can be read by
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence any version of <span><strong class="command">named</strong></span>; if N is 1, the file
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence can be read by release 9.9.0 or higher; the default is 1.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-p</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Use pseudo-random data when signing the zone. This is faster,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence but less secure, than using real random data: signature
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence algorithms that need a fresh, unpredictable value for every
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence signature (such as DSA) can expose the private key if that
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence value is weak. This option may be useful when signing large
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence zones or when the entropy source is limited.
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-P</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Disable post-sign verification tests.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<p>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence The post-sign verification test ensures that for each algorithm
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence in use there is at least one non-revoked, self-signed KSK,
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence that all revoked KSKs are self-signed, and that all records
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence in the zone are signed by that algorithm.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence This option skips these tests.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<dt><span class="term">-Q</span></dt>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<dd>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<p>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence Remove signatures from keys that are no longer active.
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence </p>
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Normally, when a previously-signed zone is passed as input
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence to the signer, and a DNSKEY record has been removed and
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence replaced with a new one, signatures from the old key
ff30a206ecc63b6681716322ed7f017e3f51ea7fDavid Lawrence that are still within their validity period are retained.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence This allows the zone to continue to validate with cached
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence copies of the old DNSKEY RRset. The <code class="option">-Q</code>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence forces <span><strong class="command">dnssec-signzone</strong></span> to remove
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence signatures from keys that are no longer active. This
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence enables ZSK rollover using the procedure described in
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence</dd>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence<dt><span class="term">-R</span></dt>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence<dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Remove signatures from keys that are no longer published.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence This option is similar to <code class="option">-Q</code>, except it
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence forces <span><strong class="command">dnssec-signzone</strong></span> to remove signatures from
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence keys that are no longer published. This enables ZSK rollover
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence using the procedure described in RFC 4641, section 4.2.1.2
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence ("Double Signature Zone Signing Key Rollover").
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Specifies the source of randomness. If the operating
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence system does not provide a <code class="filename">/dev/random</code>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence or equivalent device, the default source of randomness
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence is keyboard input. <code class="filename">randomdev</code>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence specifies
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence the name of a character device or file containing random
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence data to be used instead of the default. The special value
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="filename">keyboard</code> indicates that keyboard
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence input should be used.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-S</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence search the key repository for keys that match the zone being
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence signed, and to include them in the zone if appropriate.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence When a key is found, its timing metadata is examined to
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence determine how it should be used, according to the following
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence rules. Each successive rule takes priority over the prior
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence ones:
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="variablelist"><dl>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence If no timing metadata has been set for the key, the key is
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence published in the zone and used to sign the zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence If the key's publication date is set and is in the past, the
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence key is published in the zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence If the key's activation date is set and in the past, the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence key is published (regardless of publication date) and
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence used to sign the zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence If the key's revocation date is set and in the past, and the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence key is published, then the key is revoked, and the revoked key
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence is used to sign the zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence If either the key's unpublication date or its deletion date is set
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence and in the past, the key is NOT published or used to sign the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence zone, regardless of any other metadata.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dl></div>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence</dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Specifies a TTL to be used for new DNSKEY records imported
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence into the zone from the key repository. If not
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence specified, the default is the TTL value from the zone's SOA
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence record. This option is ignored when signing without
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="option">-S</code>, since DNSKEY records are not imported
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence from the key repository in that case. It is also ignored if
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence there are any pre-existing DNSKEY records at the zone apex,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence in which case new records' TTL values will be set to match
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence them, or if any of the imported DNSKEY records had a default
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence TTL value. In the event of a conflict between TTL values in
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence imported keys, the shortest one is used.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-t</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Print statistics at completion.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-u</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Update NSEC/NSEC3 chain when re-signing a previously signed
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence zone. With this option, a zone signed with NSEC can be
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence switched to NSEC3, or a zone signed with NSEC3 can
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence be switched to NSEC or to NSEC3 with different parameters.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence retain the existing chain when re-signing.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Sets the debugging level.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-x</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence Only sign the DNSKEY RRset with key-signing keys, and omit
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence signatures from zone-signing keys. (This is similar to the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span><strong class="command">named</strong></span>.)
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-z</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Ignore KSK flag on key when determining what to sign. This
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence causes KSK-flagged keys to sign all records, not just the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence DNSKEY RRset. (This is similar to the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span><strong class="command">update-check-ksk no;</strong></span> zone option in
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span><strong class="command">named</strong></span>.)
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Generate an NSEC3 chain with the given hex encoded salt.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence A dash given as <em class="replaceable"><code>salt</code></em>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence indicates that no salt is to be used when generating the NSEC3 chain.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence When generating an NSEC3 chain, use this many iterations. The
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence default is 10.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-A</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence When generating an NSEC3 chain set the OPTOUT flag on all
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence NSEC3 records and do not generate NSEC3 records for insecure
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence delegations.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Using this option twice (i.e., <code class="option">-AA</code>)
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence turns the OPTOUT flag off for all records. This is useful
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence when using the <code class="option">-u</code> option to modify an NSEC3
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence chain which previously had OPTOUT set.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">zonefile</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence The file containing the zone to be signed.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">key</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Specify which keys should be used to sign the zone. If
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence no keys are specified, then the zone will be examined
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence for DNSKEY records at the zone apex. If these are found and
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence matching private keys exist in the current directory,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence then these will be used for signing.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dl></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence<div class="refsect1" lang="en">
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence<a name="id2683712"></a><h2>EXAMPLE</h2>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence<p>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence The following command signs the <strong class="userinput"><code>example.com</code></strong>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence (Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence is not being used, the zone's keys must be in the master file
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence (<code class="filename">db.example.com</code>). This invocation looks
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence for <code class="filename">dsset</code> files in the current directory,
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence </p>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
00a1623a59b1540c28781e8ccd8341c8114dbc75David LawrenceKexample.com.+003+17247
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrencedb.example.com.signed
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence%</pre>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence<p>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence the file <code class="filename">db.example.com.signed</code>. This
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence file should be referenced in a zone statement in a
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence <code class="filename">named.conf</code> file.
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence </p>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence<p>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence This example re-signs a previously signed zone with default parameters.
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence The private keys are assumed to be in the current directory.
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence </p>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence<pre class="programlisting">% cp db.example.com.signed db.example.com
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence% dnssec-signzone -o example.com db.example.com
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrencedb.example.com.signed
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence%</pre>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence</div>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence<div class="refsect1" lang="en">
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence<a name="id2683790"></a><h2>SEE ALSO</h2>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence </p>
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsect1" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="id2683818"></a><h2>AUTHOR</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p><span class="corpauthor">Internet Systems Consortium</span>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="navfooter">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<hr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<table width="100%" summary="Navigation footer">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<td width="40%" align="left">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a accesskey="p" href="man.dnssec-settime.html">Prev</a>&nbsp;</td>
1b038dbf0659fce246485562601ee851a9841ba1David Lawrence<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
1b038dbf0659fce246485562601ee851a9841ba1David Lawrence<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-verify.html">Next</a>
1b038dbf0659fce246485562601ee851a9841ba1David Lawrence</td>
1b038dbf0659fce246485562601ee851a9841ba1David Lawrence</tr>
1b038dbf0659fce246485562601ee851a9841ba1David Lawrence<tr>
1b038dbf0659fce246485562601ee851a9841ba1David Lawrence<td width="40%" align="left" valign="top">
1b038dbf0659fce246485562601ee851a9841ba1David Lawrence<span class="application">dnssec-settime</span>&nbsp;</td>
1b038dbf0659fce246485562601ee851a9841ba1David Lawrence<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
1b038dbf0659fce246485562601ee851a9841ba1David Lawrence<td width="40%" align="right" valign="top">&nbsp;<span class="application">dnssec-verify</span>
1b038dbf0659fce246485562601ee851a9841ba1David Lawrence</td>
1b038dbf0659fce246485562601ee851a9841ba1David Lawrence</tr>
1b038dbf0659fce246485562601ee851a9841ba1David Lawrence</table>
1b038dbf0659fce246485562601ee851a9841ba1David Lawrence</div>
1b038dbf0659fce246485562601ee851a9841ba1David Lawrence<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
1b038dbf0659fce246485562601ee851a9841ba1David Lawrence</body>
1b038dbf0659fce246485562601ee851a9841ba1David Lawrence</html>
1b038dbf0659fce246485562601ee851a9841ba1David Lawrence