689023771c563d8660e45d439a207e06e96de28fMark Andrews<!--
1fb011b1db93ca25396756ec5e3621d75b39812dTinderbox User - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Copyright (C) 2000-2003 Internet Software Consortium.
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User -
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - Permission to use, copy, modify, and distribute this software for any
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - purpose with or without fee is hereby granted, provided that the above
689023771c563d8660e45d439a207e06e96de28fMark Andrews - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
9a5087bf58f651bfff841192aba5afd06760d6ceTinderbox User - PERFORMANCE OF THIS SOFTWARE.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User-->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!-- $Id: man.dnssec-signzone.html,v 1.85 2008/10/03 01:11:33 tbox Exp $ -->
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<title>dnssec-signzone</title>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navheader">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation header">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-keygen.html">Prev</a>&nbsp;</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.named-checkconf.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="refentry" lang="en">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="refnamediv">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<h2>Name</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refsynopsisdiv">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-n <em class="replaceable"><code>ncpus</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User</div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="refsect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2604561"></a><h2>DESCRIPTION</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span><strong class="command">dnssec-signzone</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein signs a zone. It generates
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein NSEC and RRSIG records and produces a signed version of the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zone. The security status of delegations from the signed zone
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User (that is, whether the child zones are secure or not) is
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User determined by the presence or absence of a
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <code class="filename">keyset</code> file for each child zone.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refsect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2604580"></a><h2>OPTIONS</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="variablelist"><dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-a</span></dt>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dd><p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Verify all generated signatures.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </p></dd>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the DNS class of the zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
00124ad0406365d39f4b2d1011ef6a76706e9df0Mark Andrews<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews<dd><p>
 Treat the specified key as a key signing key, ignoring any
 key flags. This option may be specified multiple times.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Generate a DLV set in addition to the key (DNSKEY) and DS sets.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The domain is appended to the name of the records.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
 Look for <code class="filename">keyset</code> files in
 <code class="option">directory</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-g</span></dt>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dd><p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Generate DS records for child zones from keyset files.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Existing DS records will be removed.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
aa6c5a3e331958d3c92c2facdbd2b8daa55b5959Tinderbox User<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specify the date and time when the generated RRSIG records
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein become valid. This can be either an absolute or relative
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User time. An absolute start time is indicated by a number
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User in YYYYMMDDHHMMSS notation; 20000530144500 denotes
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User 14:45:00 UTC on May 30th, 2000. A relative start time is
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User indicated by +N, which is N seconds from the current time.
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater If no <code class="option">start-time</code> is specified, the current
aa6c5a3e331958d3c92c2facdbd2b8daa55b5959Tinderbox User time minus 1 hour (to allow for clock skew) is used.
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater </p></dd>
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<dd><p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Specify the date and time when the generated RRSIG records
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User expire. As with <code class="option">start-time</code>, an absolute
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User time is indicated in YYYYMMDDHHMMSS notation. A time relative
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to the start time is indicated with +N, which is N seconds from
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the start time. A time relative to the current time is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein indicated with now+N. If no <code class="option">end-time</code> is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specified, 30 days from the start time is used as a default.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The name of the output file containing the signed zone. The
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User default is to append <code class="filename">.signed</code> to
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User input filename.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-h</span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Prints a short summary of the options and arguments to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">dnssec-signzone</strong></span>.
4f6469885c3d66367e3f8fb94e1f3c66115990b0Mark Andrews </p></dd>
4f6469885c3d66367e3f8fb94e1f3c66115990b0Mark Andrews<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When a previously-signed zone is passed as input, records
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein may be resigned. The <code class="option">interval</code> option
4f6469885c3d66367e3f8fb94e1f3c66115990b0Mark Andrews specifies the cycle interval as an offset from the current
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein time (in seconds). If a RRSIG record expires after the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein cycle interval, it is retained. Otherwise, it is considered
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to be expiring soon, and it will be replaced.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User The default cycle interval is one quarter of the difference
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 is specified, <span><strong class="command">dnssec-signzone</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein generates
4f6469885c3d66367e3f8fb94e1f3c66115990b0Mark Andrews signatures that are valid for 30 days, with a cycle
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein interval of 7.5 days. Therefore, if any existing RRSIG records
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein are due to expire in less than 7.5 days, they would be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein replaced.
fc74b733bf679e1b3fb1599e32d445dffe325208Tinderbox User </p>
fc74b733bf679e1b3fb1599e32d445dffe325208Tinderbox User</dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User The format of the input zone file.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Possible formats are <span><strong class="command">"text"</strong></span> (default)
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User and <span><strong class="command">"raw"</strong></span>.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User This option is primarily intended to be used for dynamic
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein signed zones so that the dumped zone file in a non-text
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein format containing updates can be signed directly.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The use of this option does not make much sense for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein non-dynamic zones.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
 When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a previously-signed zone is passed as input to the signer,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein all expired signatures have to be regenerated at about the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein same time. The <code class="option">jitter</code> option specifies a
d9184858dd5d7677050a813d444c281c56f697aaTinderbox User jitter window that will be used to randomize the signature
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein expire time, thus spreading incremental signature
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein regeneration over time.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Signature lifetime jitter also to some extent benefits
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein validators and servers by spreading out cache expiration,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein i.e. if large numbers of RRSIGs don't expire at the same time
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein from all caches there will be less congestion than if all
4a71c59d2bf32585c5dd18f4630d5f10e56a1ab3Automatic Updater validators need to refetch at mostly the same time.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
197486d6a95ef23b1b414e96577bad21e57801cdTinderbox User<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the number of threads to use. By default, one
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein thread is started for each detected CPU.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The SOA serial number format of the signed zone.
517ae3de96aaf870049c52f1224e38a85fe7f21aAutomatic Updater Possible formats are <span><strong class="command">"keep"</strong></span> (default),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">"increment"</strong></span> and
a179cbdf652095d00e7774320592f25eab0210d8Tinderbox User <span><strong class="command">"unixtime"</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="variablelist"><dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>Do not modify the SOA serial number.</p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
 arithmetic.</p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>Set the SOA serial number to the number of seconds
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User since epoch.</p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dl></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The zone origin. If not specified, the name of the zone file
689023771c563d8660e45d439a207e06e96de28fMark Andrews is assumed to be the origin.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The format of the output file containing the signed zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Possible formats are <span><strong class="command">"text"</strong></span> (default)
47012ae6dbf18a2503d7b33c1c9583dc38625cb7Mark Andrews and <span><strong class="command">"raw"</strong></span>.
47012ae6dbf18a2503d7b33c1c9583dc38625cb7Mark Andrews </p></dd>
89bc48260b64a8859ae717e9e5bae380e275fef4Mark Andrews<dt><span class="term">-p</span></dt>
89bc48260b64a8859ae717e9e5bae380e275fef4Mark Andrews<dd><p>
89bc48260b64a8859ae717e9e5bae380e275fef4Mark Andrews Use pseudo-random data when signing the zone. This is faster,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein but less secure, than using real random data. This option
79cf9524b15ca65f55fd6913e6cf01b5581c588aAutomatic Updater may be useful when signing large zones or when the entropy
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein source is limited.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the source of randomness. If the operating
276e28f813ffef042d5a6e9f3373ef4e2ad37996Mark Andrews system does not provide a <code class="filename">/dev/random</code>
276e28f813ffef042d5a6e9f3373ef4e2ad37996Mark Andrews or equivalent device, the default source of randomness
538a83db7509d598da95a93bd7b74ef3112123a4Mark Andrews is keyboard input. <code class="filename">randomdev</code>
538a83db7509d598da95a93bd7b74ef3112123a4Mark Andrews specifies
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the name of a character device or file containing random
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein data to be used instead of the default. The special value
3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews <code class="filename">keyboard</code> indicates that keyboard
3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews input should be used.
3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews </p></dd>
3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews<dt><span class="term">-t</span></dt>
22c71c7b86fa57a19f7df0da4222eb8593e6ad12Mark Andrews<dd><p>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User Print statistics at completion.
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User </p></dd>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User<dd><p>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User Sets the debugging level.
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User </p></dd>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User<dt><span class="term">-z</span></dt>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User<dd><p>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User Ignore KSK flag on key when determining what to sign.
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
 Generate an NSEC3 chain with the given hex-encoded salt.
 A dash (<code>-</code>) given as <em class="replaceable"><code>salt</code></em> can
 be used to indicate that no salt is to be used when generating the NSEC3 chain.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
 When generating an NSEC3 chain, use this many iterations. The
 default is 100.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
aa444144ad14bdd909fe5b70e1f7730b46ec6072Tinderbox User<dt><span class="term">-A</span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
f051d76c87e055c6ea3879e0c97a76609df915ccMark Andrews When generating a NSEC3 chain set the OPTOUT flag on all
36da16fa31fa2a582afe67010ba449a57177fd2fAutomatic Updater NSEC3 records and do not generate NSEC3 records for insecure
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein delegations.
3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews </p></dd>
65ad89971ee9973074cd11c207af92bf5440df01Automatic Updater<dt><span class="term">zonefile</span></dt>
65ad89971ee9973074cd11c207af92bf5440df01Automatic Updater<dd><p>
65ad89971ee9973074cd11c207af92bf5440df01Automatic Updater The file containing the zone to be signed.
65ad89971ee9973074cd11c207af92bf5440df01Automatic Updater </p></dd>
aa6c5a3e331958d3c92c2facdbd2b8daa55b5959Tinderbox User<dt><span class="term">key</span></dt>
aa6c5a3e331958d3c92c2facdbd2b8daa55b5959Tinderbox User<dd><p>
aa6c5a3e331958d3c92c2facdbd2b8daa55b5959Tinderbox User Specify which keys should be used to sign the zone. If
 no keys are specified, then the zone will be examined
 for DNSKEY records at the zone apex. If these are found and
 there are matching private keys in the current directory,
 then these will be used for signing.
1586d8cbac5d73031716561386f60758c6c332d5Mark Andrews </p></dd>
1586d8cbac5d73031716561386f60758c6c332d5Mark Andrews</dl></div>
1586d8cbac5d73031716561386f60758c6c332d5Mark Andrews</div>
1586d8cbac5d73031716561386f60758c6c332d5Mark Andrews<div class="refsect1" lang="en">
1586d8cbac5d73031716561386f60758c6c332d5Mark Andrews<a name="id2658771"></a><h2>EXAMPLE</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The following command signs the <strong class="userinput"><code>example.com</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (Kexample.com.+003+17247). The zone's keys must be in the master
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein file (<code class="filename">db.example.com</code>). This invocation looks
 for <code class="filename">keyset</code> files in the current directory
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
68b30890ebd441a6a1ae3fdf71744d07d02cd030Mark Andrews </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinKexample.com.+003+17247
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeindb.example.com.signed
083a5588a3488b6335ee7bafa505d00644c7c58dMark Andrews%</pre>
089c63b69cdf6803aa8901aae3f2fbae58969511Automatic Updater<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
43b94483957d3168796a816ed86cf097518817dcTinderbox User the file <code class="filename">db.example.com.signed</code>. This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein file should be referenced in a zone statement in a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">named.conf</code> file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
7526edc7677371c366232de5f39a678b7dcda747Mark Andrews This example re-signs a previously signed zone with default parameters.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The private keys are assumed to be in the current directory.
d9c707589ade5d69fb59b6837555adc4cd24d34fAutomatic Updater </p>
d9c707589ade5d69fb59b6837555adc4cd24d34fAutomatic Updater<pre class="programlisting">% cp db.example.com.signed db.example.com
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein% dnssec-signzone -o example.com db.example.com
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeindb.example.com.signed
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein%</pre>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refsect1" lang="en">
689023771c563d8660e45d439a207e06e96de28fMark Andrews<a name="id2658843"></a><h2>SEE ALSO</h2>
4f6469885c3d66367e3f8fb94e1f3c66115990b0Mark Andrews<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="citetitle">RFC 2535</em>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refsect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2658868"></a><h2>AUTHOR</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span class="corpauthor">Internet Systems Consortium</span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
aeb7938001b22e811a910e1b36cdf452f9193865Automatic Updater<div class="navfooter">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
aeb7938001b22e811a910e1b36cdf452f9193865Automatic Updater<table width="100%" summary="Navigation footer">
aeb7938001b22e811a910e1b36cdf452f9193865Automatic Updater<tr>
aeb7938001b22e811a910e1b36cdf452f9193865Automatic Updater<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-keygen.html">Prev</a>&nbsp;</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.named-checkconf.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="left" valign="top">
<span class="application">dnssec-keygen</span>&nbsp;</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;<span class="application">named-checkconf</span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</body>
0284e57b9b9dfaf2517a2cc3282ecf766b8ad075Automatic Updater</html>