man.dnssec-signzone.html revision c986916269e0d9ca0a31efb62ff5ac06938815db
<!--
 - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-settime.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-verify.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry" lang="en">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2623139"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
 signs a zone. It generates
 NSEC and RRSIG records and produces a signed version of the
 zone. The security status of delegations from the signed zone
 (that is, whether the child zones are secure or not) is
 determined by the presence or absence of a
 <code class="filename">keyset</code> file for each child zone.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2669374"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
 Verify all generated signatures.
 </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Specifies the DNS class of the zone.
 </p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
 Compatibility mode: Generate a
 <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
 file in addition to
 <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
 when signing a zone, for use by older versions of
 <span><strong class="command">dnssec-signzone</strong></span>.
 </p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Look for <code class="filename">dsset-</code> or
 <code class="filename">keyset-</code> files in <code class="option">directory</code>.
 </p></dd>
<dt><span class="term">-D</span></dt>
<dd><p>
 Output only those record types automatically managed by
 <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
 NSEC3 and NSEC3PARAM records. If smart signing
 (<code class="option">-S</code>) is used, DNSKEY records are also
 included. The resulting file can be included in the original
 zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
 cannot be combined with <code class="option">-O raw</code>,
 <code class="option">-O map</code>, or serial number updating.
 </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
 Uses crypto hardware (an OpenSSL engine) for the crypto operations
 it supports, for instance signing with private keys from
 a secure key store. When compiled with PKCS#11 support
 it defaults to pkcs11; the empty name resets it to no engine.
 </p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>
 Generate DS records for child zones from
 <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
 file. Existing DS records will be removed.
 </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Key repository: Specify a directory to search for DNSSEC keys.
 If not specified, defaults to the current directory.
 </p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
 Treat the specified key as a key signing key, ignoring any
 key flags. This option may be specified multiple times.
 </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
 Generate a DLV set in addition to the key (DNSKEY) and DS sets.
 The domain is appended to the name of the records.
 </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
 Specify the date and time when the generated RRSIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <code class="option">start-time</code> is specified, the current
 time minus 1 hour (to allow for clock skew) is used.
 </p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>
 Specify the date and time when the generated RRSIG records
 expire. As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">end-time</code> is
 specified, 30 days from the start time is used as a default.
 <code class="option">end-time</code> must be later than
 <code class="option">start-time</code>.
 </p></dd>
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
<dd>
<p>
 Specify the date and time when the generated RRSIG records
 for the DNSKEY RRset will expire. This is to be used in cases
 when the DNSKEY signatures need to persist longer than
 signatures on other records; e.g., when the private component
 of the KSK is kept offline and the KSK signature is to be
 refreshed manually.
 </p>
<p>
 As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">extended end-time</code> is
 specified, the value of <code class="option">end-time</code> is used as
 the default. (<code class="option">end-time</code>, in turn, defaults to
 30 days from the start time.) <code class="option">extended end-time</code>
 must be later than <code class="option">start-time</code>.
 </p>
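<p>As an added example that is not part of BIND or of this manual, the following Python resolves the <code class="option">start-time</code>, <code class="option">end-time</code> and <code class="option">extended end-time</code> notations and defaults described above. The function names and the injected <code class="literal">now</code> value are assumptions made so the results are reproducible.</p>

```python
"""Added example (not BIND code): resolve the -s, -e and -X time notations.

Assumed, not from the man page: the function names and the injected `now`
value used instead of the wall clock so that results are reproducible.
"""
import calendar
import re
from datetime import datetime, timezone

ABSOLUTE = re.compile(r"^\d{14}$")       # YYYYMMDDHHMMSS, UTC
REL_BASE = re.compile(r"^\+(\d+)$")       # +N seconds from the base time
REL_NOW = re.compile(r"^now\+(\d+)$")     # now+N seconds from the current time

THIRTY_DAYS = 30 * 86400   # default end-time: 30 days after the start time
CLOCK_SKEW = 3600          # default start-time: current time minus 1 hour


def parse_time(spec, base, now):
    """Return a UNIX timestamp for one time specification.

    `base` is what a bare +N is relative to: the current time for -s,
    the start time for -e and -X.  now+N is always relative to `now`.
    """
    if ABSOLUTE.match(spec):
        dt = datetime.strptime(spec, "%Y%m%d%H%M%S")
        return calendar.timegm(dt.timetuple())   # interpret as UTC
    m = REL_BASE.match(spec)
    if m:
        return base + int(m.group(1))
    m = REL_NOW.match(spec)
    if m:
        return now + int(m.group(1))
    raise ValueError("unrecognised time specification: %r" % spec)


def signing_window(start_time=None, end_time=None, extended_end_time=None, now=None):
    """Apply the defaults and ordering rules; returns (start, end, extended_end)."""
    if now is None:
        now = int(datetime.now(timezone.utc).timestamp())
    start = parse_time(start_time, now, now) if start_time else now - CLOCK_SKEW
    end = parse_time(end_time, start, now) if end_time else start + THIRTY_DAYS
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    # -X defaults to end-time, which in turn defaults to start + 30 days.
    xend = parse_time(extended_end_time, start, now) if extended_end_time else end
    if xend <= start:
        raise ValueError("extended end-time must be later than start-time")
    return start, end, xend


if __name__ == "__main__":
    # The man page's own example: 20000530144500 is 14:45:00 UTC, 30 May 2000.
    print(signing_window("20000530144500", "+86400", "now+100", now=1_000_000_000))
```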
</dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
 The name of the output file containing the signed zone. The
 default is to append <code class="filename">.signed</code> to
 the input filename. If <code class="option">output-file</code> is
 set to <code class="literal">"-"</code>, then the signed zone is
 written to the standard output, with a default output
 format of "full".
 </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-signzone</strong></span>.
 </p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
 When a previously-signed zone is passed as input, records
 may be resigned. The <code class="option">interval</code> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.
 </p>
<p>
 The default cycle interval is one quarter of the difference
 between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 is specified, <span><strong class="command">dnssec-signzone</strong></span>
 generates
 signatures that are valid for 30 days, with a cycle
 interval of 7.5 days. Therefore, if any existing RRSIG records
 are due to expire in less than 7.5 days, they would be
 replaced.
 </p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
 The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default),
 <span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"map"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be signed directly.
 The use of this option does not make much sense for
 non-dynamic zones.
 </p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd>
<p>
 When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously-signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <code class="option">jitter</code> option specifies a
 jitter window that will be used to randomize the signature
 expire time, thus spreading incremental signature
 regeneration over time.
 </p>
<p>
 Signature lifetime jitter also benefits validators and servers
 to some extent by spreading out cache expiration: if large
 numbers of RRSIGs don't expire at the same time from all caches,
 there is less congestion than if all validators need to refetch
 at roughly the same time.
 </p>
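<p>The re-signing decision made with <code class="option">interval</code> and the expiry randomization made with <code class="option">jitter</code>, as an added Python example that is not BIND's own code; the record layout, the function names and the constructed RRSIG list are assumptions.</p>

```python
"""Added example (not BIND code): the -i cycle-interval decision and the -j
expiry jitter, applied to a constructed list of existing RRSIG records.

Assumed, not from the man page: the RRSig record layout, the function names,
and a seeded random generator so that a run is reproducible.
"""
import random
from collections import namedtuple

# Constructed sample layout: owner name, RR type, inception and expiration
# as UNIX seconds (the real RRSIG carries more fields; they are not needed here).
RRSig = namedtuple("RRSig", "name rtype inception expiration")


def default_cycle_interval(start, end):
    """Default -i: one quarter of the signature validity period (7.5 days for 30)."""
    return (end - start) // 4


def needs_resign(sig, now, interval):
    """An RRSIG that expires after now + interval is retained; anything
    expiring at or before that point is 'expiring soon' and is replaced."""
    return sig.expiration <= now + interval


def jittered_expiration(end, jitter, rng):
    """-j: pull the expiry back by a random amount within the jitter window,
    so that signatures regenerated in one run do not all expire together."""
    if jitter <= 0:
        return end
    return end - rng.randint(0, jitter)


def resign_zone(sigs, start, end, now, interval=None, jitter=0, seed=0):
    """One incremental signing run: returns (retained, regenerated) RRSIG lists."""
    rng = random.Random(seed)
    if interval is None:
        interval = default_cycle_interval(start, end)
    retained, regenerated = [], []
    for sig in sigs:
        if needs_resign(sig, now, interval):
            regenerated.append(sig._replace(
                inception=start,
                expiration=jittered_expiration(end, jitter, rng)))
        else:
            retained.append(sig)
    return retained, regenerated


if __name__ == "__main__":
    now = 1_000_000                       # constructed "current time"
    start, end = now, now + 30 * 86400    # the default 30-day lifetime
    existing = [                          # constructed RRSIGs from a previous run
        RRSig("a.example.", "A", now - 86400, now + 700000),   # > 7.5 days left
        RRSig("b.example.", "A", now - 86400, now + 600000),   # < 7.5 days left
    ]
    kept, regen = resign_zone(existing, start, end, now, jitter=3600, seed=7)
    print("retained:", [s.name for s in kept])
    print("regenerated:", [(s.name, s.expiration) for s in regen])
```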
</dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd><p>
 When writing a signed zone to "raw" or "map" format, set the
 "source serial" value in the header to the specified serial
 number. (This is expected to be used primarily for testing
 purposes.)
 </p></dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>
 Specifies the number of threads to use. By default, one
 thread is started for each detected CPU.
 </p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd>
<p>
 The SOA serial number format of the signed zone.
 Possible formats are <span><strong class="command">"keep"</strong></span> (default),
 <span><strong class="command">"increment"</strong></span> and
 <span><strong class="command">"unixtime"</strong></span>.
 </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
 arithmetic.</p></dd>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
 since epoch.</p></dd>
</dl></div>
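<p>An added Python example, not BIND code, of the three serial formats together with the RFC 1982 comparison that decides whether secondaries treat the new serial as newer; the function names are assumed. It goes slightly beyond the text above by checking the case where a large existing serial makes a switch to <code class="literal">unixtime</code> look older to secondaries.</p>

```python
"""Added example (not BIND code): the -N soa-serial-format choices and the
RFC 1982 serial comparison that decides whether secondaries will transfer.

Assumed, not from the man page: the function names.  The arithmetic itself
is RFC 1982 serial number arithmetic with SERIAL_BITS = 32.
"""
SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS          # serials live in [0, 2^32)
HALF = 1 << (SERIAL_BITS - 1)   # the largest meaningful increment is 2^31 - 1


def serial_add(serial, n):
    """RFC 1982 addition: wraps modulo 2^32; n must be below 2^31."""
    if not 0 <= n < HALF:
        raise ValueError("increment out of RFC 1982 range")
    return (serial + n) % MOD


def serial_gt(a, b):
    """RFC 1982 'a is greater than b'.  Undefined (False here) when the
    two serials differ by exactly 2^31."""
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def apply_serial_format(current, fmt, now):
    """Compute the SOA serial the signed zone gets for one -N setting."""
    if fmt == "keep":
        return current
    if fmt == "increment":
        return serial_add(current, 1)
    if fmt == "unixtime":
        return now % MOD
    raise ValueError("unknown soa-serial-format: %r" % fmt)


def secondaries_will_transfer(old, new):
    """Secondaries only pull a zone whose serial is RFC 1982 greater than
    the one they hold; a serial that merely differs is not enough."""
    return serial_gt(new, old)


if __name__ == "__main__":
    # Constructed case: a date-style serial (YYYYMMDDnn) is numerically larger
    # than the current UNIX time, so "unixtime" would produce a serial that
    # secondaries consider older and would not transfer.
    old, now = 2024010101, 1700000000
    for fmt in ("keep", "increment", "unixtime"):
        new = apply_serial_format(old, fmt, now)
        print(fmt, new, "transfer" if secondaries_will_transfer(old, new) else "NO transfer")
```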
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User</dd>
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
c7ef13f6c9ef4436bc804b150e0a93307b11fa27Tinderbox User<dd><p>
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews The zone origin. If not specified, the name of the zone file
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User is assumed to be the origin.
dc435f1033bcba88b748074987db6cfd34c057a4Tinderbox User </p></dd>
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
dc435f1033bcba88b748074987db6cfd34c057a4Tinderbox User<dd><p>
 The format of the output file containing the signed zone.
 Possible formats are <span><strong class="command">"text"</strong></span> (default),
 which is the standard textual representation of the zone;
 <span><strong class="command">"full"</strong></span>, which is text output in a
 format suitable for processing by external scripts;
 and <span><strong class="command">"map"</strong></span>, <span><strong class="command">"raw"</strong></span>,
 and <span><strong class="command">"raw=N"</strong></span>, which store the zone in
 binary formats for rapid loading by <span><strong class="command">named</strong></span>.
 <span><strong class="command">"raw=N"</strong></span> specifies the format version of
 the raw zone file: if N is 0, the raw file can be read by
 any version of <span><strong class="command">named</strong></span>; if N is 1, the file
 can be read by release 9.9.0 or higher; the default is 1.
 </p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
 Use pseudo-random data when signing the zone. This is faster,
 but less secure, than using real random data. This option
 may be useful when signing large zones or when the entropy
 source is limited.
 </p></dd>
<dt><span class="term">-P</span></dt>
<dd>
<p>
 Disable post-sign verification tests.
 </p>
<p>
 The post-sign verification test ensures that for each algorithm
 in use there is at least one non-revoked self-signed KSK key,
 that all revoked KSK keys are self-signed, and that all records
 in the zone are signed by the algorithm.
 This option skips these tests.
 </p>
</dd>
<dt><span class="term">-R</span></dt>
<dd>
<p>
 Remove signatures from keys that no longer exist.
 </p>
<p>
 Normally, when a previously-signed zone is passed as input
 to the signer, and a DNSKEY record has been removed and
 replaced with a new one, signatures from the old key
 that are still within their validity period are retained.
 This allows the zone to continue to validate with cached
 copies of the old DNSKEY RRset. The <code class="option">-R</code> option forces
 <span><strong class="command">dnssec-signzone</strong></span> to remove all orphaned
 signatures.
 </p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code>
 specifies the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
 </p></dd>
<dt><span class="term">-S</span></dt>
<dd>
<p>
 Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
 search the key repository for keys that match the zone being
 signed, and to include them in the zone if appropriate.
 </p>
<p>
 When a key is found, its timing metadata is examined to
 determine how it should be used, according to the following
 rules. Each successive rule takes priority over the prior
 ones:
 </p>
<div class="variablelist"><dl>
<dt></dt>
<dd><p>
 If no timing metadata has been set for the key, the key is
 published in the zone and used to sign the zone.
 </p></dd>
<dt></dt>
<dd><p>
 If the key's publication date is set and is in the past, the
 key is published in the zone.
 </p></dd>
<dt></dt>
<dd><p>
 If the key's activation date is set and in the past, the
 key is published (regardless of publication date) and
 used to sign the zone.
 </p></dd>
<dt></dt>
<dd><p>
 If the key's revocation date is set and in the past, and the
 key is published, then the key is revoked, and the revoked key
 is used to sign the zone.
 </p></dd>
<dt></dt>
<dd><p>
 If either the key's unpublication date or its deletion date is set
 and in the past, the key is NOT published or used to sign the
 zone, regardless of any other metadata.
 </p></dd>
</dl></div>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
 Specifies a TTL to be used for new DNSKEY records imported
 into the zone from the key repository. If not
 specified, the default is the TTL value from the zone's SOA
 record. This option is ignored when signing without
 <code class="option">-S</code>, since DNSKEY records are not imported
 from the key repository in that case. It is also ignored if
 there are any pre-existing DNSKEY records at the zone apex,
 in which case new records' TTL values will be set to match
 them, or if any of the imported DNSKEY records had a default
 TTL value. In the event of a conflict between TTL values in
 imported keys, the shortest one is used.
 </p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>
 Print statistics at completion.
 </p></dd>
<dt><span class="term">-u</span></dt>
<dd><p>
 Update NSEC/NSEC3 chain when re-signing a previously signed
 zone. With this option, a zone signed with NSEC can be
 switched to NSEC3, or a zone signed with NSEC3 can
 be switched to NSEC or to NSEC3 with different parameters.
 Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
 retain the existing chain when re-signing.
 </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
 </p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>
 Only sign the DNSKEY RRset with key-signing keys, and omit
 signatures from zone-signing keys. (This is similar to the
 <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
 <span><strong class="command">named</strong></span>.)
 </p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
 Ignore KSK flag on key when determining what to sign. This
 causes KSK-flagged keys to sign all records, not just the
 DNSKEY RRset. (This is similar to the
 <span><strong class="command">update-check-ksk no;</strong></span> zone option in
 <span><strong class="command">named</strong></span>.)
 </p></dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd><p>
 Generate an NSEC3 chain with the given hex encoded salt.
 A dash (<code class="option">-</code>) can
 be used to indicate that no salt is to be used when generating the NSEC3 chain.
 </p></dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd><p>
 When generating an NSEC3 chain, use this many iterations. The
 default is 10.
 </p></dd>
<dt><span class="term">-A</span></dt>
<dd>
<p>
 When generating an NSEC3 chain set the OPTOUT flag on all
 NSEC3 records and do not generate NSEC3 records for insecure
 delegations.
 </p>
<p>
 Using this option twice (i.e., <code class="option">-AA</code>)
 turns the OPTOUT flag off for all records. This is useful
 when using the <code class="option">-u</code> option to modify an NSEC3
 chain which previously had OPTOUT set.
 </p>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
 The file containing the zone to be signed.
 </p></dd>
<dt><span class="term">key</span></dt>
<dd><p>
 Specify which keys should be used to sign the zone. If
 no keys are specified, then the zone will be examined
 for DNSKEY records at the zone apex. If these are found and
 there are matching private keys in the current directory,
 then these will be used for signing.
 </p></dd>
</dl></div>
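<p>The key-selection rules listed under <code class="option">-S</code> above, carried through as an added example that is not part of this manual or of BIND: a Python function that applies the five rules in order, each later rule overriding the earlier ones, to a key's timing metadata and reports whether the key is published, used to sign, or treated as revoked. The key file names, the dates and the field names <code>publish</code>, <code>activate</code>, <code>revoke</code>, <code>unpublish</code> and <code>delete</code> are constructed for the illustration.</p>

```python
"""Key selection rules of dnssec-signzone -S (smart signing), modelled as a function.
Added illustration, not BIND code: the five dates are the timing metadata the manual refers to."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Optional


@dataclass
class KeyTiming:
    name: str                              # key file base name (constructed in the samples below)
    publish: Optional[datetime] = None     # publication date
    activate: Optional[datetime] = None    # activation date
    revoke: Optional[datetime] = None      # revocation date
    unpublish: Optional[datetime] = None   # unpublication date
    delete: Optional[datetime] = None      # deletion date

    def dates(self):
        return (self.publish, self.activate, self.revoke, self.unpublish, self.delete)


def _past(ts: Optional[datetime], now: datetime) -> bool:
    """A date counts only when it is set and not in the future."""
    return ts is not None and ts <= now


def disposition(key: KeyTiming, now: datetime) -> FrozenSet[str]:
    """Return the subset of {"publish", "sign", "revoked"} that applies to `key` at `now`.
    Rules are applied in the manual's order; each later rule takes priority over earlier ones."""
    # Rule 1: no timing metadata at all -> published and used to sign.
    if all(d is None for d in key.dates()):
        return frozenset({"publish", "sign"})
    result = set()
    # Rule 2: publication date set and in the past -> published.
    if _past(key.publish, now):
        result.add("publish")
    # Rule 3: activation date set and in the past -> published (whatever the publication
    # date says) and used to sign.
    if _past(key.activate, now):
        result |= {"publish", "sign"}
    # Rule 4: revocation date set and in the past, and the key is published -> the key is
    # revoked, and the revoked key still signs.
    if _past(key.revoke, now) and "publish" in result:
        result |= {"revoked", "sign"}
    # Rule 5: unpublication or deletion date in the past -> neither published nor used,
    # regardless of any other metadata.
    if _past(key.unpublish, now) or _past(key.delete, now):
        return frozenset()
    return frozenset(result)


def select_keys(keys, now):
    """Partition a key repository the way -S would: DNSKEY RRset members, and signing keys."""
    publish = [k.name for k in keys if "publish" in disposition(k, now)]
    sign = [k.name for k in keys if "sign" in disposition(k, now)]
    return publish, sign


# Constructed sample repository: names and dates are made up for the illustration.
NOW = datetime(2013, 6, 1, 12, 0, 0)
DAY = timedelta(days=1)
SAMPLE_KEYS = [
    KeyTiming("Kexample.com.+008+11111"),                                         # rule 1
    KeyTiming("Kexample.com.+008+22222", publish=NOW - DAY, activate=NOW + DAY),  # rule 2 only
    KeyTiming("Kexample.com.+008+33333", publish=NOW - 2 * DAY, activate=NOW - DAY),
    KeyTiming("Kexample.com.+008+44444", publish=NOW + DAY, activate=NOW - DAY),  # rule 3 beats 2
    KeyTiming("Kexample.com.+008+55555", publish=NOW - 3 * DAY, activate=NOW - 2 * DAY,
              revoke=NOW - DAY),                                                  # rule 4
    KeyTiming("Kexample.com.+008+66666", publish=NOW - 3 * DAY, activate=NOW - 2 * DAY,
              delete=NOW - DAY),                                                  # rule 5
    KeyTiming("Kexample.com.+008+77777", revoke=NOW - DAY),       # revoked but never published
]


def demo():
    """Disposition of every sample key at NOW."""
    return {k.name: disposition(k, NOW) for k in SAMPLE_KEYS}


if __name__ == "__main__":
    for name, what in demo().items():
        print(name, sorted(what) or "(not used)")
```

<p>The ordering is what matters: a key whose activation date has passed is published even when its publication date is still in the future (rule 3 overrides rule 2), a revocation date only takes effect on a key that is actually published (rule 4), and a past unpublication or deletion date removes the key from both the DNSKEY RRset and the signing set whatever the other dates say (rule 5).</p>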
</div>
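<p>The three conditions that the post-sign verification tests check (the tests that <code class="option">-P</code> skips), as an added example that is not part of this manual or of BIND: a Python checker that reads the DNSKEY and RRSIG records of a signed zone in presentation format, computes key tags per RFC 4034 Appendix B so that RRSIGs over the DNSKEY RRset can be matched to the KSK that made them, and reports each algorithm without a non-revoked self-signed KSK, each revoked KSK that is not self-signed, and each RRset lacking an RRSIG for an algorithm in use. It does not verify signature bytes. The zone text, the key material and therefore the key tags are constructed for the illustration, and the sample has no delegations, so the exemptions the real tool makes for delegation NS records and glue are not modelled.</p>

```python
"""Structural checks modelled on the post-sign verification tests that dnssec-signzone -P skips.
Added illustration, not BIND code; signatures are matched by key tag, not cryptographically verified."""
import base64
import struct
from collections import defaultdict

KSK_FLAG = 0x0001     # SEP bit: marks a key-signing key (flags 257)
REVOKE_FLAG = 0x0080  # RFC 5011 REVOKE bit (a revoked KSK carries flags 385)


def key_tag(flags: int, protocol: int, algorithm: int, key_b64: str) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (for algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(text: str):
    """Minimal parser: one record per line as 'owner ttl class type rdata...', ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.append((owner, rtype, rdata))
    return records


def post_sign_checks(records, apex: str):
    """Return a list of problem strings; an empty list means all three conditions hold."""
    problems = []
    dnskeys = []  # (flags, algorithm, key tag) for every DNSKEY at the apex
    for owner, rtype, rdata in records:
        if rtype == "DNSKEY" and owner == apex:
            flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
            dnskeys.append((flags, alg, key_tag(flags, proto, alg, "".join(rdata[3:]))))
    # RRSIG RDATA: covered alg labels origttl expiration inception keytag signer signature
    sigs = defaultdict(set)  # (owner, covered type) -> {(algorithm, key tag)}
    for owner, rtype, rdata in records:
        if rtype == "RRSIG":
            sigs[(owner, rdata[0])].add((int(rdata[1]), int(rdata[6])))
    dnskey_sigs = sigs[(apex, "DNSKEY")]
    algorithms = {alg for _, alg, _ in dnskeys}
    for alg in sorted(algorithms):
        ksks = [(f, t) for f, a, t in dnskeys if a == alg and (f & KSK_FLAG)]
        # Condition 1: at least one non-revoked KSK has signed the DNSKEY RRset itself.
        if not any(not (f & REVOKE_FLAG) and (alg, t) in dnskey_sigs for f, t in ksks):
            problems.append(f"algorithm {alg}: no non-revoked self-signed KSK")
        # Condition 2: every revoked KSK is self-signed.
        for f, t in ksks:
            if (f & REVOKE_FLAG) and (alg, t) not in dnskey_sigs:
                problems.append(f"algorithm {alg}: revoked KSK {t} is not self-signed")
    # Condition 3: every RRset carries an RRSIG for every algorithm in use.
    rrsets = {(o, t) for o, t, _ in records if t != "RRSIG"}
    for owner, rtype in sorted(rrsets):
        for alg in sorted(algorithms):
            if not any(a == alg for a, _ in sigs[(owner, rtype)]):
                problems.append(f"{owner} {rtype}: no RRSIG with algorithm {alg}")
    return problems


def _fake_key(seed: bytes) -> str:
    """Constructed placeholder key material; not a real public key."""
    return base64.b64encode(seed * 8).decode()


KSK_KEY = _fake_key(b"ksk-sample-")
ZSK_KEY = _fake_key(b"zsk-sample-")
REV_KEY = _fake_key(b"old-ksk-sample-")
KSK_TAG = key_tag(257, 3, 8, KSK_KEY)
ZSK_TAG = key_tag(256, 3, 8, ZSK_KEY)
REV_TAG = key_tag(385, 3, 8, REV_KEY)

# Constructed signed zone (signature fields are placeholders, RRSIG key tags match the keys above).
SAMPLE_ZONE = f"""
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2013010101 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN DNSKEY 257 3 8 {KSK_KEY}
example.com. 3600 IN DNSKEY 256 3 8 {ZSK_KEY}
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20130201000000 20130101000000 {KSK_TAG} example.com. c2ln
example.com. 3600 IN RRSIG SOA 8 2 3600 20130201000000 20130101000000 {ZSK_TAG} example.com. c2ln
example.com. 3600 IN RRSIG NS 8 2 3600 20130201000000 20130101000000 {ZSK_TAG} example.com. c2ln
ns1.example.com. 3600 IN A 192.0.2.1
ns1.example.com. 3600 IN RRSIG A 8 3 3600 20130201000000 20130101000000 {ZSK_TAG} example.com. c2ln
"""


def check_sample():
    return post_sign_checks(parse_zone(SAMPLE_ZONE), "example.com.")


def check_without_dnskey_rrsig():
    """Same zone with the KSK's signature over the DNSKEY RRset dropped."""
    broken = "\n".join(l for l in SAMPLE_ZONE.splitlines() if "RRSIG DNSKEY" not in l)
    return post_sign_checks(parse_zone(broken), "example.com.")


def check_with_unsigned_revoked_ksk():
    """Same zone plus a revoked KSK that never signed the DNSKEY RRset."""
    extra = f"example.com. 3600 IN DNSKEY 385 3 8 {REV_KEY}\n"
    return post_sign_checks(parse_zone(SAMPLE_ZONE + extra), "example.com.")


if __name__ == "__main__":
    print("intact zone:", check_sample() or "ok")
    print("missing DNSKEY RRSIG:", check_without_dnskey_rrsig())
    print("unsigned revoked KSK:", check_with_unsigned_revoked_ksk())
```

<p>Running the check on the intact sample reports nothing; dropping the KSK's RRSIG over the DNSKEY RRset trips both the self-signed-KSK condition and the every-RRset-signed condition, and adding a revoked KSK with no self-signature trips the second condition only. A zone that fails any of these is one that <span><strong class="command">named</strong></span> would serve but validating resolvers could not verify, which is why the tests are on by default.</p>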
<div class="refsect1" lang="en">
<a name="id2670750"></a><h2>EXAMPLE</h2>
<p>
 The following command signs the <strong class="userinput"><code>example.com</code></strong>
 zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
 (Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option
 is not being used, the zone's keys must be in the master file
 (<code class="filename">db.example.com</code>). This invocation looks
 for <code class="filename">dsset</code> files in the current directory
 so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
 </p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</pre>
<p>
 In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
 the file <code class="filename">db.example.com.signed</code>. This
 file should be referenced in a zone statement in a
 <code class="filename">named.conf</code> file.
 </p>
<p>
 This example re-signs a previously signed zone with default parameters.
 The private keys are assumed to be in the current directory.
 </p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
<a name="id2670898"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
 <em class="citetitle">RFC 4033</em>.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2670922"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
 </p>
</div>
</div>
</body>
</html>