doc/arm/man.dnssec-signzone.html

	man.dnssec-signzone.html revision ea94d370123a5892f6c47a97f21d1b28d44bb168
280a8a0544b4aeb52414d20e8c6e6c5b1108562eTinderbox User<!--
6c2a76b3e2ccd32c35814b6e0f54da00190749d7Evan Hunt - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater - Copyright (C) 2000-2003 Internet Software Consortium.
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User -
19558a04decde0e7261d489d92d04ad88104217bTinderbox User - Permission to use, copy, modify, and/or distribute this software for any
2fee8782a6fd57d86a67949092ab9197111af390Evan Hunt - purpose with or without fee is hereby granted, provided that the above
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - copyright notice and this permission notice appear in all copies.
969eaf7df8ac651946f76b6631ff5db568c11ef6Tinderbox User -
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
f4ee48be3994797a8332b86c101db4d7b54799ceTinderbox User - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
8de3f14f1c300c3e1ed99084cc03485b42c92bf1Tinderbox User - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - PERFORMANCE OF THIS SOFTWARE.
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User-->
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<!-- $Id$ -->
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<html>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<head>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
b91d11bfcc30b96f2c80f3a76d12e3dcc8597a68Mark Andrews<title>dnssec-signzone</title>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews</head>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="navheader">
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<table width="100%" summary="Navigation header">
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<tr>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<td width="20%" align="left">
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews<th width="60%" align="center">Manual pages</th>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<td width="20%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt</td>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews</tr>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User</table>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<hr>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User</div>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<div class="refentry" lang="en">
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="refnamediv">
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User<h2>Name</h2>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt</div>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<div class="refsynopsisdiv">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<h2>Synopsis</h2>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</div>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<div class="refsect1" lang="en">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<a name="id2618964"></a><h2>DESCRIPTION</h2>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt<p><span><strong class="command">dnssec-signzone</strong></span>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews      signs a zone.  It generates
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews      NSEC and RRSIG records and produces a signed version of the
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt      zone. The security status of delegations from the signed zone
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews      (that is, whether the child zones are secure or not) is
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews      determined by the presence or absence of a
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews      <code class="filename">keyset</code> file for each child zone.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews    </p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews</div>
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater<div class="refsect1" lang="en">
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<a name="id2619666"></a><h2>OPTIONS</h2>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<div class="variablelist"><dl>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="term">-a</span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dd><p>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater            Verify all generated signatures.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews          </p></dd>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<dd><p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews            Specifies the DNS class of the zone.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews          </p></dd>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="term">-C</span></dt>
eabc9c3c07cd956d3c436bd7614cb162dabdda76Mark Andrews<dd><p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews            Compatibility mode: Generate a
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews            <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt            file in addition to
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews            <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User            when signing a zone, for use by older versions of
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            <span><strong class="command">dnssec-signzone</strong></span>.
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews          </p></dd>
b91d11bfcc30b96f2c80f3a76d12e3dcc8597a68Mark Andrews<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
b91d11bfcc30b96f2c80f3a76d12e3dcc8597a68Mark Andrews<dd><p>
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews            Look for <code class="filename">dsset-</code> or
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt            <code class="filename">keyset-</code> files in <code class="option">directory</code>.
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt          </p></dd>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt<dt><span class="term">-D</span></dt>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<dd><p>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt        Output only those record types automatically managed by
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt        <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
7cc0a5d21ef046bfd630c4769943d896a7d7472cTinderbox User        NSEC3 and NSEC3PARAM records. If smart signing
e76dfff967cfbe00f4d1540434832e4499a9cd83Tinderbox User        (<code class="option">-S</code>) is used, DNSKEY records are also
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews        included. The resulting file can be included in the original
549c517e2ecad52bb1d32f08920e29d4e8cda71eTinderbox User        zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
549c517e2ecad52bb1d32f08920e29d4e8cda71eTinderbox User        cannot be combined with <code class="option">-O raw</code> or serial
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews        number updating.
549c517e2ecad52bb1d32f08920e29d4e8cda71eTinderbox User          </p></dd>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
8f4e6ea383aa9a953c0adb5be6c4d8dc8dbd5c4aWitold Krecicki<dd><p>
3bd8b5a8fb126e45c67ff53b68183c889cc27918Tinderbox User            Uses a crypto hardware (OpenSSL engine) for the crypto operations
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            it supports, for instance signing with private keys from
b91d11bfcc30b96f2c80f3a76d12e3dcc8597a68Mark Andrews            a secure key store. When compiled with PKCS#11 support
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            it defaults to pkcs11; the empty name resets it to no engine.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews          </p></dd>
aef6cf0f147a5014d4891c9689b9f463399e16e7Tinderbox User<dt><span class="term">-g</span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dd><p>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User            Generate DS records for child zones from
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson            <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User            file.  Existing DS records will be removed.
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews          </p></dd>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dd><p>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User            Key repository: Specify a directory to search for DNSSEC keys.
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews            If not specified, defaults to the current directory.
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews          </p></dd>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dd><p>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User            Treat specified key as a key signing key ignoring any
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson            key flags.  This option may be specified multiple times.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User          </p></dd>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<dd><p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User            The domain is appended to the name of the records.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson          </p></dd>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<dd><p>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt            Specify the date and time when the generated RRSIG records
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews            become valid.  This can be either an absolute or relative
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews            time.  An absolute start time is indicated by a number
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews            14:45:00 UTC on May 30th, 2000.  A relative start time is
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            indicated by +N, which is N seconds from the current time.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            If no <code class="option">start-time</code> is specified, the current
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews            time minus 1 hour (to allow for clock skew) is used.
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews          </p></dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dd><p>
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews            Specify the date and time when the generated RRSIG records
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont            expire.  As with <code class="option">start-time</code>, an absolute
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            to the start time is indicated with +N, which is N seconds from
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont            the start time.  A time relative to the current time is
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            indicated with now+N.  If no <code class="option">end-time</code> is
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            specified, 30 days from the start time is used as a default.
8f4e6ea383aa9a953c0adb5be6c4d8dc8dbd5c4aWitold Krecicki            <code class="option">end-time</code> must be later than
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            <code class="option">start-time</code>.
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews          </p></dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dd>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<p>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews            Specify the date and time when the generated RRSIG records
7f9e2fff07b9c17e0d7a0ea7abc9304ce9d01b61Tinderbox User            for the DNSKEY RRset will expire.  This is to be used in cases
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            when the DNSKEY signatures need to persist longer than
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews            signatures on other records; e.g., when the private component
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            of the KSK is kept offline and the KSK signature is to be
549c517e2ecad52bb1d32f08920e29d4e8cda71eTinderbox User            refreshed manually.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews          </p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<p>
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews            As with <code class="option">start-time</code>, an absolute
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            to the start time is indicated with +N, which is N seconds from
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews            the start time.  A time relative to the current time is
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User            indicated with now+N.  If no <code class="option">extended end-time</code> is
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            specified, the value of <code class="option">end-time</code> is used as
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User            the default.  (<code class="option">end-time</code>, in turn, defaults to
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater            30 days from the start time.) <code class="option">extended end-time</code>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews            must be later than <code class="option">start-time</code>.
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt          </p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews</dd>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater<dd><p>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User            The name of the output file containing the signed zone.  The
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews            default is to append <code class="filename">.signed</code> to
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt            the input filename.  If <code class="option">output-file</code> is
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews            set to <code class="literal">"-"</code>, then the signed zone is
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User            written to the standard output, with a default output
fa0326cc2cf428f67575b6ba3b97b528a31b0010Tinderbox User            format of "full".
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User          </p></dd>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<dt><span class="term">-h</span></dt>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<dd><p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews            Prints a short summary of the options and arguments to
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User            <span><strong class="command">dnssec-signzone</strong></span>.
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater          </p></dd>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<dd>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews            When a previously-signed zone is passed as input, records
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User            may be resigned.  The <code class="option">interval</code> option
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson            specifies the cycle interval as an offset from the current
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User            time (in seconds).  If a RRSIG record expires after the
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews            cycle interval, it is retained.  Otherwise, it is considered
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt            to be expiring soon, and it will be replaced.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews          </p>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<p>
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater            The default cycle interval is one quarter of the difference
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User            between the signature end and start times.  So if neither
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews            <code class="option">end-time</code> or <code class="option">start-time</code>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt            are specified, <span><strong class="command">dnssec-signzone</strong></span>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews            generates
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User            signatures that are valid for 30 days, with a cycle
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater            interval of 7.5 days.  Therefore, if any existing RRSIG records
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User            are due to expire in less than 7.5 days, they would be
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews            replaced.
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt          </p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews</dd>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<dd><p>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User            The format of the input zone file.
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews        Possible formats are <span><strong class="command">"text"</strong></span> (default)
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt        and <span><strong class="command">"raw"</strong></span>.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews        This option is primarily intended to be used for dynamic
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User            signed zones so that the dumped zone file in a non-text
5f7586ddbd3edd11272cdd30ed613d936129328bTinderbox User            format containing updates can be signed directly.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User        The use of this option does not make much sense for
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews        non-dynamic zones.
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt          </p></dd>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User<dd>
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User<p>
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User            When signing a zone with a fixed signature lifetime, all
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User            RRSIG records issued at the time of signing expires
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            simultaneously.  If the zone is incrementally signed, i.e.
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User            a previously-signed zone is passed as input to the signer,
34d1f3b65324f8fcf358fa2f47891441d4b1d2f0Tinderbox User            all expired signatures have to be regenerated at about the
1fce11b1d3f2d461d261156b8cdc64ab864f06a9Tinderbox User            same time.  The <code class="option">jitter</code> option specifies a
fab54780409846f7c71f6026d665f18c77c649efTinderbox User            jitter window that will be used to randomize the signature
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            expire time, thus spreading incremental signature
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User            regeneration over time.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews          </p>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            Signature lifetime jitter also to some extent benefits
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            validators and servers by spreading out cache expiration,
689fb19ba11ed40363cbc031d0396befdb409b89Tinderbox User            i.e. if large numbers of RRSIGs don't expire at the same time
6c2a76b3e2ccd32c35814b6e0f54da00190749d7Evan Hunt            from all caches there will be less congestion than if all
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews            validators need to refetch at mostly the same time.
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User          </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</dd>
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dd><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            When writing a signed zone to 'raw' format, set the "source serial"
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            value in the header to the specified serial number.  (This is
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            expected to be used primarily for testing purposes.)
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews          </p></dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dd><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            Specifies the number of threads to use.  By default, one
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User            thread is started for each detected CPU.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews          </p></dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
cdf1c3d486ec082ef6c92297d22d54a67cca0c90Tinderbox User            The SOA serial number format of the signed zone.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews        Possible formats are <span><strong class="command">"keep"</strong></span> (default),
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            <span><strong class="command">"increment"</strong></span> and
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews        <span><strong class="command">"unixtime"</strong></span>.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews          </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<div class="variablelist"><dl>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dd><p>Do not modify the SOA serial number.</p></dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dd><p>Increment the SOA serial number using RFC 1982
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews                      arithmetics.</p></dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dd><p>Set the SOA serial number to the number of seconds
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            since epoch.</p></dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</dl></div>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dd><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            The zone origin.  If not specified, the name of the zone file
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            is assumed to be the origin.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          </p></dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dd><p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            The format of the output file containing the signed zone.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews        Possible formats are <span><strong class="command">"text"</strong></span> (default)
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User        <span><strong class="command">"full"</strong></span>, which is text output in a
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            format suitable for processing by external scripts,
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            and <span><strong class="command">"raw"</strong></span> or <span><strong class="command">"raw=N"</strong></span>,
7d638dd31ecb633aaefca994b60b70c58b5def03Tinderbox User            which store the zone in a binary format for rapid loading
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            by <span><strong class="command">named</strong></span>.  <span><strong class="command">"raw=N"</strong></span>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            specifies the format version of the raw zone file: if N
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            is 0, the raw file can be read by any version of
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            <span><strong class="command">named</strong></span>; if N is 1, the file can be
76408aae412cda298c5e43da0eebb23c875a4426Tinderbox User            read by release 9.9.0 or higher.  The default is 1.
7f9e2fff07b9c17e0d7a0ea7abc9304ce9d01b61Tinderbox User          </p></dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term">-p</span></dt>
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User<dd><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            Use pseudo-random data when signing the zone.  This is faster,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            but less secure, than using real random data.  This option
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            may be useful when signing large zones or when the entropy
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            source is limited.
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User          </p></dd>
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User<dt><span class="term">-P</span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews        Disable post sign verification tests.
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User          </p>
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User<p>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson        The post sign verification test ensures that for each algorithm
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User        in use there is at least one non revoked self signed KSK key,
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User        that all revoked KSK keys are self signed, and that all records
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User        in the zone are signed by the algorithm.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews        This option skips these tests.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews          </p>
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User</dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term">-R</span></dt>
6c2a76b3e2ccd32c35814b6e0f54da00190749d7Evan Hunt<dd>
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews        Remove signatures from keys that no longer exist.
3857cb6fcabeb79d85de4b3e3e4ab99912b701f8Mark Andrews          </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            Normally, when a previously-signed zone is passed as input
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            to the signer, and a DNSKEY record has been removed and
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User            replaced with a new one, signatures from the old key
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson            that are still within their validity period are retained.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User        This allows the zone to continue to validate with cached
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews        copies of the old DNSKEY RRset.  The <code class="option">-R</code> forces
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt            <span><strong class="command">dnssec-signzone</strong></span> to remove all orphaned
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews            signatures.
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User          </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</dd>
8292deab031e7599cd7622aa7675fbe139ca6095Mark Andrews<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
c1e2310a3725eeed45e5e7c86750c64c5a02e993Francis Dupont<dd><p>
c1e2310a3725eeed45e5e7c86750c64c5a02e993Francis Dupont            Specifies the source of randomness.  If the operating
4b61b671f5de767ec1d1b8e6cf7b849bddf08e98Tinderbox User            system does not provide a <code class="filename">/dev/random</code>
4b61b671f5de767ec1d1b8e6cf7b849bddf08e98Tinderbox User            or equivalent device, the default source of randomness
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews            is keyboard input.  <code class="filename">randomdev</code>
3759f10fc543747668b1ca4b4671f35b0dea8445Francis Dupont            specifies
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            the name of a character device or file containing random
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews            data to be used instead of the default.  The special value
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews            <code class="filename">keyboard</code> indicates that keyboard
3759f10fc543747668b1ca4b4671f35b0dea8445Francis Dupont            input should be used.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews          </p></dd>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<dt><span class="term">-S</span></dt>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<dd>
f1a2709aad7baa4161fdb6f63edf99b0150af252Evan Hunt<p>
f1a2709aad7baa4161fdb6f63edf99b0150af252Evan Hunt            Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews            search the key repository for keys that match the zone being
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews            signed, and to include them in the zone if appropriate.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews          </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews            When a key is found, its timing metadata is examined to
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews            determine how it should be used, according to the following
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater            rules.  Each successive rule takes priority over the prior
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews            ones:
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews          </p>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<div class="variablelist"><dl>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt></dt>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<dd><p>
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater                  If no timing metadata has been set for the key, the key is
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews                  published in the zone and used to sign the zone.
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews                </p></dd>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<dt></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dd><p>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews                  If the key's publication date is set and is in the past, the
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater                  key is published in the zone.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews                </p></dd>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<dt></dt>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<dd><p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews                  If the key's activation date is set and in the past, the
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews                  key is published (regardless of publication date) and
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews                  used to sign the zone.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews                </p></dd>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<dt></dt>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<dd><p>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews                  If the key's revocation date is set and in the past, and the
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews                  key is published, then the key is revoked, and the revoked key
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews                  is used to sign the zone.
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews                </p></dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt></dt>
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews<dd><p>
168cf0ede1cf13a095e48af6749d88fbc432f096Evan Hunt                  If either of the key's unpublication or deletion dates are set
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews                  and in the past, the key is NOT published or used to sign the
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews                  zone, regardless of any other metadata.
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews                </p></dd>
168cf0ede1cf13a095e48af6749d88fbc432f096Evan Hunt</dl></div>
3bd8b5a8fb126e45c67ff53b68183c889cc27918Tinderbox User</dd>
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
3bd8b5a8fb126e45c67ff53b68183c889cc27918Tinderbox User<dd><p>
168cf0ede1cf13a095e48af6749d88fbc432f096Evan Hunt            Specifies a TTL to be used for new DNSKEY records imported
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews            into the zone from the key repository.  If not
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews            specified, the default is the TTL value from the zone's SOA
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews            record.  This option is ignored when signing without
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews            <code class="option">-S</code>, since DNSKEY records are not imported
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews            from the key repository in that case.  It is also ignored if
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews            there are any pre-existing DNSKEY records at the zone apex,
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews            in which case new records' TTL values will be set to match
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews            them, or if any of the imported DNSKEY records had a default
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews            TTL value.  In the event of a a conflict between TTL values in
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews            imported keys, the shortest one is used.
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews          </p></dd>
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews<dt><span class="term">-t</span></dt>
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews<dd><p>
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews            Print statistics at completion.
bcfc5188be220e1334218dfe638dffce4744e792Tinderbox User          </p></dd>
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews<dt><span class="term">-u</span></dt>
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews<dd><p>
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews            Update NSEC/NSEC3 chain when re-signing a previously signed
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews            zone.  With this option, a zone signed with NSEC can be
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews            switched to NSEC3, or a zone signed with NSEC3 can
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews            be switch to NSEC or to NSEC3 with different parameters.
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews            Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews            retain the existing chain when re-signing.
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews          </p></dd>
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
3bd8b5a8fb126e45c67ff53b68183c889cc27918Tinderbox User<dd><p>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User            Sets the debugging level.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews          </p></dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term">-x</span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dd><p>
fab54780409846f7c71f6026d665f18c77c649efTinderbox User            Only sign the DNSKEY RRset with key-signing keys, and omit
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            signatures from zone-signing keys.  (This is similar to the
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews            <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            <span><strong class="command">named</strong></span>.)
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          </p></dd>
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews<dt><span class="term">-z</span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dd><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            Ignore KSK flag on key when determining what to sign.  This
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews            causes KSK-flagged keys to sign all records, not just the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews            DNSKEY RRset.  (This is similar to the
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson            <span><strong class="command">update-check-ksk no;</strong></span> zone option in
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews            <span><strong class="command">named</strong></span>.)
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews          </p></dd>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dd><p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews            Generate an NSEC3 chain with the given hex encoded salt.
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews        A dash (<em class="replaceable"><code>salt</code></em>) can
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews        be used to indicate that no salt is to be used when generating          the NSEC3 chain.
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt          </p></dd>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
3a988722ad9e209ba4064604d482dc4efe0e19ebTinderbox User<dd><p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        When generating an NSEC3 chain, use this many interations.  The
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        default is 10.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews          </p></dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term">-A</span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews        When generating an NSEC3 chain set the OPTOUT flag on all
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews        NSEC3 records and do not generate NSEC3 records for insecure
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews        delegations.
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews          </p>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews        Using this option twice (i.e., <code class="option">-AA</code>)
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews        turns the OPTOUT flag off for all records.  This is useful
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews        when using the <code class="option">-u</code> option to modify an NSEC3
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews        chain which previously had OPTOUT set.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews          </p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews</dd>
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews<dt><span class="term">zonefile</span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dd><p>
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews            The file containing the zone to be signed.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews          </p></dd>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term">key</span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dd><p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews        Specify which keys should be used to sign the zone.  If
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        no keys are specified, then the zone will be examined
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        for DNSKEY records at the zone apex.  If these are found and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        there are matching private keys, in the current directory,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington        then these will be used for signing.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington          </p></dd>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</dl></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="refsect1" lang="en">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="id2672637"></a><h2>EXAMPLE</h2>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      The following command signs the <strong class="userinput"><code>example.com</code></strong>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      (Kexample.com.+003+17247).  Because the <span><strong class="command">-S</strong></span> option
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      is not being used, the zone's keys must be in the master file
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      (<code class="filename">db.example.com</code>).  This invocation looks
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      for <code class="filename">dsset</code> files, in the current directory,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington    </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian WellingtonKexample.com.+003+17247
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtondb.example.com.signed
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington%</pre>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      the file <code class="filename">db.example.com.signed</code>.  This
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      file should be referenced in a zone statement in a
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      <code class="filename">named.conf</code> file.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington    </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      This example re-signs a previously signed zone with default parameters.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      The private keys are assumed to be in the current directory.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington    </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<pre class="programlisting">% cp db.example.com.signed db.example.com
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington% dnssec-signzone -o example.com db.example.com
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtondb.example.com.signed
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington%</pre>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="refsect1" lang="en">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="id2672716"></a><h2>SEE ALSO</h2>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington      <em class="citetitle">RFC 4033</em>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington    </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="refsect1" lang="en">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="id2672741"></a><h2>AUTHOR</h2>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p><span class="corpauthor">Internet Systems Consortium</span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington    </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</div>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<div class="navfooter">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<hr>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<table width="100%" summary="Navigation footer">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<tr>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<td width="40%" align="left">
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<td width="40%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater</td>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater</tr>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater<tr>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater<td width="40%" align="left" valign="top">
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater<span class="application">dnssec-settime</span>�</td>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<td width="40%" align="right" valign="top">�<span class="application">named-checkconf</span>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater</td>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater</tr>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater</table>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater</div>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater</body>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater</html>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater