man.dnssec-signzone.html revision ef8014e56f35bb36daa5fd2c313f5e7963e97aa1
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User<!--
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - Copyright (C) 2000-2003 Internet Software Consortium.
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User -
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - Permission to use, copy, modify, and/or distribute this software for any
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - purpose with or without fee is hereby granted, provided that the above
8c225507766814e78e168b17a24b8a47ca7f8c37Tinderbox User - copyright notice and this permission notice appear in all copies.
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User -
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User - PERFORMANCE OF THIS SOFTWARE.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User-->
f9ce6280cec79deb16ff6d9807aa493ff23e10d9Tinderbox User<!-- $Id$ -->
0b89eee6167201843c9a46b7e7c63cb1e4e09ba3Tinderbox User<html>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<head>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<title>dnssec-signzone</title>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User</head>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<div class="navheader">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<table width="100%" summary="Navigation header">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<tr>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<td width="20%" align="left">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<th width="60%" align="center">Manual pages</th>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-verify.html">Next</a>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</td>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</tr>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</table>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<hr>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User</div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<div class="refentry" lang="en">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<div class="refnamediv">
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User<h2>Name</h2>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User</div>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User<div class="refsynopsisdiv">
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User<h2>Synopsis</h2>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-Q</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User</div>
363b21045b718d06d414784c96193dc9a233e8c5Tinderbox User<div class="refsect1" lang="en">
363b21045b718d06d414784c96193dc9a233e8c5Tinderbox User<a name="id2644668"></a><h2>DESCRIPTION</h2>
363b21045b718d06d414784c96193dc9a233e8c5Tinderbox User<p><span><strong class="command">dnssec-signzone</strong></span>
363b21045b718d06d414784c96193dc9a233e8c5Tinderbox User signs a zone. It generates
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User NSEC and RRSIG records and produces a signed version of the
363b21045b718d06d414784c96193dc9a233e8c5Tinderbox User zone. The security status of delegations from the signed zone
363b21045b718d06d414784c96193dc9a233e8c5Tinderbox User (that is, whether the child zones are secure or not) is
363b21045b718d06d414784c96193dc9a233e8c5Tinderbox User determined by the presence or absence of a
363b21045b718d06d414784c96193dc9a233e8c5Tinderbox User <code class="filename">keyset</code> file for each child zone.
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User </p>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User</div>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User<div class="refsect1" lang="en">
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User<a name="id2644688"></a><h2>OPTIONS</h2>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User<div class="variablelist"><dl>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User<dt><span class="term">-a</span></dt>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User<dd><p>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User Verify all generated signatures.
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User </p></dd>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User<dd><p>
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User Specifies the DNS class of the zone.
33c9436ef1a43d3c0fc3d9be9b4b0509daa83223Tinderbox User </p></dd>
a1ff871f78b7d907d6fc3a382beea2a640fe8423Tinderbox User<dt><span class="term">-C</span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd><p>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User Compatibility mode: Generate a
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
0da02c26a6631c25f075a8e4ac6de9e58f49a0c2Tinderbox User file in addition to
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User when signing a zone, for use by older versions of
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User <span><strong class="command">dnssec-signzone</strong></span>.
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User </p></dd>
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User<dd><p>
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User Look for <code class="filename">dsset-</code> or
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User <code class="filename">keyset-</code> files in <code class="option">directory</code>.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p></dd>
3ca1a32241189d1e02e59f6b56399eb9b40f2aafTinderbox User<dt><span class="term">-D</span></dt>
3ca1a32241189d1e02e59f6b56399eb9b40f2aafTinderbox User<dd><p>
3ca1a32241189d1e02e59f6b56399eb9b40f2aafTinderbox User Output only those record types automatically managed by
3ca1a32241189d1e02e59f6b56399eb9b40f2aafTinderbox User <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
3ca1a32241189d1e02e59f6b56399eb9b40f2aafTinderbox User NSEC3 and NSEC3PARAM records. If smart signing
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User (<code class="option">-S</code>) is used, DNSKEY records are also
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User included. The resulting file can be included in the original
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User cannot be combined with <code class="option">-O raw</code>,
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User <code class="option">-O map</code>, or serial number updating.
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User </p></dd>
8a48b6b9b6fa8486f24b22d1972b2b6ebb36a4a4Tinderbox User<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User When applicable, specifies the hardware to use for
a1ff871f78b7d907d6fc3a382beea2a640fe8423Tinderbox User cryptographic operations, such as a secure key store used
3ca1a32241189d1e02e59f6b56399eb9b40f2aafTinderbox User for signing.
363b21045b718d06d414784c96193dc9a233e8c5Tinderbox User </p>
3ca1a32241189d1e02e59f6b56399eb9b40f2aafTinderbox User<p>
3ca1a32241189d1e02e59f6b56399eb9b40f2aafTinderbox User When BIND is built with OpenSSL PKCS#11 support, this defaults
363b21045b718d06d414784c96193dc9a233e8c5Tinderbox User to the string "pkcs11", which identifies an OpenSSL engine
363b21045b718d06d414784c96193dc9a233e8c5Tinderbox User that can drive a cryptographic accelerator or hardware service
363b21045b718d06d414784c96193dc9a233e8c5Tinderbox User module. When BIND is built with native PKCS#11 cryptography
363b21045b718d06d414784c96193dc9a233e8c5Tinderbox User (--enable-native-pkcs11), it defaults to the path of the PKCS#11
363b21045b718d06d414784c96193dc9a233e8c5Tinderbox User provider library specified via "--with-pkcs11".
363b21045b718d06d414784c96193dc9a233e8c5Tinderbox User </p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</dd>
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User<dt><span class="term">-g</span></dt>
550d3276d0490c4918f089ccb1528a3eb0951b0aTinderbox User<dd><p>
550d3276d0490c4918f089ccb1528a3eb0951b0aTinderbox User Generate DS records for child zones from
550d3276d0490c4918f089ccb1528a3eb0951b0aTinderbox User <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
550d3276d0490c4918f089ccb1528a3eb0951b0aTinderbox User file. Existing DS records will be removed.
550d3276d0490c4918f089ccb1528a3eb0951b0aTinderbox User </p></dd>
550d3276d0490c4918f089ccb1528a3eb0951b0aTinderbox User<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
550d3276d0490c4918f089ccb1528a3eb0951b0aTinderbox User<dd><p>
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User Key repository: Specify a directory to search for DNSSEC keys.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User If not specified, defaults to the current directory.
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User </p></dd>
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User<dd><p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User Treat specified key as a key signing key ignoring any
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User key flags. This option may be specified multiple times.
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User </p></dd>
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User<dd><p>
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User Generate a DLV set in addition to the key (DNSKEY) and DS sets.
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User The domain is appended to the name of the records.
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User </p></dd>
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User<dd><p>
51da15c88648a9e47d0cddff4b2b782665e99401Tinderbox User Sets the maximum TTL for the signed zone.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User in the output. This provides certainty as to the largest
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt possible TTL in the signed zone, which is useful to know when
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User rolling keys because it is the longest possible time before
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User signatures that have been retrieved by resolvers will expire
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User from resolver caches. Zones that are signed with this
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User option should be configured to use a matching
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User (Note: This option is incompatible with <code class="option">-D</code>,
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User because it modifies non-DNSSEC data in the output zone.)
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User </p></dd>
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User<dd><p>
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User Specify the date and time when the generated RRSIG records
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User become valid. This can be either an absolute or relative
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User time. An absolute start time is indicated by a number
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User in YYYYMMDDHHMMSS notation; 20000530144500 denotes
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User 14:45:00 UTC on May 30th, 2000. A relative start time is
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User indicated by +N, which is N seconds from the current time.
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User If no <code class="option">start-time</code> is specified, the current
d253648fe3331622cebea02d60aaecca3082d78dTinderbox User time minus 1 hour (to allow for clock skew) is used.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </p></dd>
dfae459e8c4f794f8a239e74aa9d5e11cce6ea5bTinderbox User<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
dfae459e8c4f794f8a239e74aa9d5e11cce6ea5bTinderbox User<dd><p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User Specify the date and time when the generated RRSIG records
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User expire. As with <code class="option">start-time</code>, an absolute
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User time is indicated in YYYYMMDDHHMMSS notation. A time relative
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User to the start time is indicated with +N, which is N seconds from
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User the start time. A time relative to the current time is
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User indicated with now+N. If no <code class="option">end-time</code> is
3ca1a32241189d1e02e59f6b56399eb9b40f2aafTinderbox User specified, 30 days from the start time is used as a default.
3ca1a32241189d1e02e59f6b56399eb9b40f2aafTinderbox User <code class="option">end-time</code> must be later than
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User <code class="option">start-time</code>.
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User </p></dd>
dfae459e8c4f794f8a239e74aa9d5e11cce6ea5bTinderbox User<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
dfae459e8c4f794f8a239e74aa9d5e11cce6ea5bTinderbox User<dd>
dfae459e8c4f794f8a239e74aa9d5e11cce6ea5bTinderbox User<p>
3ca1a32241189d1e02e59f6b56399eb9b40f2aafTinderbox User Specify the date and time when the generated RRSIG records
3ca1a32241189d1e02e59f6b56399eb9b40f2aafTinderbox User for the DNSKEY RRset will expire. This is to be used in cases
3ca1a32241189d1e02e59f6b56399eb9b40f2aafTinderbox User when the DNSKEY signatures need to persist longer than
3ca1a32241189d1e02e59f6b56399eb9b40f2aafTinderbox User signatures on other records; e.g., when the private component
dfae459e8c4f794f8a239e74aa9d5e11cce6ea5bTinderbox User of the KSK is kept offline and the KSK signature is to be
dfae459e8c4f794f8a239e74aa9d5e11cce6ea5bTinderbox User refreshed manually.
dfae459e8c4f794f8a239e74aa9d5e11cce6ea5bTinderbox User </p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User<p>
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User As with <code class="option">start-time</code>, an absolute
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User time is indicated in YYYYMMDDHHMMSS notation. A time relative
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User to the start time is indicated with +N, which is N seconds from
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the start time. A time relative to the current time is
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User indicated with now+N. If no <code class="option">extended end-time</code> is
f14ce68ee54a5a4587fbde4ffacb117946df2d73Tinderbox User specified, the value of <code class="option">end-time</code> is used as
f14ce68ee54a5a4587fbde4ffacb117946df2d73Tinderbox User the default. (<code class="option">end-time</code>, in turn, defaults to
f14ce68ee54a5a4587fbde4ffacb117946df2d73Tinderbox User 30 days from the start time.) <code class="option">extended end-time</code>
f14ce68ee54a5a4587fbde4ffacb117946df2d73Tinderbox User must be later than <code class="option">start-time</code>.
f14ce68ee54a5a4587fbde4ffacb117946df2d73Tinderbox User </p>
f14ce68ee54a5a4587fbde4ffacb117946df2d73Tinderbox User</dd>
f14ce68ee54a5a4587fbde4ffacb117946df2d73Tinderbox User<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
f14ce68ee54a5a4587fbde4ffacb117946df2d73Tinderbox User<dd><p>
f14ce68ee54a5a4587fbde4ffacb117946df2d73Tinderbox User The name of the output file containing the signed zone. The
f14ce68ee54a5a4587fbde4ffacb117946df2d73Tinderbox User default is to append <code class="filename">.signed</code> to
f14ce68ee54a5a4587fbde4ffacb117946df2d73Tinderbox User the input filename. If <code class="option">output-file</code> is
0d6a6642b2be93cffa651c54a9b8810dd2d31392Tinderbox User set to <code class="literal">"-"</code>, then the signed zone is
0d6a6642b2be93cffa651c54a9b8810dd2d31392Tinderbox User written to the standard output, with a default output
0d6a6642b2be93cffa651c54a9b8810dd2d31392Tinderbox User format of "full".
0d6a6642b2be93cffa651c54a9b8810dd2d31392Tinderbox User </p></dd>
0d6a6642b2be93cffa651c54a9b8810dd2d31392Tinderbox User<dt><span class="term">-h</span></dt>
0d6a6642b2be93cffa651c54a9b8810dd2d31392Tinderbox User<dd><p>
0d6a6642b2be93cffa651c54a9b8810dd2d31392Tinderbox User Prints a short summary of the options and arguments to
0d6a6642b2be93cffa651c54a9b8810dd2d31392Tinderbox User <span><strong class="command">dnssec-signzone</strong></span>.
0d6a6642b2be93cffa651c54a9b8810dd2d31392Tinderbox User </p></dd>
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User<dt><span class="term">-V</span></dt>
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User<dd><p>
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User Prints version information.
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User </p></dd>
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User<dd>
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User<p>
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User When a previously-signed zone is passed as input, records
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User may be resigned. The <code class="option">interval</code> option
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User specifies the cycle interval as an offset from the current
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User time (in seconds). If a RRSIG record expires after the
164ade1482251e1da962b42e5bf0d3aa02a11e03Tinderbox User cycle interval, it is retained. Otherwise, it is considered
164ade1482251e1da962b42e5bf0d3aa02a11e03Tinderbox User to be expiring soon, and it will be replaced.
164ade1482251e1da962b42e5bf0d3aa02a11e03Tinderbox User </p>
164ade1482251e1da962b42e5bf0d3aa02a11e03Tinderbox User<p>
164ade1482251e1da962b42e5bf0d3aa02a11e03Tinderbox User The default cycle interval is one quarter of the difference
164ade1482251e1da962b42e5bf0d3aa02a11e03Tinderbox User between the signature end and start times. So if neither
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <code class="option">end-time</code> or <code class="option">start-time</code>
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User are specified, <span><strong class="command">dnssec-signzone</strong></span>
c48fdfda7a8ae8973aadfeb88cbeaab013024a6cTinderbox User generates
c48fdfda7a8ae8973aadfeb88cbeaab013024a6cTinderbox User signatures that are valid for 30 days, with a cycle
c48fdfda7a8ae8973aadfeb88cbeaab013024a6cTinderbox User interval of 7.5 days. Therefore, if any existing RRSIG records
c48fdfda7a8ae8973aadfeb88cbeaab013024a6cTinderbox User are due to expire in less than 7.5 days, they would be
c48fdfda7a8ae8973aadfeb88cbeaab013024a6cTinderbox User replaced.
c48fdfda7a8ae8973aadfeb88cbeaab013024a6cTinderbox User </p>
abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9dTinderbox User</dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd><p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User The format of the input zone file.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Possible formats are <span><strong class="command">"text"</strong></span> (default),
164ade1482251e1da962b42e5bf0d3aa02a11e03Tinderbox User <span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"map"</strong></span>.
9efd8fc7e811d3c0c160adeb5552c2df7e49df67Tinderbox User This option is primarily intended to be used for dynamic
a0fb6a0980359165a4459723f52d5d7b5725f9c6Tinderbox User signed zones so that the dumped zone file in a non-text
a0fb6a0980359165a4459723f52d5d7b5725f9c6Tinderbox User format containing updates can be signed directly.
a0fb6a0980359165a4459723f52d5d7b5725f9c6Tinderbox User The use of this option does not make much sense for
a0fb6a0980359165a4459723f52d5d7b5725f9c6Tinderbox User non-dynamic zones.
a0fb6a0980359165a4459723f52d5d7b5725f9c6Tinderbox User </p></dd>
a0fb6a0980359165a4459723f52d5d7b5725f9c6Tinderbox User<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
a0fb6a0980359165a4459723f52d5d7b5725f9c6Tinderbox User<dd>
a0fb6a0980359165a4459723f52d5d7b5725f9c6Tinderbox User<p>
a0fb6a0980359165a4459723f52d5d7b5725f9c6Tinderbox User When signing a zone with a fixed signature lifetime, all
8c7245514646663b25d8b186186ebede41903fa3Tinderbox User RRSIG records issued at the time of signing expires
8c7245514646663b25d8b186186ebede41903fa3Tinderbox User simultaneously. If the zone is incrementally signed, i.e.
8c7245514646663b25d8b186186ebede41903fa3Tinderbox User a previously-signed zone is passed as input to the signer,
8c7245514646663b25d8b186186ebede41903fa3Tinderbox User all expired signatures have to be regenerated at about the
8c7245514646663b25d8b186186ebede41903fa3Tinderbox User same time. The <code class="option">jitter</code> option specifies a
8c7245514646663b25d8b186186ebede41903fa3Tinderbox User jitter window that will be used to randomize the signature
8c7245514646663b25d8b186186ebede41903fa3Tinderbox User expire time, thus spreading incremental signature
8c7245514646663b25d8b186186ebede41903fa3Tinderbox User regeneration over time.
8c7245514646663b25d8b186186ebede41903fa3Tinderbox User </p>
421ba11f3f07cbcb12c288ef7f4e7bad13fcc28fTinderbox User<p>
421ba11f3f07cbcb12c288ef7f4e7bad13fcc28fTinderbox User Signature lifetime jitter also to some extent benefits
421ba11f3f07cbcb12c288ef7f4e7bad13fcc28fTinderbox User validators and servers by spreading out cache expiration,
421ba11f3f07cbcb12c288ef7f4e7bad13fcc28fTinderbox User i.e. if large numbers of RRSIGs don't expire at the same time
421ba11f3f07cbcb12c288ef7f4e7bad13fcc28fTinderbox User from all caches there will be less congestion than if all
421ba11f3f07cbcb12c288ef7f4e7bad13fcc28fTinderbox User validators need to refetch at mostly the same time.
99b30e26a6beb9092557cc9e5370b517309bff6eTinderbox User </p>
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User</dd>
3b15473cedf41d48904f5b07bdc5e87afff6b58cTinderbox User<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
3b15473cedf41d48904f5b07bdc5e87afff6b58cTinderbox User<dd><p>
3b15473cedf41d48904f5b07bdc5e87afff6b58cTinderbox User When writing a signed zone to "raw" or "map" format, set the
3b15473cedf41d48904f5b07bdc5e87afff6b58cTinderbox User "source serial" value in the header to the specified serial
3b15473cedf41d48904f5b07bdc5e87afff6b58cTinderbox User number. (This is expected to be used primarily for testing
3b15473cedf41d48904f5b07bdc5e87afff6b58cTinderbox User purposes.)
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User </p></dd>
99b30e26a6beb9092557cc9e5370b517309bff6eTinderbox User<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
99b30e26a6beb9092557cc9e5370b517309bff6eTinderbox User<dd><p>
99b30e26a6beb9092557cc9e5370b517309bff6eTinderbox User Specifies the number of threads to use. By default, one
99b30e26a6beb9092557cc9e5370b517309bff6eTinderbox User thread is started for each detected CPU.
99b30e26a6beb9092557cc9e5370b517309bff6eTinderbox User </p></dd>
99b30e26a6beb9092557cc9e5370b517309bff6eTinderbox User<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
99b30e26a6beb9092557cc9e5370b517309bff6eTinderbox User<dd>
99b30e26a6beb9092557cc9e5370b517309bff6eTinderbox User<p>
c48fdfda7a8ae8973aadfeb88cbeaab013024a6cTinderbox User The SOA serial number format of the signed zone.
c48fdfda7a8ae8973aadfeb88cbeaab013024a6cTinderbox User Possible formats are <span><strong class="command">"keep"</strong></span> (default),
c48fdfda7a8ae8973aadfeb88cbeaab013024a6cTinderbox User <span><strong class="command">"increment"</strong></span>, <span><strong class="command">"unixtime"</strong></span>,
c48fdfda7a8ae8973aadfeb88cbeaab013024a6cTinderbox User and <span><strong class="command">"date"</strong></span>.
c48fdfda7a8ae8973aadfeb88cbeaab013024a6cTinderbox User </p>
c48fdfda7a8ae8973aadfeb88cbeaab013024a6cTinderbox User<div class="variablelist"><dl>
9efd8fc7e811d3c0c160adeb5552c2df7e49df67Tinderbox User<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
9efd8fc7e811d3c0c160adeb5552c2df7e49df67Tinderbox User<dd><p>Do not modify the SOA serial number.</p></dd>
9efd8fc7e811d3c0c160adeb5552c2df7e49df67Tinderbox User<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
9efd8fc7e811d3c0c160adeb5552c2df7e49df67Tinderbox User<dd><p>Increment the SOA serial number using RFC 1982
9efd8fc7e811d3c0c160adeb5552c2df7e49df67Tinderbox User arithmetics.</p></dd>
9efd8fc7e811d3c0c160adeb5552c2df7e49df67Tinderbox User<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
9efd8fc7e811d3c0c160adeb5552c2df7e49df67Tinderbox User<dd><p>Set the SOA serial number to the number of seconds
9efd8fc7e811d3c0c160adeb5552c2df7e49df67Tinderbox User since epoch.</p></dd>
9efd8fc7e811d3c0c160adeb5552c2df7e49df67Tinderbox User<dt><span class="term"><span><strong class="command">"date"</strong></span></span></dt>
9efd8fc7e811d3c0c160adeb5552c2df7e49df67Tinderbox User<dd><p>Set the SOA serial number to today's date in
666b453b37f9ccfe3c7984fb0b31b70a3ceb918fTinderbox User YYYYMMDDNN format.</p></dd>
666b453b37f9ccfe3c7984fb0b31b70a3ceb918fTinderbox User</dl></div>
666b453b37f9ccfe3c7984fb0b31b70a3ceb918fTinderbox User</dd>
666b453b37f9ccfe3c7984fb0b31b70a3ceb918fTinderbox User<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
666b453b37f9ccfe3c7984fb0b31b70a3ceb918fTinderbox User<dd><p>
666b453b37f9ccfe3c7984fb0b31b70a3ceb918fTinderbox User The zone origin. If not specified, the name of the zone file
666b453b37f9ccfe3c7984fb0b31b70a3ceb918fTinderbox User is assumed to be the origin.
666b453b37f9ccfe3c7984fb0b31b70a3ceb918fTinderbox User </p></dd>
9efd8fc7e811d3c0c160adeb5552c2df7e49df67Tinderbox User<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User<dd><p>
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User The format of the output file containing the signed zone.
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User Possible formats are <span><strong class="command">"text"</strong></span> (default),
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User which is the standard textual representation of the zone;
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span><strong class="command">"full"</strong></span>, which is text output in a
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User format suitable for processing by external scripts;
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt and <span><strong class="command">"map"</strong></span>, <span><strong class="command">"raw"</strong></span>,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt and <span><strong class="command">"raw=N"</strong></span>, which store the zone in
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User binary formats for rapid loading by <span><strong class="command">named</strong></span>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span><strong class="command">"raw=N"</strong></span> specifies the format version of
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User the raw zone file: if N is 0, the raw file can be read by
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User any version of <span><strong class="command">named</strong></span>; if N is 1, the file
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt can be read by release 9.9.0 or higher; the default is 1.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </p></dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="term">-p</span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Use pseudo-random data when signing the zone. This is faster,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt but less secure, than using real random data. This option
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt may be useful when signing large zones or when the entropy
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User source is limited.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </p></dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dt><span class="term">-P</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<p>
1c57c3f79db0bf0358bbe6d7b5ad650c0c852f4bTinderbox User Disable post sign verification tests.
</p>
<p>
The post sign verification test ensures that for each algorithm
in use there is at least one non revoked self signed KSK key,
that all revoked KSK keys are self signed, and that all records
in the zone are signed by the algorithm.
This option skips these tests.
</p>
</dd>
<dt><span class="term">-Q</span></dt>
<dd>
<p>
Remove signatures from keys that are no longer active.
</p>
<p>
Normally, when a previously-signed zone is passed as input
to the signer, and a DNSKEY record has been removed and
replaced with a new one, signatures from the old key
that are still within their validity period are retained.
This allows the zone to continue to validate with cached
copies of the old DNSKEY RRset. The <code class="option">-Q</code>
forces <span><strong class="command">dnssec-signzone</strong></span> to remove
signatures from keys that are no longer active. This
enables ZSK rollover using the procedure described in
RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
</p>
</dd>
<dt><span class="term">-R</span></dt>
<dd>
<p>
Remove signatures from keys that are no longer published.
</p>
<p>
This option is similar to <code class="option">-Q</code>, except it
forces <span><strong class="command">dnssec-signzone</strong></span> to signatures from
keys that are no longer published. This enables ZSK rollover
using the procedure described in RFC 4641, section 4.2.1.2
("Double Signature Zone Signing Key Rollover").
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
<dt><span class="term">-S</span></dt>
<dd>
<p>
Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
search the key repository for keys that match the zone being
signed, and to include them in the zone if appropriate.
</p>
<p>
When a key is found, its timing metadata is examined to
determine how it should be used, according to the following
rules. Each successive rule takes priority over the prior
ones:
</p>
<div class="variablelist"><dl>
<dt></dt>
<dd><p>
If no timing metadata has been set for the key, the key is
published in the zone and used to sign the zone.
</p></dd>
<dt></dt>
<dd><p>
If the key's publication date is set and is in the past, the
key is published in the zone.
</p></dd>
<dt></dt>
<dd><p>
If the key's activation date is set and in the past, the
key is published (regardless of publication date) and
used to sign the zone.
</p></dd>
<dt></dt>
<dd><p>
If the key's revocation date is set and in the past, and the
key is published, then the key is revoked, and the revoked key
is used to sign the zone.
</p></dd>
<dt></dt>
<dd><p>
If either of the key's unpublication or deletion dates are set
and in the past, the key is NOT published or used to sign the
zone, regardless of any other metadata.
</p></dd>
</dl></div>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Specifies a TTL to be used for new DNSKEY records imported
into the zone from the key repository. If not
specified, the default is the TTL value from the zone's SOA
record. This option is ignored when signing without
<code class="option">-S</code>, since DNSKEY records are not imported
from the key repository in that case. It is also ignored if
there are any pre-existing DNSKEY records at the zone apex,
in which case new records' TTL values will be set to match
them, or if any of the imported DNSKEY records had a default
TTL value. In the event of a a conflict between TTL values in
imported keys, the shortest one is used.
</p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>
Print statistics at completion.
</p></dd>
<dt><span class="term">-u</span></dt>
<dd><p>
Update NSEC/NSEC3 chain when re-signing a previously signed
zone. With this option, a zone signed with NSEC can be
switched to NSEC3, or a zone signed with NSEC3 can
be switch to NSEC or to NSEC3 with different parameters.
Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
retain the existing chain when re-signing.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>
Only sign the DNSKEY RRset with key-signing keys, and omit
signatures from zone-signing keys. (This is similar to the
<span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
<span><strong class="command">named</strong></span>.)
</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
Ignore KSK flag on key when determining what to sign. This
causes KSK-flagged keys to sign all records, not just the
DNSKEY RRset. (This is similar to the
<span><strong class="command">update-check-ksk no;</strong></span> zone option in
<span><strong class="command">named</strong></span>.)
</p></dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd><p>
Generate an NSEC3 chain with the given hex encoded salt.
A dash (<em class="replaceable"><code>salt</code></em>) can
be used to indicate that no salt is to be used when generating the NSEC3 chain.
</p></dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd><p>
When generating an NSEC3 chain, use this many iterations. The
default is 10.
</p></dd>
<dt><span class="term">-A</span></dt>
<dd>
<p>
When generating an NSEC3 chain set the OPTOUT flag on all
NSEC3 records and do not generate NSEC3 records for insecure
delegations.
</p>
<p>
Using this option twice (i.e., <code class="option">-AA</code>)
turns the OPTOUT flag off for all records. This is useful
when using the <code class="option">-u</code> option to modify an NSEC3
chain which previously had OPTOUT set.
</p>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
The file containing the zone to be signed.
</p></dd>
<dt><span class="term">key</span></dt>
<dd><p>
Specify which keys should be used to sign the zone. If
no keys are specified, then the zone will be examined
for DNSKEY records at the zone apex. If these are found and
there are matching private keys, in the current directory,
then these will be used for signing.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2676679"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
(Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option
is not being used, the zone's keys must be in the master file
(<code class="filename">db.example.com</code>). This invocation looks
for <code class="filename">dsset</code> files, in the current directory,
so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
</p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</pre>
<p>
In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
the file <code class="filename">db.example.com.signed</code>. This
file should be referenced in a zone statement in a
<code class="filename">named.conf</code> file.
</p>
<p>
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
</p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
<a name="id2676758"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2676786"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-settime.html">Prev</a>�</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right">�<a accesskey="n" href="man.dnssec-verify.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnssec-settime</span>�</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">�<span class="application">dnssec-verify</span>
</td>
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>