man.dnssec-signzone.html revision fdd80e9a55c70b36a3bf3e409b86897301c44ff8
<!--
 - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-signzone.html,v 1.154 2010/01/08 01:14:07 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
<p><span><strong class="command">dnssec-signzone</strong></span>
 signs a zone. It generates NSEC and RRSIG records and produces a signed
 version of the zone. The security status of delegations from the signed
 zone (that is, whether the child zones are secure or not) is determined
 by the presence or absence of a <code class="filename">keyset</code>
 file for each child zone.</p>
<dd><p>Verify all generated signatures.</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>Specifies the DNS class of the zone.</p></dd>
<dd><p>Compatibility mode: Generate a
 <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
 file in addition to
 <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
 when signing a zone, for use by older versions of
 <span><strong class="command">dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p><code class="filename">keyset-</code> files in <code class="option">directory</code>.</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>Uses crypto hardware (an OpenSSL engine) for the crypto operations
 it supports, for instance signing with private keys held in
 a secure key store. When compiled with PKCS#11 support
 it defaults to pkcs11; the empty name resets it to no engine.</p></dd>
<dd><p>Generate DS records for child zones from their
 <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
 files. Existing DS records will be removed.</p></dd>
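<p>The DS record that is generated for a child zone from its <code class="filename">dsset-</code> or <code class="filename">keyset-</code> file is a digest of the child's DNSKEY, and it is the only thing in the parent that ties the delegation to the child's keys. The Python below is an added example, not BIND's code: it derives a DS record from a DNSKEY the way RFC 4034 (key tag, SHA-1 digest) and RFC 4509 (SHA-256 digest) specify, over the canonical owner name plus the DNSKEY RDATA. The owner name <code>child.example.</code>, the flags and the key bytes are constructed placeholders, so the printed digest is illustrative only.</p>

```python
"""Derive a DS record from a child's DNSKEY: RFC 4034 key tag plus the
RFC 4034 (SHA-1) / RFC 4509 (SHA-256) digest over the canonical owner
name and the DNSKEY RDATA.

Added example, not BIND's code; the DNSKEY material below is constructed,
not a real key.
"""
import hashlib
import struct

# DS digest type numbers from RFC 4034 (1) and RFC 4509 (2).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (every algorithm except 1): sum the
    RDATA as big-endian 16-bit words, fold the carry back in, keep 16 bits."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """digest = hash(canonical owner name || DNSKEY RDATA), as uppercase hex."""
    return DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """Presentation-format DS record for one child DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return "%s. IN DS %d %d %d %s" % (owner.rstrip(".").lower(), key_tag(rdata),
                                      algorithm, digest_type,
                                      ds_digest(owner, rdata, digest_type))


if __name__ == "__main__":
    # Constructed placeholder key bytes with algorithm 8 (RSASHA256) and the
    # usual KSK flags value 257; this is not a usable key.
    fake_key = bytes(range(130))
    print(ds_record("child.example.", 257, 3, 8, fake_key, digest_type=2))
    print(ds_record("child.example.", 257, 3, 8, fake_key, digest_type=1))
```

<p>The owner name is lowercased before hashing because the digest is defined over the canonical form; a DS computed over <code>Child.Example.</code> must match one computed over <code>child.example.</code>, which is a useful check when comparing a parent's DS against a child's published DNSKEY. RFC 4509 carries a DNSKEY/DS example pair that can be used to validate an implementation of this derivation against known values.</p>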
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>Key repository: Specify a directory to search for DNSSEC keys.
 If not specified, defaults to the current directory.</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>Treat the specified key as a key-signing key, ignoring any
 key flags. This option may be specified multiple times.</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>Generate a DLV set in addition to the key (DNSKEY) and DS sets.
 The domain is appended to the name of the records.</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <code class="option">start-time</code> is specified, the current
 time minus 1 hour (to allow for clock skew) is used.</p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>Specify the date and time when the generated RRSIG records
 expire. As with <code class="option">start-time</code>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <code class="option">end-time</code> is
 specified, 30 days from the start time is used as a default.
 <code class="option">end-time</code> must be later than</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>The name of the output file containing the signed zone. The
 default is to append <code class="filename">.signed</code> to
 the input filename.</p></dd>
<dd><p>Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd><p>When a previously-signed zone is passed as input, records
 may be resigned. The <code class="option">interval</code> option
 specifies the cycle interval as an offset from the current
 time (in seconds). If an RRSIG record expires after the
 cycle interval, it is retained. Otherwise, it is considered
 to be expiring soon, and it will be replaced.</p>
<p>The default cycle interval is one quarter of the difference
 between the signature end and start times. So if neither
 <code class="option">end-time</code> nor <code class="option">start-time</code>
 is specified, <span><strong class="command">dnssec-signzone</strong></span>
 generates signatures that are valid for 30 days, with a cycle
 interval of 7.5 days. Therefore, if any existing RRSIG records
 are due to expire in less than 7.5 days, they would be</p></dd>
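<p>The <code class="option">-s</code>, <code class="option">-e</code> and <code class="option">-i</code> rules above interact: the defaults fix the lifetime, the lifetime fixes the default cycle interval, and the cycle interval decides which existing RRSIGs survive a re-signing run. The Python below is an added example, not BIND's code, that models exactly those rules: the three time notations (absolute YYYYMMDDHHMMSS in UTC, <code>+N</code>, <code>now+N</code>), the defaults of "now minus 1 hour" and "start plus 30 days", the check that the end time is later than the start time, the default cycle of a quarter of the lifetime, and the retain-or-replace decision. The function names and the RRSIG owner names in the demonstration are assumptions of this example.</p>

```python
"""Model of dnssec-signzone's RRSIG validity window and re-sign cycle.

Added example, not BIND's code. It reproduces the rules the man page
states for -s/-e (absolute YYYYMMDDHHMMSS in UTC, +N, now+N, and the
defaults of "now minus 1 hour" and "start plus 30 days") and for -i
(default cycle interval = a quarter of the lifetime; an RRSIG expiring
after now + cycle is retained, anything else is re-signed).
"""
from datetime import datetime, timezone

HOUR = 3600
DAY = 86400


def parse_time(spec, now, base):
    """Turn a -s/-e argument into a Unix timestamp.

    'YYYYMMDDHHMMSS' is an absolute UTC time; '+N' is N seconds after
    `base` (the current time for -s, the start time for -e); 'now+N'
    is N seconds after the current time.
    """
    if spec.startswith("now+"):
        return now + int(spec[4:])
    if spec.startswith("+"):
        return base + int(spec[1:])
    if len(spec) == 14 and spec.isdigit():
        dt = datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    raise ValueError("unrecognised time specification: %r" % spec)


def validity_window(now, start_spec=None, end_spec=None):
    """Resolve -s/-e (either may be omitted) into (start, end) timestamps."""
    start = parse_time(start_spec, now, now) if start_spec else now - HOUR
    end = parse_time(end_spec, now, start) if end_spec else start + 30 * DAY
    if end <= start:
        # end-time must be later than the start time, or the RRSIGs would
        # never be valid.
        raise ValueError("end-time must be later than start-time")
    return start, end


def cycle_interval(start, end, interval=None):
    """-i: an explicit value, or the default of a quarter of the lifetime."""
    return interval if interval is not None else (end - start) // 4


def needs_resign(rrsig_expiry, now, cycle):
    """Retain an RRSIG only if it expires after the cycle interval."""
    return rrsig_expiry <= now + cycle


def plan_resign(rrsigs, now, cycle):
    """Split (owner, expiry) pairs into the names kept and the names re-signed."""
    kept = [name for name, exp in rrsigs if not needs_resign(exp, now, cycle)]
    resigned = [name for name, exp in rrsigs if needs_resign(exp, now, cycle)]
    return kept, resigned


if __name__ == "__main__":
    # Constructed scenario: a zone signed with the defaults, re-run 20 days later.
    first_run = parse_time("20100108011407", 0, 0)
    start, end = validity_window(first_run)
    cycle = cycle_interval(start, end)
    print("lifetime %d days, cycle %.1f days" % ((end - start) // DAY, cycle / DAY))
    later = first_run + 20 * DAY
    # Two constructed RRSIGs: "www" still carries the first run's expiry,
    # "mail" was signed with a shorter lifetime and is now inside the cycle.
    kept, resigned = plan_resign([("www", end), ("mail", later + 5 * DAY)], later, cycle)
    print("kept:", kept, "re-signed:", resigned)
```

<p>With the defaults the model gives a 30-day lifetime and a 648000-second (7.5-day) cycle, so a re-signing run 20 days after the first one keeps the original signatures (they still have almost 10 days left) and replaces only those due within 7.5 days. Running the signer less often than the cycle interval is the failure mode to watch for: any RRSIG that was retained on one run and expires before the next one leaves the zone bogus in validating resolvers.</p>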
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be signed directly.
 The use of this option does not make much sense for
 non-dynamic zones.</p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd><p>When signing a zone with a fixed signature lifetime, all
 RRSIG records issued at the time of signing expire
 simultaneously. If the zone is incrementally signed, i.e.
 a previously-signed zone is passed as input to the signer,
 all expired signatures have to be regenerated at about the
 same time. The <code class="option">jitter</code> option specifies a
 jitter window that will be used to randomize the signature
 expire time, thus spreading incremental signature
 regeneration over time.</p>
<p>Signature lifetime jitter also benefits validators and servers
 to some extent by spreading out cache expiration: if large
 numbers of RRSIGs don't expire at the same time from all caches,
 there will be less congestion than if all validators need to
 refetch at mostly the same time.</p></dd>
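<p>To make the effect of the jitter window concrete, the Python below is an added example, not BIND's code. It signs a constructed batch of 1000 names once without jitter and once with a 7-day window, then shows how many distinct expiry days result and what fraction of the batch falls inside the <code class="option">-i</code> cycle at a later run. It assumes the random offset is subtracted from the end time, so that no signature outlives the configured <code class="option">end-time</code>; the page does not state the direction of the offset, and the seeded generator only exists to keep the demonstration reproducible.</p>

```python
"""Model of -j jitter: spread RRSIG expiry times so one signing run does not
produce a batch of signatures that all expire, and all need regeneration,
at the same moment.

Added example, not BIND's code. It assumes the jitter is subtracted from
the end-time (so no signature outlives the configured end-time); the man
page does not state the direction of the offset.
"""
import random

DAY = 86400


def jittered_expiry(end, jitter, rng):
    """Expiry for one RRSIG: end-time minus a uniform offset in [0, jitter]."""
    if jitter <= 0:
        return end
    return end - rng.randint(0, jitter)


def sign_batch(names, end, jitter, seed=0):
    """Assign an expiry to every owner name signed in one run.

    A seeded generator keeps the constructed scenario reproducible; a real
    signer draws its randomness from the random device (-r).
    """
    rng = random.Random(seed)
    return {name: jittered_expiry(end, jitter, rng) for name in names}


def expiry_histogram(expiries, bucket=DAY):
    """How many RRSIGs expire in each bucket (per day by default)."""
    hist = {}
    for exp in expiries.values():
        hist[exp // bucket] = hist.get(exp // bucket, 0) + 1
    return hist


def due_for_resign(expiries, now, cycle):
    """Names whose RRSIG falls inside the -i cycle interval at this run."""
    return sorted(name for name, exp in expiries.items() if exp <= now + cycle)


if __name__ == "__main__":
    names = ["host%d" % i for i in range(1000)]   # constructed zone contents
    now = 1_262_913_247                            # constructed "now"
    end = now + 30 * DAY                           # default 30-day lifetime
    cycle = (end - (now - 3600)) // 4              # default -i: a quarter of it
    later = now + 20 * DAY                         # a re-sign run 20 days on
    for jitter in (0, 7 * DAY):
        expiries = sign_batch(names, end, jitter)
        print("jitter %d days: %d expiry buckets, %d of %d due at day 20"
              % (jitter // DAY, len(expiry_histogram(expiries)),
                 len(due_for_resign(expiries, later, cycle)), len(names)))
```

<p>Without jitter every signature sits in a single expiry bucket and the day-20 run re-signs either nothing or everything; with a 7-day window the expiries spread over about eight days and only part of the batch is due at any one run. The window has to stay well inside the lifetime: the earliest jittered expiry is <code>end - jitter</code>, and if that is shorter than the re-signing cadence plus the cycle interval, some records will expire before they are refreshed.</p>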
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>Specifies the number of threads to use. By default, one
 thread is started for each detected CPU.</p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd><p>The SOA serial number format of the signed zone.
 Possible formats are <span><strong class="command">"keep"</strong></span> (default),
 <span><strong class="command">"increment"</strong></span> and
 <span><strong class="command">"unixtime"</strong></span>.</p>
<dl>
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982</p></dd>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds</p></dd>
</dl>
</dd>
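<p>The three serial formats matter because secondaries decide whether to transfer the freshly signed zone by comparing serials with RFC 1982 arithmetic; a serial that does not count as "greater" under that comparison leaves the secondaries serving the old signed zone until its RRSIGs expire. The Python below is an added example, not BIND's code: it implements RFC 1982 addition and comparison, applies the <code>"keep"</code>, <code>"increment"</code> and <code>"unixtime"</code> formats to a serial, and adds a pre-signing check that refuses a new serial the secondaries would ignore. The serial values and the current time in the demonstration are constructed; the check function is this example's own addition, not a <span><strong class="command">dnssec-signzone</strong></span> option.</p>

```python
"""Model of -N soa-serial-format: "keep", "increment" (RFC 1982 serial
arithmetic) and "unixtime", plus the check a zone operator wants before
switching formats.

Added example, not BIND's code. Secondaries compare serials with RFC 1982
arithmetic, so a new serial that is not "greater" under that comparison is
ignored: the secondaries keep serving the previous signed zone until its
RRSIGs expire. The numbers below are constructed.
"""
SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)


def serial_add(s, n):
    """RFC 1982 addition: wraps modulo 2^32; n must be below 2^31."""
    if not 0 <= n < HALF:
        raise ValueError("RFC 1982 only defines addition of n < 2^31")
    return (s + n) % MODULUS


def serial_gt(i1, i2):
    """RFC 1982: is i1 'greater than' i2, allowing for wraparound?"""
    return (i1 < i2 and i2 - i1 > HALF) or (i1 > i2 and i1 - i2 < HALF)


def next_serial(current, soa_serial_format, now):
    """Apply one of the three -N formats the man page lists."""
    if soa_serial_format == "keep":
        return current
    if soa_serial_format == "increment":
        return serial_add(current, 1)
    if soa_serial_format == "unixtime":
        return now % MODULUS
    raise ValueError("unknown soa-serial-format: %r" % soa_serial_format)


def secondaries_will_transfer(old_serial, new_serial):
    """True only if secondaries will see the new serial as newer."""
    return serial_gt(new_serial, old_serial)


def safe_next_serial(current, soa_serial_format, now):
    """Like next_serial, but refuse a serial secondaries would ignore.
    "keep" is allowed to stand still: it deliberately leaves the serial alone
    (this check is the example's own addition, not a signer option)."""
    new = next_serial(current, soa_serial_format, now)
    if soa_serial_format != "keep" and not secondaries_will_transfer(current, new):
        raise ValueError("serial %d would not be seen as newer than %d" % (new, current))
    return new


if __name__ == "__main__":
    now = 1_262_913_247          # constructed current time (January 2010)
    date_serial = 2010010801     # constructed YYYYMMDDnn-style serial
    for fmt in ("keep", "increment", "unixtime"):
        new = next_serial(date_serial, fmt, now)
        print("%-9s %d -> %d  secondaries transfer: %s"
              % (fmt, date_serial, new, secondaries_will_transfer(date_serial, new)))
```

<p>The constructed run shows the trap: a date-based serial such as 2010010801 is numerically larger than a 2010 Unix timestamp, and the difference is below 2^31, so switching that zone to <code>"unixtime"</code> produces a serial the secondaries treat as older and never transfer. <code>"increment"</code> is safe across the 32-bit wrap (0xFFFFFFFF + 1 becomes 0, which RFC 1982 still ranks as newer), and <code>"keep"</code> only works when something else, such as the zone's own update process, has already bumped the serial.</p>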
Kexample.com.+003+17247