<!--
 - Copyright (C) 2004-2009, 2011-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - 
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - 
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C</code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-n <em class="replaceable"><code>ncpus</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-Q</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-signzone</strong></span>
      signs a zone.  It generates
      NSEC (or NSEC3) and RRSIG records and produces a signed version of the
      zone. The security status of delegations from the signed zone
      (that is, whether the child zones are secure or not) is
      determined by the presence or absence of a
      <code class="filename">dsset</code> or <code class="filename">keyset</code>
      file for each child zone.
    </p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a</span></dt>
<dd><p>
            Verify all generated signatures.
          </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
            Specifies the DNS class of the zone.
          </p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
            Compatibility mode: Generate a
            <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
            file in addition to
            <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
            when signing a zone, for use by older versions of
            <span class="command"><strong>dnssec-signzone</strong></span>.
          </p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
            Look for <code class="filename">dsset-</code> or
            <code class="filename">keyset-</code> files in <code class="option">directory</code>.
          </p></dd>
<dt><span class="term">-D</span></dt>
<dd><p>
	    Output only those record types automatically managed by
	    <span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
	    NSEC3 and NSEC3PARAM records. If smart signing
	    (<code class="option">-S</code>) is used, DNSKEY records are also
	    included. The resulting file can be included in the original
	    zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
	    cannot be combined with <code class="option">-O raw</code>,
            <code class="option">-O map</code>, or serial number updating.
          </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
            When applicable, specifies the hardware to use for
            cryptographic operations, such as a secure key store used
            for signing.
          </p>
<p>
            When BIND is built with OpenSSL PKCS#11 support, this defaults
            to the string "pkcs11", which identifies an OpenSSL engine
            that can drive a cryptographic accelerator or hardware service
            module.  When BIND is built with native PKCS#11 cryptography
            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
            provider library specified via "--with-pkcs11".
          </p>
</dd>
<dt><span class="term">-g</span></dt>
<dd><p>
            Generate DS records for child zones from
            <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
            file.  Existing DS records will be removed.
          </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
            Key repository: Specify a directory to search for DNSSEC keys.
            If not specified, defaults to the current directory.
          </p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
            Treat the specified key as a key-signing key, ignoring any
            key flags.  This option may be specified multiple times.
          </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
            The domain is appended to the name of the records.
          </p></dd>
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
<dd><p>
            Sets the maximum TTL for the signed zone.
            Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
            input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
            in the output. This provides certainty as to the largest
            possible TTL in the signed zone, which is useful to know when
            rolling keys because it is the longest possible time before
            signatures that have been retrieved by resolvers will expire
            from resolver caches.  Zones that are signed with this
            option should be configured to use a matching
            <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
            (Note: This option is incompatible with <code class="option">-D</code>,
            because it modifies non-DNSSEC data in the output zone.)
          </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
            Specify the date and time when the generated RRSIG records
            become valid.  This can be either an absolute or relative
            time.  An absolute start time is indicated by a number
            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
            14:45:00 UTC on May 30th, 2000.  A relative start time is
            indicated by +N, which is N seconds from the current time.
            If no <code class="option">start-time</code> is specified, the current
            time minus 1 hour (to allow for clock skew) is used.
          </p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>
            Specify the date and time when the generated RRSIG records
            expire.  As with <code class="option">start-time</code>, an absolute
            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
            to the start time is indicated with +N, which is N seconds from
            the start time.  A time relative to the current time is
            indicated with now+N.  If no <code class="option">end-time</code> is
            specified, 30 days from the start time is used as a default.
            <code class="option">end-time</code> must be later than
            <code class="option">start-time</code>.
          </p></dd>
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
<dd>
<p>
            Specify the date and time when the generated RRSIG records
            for the DNSKEY RRset will expire.  This is to be used in cases
            when the DNSKEY signatures need to persist longer than
            signatures on other records; e.g., when the private component
            of the KSK is kept offline and the KSK signature is to be
            refreshed manually.
          </p>
<p>
            As with <code class="option">start-time</code>, an absolute
            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
            to the start time is indicated with +N, which is N seconds from
            the start time.  A time relative to the current time is
            indicated with now+N.  If no <code class="option">extended end-time</code> is
            specified, the value of <code class="option">end-time</code> is used as
            the default.  (<code class="option">end-time</code>, in turn, defaults to
            30 days from the start time.) <code class="option">extended end-time</code>
            must be later than <code class="option">start-time</code>.
          </p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
            The name of the output file containing the signed zone.  The
            default is to append <code class="filename">.signed</code> to
            the input filename.  If <code class="option">output-file</code> is
            set to <code class="literal">"-"</code>, then the signed zone is
            written to the standard output, with a default output
            format of "full".
          </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
            Prints a short summary of the options and arguments to
            <span class="command"><strong>dnssec-signzone</strong></span>.
          </p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
	    Prints version information.
	  </p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
            When a previously-signed zone is passed as input, records
            may be resigned.  The <code class="option">interval</code> option
            specifies the cycle interval as an offset from the current
            time (in seconds).  If an RRSIG record expires after the
            cycle interval, it is retained.  Otherwise, it is considered
            to be expiring soon, and it will be replaced.
          </p>
<p>
            The default cycle interval is one quarter of the difference
            between the signature end and start times.  So if neither
            <code class="option">end-time</code> nor <code class="option">start-time</code>
            is specified, <span class="command"><strong>dnssec-signzone</strong></span>
            generates signatures that are valid for 30 days, with a cycle
            interval of 7.5 days.  Therefore, if any existing RRSIG records
            are due to expire in less than 7.5 days, they would be
            replaced.
          </p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
            The format of the input zone file.
	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
	    <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
	    This option is primarily intended to be used for dynamic
            signed zones so that the dumped zone file in a non-text
            format containing updates can be signed directly.
	    The use of this option does not make much sense for
	    non-dynamic zones.
          </p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd>
<p>
            When signing a zone with a fixed signature lifetime, all
            RRSIG records issued at the time of signing expire
            simultaneously.  If the zone is incrementally signed, i.e.
            a previously-signed zone is passed as input to the signer,
            all expired signatures have to be regenerated at about the
            same time.  The <code class="option">jitter</code> option specifies a
            jitter window that will be used to randomize the signature
            expire time, thus spreading incremental signature
            regeneration over time.
          </p>
<p>
            Signature lifetime jitter also benefits validators and
            servers to some extent by spreading out cache expiration:
            if large numbers of RRSIGs do not expire from all caches at
            the same time, there is less congestion than if all
            validators need to refetch at roughly the same moment.
          </p>
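<p>
            The time options described under <code class="option">-s</code>,
            <code class="option">-e</code>, <code class="option">-X</code>,
            <code class="option">-i</code> and <code class="option">-j</code> interact,
            and it is easy to mis-predict the validity window that a given
            command line will produce.  The following is an added example,
            not code from the BIND sources: a small Python model of the
            argument grammar and the defaults stated above, so that an
            operator can compute the window before signing.  The
            <code class="literal">jittered_expiry</code> rule (subtracting the
            random offset so no signature outlives the requested end time)
            and the treatment of absolute times as UTC are assumptions of
            the model, marked in the code.
</p>

```python
"""Model of dnssec-signzone's time-related options (-s, -e, -X, -i, -j).

Added example, not BIND code: it reproduces the defaults and the argument
grammar stated in the man page so that an operator can predict the
validity window before running the tool.  Assumptions are marked.
"""
import datetime as dt
import random

HOUR = 3600
DAY = 86400


def parse_time(spec, now, start=None):
    """Parse one time argument into a Unix timestamp.

    Forms accepted by the man page:
      YYYYMMDDHHMMSS  absolute time (assumed UTC here)
      +N              N seconds after `start` (for -e/-X) or after now (for -s)
      now+N           N seconds after the current time
    """
    if spec.startswith("now+"):
        return now + int(spec[4:])
    if spec.startswith("+"):
        base = now if start is None else start
        return base + int(spec[1:])
    if len(spec) == 14 and spec.isdigit():
        t = dt.datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=dt.timezone.utc)
        return int(t.timestamp())
    raise ValueError(f"unrecognised time argument: {spec!r}")


def signing_window(now, start=None, end=None, extended=None, interval=None):
    """Resolve -s/-e/-X/-i to (start, end, extended_end, cycle_interval).

    Defaults from the man page: start = now - 1h (clock-skew allowance),
    end = start + 30d, extended end = end, cycle interval = (end - start) / 4.
    """
    s = now - HOUR if start is None else parse_time(start, now)
    e = s + 30 * DAY if end is None else parse_time(end, now, s)
    x = e if extended is None else parse_time(extended, now, s)
    if e <= s:
        raise ValueError("end-time must be later than start-time")
    if x <= s:
        raise ValueError("extended end-time must be later than start-time")
    cycle = (e - s) // 4 if interval is None else int(interval)
    return s, e, x, cycle


def expiry_for(rrtype, end, extended_end):
    """-X only lengthens the RRSIG over the DNSKEY RRset; every other RRset uses -e."""
    return extended_end if rrtype == "DNSKEY" else end


def needs_resign(rrsig_expire, now, cycle):
    """-i: an existing RRSIG is kept only if it expires after now + cycle."""
    return rrsig_expire <= now + cycle


def jittered_expiry(end, jitter, rng=random):
    """-j: randomise the expiry so that re-signing is spread over time.

    Assumption of this model: the random offset is subtracted, so no
    signature outlives the -e/-X bound the operator asked for.
    """
    if jitter <= 0:
        return end
    return end - rng.randrange(jitter)


if __name__ == "__main__":
    now = int(dt.datetime.now(dt.timezone.utc).timestamp())
    # -X +7776000 keeps the DNSKEY RRSIG (made by an offline KSK) valid for 90 days
    s, e, x, cycle = signing_window(now, extended="+7776000")
    print("start", s, "end", e, "dnskey-end", x, "cycle", cycle)
    print("A RRSIG expiring in 5 days is replaced:", needs_resign(now + 5 * DAY, now, cycle))
    print("jittered expiry:", jittered_expiry(e, 3 * DAY, random.Random(1)))
```

<p>
            With no time options the model yields the documented 30-day
            lifetime and 7.5-day cycle, and it rejects an
            <code class="option">end-time</code> that does not lie after
            <code class="option">start-time</code>, which is the same error
            the tool reports.
</p>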
</dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd><p>
            When writing a signed zone to "raw" or "map" format, set the
            "source serial" value in the header to the specified serial
            number.  (This is expected to be used primarily for testing
            purposes.)
          </p></dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>
            Specifies the number of threads to use.  By default, one
            thread is started for each detected CPU.
          </p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd>
<p>
            The SOA serial number format of the signed zone.
	    Possible formats are <span class="command"><strong>"keep"</strong></span> (default),
            <span class="command"><strong>"increment"</strong></span>, <span class="command"><strong>"unixtime"</strong></span>,
            and <span class="command"><strong>"date"</strong></span>.
          </p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
                      serial number arithmetic.</p></dd>
<dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
	        since the Unix epoch.</p></dd>
<dt><span class="term"><span class="command"><strong>"date"</strong></span></span></dt>
<dd><p>Set the SOA serial number to today's date in
                YYYYMMDDNN format.</p></dd>
</dl></div>
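<p>
            The four serial formats above, as an added example that is not
            part of the BIND sources: a Python model of
            <code class="option">-N</code> that also performs the check an
            operator wants before publishing a signed zone, namely that the
            new serial is greater than the old one in RFC 1982 order, because
            secondaries will not transfer a zone whose serial appears to have
            gone backwards.  The rule for advancing the
            <code class="literal">NN</code> suffix of the
            <code class="literal">"date"</code> format when a zone is signed
            more than once per day is an assumption of the model; the man
            page only states the format.
</p>

```python
"""Model of dnssec-signzone -N (SOA serial format) handling.

Added example, not BIND code: it implements the four formats the man page
lists and adds the check an operator wants before publishing: that the new
serial is "greater" in RFC 1982 terms, since secondaries will not transfer
a zone whose serial appears to have gone backwards.
"""
import datetime as dt

SERIAL_MOD = 1 << 32
HALF = 1 << 31


def serial_gt(a, b):
    """RFC 1982: a > b when (a - b) mod 2^32 lies strictly between 0 and 2^31."""
    return 0 < (a - b) % SERIAL_MOD < HALF


def next_serial(current, fmt, now):
    """Return the serial written to the signed zone for -N <fmt>.

    keep       leave the serial untouched (the default)
    increment  current + 1 in serial number arithmetic (wraps at 2^32)
    unixtime   seconds since the Unix epoch
    date       YYYYMMDDNN for today's UTC date; if the current serial already
               carries today's date, NN is advanced by one (this NN rule is an
               assumption of the model; the man page only gives the format)
    """
    if fmt == "keep":
        return current
    if fmt == "increment":
        return (current + 1) % SERIAL_MOD
    if fmt == "unixtime":
        return int(now) % SERIAL_MOD
    if fmt == "date":
        day = int(dt.datetime.fromtimestamp(now, dt.timezone.utc).strftime("%Y%m%d"))
        if current // 100 == day:
            # Already signed today: bump NN (NN=99 spills into the next date).
            return current + 1
        return day * 100
    raise ValueError(f"unknown soa-serial-format: {fmt!r}")


def signed_serial(current, fmt, now):
    """Choose the new serial and refuse one that secondaries would ignore.

    With -N keep the serial is unchanged, which is fine for a first signing
    but means a re-sign is invisible to secondaries until the operator bumps
    it.  For the other formats the result must move forward in RFC 1982 order;
    the classic failure is switching a 2024010101-style date serial to
    unixtime, which is numerically smaller and therefore "older".
    """
    new = next_serial(current, fmt, now)
    if fmt != "keep" and not serial_gt(new, current):
        raise ValueError(
            f"-N {fmt} would set serial {new}, which does not advance past {current}"
        )
    return new


if __name__ == "__main__":
    now = int(dt.datetime.now(dt.timezone.utc).timestamp())
    for fmt in ("keep", "increment", "unixtime", "date"):
        try:
            print(fmt, signed_serial(2024010101, fmt, now))
        except ValueError as err:
            print(fmt, "REJECTED:", err)
```

<p>
            Run against a date-style serial, the driver shows the trap:
            <code class="literal">increment</code> and
            <code class="literal">date</code> advance it, while
            <code class="literal">unixtime</code> is rejected because the
            Unix time is smaller than the date-formatted serial.
</p>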
</dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
            The zone origin.  If not specified, the name of the zone file
            is assumed to be the origin.
          </p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>
            The format of the output file containing the signed zone.
	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
            which is the standard textual representation of the zone;
	    <span class="command"><strong>"full"</strong></span>, which is text output in a
            format suitable for processing by external scripts;
            and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
            and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in
            binary formats for rapid loading by <span class="command"><strong>named</strong></span>.
            <span class="command"><strong>"raw=N"</strong></span> specifies the format version of
            the raw zone file: if N is 0, the raw file can be read by
            any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
            can be read by release 9.9.0 or higher; the default is 1.
          </p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
            Use pseudo-random data when signing the zone.  This is faster,
            but less secure, than using real random data.  This option
            may be useful when signing large zones or when the entropy
            source is limited.  Note that DSA and ECDSA signatures depend
            on a fresh random value for every signature, and weak
            randomness there can expose the private key, so prefer a real
            entropy source when signing with those algorithms.
          </p></dd>
<dt><span class="term">-P</span></dt>
<dd>
<p>
	    Disable post-sign verification tests.
          </p>
<p>
	    The post-sign verification test ensures that for each algorithm
	    in use there is at least one non-revoked, self-signed KSK,
	    that all revoked KSKs are self-signed, and that all records
	    in the zone are signed with that algorithm.
	    This option skips these tests.
          </p>
</dd>
<dt><span class="term">-Q</span></dt>
<dd>
<p>
	    Remove signatures from keys that are no longer active.
          </p>
<p>
            Normally, when a previously-signed zone is passed as input
            to the signer, and a DNSKEY record has been removed and
            replaced with a new one, signatures from the old key
            that are still within their validity period are retained.
	    This allows the zone to continue to validate with cached
	    copies of the old DNSKEY RRset.  The <code class="option">-Q</code>
            option forces <span class="command"><strong>dnssec-signzone</strong></span> to remove
            signatures from keys that are no longer active. This
            enables ZSK rollover using the procedure described in
            RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
          </p>
</dd>
<dt><span class="term">-R</span></dt>
<dd>
<p>
	    Remove signatures from keys that are no longer published.
          </p>
<p>
            This option is similar to <code class="option">-Q</code>, except it
            forces <span class="command"><strong>dnssec-signzone</strong></span> to remove
            signatures from keys that are no longer published. This
            enables ZSK rollover using the procedure described in
            RFC 4641, section 4.2.1.2 ("Double Signature Zone Signing
            Key Rollover").
          </p>
Tinderbox User's avatar
Tinderbox User committed
353
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
            Specifies the source of randomness.  If the operating
            system does not provide a <code class="filename">/dev/random</code>
            or equivalent device, the default source of randomness
            is keyboard input.  <code class="filename">randomdev</code>
            specifies the name of a character device or file containing random
            data to be used instead of the default.  The special value
            <code class="filename">keyboard</code> indicates that keyboard
            input should be used.
          </p></dd>
<dt><span class="term">-S</span></dt>
<dd>
<p>
            Smart signing: Instructs <span class="command"><strong>dnssec-signzone</strong></span> to
            search the key repository for keys that match the zone being
            signed, and to include them in the zone if appropriate.
          </p>
<p>
            When a key is found, its timing metadata is examined to
            determine how it should be used, according to the following
            rules.  Each successive rule takes priority over the prior
            ones:
          </p>
<div class="variablelist"><dl class="variablelist">
<dt></dt>
<dd><p>
                  If no timing metadata has been set for the key, the key is
                  published in the zone and used to sign the zone.
                </p></dd>
<dt></dt>
<dd><p>
                  If the key's publication date is set and is in the past, the
                  key is published in the zone.
                </p></dd>
<dt></dt>
<dd><p>
                  If the key's activation date is set and in the past, the
                  key is published (regardless of publication date) and
                  used to sign the zone.
                </p></dd>
<dt></dt>
<dd><p>
                  If the key's revocation date is set and in the past, and the
                  key is published, then the key is revoked, and the revoked key
                  is used to sign the zone.
                </p></dd>
<dt></dt>
<dd><p>
                  If either of the key's unpublication or deletion dates is set
                  and in the past, the key is NOT published or used to sign the
                  zone, regardless of any other metadata.
                </p></dd>
</dl></div>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
            Specifies a TTL to be used for new DNSKEY records imported
            into the zone from the key repository.  If not
            specified, the default is the TTL value from the zone's SOA
            record.  This option is ignored when signing without
            <code class="option">-S</code>, since DNSKEY records are not imported
            from the key repository in that case.  It is also ignored if
            there are any pre-existing DNSKEY records at the zone apex,
            in which case new records' TTL values will be set to match
            them, or if any of the imported DNSKEY records had a default
            TTL value.  In the event of a conflict between TTL values in
            imported keys, the shortest one is used.
          </p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>
            Print statistics at completion.
          </p></dd>
<dt><span class="term">-u</span></dt>
<dd><p>
            Update NSEC/NSEC3 chain when re-signing a previously signed
            zone.  With this option, a zone signed with NSEC can be
            switched to NSEC3, or a zone signed with NSEC3 can
            be switched to NSEC or to NSEC3 with different parameters.
            Without this option, <span class="command"><strong>dnssec-signzone</strong></span> will
            retain the existing chain when re-signing.
          </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
            Sets the debugging level.
          </p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>
            Only sign the DNSKEY RRset with key-signing keys, and omit
            signatures from zone-signing keys.  (This is similar to the
            <span class="command"><strong>dnssec-dnskey-kskonly yes;</strong></span> zone option in
            <span class="command"><strong>named</strong></span>.)
          </p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
            Ignore the KSK flag on a key when determining what to sign.  This
            causes KSK-flagged keys to sign all records, not just the
            DNSKEY RRset.  (This is similar to the
            <span class="command"><strong>update-check-ksk no;</strong></span> zone option in
            <span class="command"><strong>named</strong></span>.)
          </p></dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd><p>
            Generate an NSEC3 chain with the given hex-encoded salt.
	    A dash given as <em class="replaceable"><code>salt</code></em>
	    indicates that no salt is to be used when generating
	    the NSEC3 chain.
          </p></dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd><p>
	    When generating an NSEC3 chain, use this many iterations.  The
	    default is 10.
          </p></dd>
<dt><span class="term">-A</span></dt>
<dd>
<p>
	    When generating an NSEC3 chain, set the OPTOUT flag on all
	    NSEC3 records and do not generate NSEC3 records for insecure
	    delegations.
          </p>
<p>
	    Using this option twice (i.e., <code class="option">-AA</code>)
	    turns the OPTOUT flag off for all records.  This is useful
	    when using the <code class="option">-u</code> option to modify an NSEC3
	    chain which previously had OPTOUT set.
          </p>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
            The file containing the zone to be signed.
          </p></dd>
<dt><span class="term">key</span></dt>
<dd><p>
	    Specify which keys should be used to sign the zone.  If
	    no keys are specified, then the zone will be examined
	    for DNSKEY records at the zone apex.  If these are found and
	    there are matching private keys in the current directory,
	    then these will be used for signing.
          </p></dd>
</dl></div>
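As an added illustration (not code from BIND or from this manual page), the following Python models the five <code class="option">-S</code> timing rules listed above and applies them to a constructed key repository caught midway through the pre-publish ZSK rollover that <code class="option">-Q</code> supports; the key names, dates and the event names "publish", "activate", "revoke", "unpublish" and "delete" are assumptions made for the example.

```python
from datetime import datetime, timezone

# BIND writes key timing metadata as YYYYMMDDHHMMSS timestamps (UTC).
TIMESTAMP_FORMAT = "%Y%m%d%H%M%S"

def parse_ts(value):
    """Parse a BIND-style timestamp such as 20150601000000 as a UTC datetime."""
    return datetime.strptime(value, TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)

def smart_signing_decision(metadata, now):
    """Apply the -S rules in order; each later rule overrides the earlier ones.

    metadata maps the event names used on the manual page ("publish", "activate",
    "revoke", "unpublish", "delete") to datetimes; a missing or None entry is unset.
    Returns (published, used_to_sign, revoked).
    """
    def in_past(event):
        when = metadata.get(event)
        return when is not None and when <= now

    # Rule 1: no timing metadata at all -> publish and sign.
    if not any(v is not None for v in metadata.values()):
        return (True, True, False)
    published = signing = revoked = False
    # Rule 2: publication date reached -> publish, but do not sign yet.
    if in_past("publish"):
        published = True
    # Rule 3: activation date reached -> publish (whatever the publish date) and sign.
    if in_past("activate"):
        published = signing = True
    # Rule 4: revocation date reached on a published key -> revoked, and the revoked key signs.
    if in_past("revoke") and published:
        revoked = signing = True
    # Rule 5: unpublication or deletion date reached -> neither published nor signing.
    if in_past("unpublish") or in_past("delete"):
        published = signing = revoked = False
    return (published, signing, revoked)

# Constructed scenario (assumed values): the repository on 2015-06-15, halfway through a
# pre-publish ZSK rollover: "new-zsk" is published but not yet active, "old-zsk" still signs.
NOW = parse_ts("20150615000000")
KEYS = {
    "old-zsk": {"activate": parse_ts("20150101000000"), "unpublish": parse_ts("20150701000000")},
    "new-zsk": {"publish": parse_ts("20150601000000"), "activate": parse_ts("20150701000000")},
    "retired": {"activate": parse_ts("20140101000000"), "delete": parse_ts("20150101000000")},
    "legacy": {},  # no metadata at all: rule 1 applies
}

def zone_key_plan(keys=KEYS, now=NOW):
    """Return {key name: (published, used_to_sign, revoked)} for the whole repository."""
    return {name: smart_signing_decision(meta, now) for name, meta in keys.items()}
```

Running <code>zone_key_plan()</code> shows the pre-publish state the page describes: the new ZSK is in the DNSKEY RRset but produces no signatures until its activation date, while the deleted key is excluded whatever its other dates say.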
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>EXAMPLE</h2>
<p>
      The following command signs the <strong class="userinput"><code>example.com</code></strong>
      zone with the DSA key generated by <span class="command"><strong>dnssec-keygen</strong></span>
      (Kexample.com.+003+17247).  Because the <span class="command"><strong>-S</strong></span> option
      is not being used, the zone's keys must be in the master file
      (<code class="filename">db.example.com</code>).  This invocation looks
      for <code class="filename">dsset</code> files in the current directory,
      so that DS records can be imported from them (<span class="command"><strong>-g</strong></span>).
    </p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</pre>
<p>
      In the above example, <span class="command"><strong>dnssec-signzone</strong></span> creates
      the file <code class="filename">db.example.com.signed</code>.  This
      file should be referenced in a zone statement in a
      <code class="filename">named.conf</code> file.
    </p>
<p>
      This example re-signs a previously signed zone with default parameters.
      The private keys are assumed to be in the current directory.
    </p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</pre>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
    </p>
</div>
</div></body>
</html>