<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
 - 
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-settime.html">Prev</a></td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"><a accesskey="n" href="man.dnssec-verify.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
  
  

  

  <div class="refnamediv">
<h2>Name</h2>
<p>
    <span class="application">dnssec-signzone</span>
     &#8212; DNSSEC zone signing tool
  </p>
</div>

  

  <div class="refsynopsisdiv">
<h2>Synopsis</h2>
    <div class="cmdsynopsis"><p>
      <code class="command">dnssec-signzone</code> 
       [<code class="option">-a</code>]
       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
       [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>]
       [<code class="option">-D</code>]
       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
       [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>]
       [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>]
       [<code class="option">-g</code>]
       [<code class="option">-h</code>]
       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
       [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
       [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>]
       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
       [<code class="option">-k <em class="replaceable"><code>key</code></em></code>]
       [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
       [<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>]
       [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>]
       [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
       [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>]
       [<code class="option">-P</code>]
       [<code class="option">-p</code>]
       [<code class="option">-Q</code>]
       [<code class="option">-R</code>]
       [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>]
       [<code class="option">-S</code>]
       [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
       [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
       [<code class="option">-t</code>]
       [<code class="option">-u</code>]
       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
       [<code class="option">-V</code>]
       [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>]
       [<code class="option">-x</code>]
       [<code class="option">-z</code>]
       [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>]
       [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>]
       [<code class="option">-A</code>]
       {zonefile}
       [key...]
    </p></div>
  </div>

  <div class="refsection">
<a name="id-1.14.16.7"></a><h2>DESCRIPTION</h2>

    <p><span class="command"><strong>dnssec-signzone</strong></span>
      signs a zone.  It generates
      NSEC and RRSIG records and produces a signed version of the
      zone. The security status of delegations from the signed zone
      (that is, whether the child zones are secure or not) is
      determined by the presence or absence of a
      <code class="filename">keyset</code> file for each child zone.
    </p>
  </div>

  <div class="refsection">
<a name="id-1.14.16.8"></a><h2>OPTIONS</h2>


    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a</span></dt>
<dd>
          <p>
            Verify all generated signatures.
          </p>
        </dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
          <p>
            Specifies the DNS class of the zone.
          </p>
        </dd>
<dt><span class="term">-C</span></dt>
<dd>
          <p>
            Compatibility mode: Generate a
            <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
            file in addition to
            <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
            when signing a zone, for use by older versions of
            <span class="command"><strong>dnssec-signzone</strong></span>.
          </p>
        </dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
          <p>
            Look for <code class="filename">dsset-</code> or
            <code class="filename">keyset-</code> files in <code class="option">directory</code>.
          </p>
        </dd>
<dt><span class="term">-D</span></dt>
<dd>
          <p>
	    Output only those record types automatically managed by
	    <span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
	    NSEC3 and NSEC3PARAM records. If smart signing
	    (<code class="option">-S</code>) is used, DNSKEY records are also
	    included. The resulting file can be included in the original
	    zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
	    cannot be combined with <code class="option">-O raw</code>,
            <code class="option">-O map</code>, or serial number updating.
          </p>
        </dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
          <p>
            When applicable, specifies the hardware to use for
            cryptographic operations, such as a secure key store used
            for signing.
          </p>
          <p>
            When BIND is built with OpenSSL PKCS#11 support, this defaults
            to the string "pkcs11", which identifies an OpenSSL engine
            that can drive a cryptographic accelerator or hardware service
            module.  When BIND is built with native PKCS#11 cryptography
            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
            provider library specified via "--with-pkcs11".
          </p>
        </dd>
<dt><span class="term">-g</span></dt>
<dd>
          <p>
            Generate DS records for child zones from
            <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
            file.  Existing DS records will be removed.
          </p>
        </dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
          <p>
            Key repository: Specify a directory to search for DNSSEC keys.
            If not specified, defaults to the current directory.
          </p>
        </dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd>
          <p>
            Treat specified key as a key signing key ignoring any
            key flags.  This option may be specified multiple times.
          </p>
        </dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
          <p>
            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
            The domain is appended to the name of the records.
          </p>
        </dd>
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
<dd>
          <p>
            Sets the maximum TTL for the signed zone.
            Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
            input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
            in the output. This provides certainty as to the largest
            possible TTL in the signed zone, which is useful to know when
            rolling keys because it is the longest possible time before
            signatures that have been retrieved by resolvers will expire
            from resolver caches.  Zones that are signed with this
            option should be configured to use a matching
            <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
            (Note: This option is incompatible with <code class="option">-D</code>,
            because it modifies non-DNSSEC data in the output zone.)
          </p>
        </dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd>
          <p>
            Specify the date and time when the generated RRSIG records
            become valid.  This can be either an absolute or relative
            time.  An absolute start time is indicated by a number
            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
            14:45:00 UTC on May 30th, 2000.  A relative start time is
            indicated by +N, which is N seconds from the current time.
            If no <code class="option">start-time</code> is specified, the current
            time minus 1 hour (to allow for clock skew) is used.
          </p>
        </dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd>
          <p>
            Specify the date and time when the generated RRSIG records
            expire.  As with <code class="option">start-time</code>, an absolute
            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
            to the start time is indicated with +N, which is N seconds from
            the start time.  A time relative to the current time is
            indicated with now+N.  If no <code class="option">end-time</code> is
            specified, 30 days from the start time is used as a default.
            <code class="option">end-time</code> must be later than
            <code class="option">start-time</code>.
          </p>
        </dd>
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
<dd>
          <p>
            Specify the date and time when the generated RRSIG records
            for the DNSKEY RRset will expire.  This is to be used in cases
            when the DNSKEY signatures need to persist longer than
            signatures on other records; e.g., when the private component
            of the KSK is kept offline and the KSK signature is to be
            refreshed manually.
          </p>
          <p>
            As with <code class="option">start-time</code>, an absolute
            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
            to the start time is indicated with +N, which is N seconds from
            the start time.  A time relative to the current time is
            indicated with now+N.  If no <code class="option">extended end-time</code> is
            specified, the value of <code class="option">end-time</code> is used as
            the default.  (<code class="option">end-time</code>, in turn, defaults to
            30 days from the start time.) <code class="option">extended end-time</code>
            must be later than <code class="option">start-time</code>.
          </p>
        </dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd>
          <p>
            The name of the output file containing the signed zone.  The
            default is to append <code class="filename">.signed</code> to
            the input filename.  If <code class="option">output-file</code> is
            set to <code class="literal">"-"</code>, then the signed zone is
            written to the standard output, with a default output
            format of "full".
          </p>
        </dd>
<dt><span class="term">-h</span></dt>
<dd>
          <p>
            Prints a short summary of the options and arguments to
            <span class="command"><strong>dnssec-signzone</strong></span>.
          </p>
        </dd>
<dt><span class="term">-V</span></dt>
<dd>
	  <p>
	    Prints version information.
	  </p>
        </dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
          <p>
            When a previously-signed zone is passed as input, records
            may be resigned.  The <code class="option">interval</code> option
            specifies the cycle interval as an offset from the current
            time (in seconds).  If an RRSIG record expires after the
            cycle interval, it is retained.  Otherwise, it is considered
            to be expiring soon, and it will be replaced.
          </p>
          <p>
            The default cycle interval is one quarter of the difference
            between the signature end and start times.  So if neither
            <code class="option">end-time</code> nor <code class="option">start-time</code>
            is specified, <span class="command"><strong>dnssec-signzone</strong></span>
            generates
            signatures that are valid for 30 days, with a cycle
            interval of 7.5 days.  Therefore, if any existing RRSIG records
            are due to expire in less than 7.5 days, they would be
            replaced.
          </p>
        </dd>
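<dd>
          <p>
            Added example (not part of the BIND manual and not BIND's code):
            a Python model of how the -s, -e, -X and -i values described above
            resolve into a signing window, and which existing RRSIGs are
            replaced on re-signing. The function names and the sample
            timestamps are constructed for illustration.
          </p>

```python
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)               # default start-time: now minus 1 hour
DEFAULT_LIFETIME = timedelta(days=30)   # default end-time: start plus 30 days


def seconds(text):
    """Parse the N of +N / now+N; only plain decimal digits are accepted."""
    if not text.isdigit():
        raise ValueError(f"bad offset: {text!r}")
    return timedelta(seconds=int(text))


def parse_time(spec, now, relative_to, allow_now=True):
    """Resolve a time spec the way the option text describes it.

    YYYYMMDDHHMMSS is absolute UTC, +N is N seconds after `relative_to`,
    now+N is N seconds after `now` (documented for -e and -X).
    """
    if allow_now and spec.startswith("now+"):
        return now + seconds(spec[4:])
    if spec.startswith("+"):
        return relative_to + seconds(spec[1:])
    if len(spec) == 14 and spec.isdigit():
        stamp = datetime.strptime(spec, "%Y%m%d%H%M%S")
        return stamp.replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised time spec: {spec!r}")


def signing_window(now, start=None, end=None, dnskey_end=None, interval=None):
    """Apply the documented defaults for -s, -e, -X and -i."""
    # -s: +N counts from the current time.
    start_t = parse_time(start, now, now, allow_now=False) if start else now - HOUR
    # -e and -X: +N counts from the start time, now+N from the current time.
    end_t = parse_time(end, now, start_t) if end else start_t + DEFAULT_LIFETIME
    # -X falls back to the value of end-time.
    dnskey_end_t = parse_time(dnskey_end, now, start_t) if dnskey_end else end_t
    if start_t >= end_t or start_t >= dnskey_end_t:
        raise ValueError("end times must be later than start-time")
    # -i defaults to one quarter of the signature lifetime.
    if interval is not None:
        cycle = timedelta(seconds=interval)
    else:
        cycle = (end_t - start_t) / 4
    return {"start": start_t, "end": end_t,
            "dnskey_end": dnskey_end_t, "cycle": cycle}


def plan_resign(expirations, now, cycle):
    """An RRSIG that expires after now + cycle is retained, else replaced."""
    cutoff = now + cycle
    return {owner: ("retain" if expiry > cutoff else "replace")
            for owner, expiry in expirations.items()}


# Constructed sample data: a signing run at 2020-06-01 12:00:00 UTC over a
# previously signed zone with three RRSIG expiry times.
NOW = datetime(2020, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
EXISTING = {
    "old.example.":  datetime(2020, 5, 30, 0, 0, 0, tzinfo=timezone.utc),
    "www.example.":  datetime(2020, 6, 5, 0, 0, 0, tzinfo=timezone.utc),
    "mail.example.": datetime(2020, 6, 20, 0, 0, 0, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    window = signing_window(NOW)
    print("defaults:", window)
    print("re-sign plan:", plan_resign(EXISTING, NOW, window["cycle"]))
    # Offline-KSK style run: 14-day signatures, DNSKEY signatures 90 days out.
    print("with -e/-X:", signing_window(NOW, end="+1209600",
                                        dnskey_end="now+7776000"))
```
</dd>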
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd>
          <p>
            The format of the input zone file.
	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
	    <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
	    This option is primarily intended to be used for dynamic
            signed zones so that the dumped zone file in a non-text
            format containing updates can be signed directly.
	    The use of this option does not make much sense for
	    non-dynamic zones.
          </p>
        </dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd>
          <p>
            When signing a zone with a fixed signature lifetime, all
            RRSIG records issued at the time of signing expire
            simultaneously.  If the zone is incrementally signed, i.e.
            a previously-signed zone is passed as input to the signer,
            all expired signatures have to be regenerated at about the
            same time.  The <code class="option">jitter</code> option specifies a
            jitter window that will be used to randomize the signature
            expire time, thus spreading incremental signature
            regeneration over time.
          </p>
          <p>
            Signature lifetime jitter also benefits validators and
            servers to some extent by spreading out cache expiration:
            if large numbers of RRSIGs do not expire from all caches at
            the same time, there is less congestion than if all
            validators need to refetch at about the same time.
          </p>
        </dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd>
          <p>
            When writing a signed zone to "raw" or "map" format, set the
            "source serial" value in the header to the specified serial
            number.  (This is expected to be used primarily for testing
            purposes.)
          </p>
        </dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd>
          <p>
            Specifies the number of threads to use.  By default, one
            thread is started for each detected CPU.
          </p>
        </dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd>
          <p>
            The SOA serial number format of the signed zone.
	    Possible formats are <span class="command"><strong>"keep"</strong></span> (default),
            <span class="command"><strong>"increment"</strong></span>, <span class="command"><strong>"unixtime"</strong></span>,
            and <span class="command"><strong>"date"</strong></span>.
          </p>

          <div class="variablelist"><dl class="variablelist">
<dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt>
<dd>
                <p>Do not modify the SOA serial number.</p>
	      </dd>
<dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt>
<dd>
                <p>Increment the SOA serial number using RFC 1982
                      arithmetic.</p>
	      </dd>
<dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt>
<dd>
                <p>Set the SOA serial number to the number of seconds
	        since epoch.</p>
	      </dd>
<dt><span class="term"><span class="command"><strong>"date"</strong></span></span></dt>
<dd>
                <p>Set the SOA serial number to today's date in
                YYYYMMDDNN format.</p>
	      </dd>
</dl></div>

        </dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd>
          <p>
            The zone origin.  If not specified, the name of the zone file
            is assumed to be the origin.
          </p>
        </dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd>
          <p>
            The format of the output file containing the signed zone.
	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
            which is the standard textual representation of the zone;
	    <span class="command"><strong>"full"</strong></span>, which is text output in a
            format suitable for processing by external scripts;
            and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
            and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in
            binary formats for rapid loading by <span class="command"><strong>named</strong></span>.
            <span class="command"><strong>"raw=N"</strong></span> specifies the format version of
            the raw zone file: if N is 0, the raw file can be read by
            any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
            can be read by release 9.9.0 or higher; the default is 1.
          </p>
        </dd>
<dt><span class="term">-p</span></dt>
<dd>
          <p>
            Use pseudo-random data when signing the zone.  This is faster,
            but less secure, than using real random data.  This option
            may be useful when signing large zones or when the entropy
            source is limited.
          </p>
        </dd>
<dt><span class="term">-P</span></dt>
<dd>
          <p>
	    Disable post-sign verification tests.
          </p>
          <p>
	    The post-sign verification test ensures that for each algorithm
	    in use there is at least one non-revoked self-signed KSK key,
	    that all revoked KSK keys are self-signed, and that all records
	    in the zone are signed by the algorithm.
	    This option skips these tests.
          </p>
        </dd>
<dt><span class="term">-Q</span></dt>
<dd>
          <p>
	    Remove signatures from keys that are no longer active.
          </p>
          <p>
            Normally, when a previously-signed zone is passed as input
            to the signer, and a DNSKEY record has been removed and
            replaced with a new one, signatures from the old key
            that are still within their validity period are retained.
	    This allows the zone to continue to validate with cached
	    copies of the old DNSKEY RRset.  The <code class="option">-Q</code>
            option forces <span class="command"><strong>dnssec-signzone</strong></span> to remove
            signatures from keys that are no longer active. This
            enables ZSK rollover using the procedure described in
            RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
          </p>
        </dd>
<dt><span class="term">-R</span></dt>
<dd>
          <p>
	    Remove signatures from keys that are no longer published.
          </p>
          <p>
            This option is similar to <code class="option">-Q</code>, except it
            forces <span class="command"><strong>dnssec-signzone</strong></span> to remove signatures from
            keys that are no longer published. This enables ZSK rollover
            using the procedure described in RFC 4641, section 4.2.1.2
            ("Double Signature Zone Signing Key Rollover").
          </p>
        </dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd>
          <p>
            Specifies the source of randomness.  If the operating
            system does not provide a <code class="filename">/dev/random</code>
            or equivalent device, the default source of randomness
            is keyboard input.  <code class="filename">randomdev</code>
            specifies
            the name of a character device or file containing random
            data to be used instead of the default.  The special value
            <code class="filename">keyboard</code> indicates that keyboard
            input should be used.
          </p>
        </dd>
<dt><span class="term">-S</span></dt>
<dd>
          <p>
            Smart signing: Instructs <span class="command"><strong>dnssec-signzone</strong></span> to
            search the key repository for keys that match the zone being
            signed, and to include them in the zone if appropriate.
          </p>
          <p>
            When a key is found, its timing metadata is examined to
            determine how it should be used, according to the following
            rules.  Each successive rule takes priority over the prior
            ones:
          </p>
          <div class="variablelist"><dl class="variablelist">
<dt></dt>
<dd>
                <p>
                  If no timing metadata has been set for the key, the key is
                  published in the zone and used to sign the zone.
                </p>
	      </dd>
<dt></dt>
<dd>
                <p>
                  If the key's publication date is set and is in the past, the
                  key is published in the zone.
                </p>
	      </dd>
<dt></dt>
<dd>
                <p>
                  If the key's activation date is set and in the past, the
                  key is published (regardless of publication date) and
                  used to sign the zone.
                </p>
	      </dd>
<dt></dt>
<dd>
                <p>
                  If the key's revocation date is set and in the past, and the
                  key is published, then the key is revoked, and the revoked key
                  is used to sign the zone.
                </p>
	      </dd>
<dt></dt>
<dd>
                <p>
                  If either the key's unpublication date or its deletion date is set
                  and in the past, the key is NOT published or used to sign the
                  zone, regardless of any other metadata.
                </p>
	      </dd>
</dl></div>
        </dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
          <p>
            Specifies a TTL to be used for new DNSKEY records imported
            into the zone from the key repository.  If not
            specified, the default is the TTL value from the zone's SOA
            record.  This option is ignored when signing without
            <code class="option">-S</code>, since DNSKEY records are not imported
            from the key repository in that case.  It is also ignored if
            there are any pre-existing DNSKEY records at the zone apex,
            in which case new records' TTL values will be set to match
            them, or if any of the imported DNSKEY records had a default
            TTL value.  In the event of a conflict between TTL values in
            imported keys, the shortest one is used.
          </p>
        </dd>
<dt><span class="term">-t</span></dt>
<dd>
          <p>
            Print statistics at completion.
          </p>
        </dd>
<dt><span class="term">-u</span></dt>
<dd>
          <p>
            Update NSEC/NSEC3 chain when re-signing a previously signed
            zone.  With this option, a zone signed with NSEC can be
            switched to NSEC3, or a zone signed with NSEC3 can
            be switched to NSEC or to NSEC3 with different parameters.
            Without this option, <span class="command"><strong>dnssec-signzone</strong></span> will
            retain the existing chain when re-signing.
          </p>
        </dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
          <p>
            Sets the debugging level.
          </p>
        </dd>
<dt><span class="term">-x</span></dt>
<dd>
          <p>
            Only sign the DNSKEY RRset with key-signing keys, and omit
            signatures from zone-signing keys.  (This is similar to the
            <span class="command"><strong>dnssec-dnskey-kskonly yes;</strong></span> zone option in
            <span class="command"><strong>named</strong></span>.)
          </p>
        </dd>
<dt><span class="term">-z</span></dt>
<dd>
          <p>
            Ignore KSK flag on key when determining what to sign.  This
            causes KSK-flagged keys to sign all records, not just the
            DNSKEY RRset.  (This is similar to the
            <span class="command"><strong>update-check-ksk no;</strong></span> zone option in
            <span class="command"><strong>named</strong></span>.)
          </p>
        </dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd>
          <p>
            Generate an NSEC3 chain with the given hex-encoded salt.
            A dash (<code class="option">-</code>) given in place of
            <em class="replaceable"><code>salt</code></em> indicates that
            no salt is to be used when generating the NSEC3 chain.
          </p>
        </dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd>
          <p>
	    When generating an NSEC3 chain, use this many iterations.  The
	    default is 10.
          </p>
        </dd>
<dt><span class="term">-A</span></dt>
<dd>
          <p>
	    When generating an NSEC3 chain, set the OPTOUT flag on all
	    NSEC3 records and do not generate NSEC3 records for insecure
	    delegations.
          </p>
          <p>
	    Using this option twice (i.e., <code class="option">-AA</code>)
	    turns the OPTOUT flag off for all records.  This is useful
	    when using the <code class="option">-u</code> option to modify an NSEC3
	    chain which previously had OPTOUT set.
          </p>
        </dd>
<dt><span class="term">zonefile</span></dt>
<dd>
          <p>
            The file containing the zone to be signed.
          </p>
        </dd>
<dt><span class="term">key</span></dt>
<dd>
          <p>
	    Specify which keys should be used to sign the zone.  If
	    no keys are specified, then the zone will be examined
	    for DNSKEY records at the zone apex.  If these are found and
	    there are matching private keys in the current directory,
	    then these will be used for signing.
          </p>
        </dd>
</dl></div>
  </div>
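<p>
  The precedence of the <code class="option">-S</code> timing rules listed above, modelled
  as an added example; it is not code from BIND or from this manual.  The names
  <code>KeyTiming</code>, <code>KeyState</code> and <code>smart_sign_state</code>, the sample
  dates, and the choice to treat a date equal to the current time as "in the past" are
  assumptions of the example.
</p>

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional


class KeyTiming(NamedTuple):
    """Timing metadata of one key; None means the date is not set."""
    publish: Optional[datetime] = None
    activate: Optional[datetime] = None
    revoke: Optional[datetime] = None
    unpublish: Optional[datetime] = None
    delete: Optional[datetime] = None


class KeyState(NamedTuple):
    published: bool  # DNSKEY record is included in the zone
    signing: bool    # key is used to sign the zone
    revoked: bool    # key is published in revoked form


def smart_sign_state(t: KeyTiming, now: datetime) -> KeyState:
    """Apply the five rules in order; a later rule overrides earlier ones."""
    def past(d: Optional[datetime]) -> bool:
        # Assumption: a date equal to `now` already counts as past.
        return d is not None and d <= now

    published = signing = revoked = False

    # Rule 1: no timing metadata at all -> publish and sign.
    if all(d is None for d in t):
        published = signing = True
    # Rule 2: publication date reached -> publish only.
    if past(t.publish):
        published = True
    # Rule 3: activation date reached -> publish (whatever the
    # publication date says) and sign.
    if past(t.activate):
        published = signing = True
    # Rule 4: revocation date reached and key is published -> the key
    # is revoked and the revoked key signs.
    if past(t.revoke) and published:
        revoked = signing = True
    # Rule 5: unpublication or deletion date reached -> never published
    # or used, regardless of any other metadata.
    if past(t.unpublish) or past(t.delete):
        published = signing = revoked = False

    return KeyState(published, signing, revoked)


# Constructed sample dates for the demonstration.
NOW = datetime(2020, 7, 1, tzinfo=timezone.utc)
EARLIER = NOW - timedelta(days=30)
LATER = NOW + timedelta(days=30)

SAMPLE_KEYS = {
    "no-metadata": KeyTiming(),
    "pre-published": KeyTiming(publish=EARLIER, activate=LATER),
    "active": KeyTiming(publish=LATER, activate=EARLIER),
    "revoked": KeyTiming(publish=EARLIER, activate=EARLIER, revoke=EARLIER),
    "deleted": KeyTiming(publish=EARLIER, activate=EARLIER, delete=EARLIER),
}

if __name__ == "__main__":
    for name, timing in SAMPLE_KEYS.items():
        print(f"{name:14s} {smart_sign_state(timing, NOW)}")
```

<p>
  The "pre-published" row is the state a successor ZSK sits in during a pre-publish
  rollover: present in the DNSKEY RRset but not yet producing signatures.
</p>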

  <div class="refsection">
<a name="id-1.14.16.9"></a><h2>EXAMPLE</h2>

    <p>
      The following command signs the <strong class="userinput"><code>example.com</code></strong>
      zone with the DSA key generated by <span class="command"><strong>dnssec-keygen</strong></span>
      (Kexample.com.+003+17247).  Because the <span class="command"><strong>-S</strong></span> option
      is not being used, the zone's keys must be in the master file
      (<code class="filename">db.example.com</code>).  This invocation looks
      for <code class="filename">dsset</code> files, in the current directory,
      so that DS records can be imported from them (<span class="command"><strong>-g</strong></span>).
    </p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</pre>
    <p>
      In the above example, <span class="command"><strong>dnssec-signzone</strong></span> creates
      the file <code class="filename">db.example.com.signed</code>.  This
      file should be referenced in a zone statement in a
      <code class="filename">named.conf</code> file.
    </p>
    <p>
      This example re-signs a previously signed zone with default parameters.
      The private keys are assumed to be in the current directory.
    </p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</pre>
  </div>

  <div class="refsection">
<a name="id-1.14.16.10"></a><h2>SEE ALSO</h2>

    <p><span class="citerefentry">
        <span class="refentrytitle">dnssec-keygen</span>(8)
      </span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
    </p>
  </div>

</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.21 (Extended Support Version)</p>
</body>
</html>