Commit bcab20b2 authored by Mark Andrews
regen

parent bd77e325
......@@ -13,14 +13,14 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-signzone.8,v 1.32 2004/06/11 03:03:12 marka Exp $
.\" $Id: dnssec-signzone.8,v 1.33 2005/03/22 04:58:13 marka Exp $
.\"
.TH "DNSSEC-SIGNZONE" "8" "June 30, 2000" "BIND9" ""
.SH NAME
dnssec-signzone \- DNSSEC zone signing tool
.SH SYNOPSIS
.sp
\fBdnssec-signzone\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-d \fIdirectory\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-f \fIoutput-file\fB\fR ] [ \fB-g\fR ] [ \fB-h\fR ] [ \fB-k \fIkey\fB\fR ] [ \fB-l \fIdomain\fB\fR ] [ \fB-i \fIinterval\fB\fR ] [ \fB-n \fInthreads\fB\fR ] [ \fB-o \fIorigin\fB\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-t\fR ] [ \fB-v \fIlevel\fB\fR ] [ \fB-z\fR ] \fBzonefile\fR [ \fBkey\fR\fI...\fR ]
\fBdnssec-signzone\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-d \fIdirectory\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-f \fIoutput-file\fB\fR ] [ \fB-g\fR ] [ \fB-h\fR ] [ \fB-k \fIkey\fB\fR ] [ \fB-l \fIdomain\fB\fR ] [ \fB-i \fIinterval\fB\fR ] [ \fB-j \fIjitter\fB\fR ] [ \fB-n \fInthreads\fB\fR ] [ \fB-o \fIorigin\fB\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-t\fR ] [ \fB-v \fIlevel\fB\fR ] [ \fB-z\fR ] \fBzonefile\fR [ \fBkey\fR\fI...\fR ]
.SH "DESCRIPTION"
.PP
\fBdnssec-signzone\fR signs a zone. It generates
......@@ -98,6 +98,23 @@ interval of 7.5 days. Therefore, if any existing RRSIG records
are due to expire in less than 7.5 days, they would be
replaced.
.TP
\fB\fR
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed, i.e.
a previously signed zone is passed as input to the signer,
all expired signatures has to be regenerated at about the
same time. The \fBjitter\fR option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
regeneration over time.
Signature lifetime jitter also to some extent benefits
validators and servers by spreading out cache expiration,
i.e. if large numbers of RRSIGs don't expire at the same time
from all caches there will be less congestion than if all
validators need to refetch at mostly the same time.
.TP
\fB-n \fIncpus\fB\fR
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
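Review bot: The new .TP entry for the jitter option has an empty tag line (`\fB\fR`), so the man page shows the description with no option name above it; it should read `\fB-j \fIjitter\fB\fR` to match the synopsis line. The paragraph also calls it "the jitter option" rather than `-j`, never states the unit of the jitter window, and has agreement errors ("expires", "has to be") that should read "expire" and "have to be". As the commit is a regen, these are better fixed in the source the man page is generated from than in this file.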
......
......@@ -15,7 +15,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.html,v 1.13 2004/08/23 00:05:44 marka Exp $ -->
<!-- $Id: dnssec-signzone.html,v 1.14 2005/03/22 04:58:13 marka Exp $ -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
......@@ -115,6 +115,12 @@ CLASS="REPLACEABLE"
></VAR
>] [<VAR
CLASS="OPTION"
>-j <VAR
CLASS="REPLACEABLE"
>jitter</VAR
></VAR
>] [<VAR
CLASS="OPTION"
>-n <VAR
CLASS="REPLACEABLE"
>nthreads</VAR
......@@ -157,7 +163,7 @@ CLASS="OPTION"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN66"
NAME="AEN69"
></A
><H2
>DESCRIPTION</H2
......@@ -179,7 +185,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN71"
NAME="AEN74"
></A
><H2
>OPTIONS</H2
......@@ -358,6 +364,31 @@ CLASS="COMMAND"
</P
></DD
><DT
></DT
><DD
><P
> When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed, i.e.
a previously signed zone is passed as input to the signer,
all expired signatures has to be regenerated at about the
same time. The <VAR
CLASS="OPTION"
>jitter</VAR
> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
regeneration over time.
</P
><P
> Signature lifetime jitter also to some extent benefits
validators and servers by spreading out cache expiration,
i.e. if large numbers of RRSIGs don't expire at the same time
from all caches there will be less congestion than if all
validators need to refetch at mostly the same time.
</P
></DD
><DT
>-n <VAR
CLASS="REPLACEABLE"
>ncpus</VAR
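Review bot: The `<DT></DT>` that opens the new entry is empty, so the HTML options list shows the two jitter paragraphs with no term heading, while the entry after it has `-n ncpus`. The term should carry `-j` with a REPLACEABLE `jitter`, the way the synopsis hunk in this file does. While regenerating, it is also worth aligning the `-n` argument name, which is `ncpus` here but `nthreads` in the synopsis.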
......@@ -462,7 +493,7 @@ CLASS="REPLACEABLE"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN181"
NAME="AEN190"
></A
><H2
>EXAMPLE</H2
......@@ -515,7 +546,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN195"
NAME="AEN204"
></A
><H2
>SEE ALSO</H2
......@@ -540,7 +571,7 @@ CLASS="CITETITLE"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN203"
NAME="AEN212"
></A
><H2
>AUTHOR</H2
......