<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
 - 
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-settime.html">Prev</a></td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"><a accesskey="n" href="man.dnssec-verify.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
  
  

  

  <div class="refnamediv">
<h2>Name</h2>
<p>
    <span class="application">dnssec-signzone</span>
     &#8212; DNSSEC zone signing tool
  </p>
</div>

  

  <div class="refsynopsisdiv">
<h2>Synopsis</h2>
    <div class="cmdsynopsis"><p>
      <code class="command">dnssec-signzone</code> 
       [<code class="option">-a</code>]
       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
       [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>]
       [<code class="option">-D</code>]
       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
       [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>]
       [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>]
       [<code class="option">-g</code>]
       [<code class="option">-h</code>]
       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
       [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
       [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>]
       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
       [<code class="option">-k <em class="replaceable"><code>key</code></em></code>]
       [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
       [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>]
       [<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>]
       [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>]
       [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
       [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>]
       [<code class="option">-P</code>]
       [<code class="option">-Q</code>]
       [<code class="option">-R</code>]
       [<code class="option">-S</code>]
       [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>]
       [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>]
       [<code class="option">-t</code>]
       [<code class="option">-u</code>]
       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
       [<code class="option">-V</code>]
       [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>]
       [<code class="option">-x</code>]
       [<code class="option">-z</code>]
       [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>]
       [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>]
       [<code class="option">-A</code>]
       {zonefile}
       [key...]
    </p></div>
  </div>

  <div class="refsection">
<a name="id-1.13.16.7"></a><h2>DESCRIPTION</h2>

    <p><span class="command"><strong>dnssec-signzone</strong></span>
      signs a zone.  It generates
      NSEC and RRSIG records and produces a signed version of the
      zone. The security status of delegations from the signed zone
      (that is, whether the child zones are secure or not) is
      determined by the presence or absence of a
      <code class="filename">keyset</code> file for each child zone.
    </p>
  </div>

  <div class="refsection">
<a name="id-1.13.16.8"></a><h2>OPTIONS</h2>


    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a</span></dt>
<dd>
          <p>
            Verify all generated signatures.
          </p>
        </dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
          <p>
            Specifies the DNS class of the zone.
          </p>
        </dd>
<dt><span class="term">-C</span></dt>
<dd>
          <p>
            Compatibility mode: Generate a
            <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
            file in addition to
            <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
            when signing a zone, for use by older versions of
            <span class="command"><strong>dnssec-signzone</strong></span>.
          </p>
        </dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
          <p>
            Look for <code class="filename">dsset-</code> or
            <code class="filename">keyset-</code> files in <code class="option">directory</code>.
          </p>
        </dd>
<dt><span class="term">-D</span></dt>
<dd>
          <p>
	    Output only those record types automatically managed by
	    <span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
	    NSEC3 and NSEC3PARAM records. If smart signing
	    (<code class="option">-S</code>) is used, DNSKEY records are also
	    included. The resulting file can be included in the original
	    zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
	    cannot be combined with <code class="option">-O raw</code>,
            <code class="option">-O map</code>, or serial number updating.
          </p>
        </dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
          <p>
            When applicable, specifies the hardware to use for
            cryptographic operations, such as a secure key store used
            for signing.
          </p>
          <p>
            When BIND is built with OpenSSL PKCS#11 support, this defaults
            to the string "pkcs11", which identifies an OpenSSL engine
            that can drive a cryptographic accelerator or hardware service
            module.  When BIND is built with native PKCS#11 cryptography
            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
            provider library specified via "--with-pkcs11".
          </p>
        </dd>
<dt><span class="term">-g</span></dt>
<dd>
          <p>
            Generate DS records for child zones from
            <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
            file.  Existing DS records will be removed.
          </p>
        </dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
          <p>
            Key repository: Specify a directory to search for DNSSEC keys.
            If not specified, defaults to the current directory.
          </p>
        </dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd>
          <p>
            Treat the specified key as a key-signing key, ignoring any
            key flags.  This option may be specified multiple times.
          </p>
        </dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
          <p>
            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
            The domain is appended to the name of the records.
          </p>
        </dd>
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
<dd>
          <p>
            Sets the maximum TTL for the signed zone.
            Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
            input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
            in the output. This provides certainty as to the largest
            possible TTL in the signed zone, which is useful to know when
            rolling keys because it is the longest possible time before
            signatures that have been retrieved by resolvers will expire
            from resolver caches.  Zones that are signed with this
            option should be configured to use a matching
            <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
            (Note: This option is incompatible with <code class="option">-D</code>,
            because it modifies non-DNSSEC data in the output zone.)
          </p>
        </dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd>
          <p>
            Specify the date and time when the generated RRSIG records
            become valid.  This can be either an absolute or relative
            time.  An absolute start time is indicated by a number
            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
            14:45:00 UTC on May 30th, 2000.  A relative start time is
            indicated by +N, which is N seconds from the current time.
            If no <code class="option">start-time</code> is specified, the current
            time minus 1 hour (to allow for clock skew) is used.
          </p>
        </dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd>
          <p>
            Specify the date and time when the generated RRSIG records
            expire.  As with <code class="option">start-time</code>, an absolute
            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
            to the start time is indicated with +N, which is N seconds from
            the start time.  A time relative to the current time is
            indicated with now+N.  If no <code class="option">end-time</code> is
            specified, 30 days from the start time is used as a default.
            <code class="option">end-time</code> must be later than
            <code class="option">start-time</code>.
          </p>
        </dd>
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
<dd>
          <p>
            Specify the date and time when the generated RRSIG records
            for the DNSKEY RRset will expire.  This is to be used in cases
            when the DNSKEY signatures need to persist longer than
            signatures on other records; e.g., when the private component
            of the KSK is kept offline and the KSK signature is to be
            refreshed manually.
          </p>
          <p>
            As with <code class="option">start-time</code>, an absolute
            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
            to the start time is indicated with +N, which is N seconds from
            the start time.  A time relative to the current time is
            indicated with now+N.  If no <code class="option">extended end-time</code> is
            specified, the value of <code class="option">end-time</code> is used as
            the default.  (<code class="option">end-time</code>, in turn, defaults to
            30 days from the start time.) <code class="option">extended end-time</code>
            must be later than <code class="option">start-time</code>.
          </p>
        </dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd>
          <p>
            The name of the output file containing the signed zone.  The
            default is to append <code class="filename">.signed</code> to
            the input filename.  If <code class="option">output-file</code> is
            set to <code class="literal">"-"</code>, then the signed zone is
            written to the standard output, with a default output
            format of "full".
          </p>
        </dd>
<dt><span class="term">-h</span></dt>
<dd>
          <p>
            Prints a short summary of the options and arguments to
            <span class="command"><strong>dnssec-signzone</strong></span>.
          </p>
        </dd>
<dt><span class="term">-V</span></dt>
<dd>
	  <p>
	    Prints version information.
	  </p>
        </dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
          <p>
            When a previously-signed zone is passed as input, records
            may be resigned.  The <code class="option">interval</code> option
            specifies the cycle interval as an offset from the current
            time (in seconds).  If an RRSIG record expires after the
            cycle interval, it is retained.  Otherwise, it is considered
            to be expiring soon, and it will be replaced.
          </p>
          <p>
            The default cycle interval is one quarter of the difference
            between the signature end and start times.  So if neither
            <code class="option">end-time</code> nor <code class="option">start-time</code>
            is specified, <span class="command"><strong>dnssec-signzone</strong></span>
            generates
            signatures that are valid for 30 days, with a cycle
            interval of 7.5 days.  Therefore, any existing RRSIG records
            that are due to expire in less than 7.5 days are
            replaced.
          </p>
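<p>
            The timing rules given above for <code class="option">-s</code>,
            <code class="option">-e</code>, <code class="option">-X</code> and
            <code class="option">-i</code> can be modelled directly.  The
            following is an added example written for this page, not code
            from BIND: it parses the three time-specification forms the
            manual describes (absolute YYYYMMDDHHMMSS, +N and now+N),
            applies the documented defaults, and decides which existing
            RRSIGs fall inside the cycle interval.  It assumes absolute
            times are UTC, as the manual's own example implies.
</p>

```python
"""Added example (not BIND's own code): signature timing rules of dnssec-signzone."""
import re
from datetime import datetime, timezone

DAY = 86400
DEFAULT_LIFETIME = 30 * DAY   # end-time defaults to 30 days after start-time
CLOCK_SKEW = 3600             # start-time defaults to now minus 1 hour


def parse_timespec(spec, now, base):
    """Return epoch seconds for a -s/-e/-X style time specification.

    `base` is what a bare "+N" is relative to: the current time for
    start-time, the start time for end-time and extended end-time.
    """
    if re.fullmatch(r"\d{14}", spec):
        # Absolute time in YYYYMMDDHHMMSS, interpreted as UTC (assumption).
        dt = datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    m = re.fullmatch(r"now\+(\d+)", spec)
    if m:
        return now + int(m.group(1))
    m = re.fullmatch(r"\+(\d+)", spec)
    if m:
        return base + int(m.group(1))
    raise ValueError(f"unrecognised time specification: {spec!r}")


def signing_window(now, start=None, end=None, extended_end=None, interval=None):
    """Resolve start, end, extended end and cycle interval using the manual's defaults."""
    start_t = parse_timespec(start, now, now) if start else now - CLOCK_SKEW
    end_t = parse_timespec(end, now, start_t) if end else start_t + DEFAULT_LIFETIME
    if end_t <= start_t:
        raise ValueError("end-time must be later than start-time")
    xend_t = parse_timespec(extended_end, now, start_t) if extended_end else end_t
    if xend_t <= start_t:
        raise ValueError("extended end-time must be later than start-time")
    # Default cycle interval: one quarter of the signature validity period.
    cycle = interval if interval is not None else (end_t - start_t) // 4
    return {"start": start_t, "end": end_t, "extended_end": xend_t, "interval": cycle}


def rrsig_expiry_for(rrtype, window):
    """-X applies only to signatures over the DNSKEY RRset; everything else uses end-time."""
    return window["extended_end"] if rrtype == "DNSKEY" else window["end"]


def needs_resign(rrsig_expiry, now, interval):
    """An existing RRSIG is retained only if it expires after now + interval."""
    return rrsig_expiry <= now + interval


if __name__ == "__main__":
    # Constructed sample: sign "now", with defaults, then check two RRSIG expiries.
    now = 1_000_000
    w = signing_window(now)
    print(w)  # interval is 648000 s, i.e. 7.5 days
    for expiry in (now + 600_000, now + 700_000):
        print(expiry, "resign" if needs_resign(expiry, now, w["interval"]) else "keep")
```

<p>
            The check in <code>needs_resign</code> is the one that matters
            operationally: with the defaults, any RRSIG expiring within
            7.5 days of the signing run is regenerated, so a zone resigned
            at least that often never serves expired signatures.
</p>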
        </dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd>
          <p>
            The format of the input zone file.
	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
	    <span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
	    This option is primarily intended to be used for dynamic
            signed zones so that the dumped zone file in a non-text
            format containing updates can be signed directly.
	    The use of this option does not make much sense for
	    non-dynamic zones.
          </p>
        </dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd>
          <p>
            When signing a zone with a fixed signature lifetime, all
            RRSIG records issued at the time of signing expire
            simultaneously.  If the zone is incrementally signed, i.e.,
            a previously-signed zone is passed as input to the signer,
            all expired signatures have to be regenerated at about the
            same time.  The <code class="option">jitter</code> option specifies a
            jitter window that will be used to randomize the signature
            expiry time, thus spreading incremental signature
            regeneration over time.
          </p>
          <p>
            Signature lifetime jitter also benefits validators and
            servers to some extent by spreading out cache expiration:
            if large numbers of RRSIGs do not expire from all caches at
            the same time, there is less congestion than if all
            validators need to refetch at roughly the same time.
          </p>
        </dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd>
          <p>
            When writing a signed zone to "raw" or "map" format, set the
            "source serial" value in the header to the specified serial
            number.  (This is expected to be used primarily for testing
            purposes.)
          </p>
        </dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd>
          <p>
            Specifies the number of threads to use.  By default, one
            thread is started for each detected CPU.
          </p>
        </dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd>
          <p>
            The SOA serial number format of the signed zone.
	    Possible formats are <span class="command"><strong>"keep"</strong></span> (default),
            <span class="command"><strong>"increment"</strong></span>, <span class="command"><strong>"unixtime"</strong></span>,
            and <span class="command"><strong>"date"</strong></span>.
          </p>

          <div class="variablelist"><dl class="variablelist">
<dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt>
<dd>
                <p>Do not modify the SOA serial number.</p>
	      </dd>
<dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt>
<dd>
                <p>Increment the SOA serial number using RFC 1982
                      arithmetic.</p>
	      </dd>
<dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt>
<dd>
                <p>Set the SOA serial number to the number of seconds
	        since the epoch.</p>
	      </dd>
<dt><span class="term"><span class="command"><strong>"date"</strong></span></span></dt>
<dd>
                <p>Set the SOA serial number to today's date in
                YYYYMMDDNN format.</p>
	      </dd>
</dl></div>
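<p>
            The four serial policies, and in particular the RFC 1982
            wrap-around that <span class="command"><strong>"increment"</strong></span>
            relies on, are easy to get wrong in home-grown signing
            scripts.  The following is an added example written for this
            page, not code from BIND.  The <code>rfc1982_add</code> and
            <code>rfc1982_gt</code> helpers follow RFC 1982 directly; the
            fallback in <code>next_serial</code> that increments the old
            serial when a date- or time-derived value would not be greater
            than it is the example's own safeguard and is not described on
            this page.
</p>

```python
"""Added example (not BIND's own code): the -N soa-serial-format policies."""
from datetime import datetime, timezone

SERIAL_BITS = 32
SERIAL_MOD = 1 << SERIAL_BITS
SERIAL_HALF = 1 << (SERIAL_BITS - 1)


def rfc1982_add(serial, n):
    """Serial number addition per RFC 1982: modulo 2^32, with 0 <= n < 2^31."""
    if not 0 <= n < SERIAL_HALF:
        raise ValueError("addition out of RFC 1982 range")
    return (serial + n) % SERIAL_MOD


def rfc1982_gt(s1, s2):
    """True if s1 is 'greater than' s2 under RFC 1982 serial comparison."""
    return (s1 < s2 and s2 - s1 > SERIAL_HALF) or (s1 > s2 and s1 - s2 < SERIAL_HALF)


def next_serial(current, fmt, now_epoch):
    """Apply a -N policy to the current SOA serial and return the new value."""
    if fmt == "keep":
        return current
    if fmt == "increment":
        return rfc1982_add(current, 1)
    if fmt == "unixtime":
        candidate = now_epoch
    elif fmt == "date":
        # YYYYMMDDNN with NN starting at 00 for today's date (UTC assumed).
        today = datetime.fromtimestamp(now_epoch, tz=timezone.utc).strftime("%Y%m%d")
        candidate = int(today) * 100
    else:
        raise ValueError(f"unknown soa-serial-format: {fmt!r}")
    # Example's own safeguard (not stated on the page): a serial that is not
    # greater in the RFC 1982 sense would not trigger zone transfers on
    # secondaries, so fall back to incrementing the current serial instead.
    if rfc1982_gt(candidate, current):
        return candidate
    return rfc1982_add(current, 1)


if __name__ == "__main__":
    # Constructed sample: 2000-05-30 14:45:00 UTC, the time the manual uses.
    now = 959697900
    for fmt in ("keep", "increment", "unixtime", "date"):
        print(fmt, next_serial(2000052999, fmt, now))
    print("wrap:", next_serial(0xFFFFFFFF, "increment", now))  # 0
```

<p>
            Running the sample shows why RFC 1982 comparison matters: a
            serial of 0xFFFFFFFF incremented once becomes 0, and
            secondaries still treat 0 as newer because the distance across
            the wrap is less than 2^31.
</p>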

        </dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd>
          <p>
            The zone origin.  If not specified, the name of the zone file
            is assumed to be the origin.
          </p>
        </dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd>
          <p>
            The format of the output file containing the signed zone.
	    Possible formats are <span class="command"><strong>"text"</strong></span> (default),
            which is the standard textual representation of the zone;
	    <span class="command"><strong>"full"</strong></span>, which is text output in a
            format suitable for processing by external scripts;
            and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
            and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in
            binary formats for rapid loading by <span class="command"><strong>named</strong></span>.
            <span class="command"><strong>"raw=N"</strong></span> specifies the format version of
            the raw zone file: if N is 0, the raw file can be read by
            any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
            can be read by release 9.9.0 or higher; the default is 1.
          </p>
        </dd>
<dt><span class="term">-P</span></dt>
<dd>
          <p>
	    Disable post-sign verification tests.
          </p>
          <p>
	    The post-sign verification test ensures that for each algorithm
	    in use there is at least one non-revoked, self-signed KSK,
	    that all revoked KSKs are self-signed, and that all records
	    in the zone are signed by the algorithm.
	    This option skips these tests.
          </p>
        </dd>
<dt><span class="term">-Q</span></dt>
<dd>
          <p>
	    Remove signatures from keys that are no longer active.
          </p>
          <p>
            Normally, when a previously-signed zone is passed as input
            to the signer, and a DNSKEY record has been removed and
            replaced with a new one, signatures from the old key
            that are still within their validity period are retained.
            This allows the zone to continue to validate with cached
            copies of the old DNSKEY RRset.  The <code class="option">-Q</code> option
            forces <span class="command"><strong>dnssec-signzone</strong></span> to remove
            signatures from keys that are no longer active. This
            enables ZSK rollover using the procedure described in
            RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
          </p>
        </dd>
<dt><span class="term">-R</span></dt>
<dd>
          <p>
	    Remove signatures from keys that are no longer published.
          </p>
          <p>
            This option is similar to <code class="option">-Q</code>, except it
            forces <span class="command"><strong>dnssec-signzone</strong></span> to remove signatures from
            keys that are no longer published. This enables ZSK rollover
            using the procedure described in RFC 4641, section 4.2.1.2
            ("Double Signature Zone Signing Key Rollover").
          </p>
        </dd>
<dt><span class="term">-S</span></dt>
<dd>
          <p>
            Smart signing: Instructs <span class="command"><strong>dnssec-signzone</strong></span> to
            search the key repository for keys that match the zone being
            signed, and to include them in the zone if appropriate.
          </p>
          <p>
            When a key is found, its timing metadata is examined to
            determine how it should be used, according to the following
            rules.  Each successive rule takes priority over the prior
            ones:
          </p>
          <div class="variablelist"><dl class="variablelist">
<dt></dt>
<dd>
                <p>
Tinderbox User's avatar
Tinderbox User committed
480 481
                  If no timing metadata has been set for the key, the key is
                  published in the zone and used to sign the zone.
Tinderbox User's avatar
Tinderbox User committed
482 483
                </p>
	      </dd>
Tinderbox User's avatar
Tinderbox User committed
484
<dt></dt>
Tinderbox User's avatar
Tinderbox User committed
485 486
<dd>
                <p>
Tinderbox User's avatar
Tinderbox User committed
487 488
                  If the key's publication date is set and is in the past, the
                  key is published in the zone.
Tinderbox User's avatar
Tinderbox User committed
489 490
                </p>
	      </dd>
Tinderbox User's avatar
Tinderbox User committed
491
<dt></dt>
Tinderbox User's avatar
Tinderbox User committed
492 493
<dd>
                <p>
Tinderbox User's avatar
Tinderbox User committed
494 495 496
                  If the key's activation date is set and in the past, the
                  key is published (regardless of publication date) and
                  used to sign the zone.
Tinderbox User's avatar
Tinderbox User committed
497 498
                </p>
	      </dd>
Tinderbox User's avatar
Tinderbox User committed
499
<dt></dt>
Tinderbox User's avatar
Tinderbox User committed
500 501
<dd>
                <p>
Tinderbox User's avatar
Tinderbox User committed
502 503 504
                  If the key's revocation date is set and in the past, and the
                  key is published, then the key is revoked, and the revoked key
                  is used to sign the zone.
Tinderbox User's avatar
Tinderbox User committed
505 506
                </p>
	      </dd>
Tinderbox User's avatar
Tinderbox User committed
507
<dt></dt>
Tinderbox User's avatar
Tinderbox User committed
508 509
<dd>
                <p>
Tinderbox User's avatar
Tinderbox User committed
510 511 512
                  If either of the key's unpublication or deletion dates are set
                  and in the past, the key is NOT published or used to sign the
                  zone, regardless of any other metadata.
Tinderbox User's avatar
Tinderbox User committed
513 514
                </p>
	      </dd>
Tinderbox User's avatar
Tinderbox User committed
515
<dt></dt>
Tinderbox User's avatar
Tinderbox User committed
516 517
<dd>
                <p>
Tinderbox User's avatar
Tinderbox User committed
518 519 520
                  If key's sync publication date is set and in the past,
		  synchronization records (type CDS and/or CDNSKEY) are
		  created.
Tinderbox User's avatar
Tinderbox User committed
521 522
                </p>
	      </dd>
Tinderbox User's avatar
Tinderbox User committed
523
<dt></dt>
Tinderbox User's avatar
Tinderbox User committed
524 525
<dd>
                <p>
Tinderbox User's avatar
Tinderbox User committed
526 527 528
                  If key's sync deletion date is set and in the past,
		  synchronization records (type CDS and/or CDNSKEY) are
		  removed.
Tinderbox User's avatar
Tinderbox User committed
529 530
                </p>
	      </dd>
Tinderbox User's avatar
Tinderbox User committed
531
</dl></div>
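          <p>
            The seven rules above, written out in Python as an added example
            so that the override order can be checked against concrete dates.
            This is an illustration added here, not BIND's own code: it
            assumes Unix epoch seconds for every date, treats
            <code class="literal">None</code> as "not set", treats a date equal
            to the current time as already reached, and models the
            "unpublication" date as a plain field without assuming which
            <span class="command"><strong>dnssec-settime</strong></span> option sets it.
            The key names in the demo are constructed.
          </p>

```python
"""Key selection under dnssec-signzone -S, modelled from the rule list in the
manual page.  Added illustration, not BIND code: timestamps are Unix epoch
seconds and None means the date is not set."""
from dataclasses import dataclass, fields
from typing import Optional


@dataclass
class KeyTiming:
    """Timing metadata carried by a key in the key repository."""
    publish: Optional[int] = None       # publication date
    activate: Optional[int] = None      # activation date
    revoke: Optional[int] = None        # revocation date
    unpublish: Optional[int] = None     # unpublication date
    delete: Optional[int] = None        # deletion date
    sync_publish: Optional[int] = None  # sync publication date (CDS/CDNSKEY)
    sync_delete: Optional[int] = None   # sync deletion date

    def has_metadata(self) -> bool:
        return any(getattr(self, f.name) is not None for f in fields(self))


@dataclass
class KeyState:
    """What the signer does with one key at a given moment."""
    published: bool = False     # DNSKEY record is placed in the zone
    signing: bool = False       # key produces RRSIGs
    revoked: bool = False       # DNSKEY is published with the REVOKE bit set
    sync_records: bool = False  # CDS/CDNSKEY records exist for the key


def _past(when: Optional[int], now: int) -> bool:
    """'Set and in the past': the date exists and is not after `now`
    (treating a date equal to `now` as already reached is an assumption)."""
    return when is not None and when <= now


def smart_signing_state(timing: KeyTiming, now: int) -> KeyState:
    """Apply the -S rules in order; each later rule overrides the earlier ones."""
    if not timing.has_metadata():
        # Rule 1: no timing metadata at all -> publish and sign.
        return KeyState(published=True, signing=True)
    state = KeyState()
    if _past(timing.publish, now):
        # Rule 2: publication date reached -> publish, but do not sign yet.
        state.published = True
    if _past(timing.activate, now):
        # Rule 3: activation date reached -> publish (even without a
        # publication date) and sign.
        state.published = True
        state.signing = True
    if _past(timing.revoke, now) and state.published:
        # Rule 4: revocation date reached on a published key -> mark it
        # revoked; the revoked key is still used to sign.
        state.revoked = True
        state.signing = True
    if _past(timing.unpublish, now) or _past(timing.delete, now):
        # Rule 5: unpublication or deletion date reached -> the key is
        # neither published nor used, regardless of the rules above.
        state = KeyState()
    if _past(timing.sync_publish, now):
        # Rule 6: sync publication date reached -> CDS/CDNSKEY created.
        state.sync_records = True
    if _past(timing.sync_delete, now):
        # Rule 7: sync deletion date reached -> CDS/CDNSKEY removed.
        state.sync_records = False
    return state


def select_keys(repository: dict, now: int) -> dict:
    """Evaluate every key of a repository snapshot: name -> KeyState."""
    return {name: smart_signing_state(t, now) for name, t in repository.items()}


if __name__ == "__main__":
    DAY = 86400
    NOW = 1_700_000_000  # constructed reference time
    repo = {  # constructed key names and dates, not real keys
        "Kexample.com.+013+10001": KeyTiming(),
        "Kexample.com.+013+10002": KeyTiming(publish=NOW - DAY, activate=NOW + DAY),
        "Kexample.com.+013+10003": KeyTiming(publish=NOW - 3 * DAY,
                                             activate=NOW - 2 * DAY,
                                             unpublish=NOW - DAY),
        "Kexample.com.+013+10004": KeyTiming(activate=NOW - DAY,
                                             sync_publish=NOW - DAY),
    }
    for name, st in select_keys(repo, NOW).items():
        print(name, st)
```

          <p>
            The point worth noticing is rule 1 versus "metadata set but all
            in the future": a key with no dates at all is published and
            signs immediately, whereas a key whose publication date lies
            ahead does nothing yet, so a freshly generated key dropped into
            the repository without timing metadata changes the zone on the
            next <code class="option">-S</code> run.
          </p>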
        </dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
          <p>
            Specifies a TTL to be used for new DNSKEY records imported
            into the zone from the key repository.  If not
            specified, the default is the TTL value from the zone's SOA
            record.  This option is ignored when signing without
            <code class="option">-S</code>, since DNSKEY records are not imported
            from the key repository in that case.  It is also ignored if
            there are any pre-existing DNSKEY records at the zone apex,
            in which case new records' TTL values will be set to match
            them, or if any of the imported DNSKEY records had a default
            TTL value.  In the event of a conflict between TTL values in
            imported keys, the shortest one is used.
          </p>
        </dd>
<dt><span class="term">-t</span></dt>
<dd>
          <p>
            Print statistics at completion.
          </p>
        </dd>
<dt><span class="term">-u</span></dt>
<dd>
          <p>
            Update the NSEC/NSEC3 chain when re-signing a previously signed
            zone.  With this option, a zone signed with NSEC can be
            switched to NSEC3, or a zone signed with NSEC3 can
            be switched to NSEC or to NSEC3 with different parameters.
            Without this option, <span class="command"><strong>dnssec-signzone</strong></span> will
            retain the existing chain when re-signing.
          </p>
        </dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
          <p>
            Sets the debugging level.
          </p>
        </dd>
<dt><span class="term">-x</span></dt>
<dd>
          <p>
            Only sign the DNSKEY, CDNSKEY, and CDS RRsets with
            key-signing keys, and omit signatures from zone-signing
            keys. (This is similar to the
            <span class="command"><strong>dnssec-dnskey-kskonly yes;</strong></span> zone option in
            <span class="command"><strong>named</strong></span>.)
          </p>
        </dd>
<dt><span class="term">-z</span></dt>
<dd>
          <p>
            Ignore the KSK flag on keys when determining what to sign.  This
            causes KSK-flagged keys to sign all records, not just the
            DNSKEY RRset.  (This is similar to the
            <span class="command"><strong>update-check-ksk no;</strong></span> zone option in
            <span class="command"><strong>named</strong></span>.)
          </p>
        </dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd>
          <p>
            Generate an NSEC3 chain with the given hex-encoded salt.
            A dash given as the <em class="replaceable"><code>salt</code></em>
            indicates that no salt is to be used when generating the
            NSEC3 chain.
          </p>
        </dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd>
          <p>
            When generating an NSEC3 chain, use this many iterations.  The
            default is 10.
          </p>
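          <p>
            What the <code class="option">-3</code> salt and
            <code class="option">-H</code> iteration count actually feed into is
            the NSEC3 owner-name hash of RFC 5155, section 5; the following
            Python is an added example that computes it, together with the
            hash ordering of a chain and the effect of OPTOUT
            (<code class="option">-A</code>) on insecure delegations.  It is
            not BIND code.  The test vector (salt
            <code class="literal">aabbccdd</code>, 12 iterations, apex
            <code class="literal">example.</code>) is taken from RFC 5155
            Appendix A, not from this page, and the function names and the
            other names in the demo are constructed.
          </p>

```python
"""NSEC3 owner-name hashing (RFC 5155, section 5), written as an added
illustration of what the -3 salt and -H iterations arguments feed into.
Not BIND code; hash algorithm 1 (SHA-1) is the only one defined."""
import base64
import hashlib

# NSEC3 uses base32hex ("Extended Hex", RFC 4648 section 7); the standard
# library only offers plain base32, so translate the alphabet.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def _norm(name: str) -> str:
    """Owner names compare case-insensitively and with or without the dot."""
    return name.lower().rstrip(".")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each prefixed
    by its length byte, terminated by the empty root label."""
    name = _norm(name)
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label length in {name!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def parse_salt(salt: str) -> bytes:
    """The -3 argument: hex-encoded salt, or '-' for no salt."""
    return b"" if salt == "-" else bytes.fromhex(salt)


def nsec3_hash(name: str, salt: str, iterations: int) -> str:
    """IH(0) = SHA1(wire || salt); IH(k) = SHA1(IH(k-1) || salt).  The owner
    hash is IH(iterations), so a chain costs iterations + 1 digests per name,
    for the signer and for every validator that must prove a name absent."""
    salt_bytes = parse_salt(salt)
    digest = hashlib.sha1(name_to_wire(name) + salt_bytes).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt_bytes).digest()
    # 20-byte SHA-1 output -> 32 base32hex characters, no padding needed
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3_chain(names, salt, iterations, insecure_delegations=(), optout=False):
    """Hashed owner names in chain order.  With optout (the -A option)
    insecure delegations get no NSEC3 record of their own."""
    skipped = {_norm(n) for n in insecure_delegations} if optout else set()
    hashes = [nsec3_hash(n, salt, iterations)
              for n in names if _norm(n) not in skipped]
    # base32hex keeps the byte order of the digests, so a plain string sort
    # yields the canonical NSEC3 hash order
    return sorted(hashes)


if __name__ == "__main__":
    # Parameters of the worked zone in RFC 5155 Appendix A: salt aabbccdd,
    # 12 iterations; the apex "example." hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    print(nsec3_hash("example.", "aabbccdd", 12))
    # constructed names for the chain demonstration
    print(nsec3_chain(["example.", "a.example.", "ns1.example."], "aabbccdd", 12,
                      insecure_delegations=["a.example."], optout=True))
```

          <p>
            Each extra iteration is one more SHA-1 computation per name for
            the signer and for every validating resolver handling a negative
            answer, which is why later guidance (RFC 9276) recommends zero
            iterations and no salt rather than the default of 10 shown here;
            the salt and iteration count are published in the zone's
            NSEC3PARAM record, so neither adds secrecy.
          </p>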
        </dd>
<dt><span class="term">-A</span></dt>
<dd>
          <p>
            When generating an NSEC3 chain, set the OPTOUT flag on all
            NSEC3 records and do not generate NSEC3 records for insecure
            delegations.
          </p>
          <p>
            Using this option twice (i.e., <code class="option">-AA</code>)
            turns the OPTOUT flag off for all records.  This is useful
            when using the <code class="option">-u</code> option to modify an NSEC3
            chain which previously had OPTOUT set.
          </p>
        </dd>
<dt><span class="term">zonefile</span></dt>
<dd>
          <p>
            The file containing the zone to be signed.
          </p>
        </dd>
<dt><span class="term">key</span></dt>
<dd>
          <p>
            Specify which keys should be used to sign the zone.  If
            no keys are specified, then the zone will be examined
            for DNSKEY records at the zone apex.  If these are found and
            there are matching private keys in the current directory,
            then these will be used for signing.
          </p>
        </dd>
</dl></div>
  </div>

  <div class="refsection">
<a name="id-1.13.16.9"></a><h2>EXAMPLE</h2>

    <p>
      The following command signs the <strong class="userinput"><code>example.com</code></strong>
      zone with the ECDSAP256SHA256 key generated by
      <span class="command"><strong>dnssec-keygen</strong></span> (Kexample.com.+013+17247).
      Because the <span class="command"><strong>-S</strong></span> option is not being used,
      the zone's keys must be in the master file
      (<code class="filename">db.example.com</code>).  This invocation looks
      for <code class="filename">dsset</code> files in the current directory,
      so that DS records can be imported from them (<span class="command"><strong>-g</strong></span>).
    </p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+013+17247
db.example.com.signed
%</pre>
    <p>
      In the above example, <span class="command"><strong>dnssec-signzone</strong></span> creates
      the file <code class="filename">db.example.com.signed</code>.  This
      file should be referenced in a zone statement in a
      <code class="filename">named.conf</code> file.
    </p>
    <p>
      This example re-signs a previously signed zone with default parameters.
      The private keys are assumed to be in the current directory.
    </p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</pre>
  </div>

  <div class="refsection">
<a name="id-1.13.16.10"></a><h2>SEE ALSO</h2>

    <p><span class="citerefentry">
        <span class="refentrytitle">dnssec-keygen</span>(8)
      </span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
    </p>
  </div>

</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-settime.html">Prev</a></td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
<td width="40%" align="right"><a accesskey="n" href="man.dnssec-verify.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnssec-settime</span></td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"><span class="application">dnssec-verify</span>
</td>
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>