1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
5 - Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
6 - Copyright (C) 2000-2003 Internet Software Consortium.
8 - Permission to use, copy, modify, and/or distribute this software for any
9 - purpose with or without fee is hereby granted, provided that the above
10 - copyright notice and this permission notice appear in all copies.
12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
18 - PERFORMANCE OF THIS SOFTWARE.
22 <refentry id="man.dnssec-signzone">
24 <date>June 08, 2009</date>
28 <refentrytitle><application>dnssec-signzone</application></refentrytitle>
29 <manvolnum>8</manvolnum>
30 <refmiscinfo>BIND9</refmiscinfo>
34 <refname><application>dnssec-signzone</application></refname>
35 <refpurpose>DNSSEC zone signing tool</refpurpose>
47 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
54 <holder>Internet Software Consortium.</holder>
60 <command>dnssec-signzone</command>
61 <arg><option>-a</option></arg>
62 <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
63 <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
64 <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
65 <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
66 <arg><option>-g</option></arg>
67 <arg><option>-h</option></arg>
68 <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
69 <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
70 <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
71 <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
72 <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
73 <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
74 <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
75 <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
76 <arg><option>-p</option></arg>
77 <arg><option>-P</option></arg>
78 <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
79 <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
80 <arg><option>-t</option></arg>
81 <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
82 <arg><option>-z</option></arg>
83 <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
84 <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
85 <arg><option>-A</option></arg>
86 <arg choice="req">zonefile</arg>
87 <arg rep="repeat">key</arg>
92 <title>DESCRIPTION</title>
93 <para><command>dnssec-signzone</command>
94 signs a zone. It generates
95 NSEC and RRSIG records and produces a signed version of the
96 zone. It also generates a <filename>keyset-</filename> file containing
97 the key-signing keys for the zone, and if signing a zone which
98 contains delegations, it can optionally generate DS records for
99 the child zones from their <filename>keyset-</filename> files.
104 <title>OPTIONS</title>
111 Verify all generated signatures.
117 <term>-c <replaceable class="parameter">class</replaceable></term>
120 Specifies the DNS class of the zone.
126 <term>-k <replaceable class="parameter">key</replaceable></term>
129 Treat specified key as a key signing key ignoring any
130 key flags. This option may be specified multiple times.
136 <term>-l <replaceable class="parameter">domain</replaceable></term>
139 Generate a DLV set in addition to the key (DNSKEY) and DS sets.
140 The domain is appended to the name of the records.
146 <term>-d <replaceable class="parameter">directory</replaceable></term>
149 Look for <filename>keyset</filename> files in
150 <option>directory</option> as the directory
159 If the zone contains any delegations, and there are
160 <filename>keyset-</filename> files for any of the child zones,
161 then DS records for the child zones will be generated from the
162 keys in those files. Existing DS records will be removed.
168 <term>-s <replaceable class="parameter">start-time</replaceable></term>
171 Specify the date and time when the generated RRSIG records
172 become valid. This can be either an absolute or relative
173 time. An absolute start time is indicated by a number
174 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
175 14:45:00 UTC on May 30th, 2000. A relative start time is
176 indicated by +N, which is N seconds from the current time.
177 If no <option>start-time</option> is specified, the current
178 time minus 1 hour (to allow for clock skew) is used.
184 <term>-e <replaceable class="parameter">end-time</replaceable></term>
187 Specify the date and time when the generated RRSIG records
188 expire. As with <option>start-time</option>, an absolute
189 time is indicated in YYYYMMDDHHMMSS notation. A time relative
190 to the start time is indicated with +N, which is N seconds from
191 the start time. A time relative to the current time is
192 indicated with now+N. If no <option>end-time</option> is
193 specified, 30 days from the start time is used as a default.
199 <term>-f <replaceable class="parameter">output-file</replaceable></term>
202 The name of the output file containing the signed zone. The
203 default is to append <filename>.signed</filename> to
214 Prints a short summary of the options and arguments to
215 <command>dnssec-signzone</command>.
221 <term>-i <replaceable class="parameter">interval</replaceable></term>
224 When a previously-signed zone is passed as input, records
225 may be resigned. The <option>interval</option> option
226 specifies the cycle interval as an offset from the current
227 time (in seconds). If a RRSIG record expires after the
228 cycle interval, it is retained. Otherwise, it is considered
229 to be expiring soon, and it will be replaced.
232 The default cycle interval is one quarter of the difference
233 between the signature end and start times. So if neither
234 <option>end-time</option> or <option>start-time</option>
235 are specified, <command>dnssec-signzone</command>
237 signatures that are valid for 30 days, with a cycle
238 interval of 7.5 days. Therefore, if any existing RRSIG records
239 are due to expire in less than 7.5 days, they would be
246 <term>-I <replaceable class="parameter">input-format</replaceable></term>
249 The format of the input zone file.
250 Possible formats are <command>"text"</command> (default)
251 and <command>"raw"</command>.
252 This option is primarily intended to be used for dynamic
253 signed zones so that the dumped zone file in a non-text
254 format containing updates can be signed directly.
255 The use of this option does not make much sense for
262 <term>-j <replaceable class="parameter">jitter</replaceable></term>
265 When signing a zone with a fixed signature lifetime, all
266 RRSIG records issued at the time of signing expires
267 simultaneously. If the zone is incrementally signed, i.e.
268 a previously-signed zone is passed as input to the signer,
269 all expired signatures have to be regenerated at about the
270 same time. The <option>jitter</option> option specifies a
271 jitter window that will be used to randomize the signature
272 expire time, thus spreading incremental signature
273 regeneration over time.
276 Signature lifetime jitter also to some extent benefits
277 validators and servers by spreading out cache expiration,
278 i.e. if large numbers of RRSIGs don't expire at the same time
279 from all caches there will be less congestion than if all
280 validators need to refetch at mostly the same time.
286 <term>-n <replaceable class="parameter">ncpus</replaceable></term>
289 Specifies the number of threads to use. By default, one
290 thread is started for each detected CPU.
296 <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
299 The SOA serial number format of the signed zone.
300 Possible formats are <command>"keep"</command> (default),
301 <command>"increment"</command> and
302 <command>"unixtime"</command>.
307 <term><command>"keep"</command></term>
309 <para>Do not modify the SOA serial number.</para>
314 <term><command>"increment"</command></term>
316 <para>Increment the SOA serial number using RFC 1982
322 <term><command>"unixtime"</command></term>
324 <para>Set the SOA serial number to the number of seconds
334 <term>-o <replaceable class="parameter">origin</replaceable></term>
337 The zone origin. If not specified, the name of the zone file
338 is assumed to be the origin.
344 <term>-O <replaceable class="parameter">output-format</replaceable></term>
347 The format of the output file containing the signed zone.
348 Possible formats are <command>"text"</command> (default)
349 and <command>"raw"</command>.
358 Use pseudo-random data when signing the zone. This is faster,
359 but less secure, than using real random data. This option
360 may be useful when signing large zones or when the entropy
370 Disable post sign verification tests.
373 The post sign verification test ensures that for each algorithm
374 in use there is at least one non revoked self signed KSK key,
375 that all revoked KSK keys are self signed, and that all records
376 in the zone are signed by the algorithm.
377 This option skips these tests.
383 <term>-r <replaceable class="parameter">randomdev</replaceable></term>
386 Specifies the source of randomness. If the operating
387 system does not provide a <filename>/dev/random</filename>
388 or equivalent device, the default source of randomness
389 is keyboard input. <filename>randomdev</filename>
391 the name of a character device or file containing random
392 data to be used instead of the default. The special value
393 <filename>keyboard</filename> indicates that keyboard
394 input should be used.
403 Print statistics at completion.
409 <term>-v <replaceable class="parameter">level</replaceable></term>
412 Sets the debugging level.
421 Ignore KSK flag on key when determining what to sign.
427 <term>-3 <replaceable class="parameter">salt</replaceable></term>
430 Generate a NSEC3 chain with the given hex encoded salt.
431 A dash (<replaceable class="parameter">salt</replaceable>) can
432 be used to indicate that no salt is to be used when generating the NSEC3 chain.
438 <term>-H <replaceable class="parameter">iterations</replaceable></term>
441 When generating a NSEC3 chain use this many interations. The
451 When generating a NSEC3 chain set the OPTOUT flag on all
452 NSEC3 records and do not generate NSEC3 records for insecure
459 <term>zonefile</term>
462 The file containing the zone to be signed.
471 Specify which keys should be used to sign the zone. If
472 no keys are specified, then the zone will be examined
473 for DNSKEY records at the zone apex. If these are found and
474 there are matching private keys, in the current directory,
475 then these will be used for signing.
484 <title>EXAMPLE</title>
486 The following command signs the <userinput>example.com</userinput>
487 zone with the DSA key generated by <command>dnssec-keygen</command>
488 (Kexample.com.+003+17247). The zone's keys must be in the master
489 file (<filename>db.example.com</filename>). This invocation looks
490 for <filename>keyset</filename> files, in the current directory,
491 so that DS records can be generated from them (<command>-g</command>).
493 <programlisting>% dnssec-signzone -g -o example.com db.example.com \
494 Kexample.com.+003+17247
495 db.example.com.signed
498 In the above example, <command>dnssec-signzone</command> creates
499 the file <filename>db.example.com.signed</filename>. This
500 file should be referenced in a zone statement in a
501 <filename>named.conf</filename> file.
504 This example re-signs a previously signed zone with default parameters.
505 The private keys are assumed to be in the current directory.
507 <programlisting>% cp db.example.com.signed db.example.com
508 % dnssec-signzone -o example.com db.example.com
509 db.example.com.signed
514 <title>KNOWN BUGS</title>
516 <command>dnssec-signzone</command> was designed so that it could
517 sign a zone partially, using only a subset of the DNSSEC keys
518 needed to produce a fully-signed zone. This permits a zone
519 administrator, for example, to sign a zone with one key on one
520 machine, move the resulting partially-signed zone to a second
521 machine, and sign it again with a second key.
524 An unfortunate side-effect of this flexibility is that
525 <command>dnssec-signzone</command> does not check to make sure
526 it's signing a zone with any valid keys at all. An attempt to
527 sign a zone without any keys will appear to succeed, producing
528 a "signed" zone with no signatures. There is no warning issued
529 when a zone is not fully signed.
533 This will be corrected in a future release. In the meantime, ISC
534 recommends examining the output of <command>dnssec-signzone</command>
535 to confirm that the zone is properly signed by all keys before
541 <title>SEE ALSO</title>
543 <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
545 <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
546 <citetitle>RFC 4033</citetitle>.
551 <title>AUTHOR</title>
552 <para><corpauthor>Internet Systems Consortium</corpauthor>