1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
5 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
6 - Copyright (C) 2000-2003 Internet Software Consortium.
8 - Permission to use, copy, modify, and/or distribute this software for any
9 - purpose with or without fee is hereby granted, provided that the above
10 - copyright notice and this permission notice appear in all copies.
12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
18 - PERFORMANCE OF THIS SOFTWARE.
21 <!-- $Id: dnssec-signzone.docbook,v 1.31.44.8 2009-11-06 21:36:22 each Exp $ -->
22 <refentry id="man.dnssec-signzone">
24 <date>June 08, 2009</date>
28 <refentrytitle><application>dnssec-signzone</application></refentrytitle>
29 <manvolnum>8</manvolnum>
30 <refmiscinfo>BIND9</refmiscinfo>
34 <refname><application>dnssec-signzone</application></refname>
35 <refpurpose>DNSSEC zone signing tool</refpurpose>
46 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
53 <holder>Internet Software Consortium.</holder>
59 <command>dnssec-signzone</command>
60 <arg><option>-a</option></arg>
61 <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
62 <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
63 <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
64 <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
65 <arg><option>-g</option></arg>
66 <arg><option>-h</option></arg>
67 <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
68 <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
69 <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
70 <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
71 <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
72 <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
73 <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
74 <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
75 <arg><option>-p</option></arg>
76 <arg><option>-P</option></arg>
77 <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
78 <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
79 <arg><option>-t</option></arg>
80 <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
81 <arg><option>-z</option></arg>
82 <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
83 <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
84 <arg><option>-A</option></arg>
85 <arg choice="req">zonefile</arg>
86 <arg rep="repeat">key</arg>
91 <title>DESCRIPTION</title>
92 <para><command>dnssec-signzone</command>
93 signs a zone. It generates
94 NSEC and RRSIG records and produces a signed version of the
95 zone. It also generates a <filename>keyset-</filename> file containing
96 the key-signing keys for the zone, and if signing a zone which
97 contains delegations, it can optionally generate DS records for
98 the child zones from their <filename>keyset-</filename> files.
103 <title>OPTIONS</title>
110 Verify all generated signatures.
116 <term>-c <replaceable class="parameter">class</replaceable></term>
119 Specifies the DNS class of the zone.
125 <term>-k <replaceable class="parameter">key</replaceable></term>
128 Treat specified key as a key signing key ignoring any
129 key flags. This option may be specified multiple times.
135 <term>-l <replaceable class="parameter">domain</replaceable></term>
138 Generate a DLV set in addition to the key (DNSKEY) and DS sets.
139 The domain is appended to the name of the records.
145 <term>-d <replaceable class="parameter">directory</replaceable></term>
148 Look for <filename>keyset</filename> files in
149 <option>directory</option> as the directory
158 If the zone contains any delegations, and there are
159 <filename>keyset-</filename> files for any of the child zones,
160 then DS records for the child zones will be generated from the
161 keys in those files. Existing DS records will be removed.
167 <term>-s <replaceable class="parameter">start-time</replaceable></term>
170 Specify the date and time when the generated RRSIG records
171 become valid. This can be either an absolute or relative
172 time. An absolute start time is indicated by a number
173 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
174 14:45:00 UTC on May 30th, 2000. A relative start time is
175 indicated by +N, which is N seconds from the current time.
176 If no <option>start-time</option> is specified, the current
177 time minus 1 hour (to allow for clock skew) is used.
183 <term>-e <replaceable class="parameter">end-time</replaceable></term>
186 Specify the date and time when the generated RRSIG records
187 expire. As with <option>start-time</option>, an absolute
188 time is indicated in YYYYMMDDHHMMSS notation. A time relative
189 to the start time is indicated with +N, which is N seconds from
190 the start time. A time relative to the current time is
191 indicated with now+N. If no <option>end-time</option> is
192 specified, 30 days from the start time is used as a default.
198 <term>-f <replaceable class="parameter">output-file</replaceable></term>
201 The name of the output file containing the signed zone. The
202 default is to append <filename>.signed</filename> to
213 Prints a short summary of the options and arguments to
214 <command>dnssec-signzone</command>.
220 <term>-i <replaceable class="parameter">interval</replaceable></term>
223 When a previously-signed zone is passed as input, records
224 may be resigned. The <option>interval</option> option
225 specifies the cycle interval as an offset from the current
226 time (in seconds). If a RRSIG record expires after the
227 cycle interval, it is retained. Otherwise, it is considered
228 to be expiring soon, and it will be replaced.
231 The default cycle interval is one quarter of the difference
232 between the signature end and start times. So if neither
233 <option>end-time</option> or <option>start-time</option>
234 are specified, <command>dnssec-signzone</command>
236 signatures that are valid for 30 days, with a cycle
237 interval of 7.5 days. Therefore, if any existing RRSIG records
238 are due to expire in less than 7.5 days, they would be
245 <term>-I <replaceable class="parameter">input-format</replaceable></term>
248 The format of the input zone file.
249 Possible formats are <command>"text"</command> (default)
250 and <command>"raw"</command>.
251 This option is primarily intended to be used for dynamic
252 signed zones so that the dumped zone file in a non-text
253 format containing updates can be signed directly.
254 The use of this option does not make much sense for
261 <term>-j <replaceable class="parameter">jitter</replaceable></term>
264 When signing a zone with a fixed signature lifetime, all
265 RRSIG records issued at the time of signing expires
266 simultaneously. If the zone is incrementally signed, i.e.
267 a previously-signed zone is passed as input to the signer,
268 all expired signatures have to be regenerated at about the
269 same time. The <option>jitter</option> option specifies a
270 jitter window that will be used to randomize the signature
271 expire time, thus spreading incremental signature
272 regeneration over time.
275 Signature lifetime jitter also to some extent benefits
276 validators and servers by spreading out cache expiration,
277 i.e. if large numbers of RRSIGs don't expire at the same time
278 from all caches there will be less congestion than if all
279 validators need to refetch at mostly the same time.
285 <term>-n <replaceable class="parameter">ncpus</replaceable></term>
288 Specifies the number of threads to use. By default, one
289 thread is started for each detected CPU.
295 <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
298 The SOA serial number format of the signed zone.
299 Possible formats are <command>"keep"</command> (default),
300 <command>"increment"</command> and
301 <command>"unixtime"</command>.
306 <term><command>"keep"</command></term>
308 <para>Do not modify the SOA serial number.</para>
313 <term><command>"increment"</command></term>
315 <para>Increment the SOA serial number using RFC 1982
321 <term><command>"unixtime"</command></term>
323 <para>Set the SOA serial number to the number of seconds
333 <term>-o <replaceable class="parameter">origin</replaceable></term>
336 The zone origin. If not specified, the name of the zone file
337 is assumed to be the origin.
343 <term>-O <replaceable class="parameter">output-format</replaceable></term>
346 The format of the output file containing the signed zone.
347 Possible formats are <command>"text"</command> (default)
348 and <command>"raw"</command>.
357 Use pseudo-random data when signing the zone. This is faster,
358 but less secure, than using real random data. This option
359 may be useful when signing large zones or when the entropy
369 Disable post sign verification tests.
372 The post sign verification test ensures that for each algorithm
373 in use there is at least one non revoked self signed KSK key,
374 that all revoked KSK keys are self signed, and that all records
375 in the zone are signed by the algorithm.
376 This option skips these tests.
382 <term>-r <replaceable class="parameter">randomdev</replaceable></term>
385 Specifies the source of randomness. If the operating
386 system does not provide a <filename>/dev/random</filename>
387 or equivalent device, the default source of randomness
388 is keyboard input. <filename>randomdev</filename>
390 the name of a character device or file containing random
391 data to be used instead of the default. The special value
392 <filename>keyboard</filename> indicates that keyboard
393 input should be used.
402 Print statistics at completion.
408 <term>-v <replaceable class="parameter">level</replaceable></term>
411 Sets the debugging level.
420 Ignore KSK flag on key when determining what to sign.
426 <term>-3 <replaceable class="parameter">salt</replaceable></term>
429 Generate a NSEC3 chain with the given hex encoded salt.
430 A dash (<replaceable class="parameter">salt</replaceable>) can
431 be used to indicate that no salt is to be used when generating the NSEC3 chain.
437 <term>-H <replaceable class="parameter">iterations</replaceable></term>
440 When generating a NSEC3 chain use this many interations. The
450 When generating a NSEC3 chain set the OPTOUT flag on all
451 NSEC3 records and do not generate NSEC3 records for insecure
458 <term>zonefile</term>
461 The file containing the zone to be signed.
470 Specify which keys should be used to sign the zone. If
471 no keys are specified, then the zone will be examined
472 for DNSKEY records at the zone apex. If these are found and
473 there are matching private keys, in the current directory,
474 then these will be used for signing.
483 <title>EXAMPLE</title>
485 The following command signs the <userinput>example.com</userinput>
486 zone with the DSA key generated by <command>dnssec-keygen</command>
487 (Kexample.com.+003+17247). The zone's keys must be in the master
488 file (<filename>db.example.com</filename>). This invocation looks
489 for <filename>keyset</filename> files, in the current directory,
490 so that DS records can be generated from them (<command>-g</command>).
492 <programlisting>% dnssec-signzone -g -o example.com db.example.com \
493 Kexample.com.+003+17247
494 db.example.com.signed
497 In the above example, <command>dnssec-signzone</command> creates
498 the file <filename>db.example.com.signed</filename>. This
499 file should be referenced in a zone statement in a
500 <filename>named.conf</filename> file.
503 This example re-signs a previously signed zone with default parameters.
504 The private keys are assumed to be in the current directory.
506 <programlisting>% cp db.example.com.signed db.example.com
507 % dnssec-signzone -o example.com db.example.com
508 db.example.com.signed
513 <title>KNOWN BUGS</title>
515 <command>dnssec-signzone</command> was designed so that it could
516 sign a zone partially, using only a subset of the DNSSEC keys
517 needed to produce a fully-signed zone. This permits a zone
518 administrator, for example, to sign a zone with one key on one
519 machine, move the resulting partially-signed zone to a second
520 machine, and sign it again with a second key.
523 An unfortunate side-effect of this flexibility is that
524 <command>dnssec-signzone</command> does not check to make sure
525 it's signing a zone with any valid keys at all. An attempt to
526 sign a zone without any keys will appear to succeed, producing
527 a "signed" zone with no signatures. There is no warning issued
528 when a zone is not fully signed.
532 This will be corrected in a future release. In the meantime, ISC
533 recommends examining the output of <command>dnssec-signzone</command>
534 to confirm that the zone is properly signed by all keys before
540 <title>SEE ALSO</title>
542 <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
544 <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
545 <citetitle>RFC 4033</citetitle>.
550 <title>AUTHOR</title>
551 <para><corpauthor>Internet Systems Consortium</corpauthor>