2 - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000-2003 Internet Software Consortium.
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
17 <!-- $Id: man.dnssec-signzone.html,v 1.94.14.25 2010-08-20 02:05:39 tbox Exp $ -->
20 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
21 <title>dnssec-signzone</title>
22 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
23 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
24 <link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
25 <link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
26 <link rel="next" href="man.named-checkconf.html" title="named-checkconf">
28 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
29 <div class="navheader">
30 <table width="100%" summary="Navigation header">
31 <tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
33 <td width="20%" align="left">
34 <a accesskey="p" href="man.dnssec-keygen.html">Prev</a> </td>
35 <th width="60%" align="center">Manual pages</th>
36 <td width="20%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
42 <div class="refentry" lang="en">
43 <a name="man.dnssec-signzone"></a><div class="titlepage"></div>
44 <div class="refnamediv">
46 <p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
48 <div class="refsynopsisdiv">
50 <div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
52 <div class="refsect1" lang="en">
53 <a name="id2607637"></a><h2>DESCRIPTION</h2>
54 <p><span><strong class="command">dnssec-signzone</strong></span>
55 signs a zone. It generates
56 NSEC and RRSIG records and produces a signed version of the
57 zone. It also generates a <code class="filename">keyset-</code> file containing
58 the key-signing keys for the zone, and if signing a zone which
59 contains delegations, it can optionally generate DS records for
60 the child zones from their <code class="filename">keyset-</code> files.
63 <div class="refsect1" lang="en">
64 <a name="id2607661"></a><h2>OPTIONS</h2>
65 <div class="variablelist"><dl>
66 <dt><span class="term">-a</span></dt>
68 Verify all generated signatures.
70 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
72 Specifies the DNS class of the zone.
74 <dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
76 Treat specified key as a key signing key ignoring any
77 key flags. This option may be specified multiple times.
79 <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
81 Generate a DLV set in addition to the key (DNSKEY) and DS sets.
82 The domain is appended to the name of the records.
84 <dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
86 Look for <code class="filename">keyset</code> files in
87 <code class="option">directory</code> as the directory
89 <dt><span class="term">-g</span></dt>
91 If the zone contains any delegations, and there are
92 <code class="filename">keyset-</code> files for any of the child zones,
93 then DS records for the child zones will be generated from the
94 keys in those files. Existing DS records will be removed.
96 <dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
98 Specify the date and time when the generated RRSIG records
99 become valid. This can be either an absolute or relative
100 time. An absolute start time is indicated by a number
101 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
102 14:45:00 UTC on May 30th, 2000. A relative start time is
103 indicated by +N, which is N seconds from the current time.
104 If no <code class="option">start-time</code> is specified, the current
105 time minus 1 hour (to allow for clock skew) is used.
107 <dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
109 Specify the date and time when the generated RRSIG records
110 expire. As with <code class="option">start-time</code>, an absolute
111 time is indicated in YYYYMMDDHHMMSS notation. A time relative
112 to the start time is indicated with +N, which is N seconds from
113 the start time. A time relative to the current time is
114 indicated with now+N. If no <code class="option">end-time</code> is
115 specified, 30 days from the start time is used as a default.
117 <dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
119 The name of the output file containing the signed zone. The
120 default is to append <code class="filename">.signed</code> to
124 <dt><span class="term">-h</span></dt>
126 Prints a short summary of the options and arguments to
127 <span><strong class="command">dnssec-signzone</strong></span>.
129 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
132 When a previously-signed zone is passed as input, records
133 may be resigned. The <code class="option">interval</code> option
134 specifies the cycle interval as an offset from the current
135 time (in seconds). If a RRSIG record expires after the
136 cycle interval, it is retained. Otherwise, it is considered
137 to be expiring soon, and it will be replaced.
140 The default cycle interval is one quarter of the difference
141 between the signature end and start times. So if neither
142 <code class="option">end-time</code> or <code class="option">start-time</code>
143 are specified, <span><strong class="command">dnssec-signzone</strong></span>
145 signatures that are valid for 30 days, with a cycle
146 interval of 7.5 days. Therefore, if any existing RRSIG records
147 are due to expire in less than 7.5 days, they would be
151 <dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
153 The format of the input zone file.
154 Possible formats are <span><strong class="command">"text"</strong></span> (default)
155 and <span><strong class="command">"raw"</strong></span>.
156 This option is primarily intended to be used for dynamic
157 signed zones so that the dumped zone file in a non-text
158 format containing updates can be signed directly.
159 The use of this option does not make much sense for
162 <dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
165 When signing a zone with a fixed signature lifetime, all
166 RRSIG records issued at the time of signing expires
167 simultaneously. If the zone is incrementally signed, i.e.
168 a previously-signed zone is passed as input to the signer,
169 all expired signatures have to be regenerated at about the
170 same time. The <code class="option">jitter</code> option specifies a
171 jitter window that will be used to randomize the signature
172 expire time, thus spreading incremental signature
173 regeneration over time.
176 Signature lifetime jitter also to some extent benefits
177 validators and servers by spreading out cache expiration,
178 i.e. if large numbers of RRSIGs don't expire at the same time
179 from all caches there will be less congestion than if all
180 validators need to refetch at mostly the same time.
183 <dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
185 Specifies the number of threads to use. By default, one
186 thread is started for each detected CPU.
188 <dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
191 The SOA serial number format of the signed zone.
192 Possible formats are <span><strong class="command">"keep"</strong></span> (default),
193 <span><strong class="command">"increment"</strong></span> and
194 <span><strong class="command">"unixtime"</strong></span>.
196 <div class="variablelist"><dl>
197 <dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
198 <dd><p>Do not modify the SOA serial number.</p></dd>
199 <dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
200 <dd><p>Increment the SOA serial number using RFC 1982
201 arithmetics.</p></dd>
202 <dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
203 <dd><p>Set the SOA serial number to the number of seconds
204 since epoch.</p></dd>
207 <dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
209 The zone origin. If not specified, the name of the zone file
210 is assumed to be the origin.
212 <dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
214 The format of the output file containing the signed zone.
215 Possible formats are <span><strong class="command">"text"</strong></span> (default)
216 and <span><strong class="command">"raw"</strong></span>.
218 <dt><span class="term">-p</span></dt>
220 Use pseudo-random data when signing the zone. This is faster,
221 but less secure, than using real random data. This option
222 may be useful when signing large zones or when the entropy
225 <dt><span class="term">-P</span></dt>
228 Disable post sign verification tests.
231 The post sign verification test ensures that for each algorithm
232 in use there is at least one non revoked self signed KSK key,
233 that all revoked KSK keys are self signed, and that all records
234 in the zone are signed by the algorithm.
235 This option skips these tests.
238 <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
240 Specifies the source of randomness. If the operating
241 system does not provide a <code class="filename">/dev/random</code>
242 or equivalent device, the default source of randomness
243 is keyboard input. <code class="filename">randomdev</code>
245 the name of a character device or file containing random
246 data to be used instead of the default. The special value
247 <code class="filename">keyboard</code> indicates that keyboard
248 input should be used.
250 <dt><span class="term">-t</span></dt>
252 Print statistics at completion.
254 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
256 Sets the debugging level.
258 <dt><span class="term">-z</span></dt>
260 Ignore KSK flag on key when determining what to sign.
262 <dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
264 Generate a NSEC3 chain with the given hex encoded salt.
265 A dash (<em class="replaceable"><code>salt</code></em>) can
266 be used to indicate that no salt is to be used when generating the NSEC3 chain.
268 <dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
270 When generating a NSEC3 chain use this many interations. The
273 <dt><span class="term">-A</span></dt>
275 When generating a NSEC3 chain set the OPTOUT flag on all
276 NSEC3 records and do not generate NSEC3 records for insecure
279 <dt><span class="term">zonefile</span></dt>
281 The file containing the zone to be signed.
283 <dt><span class="term">key</span></dt>
285 Specify which keys should be used to sign the zone. If
286 no keys are specified, then the zone will be examined
287 for DNSKEY records at the zone apex. If these are found and
288 there are matching private keys, in the current directory,
289 then these will be used for signing.
293 <div class="refsect1" lang="en">
294 <a name="id2659554"></a><h2>EXAMPLE</h2>
296 The following command signs the <strong class="userinput"><code>example.com</code></strong>
297 zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
298 (Kexample.com.+003+17247). The zone's keys must be in the master
299 file (<code class="filename">db.example.com</code>). This invocation looks
300 for <code class="filename">keyset</code> files, in the current directory,
301 so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
303 <pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
304 Kexample.com.+003+17247
305 db.example.com.signed
308 In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
309 the file <code class="filename">db.example.com.signed</code>. This
310 file should be referenced in a zone statement in a
311 <code class="filename">named.conf</code> file.
314 This example re-signs a previously signed zone with default parameters.
315 The private keys are assumed to be in the current directory.
317 <pre class="programlisting">% cp db.example.com.signed db.example.com
318 % dnssec-signzone -o example.com db.example.com
319 db.example.com.signed
322 <div class="refsect1" lang="en">
323 <a name="id2659694"></a><h2>KNOWN BUGS</h2>
325 <span><strong class="command">dnssec-signzone</strong></span> was designed so that it could
326 sign a zone partially, using only a subset of the DNSSEC keys
327 needed to produce a fully-signed zone. This permits a zone
328 administrator, for example, to sign a zone with one key on one
329 machine, move the resulting partially-signed zone to a second
330 machine, and sign it again with a second key.
333 An unfortunate side-effect of this flexibility is that
334 <span><strong class="command">dnssec-signzone</strong></span> does not check to make sure
335 it's signing a zone with any valid keys at all. An attempt to
336 sign a zone without any keys will appear to succeed, producing
337 a "signed" zone with no signatures. There is no warning issued
338 when a zone is not fully signed.
341 This will be corrected in a future release. In the meantime, ISC
342 recommends examining the output of <span><strong class="command">dnssec-signzone</strong></span>
343 to confirm that the zone is properly signed by all keys before
347 <div class="refsect1" lang="en">
348 <a name="id2659726"></a><h2>SEE ALSO</h2>
349 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
350 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
351 <em class="citetitle">RFC 4033</em>.
354 <div class="refsect1" lang="en">
355 <a name="id2659751"></a><h2>AUTHOR</h2>
356 <p><span class="corpauthor">Internet Systems Consortium</span>
360 <div class="navfooter">
362 <table width="100%" summary="Navigation footer">
364 <td width="40%" align="left">
365 <a accesskey="p" href="man.dnssec-keygen.html">Prev</a> </td>
366 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
367 <td width="40%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
371 <td width="40%" align="left" valign="top">
372 <span class="application">dnssec-keygen</span> </td>
373 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
374 <td width="40%" align="right" valign="top"> <span class="application">named-checkconf</span>