summaryrefslogtreecommitdiff
path: root/usr.sbin/bind/bin/dnssec/dnssec-signzone.html
blob: 787d7703ba9bf2cc7c706fba9e25c55f01aebf9b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
<!--
 - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - 
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - 
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $ISC: dnssec-signzone.html,v 1.4.2.1.4.14 2005/10/13 02:33:46 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="id2463721"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nthreads</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2525979"></a><h2>DESCRIPTION</h2>
<p>
        <span><strong class="command">dnssec-signzone</strong></span> signs a zone.  It generates
	NSEC and RRSIG records and produces a signed version of the
	zone. The security status of delegations from the signed zone
	(that is, whether the child zones are secure or not) is
	determined by the presence or absence of a
	<code class="filename">keyset</code> file for each child zone.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2525995"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
	      Verify all generated signatures.
	  </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
	       Specifies the DNS class of the zone.
	  </p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
	       Treat specified key as a key signing key ignoring any
	       key flags.  This option may be specified multiple times.
	  </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
		Generate a DLV set in addition to the key (DNSKEY) and DS sets.
		The domain is appended to the name of the records.
	  </p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
	       Look for <code class="filename">keyset</code> files in
	       <code class="option">directory</code> as the directory 
	  </p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>
		Generate DS records for child zones from keyset files.
		Existing DS records will be removed.
	  </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
	       Specify the date and time when the generated RRSIG records
	       become valid.  This can be either an absolute or relative
	       time.  An absolute start time is indicated by a number
	       in YYYYMMDDHHMMSS notation; 20000530144500 denotes
	       14:45:00 UTC on May 30th, 2000.  A relative start time is
	       indicated by +N, which is N seconds from the current time.
	       If no <code class="option">start-time</code> is specified, the current
	       time minus 1 hour (to allow for clock skew) is used.
	  </p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>
	       Specify the date and time when the generated RRSIG records
	       expire.  As with <code class="option">start-time</code>, an absolute
	       time is indicated in YYYYMMDDHHMMSS notation.  A time relative
	       to the start time is indicated with +N, which is N seconds from
	       the start time.  A time relative to the current time is
	       indicated with now+N.  If no <code class="option">end-time</code> is
	       specified, 30 days from the start time is used as a default.
	  </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
	       The name of the output file containing the signed zone.  The
	       default is to append <code class="filename">.signed</code> to the
	       input file.
	  </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
	       Prints a short summary of the options and arguments to
	       <span><strong class="command">dnssec-signzone</strong></span>.
	  </p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
	       When a previously signed zone is passed as input, records
	       may be resigned.  The <code class="option">interval</code> option
	       specifies the cycle interval as an offset from the current
	       time (in seconds).  If a RRSIG record expires after the
	       cycle interval, it is retained.  Otherwise, it is considered
	       to be expiring soon, and it will be replaced.
	  </p>
<p>
	       The default cycle interval is one quarter of the difference
	       between the signature end and start times.  So if neither
	       <code class="option">end-time</code> or <code class="option">start-time</code>
	       are specified, <span><strong class="command">dnssec-signzone</strong></span> generates
	       signatures that are valid for 30 days, with a cycle
	       interval of 7.5 days.  Therefore, if any existing RRSIG records
	       are due to expire in less than 7.5 days, they would be
	       replaced.
	  </p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>
	       Specifies the number of threads to use.  By default, one
	       thread is started for each detected CPU.
	  </p></dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
	       The zone origin.  If not specified, the name of the zone file
	       is assumed to be the origin.
	  </p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
	       Use pseudo-random data when signing the zone.  This is faster,
	       but less secure, than using real random data.  This option
	       may be useful when signing large zones or when the entropy
	       source is limited.
	  </p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
	       Specifies the source of randomness.  If the operating
	       system does not provide a <code class="filename">/dev/random</code>
	       or equivalent device, the default source of randomness
	       is keyboard input.  <code class="filename">randomdev</code> specifies
	       the name of a character device or file containing random
	       data to be used instead of the default.  The special value
	       <code class="filename">keyboard</code> indicates that keyboard
	       input should be used.
	  </p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>
	       Print statistics at completion.
	  </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
	       Sets the debugging level.
	  </p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
	       Ignore KSK flag on key when determining what to sign.
	  </p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
	       The file containing the zone to be signed.
	  </p></dd>
<dt><span class="term">key</span></dt>
<dd><p>
	       The keys used to sign the zone.  If no keys are specified, the
	       default all zone keys that have private key files in the
	       current directory.
	  </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2526435"></a><h2>EXAMPLE</h2>
<p>
        The following command signs the <strong class="userinput"><code>example.com</code></strong>
	zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span>
	man page.  The zone's keys must be in the zone.  If there are
	<code class="filename">keyset</code> files associated with child zones,
	they must be in the current directory.
	<strong class="userinput"><code>example.com</code></strong>, the following command would be
	issued:
    </p>
<p>
        <strong class="userinput"><code>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</code></strong>
    </p>
<p>
        The command would print a string of the form:
    </p>
<p>
        In this example, <span><strong class="command">dnssec-signzone</strong></span> creates
	the file <code class="filename">db.example.com.signed</code>.  This file
	should be referenced in a zone statement in a
	<code class="filename">named.conf</code> file.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2526485"></a><h2>SEE ALSO</h2>
<p>
      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 2535</em>.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2526512"></a><h2>AUTHOR</h2>
<p>
        <span class="corpauthor">Internet Systems Consortium</span>
    </p>
</div>
</div></body>
</html>