ldns-signzone(1)            General Commands Manual           ldns-signzone(1)

NAME
       ldns-signzone - sign a zonefile with DNSSEC data

SYNOPSIS
       ldns-signzone [ OPTIONS ] ZONEFILE KEY [KEY [KEY] ... ]

DESCRIPTION
       ldns-signzone is used to generate a DNSSEC signed zone. When run it
       will create a new zonefile that contains RRSIG and NSEC resource
       records, as specified in RFC 4033, RFC 4034 and RFC 4035.

       Keys must be specified by their base name (i.e. without .private). If
       the DNSKEY that belongs to the key in the .private file is not present
       in the zone, it will be read from the file <base name>.key. If that
       file does not exist, the DNSKEY value will be generated from the
       private key.

       Multiple keys can be specified. Key Signing Keys are used as such when
       they are either already present in the zone, or specified in a .key
       file, and have the KSK bit set.
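The lookup order just described (DNSKEY taken from the zone, then from <base name>.key, then derived from the private key), as an added Python example that is not part of ldns. It parses the BIND-style base name used in the EXAMPLES section and reports where the DNSKEY would come from. The set of existing files and the list of key tags already in the zone are constructed inputs; matching a zone DNSKEY by key tag alone is a simplification made for this example, since the man page speaks of the DNSKEY that "belongs to" the private key.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Added example (not ldns code): work out, for one KEY argument, where
# ldns-signzone would take the DNSKEY from, following the order the man
# page gives: already in the zone -> <base name>.key -> derived from the
# private key. File existence and zone contents are passed in as plain
# Python collections so the example runs offline.

# BIND-style key file base name: K<owner>.+<alg>+<keytag>
_KEYFILE_RE = re.compile(r"^K(?P<owner>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")


@dataclass
class KeyArgument:
    base: str            # base name, as ldns-signzone expects it on the command line
    owner: str           # zone owner name encoded in the file name
    algorithm: int       # DNSSEC algorithm number (005 = RSASHA1)
    key_tag: int         # key tag from the file name
    dnskey_source: str   # "zone", ".key file" or "derived from .private"


def key_base_name(arg: str) -> str:
    """Strip a .private or .key suffix; ldns-signzone itself wants the bare base name."""
    for suffix in (".private", ".key"):
        if arg.endswith(suffix):
            return arg[: -len(suffix)]
    return arg


def resolve_key(arg: str, existing_files: Iterable[str],
                zone_key_tags: Iterable[int]) -> KeyArgument:
    """Parse one KEY argument and decide where its DNSKEY would come from.

    zone_key_tags stands in for the DNSKEY RRs already in the zone. The
    real tool matches the key that belongs to the private key, so matching
    on the key tag alone is a simplification made for this example.
    """
    base = key_base_name(arg)
    match = _KEYFILE_RE.match(base.rsplit("/", 1)[-1])
    if match is None:
        raise ValueError(f"{arg!r} is not a K<owner>.+<alg>+<tag> key name")
    files = set(existing_files)
    if base + ".private" not in files:
        raise FileNotFoundError(f"{base}.private is required for signing")

    tag = int(match["tag"])
    if tag in set(zone_key_tags):
        source = "zone"
    elif base + ".key" in files:
        source = ".key file"
    else:
        source = "derived from .private"
    return KeyArgument(base, match["owner"], int(match["alg"]), tag, source)


if __name__ == "__main__":
    # Constructed input mirroring the EXAMPLES section: only the .private file exists.
    present = {"Knlnetlabs.nl.+005+12273.private"}
    print(resolve_key("Knlnetlabs.nl.+005+12273", present, zone_key_tags=[]))
```

The -d option described below switches off the second and third steps of this order; with -d, a key whose DNSKEY is absent from the zone contributes signatures only.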
OPTIONS
       -b     Augments the zone and the RRs with extra comment text for a
              more readable layout that is easier to debug. DS records will
              have a bubblebabble version of the data in the comment text,
              and NSEC3 records will have the original NSEC3 in the comment
              text.

              Without this option, only DNSKEY RRs will have their Key Tag
              annotated in the comment text.

       -d     Normally, if the DNSKEY RR for a key that is used to sign the
              zone is not found in the zone file, it will be read from .key,
              or derived from the private key (in that order). This option
              turns that feature off, so that only the signatures are added
              to the zone.

       -e date
              Set the expiration date of the signatures to this date. The
              format can be YYYYMMDD[hhmmss], or a timestamp.

       -f file
              Use this file to store the signed zone in (default
              <originalfile>.signed).

       -i date
              Set the inception date of the signatures to this date. The
              format can be YYYYMMDD[hhmmss], or a timestamp.

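The two time formats that -e and -i accept, parsed and checked as a validity window, as an added Python example that is not part of ldns. It reads YYYYMMDD[hhmmss] or a UNIX timestamp and reports the problems a signer would want to see before signing (expiration not after inception, signatures already expired, signatures not yet valid). The man page does not state whether the tool reads dates as UTC or local time; UTC is assumed here, and the reference time passed as `now` is a constructed value.

```python
import re
from datetime import datetime, timezone
from typing import List

# Added example (not ldns code): parse the two time formats the -i and -e
# options accept, YYYYMMDD[hhmmss] or a UNIX timestamp, and sanity-check the
# resulting validity window before signing. Whether ldns-signzone reads
# dates as UTC or local time is not stated in the man page; UTC is assumed.

_DATE_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(?:(\d{2})(\d{2})(\d{2}))?$")


def parse_signature_time(value: str) -> datetime:
    """Return an aware UTC datetime for a -i/-e argument.

    8- and 14-digit values are read as YYYYMMDD[hhmmss], since the man page
    lists that form first; any other run of digits is a timestamp.
    """
    value = value.strip()
    match = _DATE_RE.match(value)
    if match:
        y, mo, d, hh, mm, ss = (int(g) if g is not None else 0 for g in match.groups())
        # datetime() rejects impossible dates such as 20241301
        return datetime(y, mo, d, hh, mm, ss, tzinfo=timezone.utc)
    if value.isdigit():
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    raise ValueError(f"{value!r}: expected YYYYMMDD[hhmmss] or a timestamp")


def check_window(inception: str, expiration: str, now: str) -> List[str]:
    """List the problems with a -i/-e pair relative to the reference time 'now'.

    All three arguments use the formats -i and -e accept, so a caller can
    pass the current epoch time from `date +%s` as 'now'.
    """
    inc = parse_signature_time(inception)
    exp = parse_signature_time(expiration)
    ref = parse_signature_time(now)
    problems = []
    if exp <= inc:
        problems.append("expiration is not after inception")
    if exp <= ref:
        problems.append("signatures would already be expired")
    if inc > ref:
        problems.append("signatures would not be valid yet")
    return problems


if __name__ == "__main__":
    # Constructed values: signing on 1 June 2024 (epoch 1717200000) with a
    # window from 1 January to 1 July 2024.
    print(check_window("20240101", "20240701", "1717200000"))  # []
```

Because RRSIGs stop validating at the -e time, the same check is worth running on a schedule against the signed zone so the zone is re-signed well before the signatures expire.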
59
       -l     Leave old DNSSEC RRSIGs and NSEC records intact (by default,
              they are removed from the zone).

       -o origin
              Use this as the origin of the zone.

       -v     Print the version and exit.

       -A     Sign the DNSKEY record with all keys. By default it is signed
              with a minimal number of keys, to keep the response size for the
              DNSKEY query small, and only the SEP keys that are passed are
              used. If there are no SEP keys, the DNSKEY RRset is signed with
              the non-SEP keys. This option turns off the default so that all
              keys are used to sign the DNSKEY RRset.

       -E name
              Use the EVP cryptographic engine with the given name for
              signing. This can have some extra options; see ENGINE OPTIONS
              for more information.

       -k id,int
              Use the key with the given id as the signing key for algorithm
              int as a Zone Signing Key. This option is used when you use an
              OpenSSL engine; see ENGINE OPTIONS for more information.

       -K id,int
              Use the key with the given id as the signing key for algorithm
              int as a Key Signing Key. This option is used when you use an
              OpenSSL engine; see ENGINE OPTIONS for more information.

       -n     Use NSEC3 instead of NSEC.

       If you use NSEC3, you can specify the following extra options:

       -a algorithm
              Algorithm used to create the hashed NSEC3 owner names.

       -p     Opt-out. All NSEC3 records in the zone will have the Opt-out
              flag set. After signing, you can add insecure delegations to the
              signed zone.

       -s string
              Salt.

       -t number
              Number of hash iterations.

ENGINE OPTIONS
       You can modify the possible engines, if supported, by setting an
       OpenSSL configuration file. This is done through the environment
       variable OPENSSL_CONF. If you use -E with a non-existent engine name,
       ldns-signzone will print a list of engines supported by your
       configuration.

       The key options (-k and -K) work as follows: you specify a key id and
       a DNSSEC algorithm number (for instance, 5 for RSASHA1). The key id can
       be any of the following:

              <id>
              <slot>:<id>
              id_<id>
              slot_<slot>-id_<id>
              label_<label>
              slot_<slot>-label_<label>

       Where '<id>' is the PKCS #11 key identifier in hexadecimal notation,
       '<label>' is the PKCS #11 human-readable label, and '<slot>' is the
       slot number where the token is present.

       If not already present, a DNSKEY RR is generated from the key data and
       added to the zone.
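The six key-id forms listed above, parsed into their parts, as an added Python example that is not part of ldns. It takes the option name (-k or -K) and the `id,int` value as they appear on the command line and returns the slot, hexadecimal identifier or label, the algorithm number, and whether the key is to act as a KSK. The order in which the forms are tried, the lower-casing of the hexadecimal identifier and the 1 to 255 range check on the algorithm number are choices made here, not documented ldns behaviour.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not ldns code): parse the value of -k/-K into the PKCS #11
# selectors the man page lists. Which form wins for an ambiguous value, the
# lower-casing of the hex id and the algorithm range check are assumptions
# of this example.


@dataclass
class EngineKey:
    algorithm: int                  # DNSSEC algorithm number, e.g. 5 for RSASHA1
    ksk: bool                       # True for -K (Key Signing Key), False for -k
    key_id: Optional[str] = None    # PKCS #11 key identifier, hexadecimal, lower-cased
    label: Optional[str] = None     # PKCS #11 human-readable label
    slot: Optional[int] = None      # slot number where the token is present


# Most specific forms first so that "slot_1-id_ab" is not read as a bare label.
_FORMS = [
    (re.compile(r"^slot_(\d+)-id_([0-9A-Fa-f]+)$"), ("slot", "key_id")),
    (re.compile(r"^slot_(\d+)-label_(.+)$"), ("slot", "label")),
    (re.compile(r"^id_([0-9A-Fa-f]+)$"), ("key_id",)),
    (re.compile(r"^label_(.+)$"), ("label",)),
    (re.compile(r"^(\d+):([0-9A-Fa-f]+)$"), ("slot", "key_id")),
    (re.compile(r"^([0-9A-Fa-f]+)$"), ("key_id",)),
]


def parse_engine_key(option: str, value: str) -> EngineKey:
    """Parse '-k id,int' or '-K id,int' into an EngineKey."""
    if option not in ("-k", "-K"):
        raise ValueError(f"expected -k or -K, got {option!r}")
    if "," not in value:
        raise ValueError(f"{value!r}: expected <key id>,<algorithm number>")
    # rsplit so a label containing a comma still keeps its algorithm number
    key_spec, alg_text = value.rsplit(",", 1)
    if not alg_text.isdigit() or not 1 <= int(alg_text) <= 255:
        raise ValueError(f"{alg_text!r} is not a DNSSEC algorithm number (1-255)")

    key = EngineKey(algorithm=int(alg_text), ksk=(option == "-K"))
    for pattern, fields in _FORMS:
        match = pattern.match(key_spec)
        if match:
            for field, group in zip(fields, match.groups()):
                if field == "slot":
                    key.slot = int(group)
                elif field == "key_id":
                    key.key_id = group.lower()
                else:
                    key.label = group
            return key
    raise ValueError(f"{key_spec!r} matches none of the documented key id forms")


if __name__ == "__main__":
    # Constructed command-line values: a KSK selected by slot and id, a ZSK by label.
    print(parse_engine_key("-K", "slot_0-id_0A1B,8"))
    print(parse_engine_key("-k", "label_zsk-2024,13"))
```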
144
145
EXAMPLES
       ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+005+12273
              Sign the zone in the file 'nlnetlabs.nl' with the key in the
              file 'Knlnetlabs.nl.+005+12273.private'. If the DNSKEY is not
              present in the zone, use the key in the file
              'Knlnetlabs.nl.+005+12273.key'. If that is not present,
              generate one with default values from
              'Knlnetlabs.nl.+005+12273.private'.

AUTHOR
       Written by the ldns team as an example for ldns usage.

REPORT BUGS
       Report bugs to <ldns-team@nlnetlabs.nl>.

COPYRIGHT
       Copyright (C) 2005-2008 NLnet Labs. This is free software. There is NO
       warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
       PURPOSE.

                                  30 May 2005                 ldns-signzone(1)