ZONESIGNER(1)         User Contributed Perl Documentation        ZONESIGNER(1)

NAME

       zonesigner - Generates encryption keys and signs a DNS zone

SYNOPSIS

           zonesigner [options] <zone-file> <signed-zone-file>

           # get started immediately examples:

           # first run on a zone for example.com:
           zonesigner -genkeys -endtime +2678400 example.com

           # future runs before expiration time (reuses the same keys):
           zonesigner -endtime +2678400 example.com

DESCRIPTION

       This script combines into a single command many actions that are
       required to sign a DNS zone.  It generates the required KSK and ZSK
       keys, adds the key data to a zone record file, signs the zone file, and
       runs checks to ensure that everything worked properly.  It also keeps
       records about the keys and how the zone was signed in order to
       facilitate re-signing of the zone in the future.

       The zonesigner-specific zone-signing records are kept in keyrec files.
       Using keyrec files, defined and maintained by DNSSEC-Tools, zonesigner
       can automatically gather many of the options previously used to
       generate a zone's keys and sign the zone.  This allows the zone to be
       maintained using the same key lengths and expiration times, for
       example, without an administrator needing to manually track these
       fields.

QUICK START

       The following examples allow a quick start on using zonesigner:

       first run on example.com
           The following command will generate keys and sign the zone file for
           example.com, giving an expiration date 31 days in the future.  The
           zone file is named example.com and the signed zone file will be
           named example.com.signed.

               zonesigner -genkeys -endtime +2678400 example.com

       subsequent runs on example.com
           The following command will re-sign example.com's zone file, but
           will not generate new keys.  The files and all key-generation and
           zone-signing arguments will remain the same.

               zonesigner example.com

USING ZONESIGNER

       zonesigner is used in this way:

           zonesigner [options] <zone-file> <signed-zone-file>

       The zone-file argument is required.

       zone-file is the name of the zone file from which a signed zone file
       will be created.  If the -zone option is not given, then zone-file will
       be used as the name of the zone that will be signed.  Generated keys
       are given this name as their base.

       The zone file is modified to have include commands, which will include
       the KSK and ZSK keys.  These lines are placed at the end of the file
       and should not be modified by the user.  If the zone file already
       includes any key files, those inclusions will be deleted.  These lines
       are distinguished by starting with "$INCLUDE" and ending with ".key".
       Only the actual include lines are deleted; any related comment lines
       are left untouched.

       An intermediate file is used in signing the zone.  zone-file is copied
       to the intermediate file, which is then modified in preparation for
       signing: several $INCLUDE lines are added at the end of the file and
       the SOA serial number is incremented.

       signed-zone-file is the name of the signed zone file.  If it is not
       given on the command line, the default signed zone filename is the
       zone-file appended with ".signed".  Thus, executing zonesigner
       example.com will result in the signed zone being stored in
       example.com.signed.

       Unless the -genkeys, -genksk, -genzsk, or -newpubksk options are
       specified, the last keys generated for a particular zone will be used
       in subsequent zonesigner executions.
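       As an added illustration (not zonesigner's own code), the following
       Python reproduces the intermediate-file preparation described above:
       earlier "$INCLUDE ... .key" lines are dropped, comment lines are kept,
       the SOA serial is incremented, the zone is refused if it already
       carries RRSIG records, and fresh $INCLUDE lines for the key files are
       appended.  The zone data and the stale key tag 11111 are constructed
       for the example; the new key file names are those of Example 1.

```python
import re

# A prior key-inclusion line: starts with $INCLUDE and ends with .key.
# zonesigner deletes exactly these and leaves related comment lines alone.
KEY_INCLUDE_RE = re.compile(r'^\$INCLUDE\b.*\.key$')


def strip_key_includes(lines):
    """Drop earlier $INCLUDE ... .key lines; every other line is kept as-is."""
    return [ln for ln in lines if not KEY_INCLUDE_RE.match(ln.strip())]


def increment_soa_serial(lines):
    """Bump the SOA serial by one in place and return (old, new).

    The serial is the third field after the SOA token (after MNAME and
    RNAME); with a parenthesised SOA it usually sits on a later line.
    """
    to_skip = None                     # SOA fields still to pass before the serial
    for i, ln in enumerate(lines):
        code = ln.split(';', 1)[0]     # drop trailing comment
        toks = code.replace('(', ' ').replace(')', ' ').split()
        if to_skip is None:
            if 'SOA' not in toks:
                continue
            toks = toks[toks.index('SOA') + 1:]
            to_skip = 2                # MNAME, RNAME
        drop = min(to_skip, len(toks))
        toks, to_skip = toks[drop:], to_skip - drop
        if toks:
            old = int(toks[0])
            new = old + 1
            # assumes the serial value is not repeated earlier on its own line
            lines[i] = re.sub(r'\b%d\b' % old, str(new), ln, count=1)
            return old, new
    raise ValueError('no SOA serial found in zone data')


def looks_signed(lines):
    """True when the zone already carries RRSIG records (exit code 17 case)."""
    return any('RRSIG' in ln.split(';', 1)[0].split() for ln in lines)


def prepare_intermediate(zone_text, key_files):
    """Build the intermediate zone text; returns (text, old_serial, new_serial)."""
    lines = zone_text.splitlines()
    if looks_signed(lines):
        raise ValueError('zone file already signed')
    lines = strip_key_includes(lines)
    old, new = increment_soa_serial(lines)
    lines += ['$INCLUDE %s' % name for name in key_files]
    return '\n'.join(lines) + '\n', old, new


# Constructed sample zone for example.com, carrying a stale key include
# (key tag 11111 is made up) left behind by an earlier run.
SAMPLE_ZONE = """\
$TTL 3600
example.com.  IN SOA ns1.example.com. hostmaster.example.com. (
                2005050401 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400 )    ; minimum
example.com.      IN NS ns1.example.com.
ns1.example.com.  IN A  192.0.2.1
; key files added by zonesigner
$INCLUDE Kexample.com.+005+11111.key
"""

# Key file names as listed for Example 1 on this page (KSK and ZSKs).
NEW_KEYS = ['Kexample.com.+005+45842.key',
            'Kexample.com.+005+50186.key',
            'Kexample.com.+005+59143.key']

if __name__ == '__main__':
    text, old, new = prepare_intermediate(SAMPLE_ZONE, NEW_KEYS)
    print('SOA serial %d -> %d' % (old, new))
    print(text, end='')
```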

KEYREC FILES

       keyrec files retain information about previous key-generation and zone-
       signing operations.  If a keyrec file is not specified (by way of the
       -krfile option), then a default keyrec file is used.  If this default
       is not specified in the system's DNSSEC-Tools configuration file, the
       filename will be the zone name appended with .krf.  If the -nokrfile
       option is given, then no keyrec file will be consulted or saved.

       Each keyrec contains a set of "key/value" entries, one per line.
       Example 4 below contains the contents of a sample keyrec file.

       keyrec files contain three types of entries:  zone keyrecs, set
       keyrecs, and key keyrecs.  Zone keyrecs contain information
       specifically about the zone, such as the number of ZSKs used to sign
       the zone, the end-time for the zone, and the key signing set names
       (names of set keyrecs).  Set keyrecs contain lists of key keyrec names
       used for a specific purpose, such as the current ZSK keys or the
       published ZSK keys.  Key keyrecs contain information about the
       generated keys themselves, such as encryption algorithm, key length,
       and key lifetime.

   Keyrec Files and RFC5011 KSK Revocation
       If RFC5011 processing is enabled, there is special handling of the
       zone's set keyrec of revoked KSK keys.  The "kskrev" field in the
       zone's keyrec points to a set keyrec, marked as being of type "kskrev".
       This set keyrec, in turn, points to a number of other set keyrecs, all
       of which are also marked as being of type "kskrev".  The group of all
       revoked KSK keys is found by consulting that subsidiary set of "kskrev"
       set keyrecs.  When the ages of these revoked keys exceed their
       revocation periods, they are marked as being obsolete ("kskobs").  If
       this happens as part of normal rollover, these revoked key and set
       keyrecs are all removed from the chain of active, revoked keyrecs.  If
       this happens to a key that's part of a larger set of keys, it is
       removed from that signing set and put in its own new signing set.

ENTROPY

       On some systems, the implementation of the pseudo-random number
       generator requires keyboard activity.  This keyboard activity is used
       to fill a buffer in the system's random number generator.  If
       zonesigner appears hung, you may have to add entropy to the random
       number generator by randomly striking keys until the program completes.
       Display of this message is controlled by the entropy_msg configuration
       file parameter.

DETERMINING OPTION VALUES

       zonesigner checks four places in order to determine option values.  In
       descending order of precedence, these places are:

           command line options

           keyrec file

           DNSSEC-Tools configuration file

           zonesigner defaults

       Each is checked until a value is found.  That value is then used for
       that zonesigner execution and the value is stored in the keyrec file.

   Example
       For example, suppose the KSK length has the following values in each
       place:

           -ksklength command line option:     8192

           keyrec file:                        1024

           DNSSEC-Tools configuration file:     512

           zonesigner defaults:                2048

       If all are present, then the KSK length will be 8192.

       If the -ksklength command line option wasn't given, the KSK length will
       be 1024.

       If the KSK length wasn't given in the configuration file, it will be
       8192.

       If the KSK length wasn't in the keyrec file or the configuration file,
       the KSK length will be 8192.

       If the -ksklength command line option wasn't given and the KSK length
       wasn't in the configuration file, it'll be 1024.

       If the command line option wasn't given, the KSK length wasn't in the
       keyrec file, and it wasn't in the configuration file, then the KSK
       length will be 512.

OPTIONS

       Three types of options may be given, based on the command for which
       they are intended.  These commands are dnssec-keygen, dnssec-signzone,
       and zonesigner.

   zonesigner-specific Options
       -archivedir
           The key archive directory.  If a key archive directory hasn't been
           specified (on the command line or in the DNSSEC-Tools configuration
           file) and the -nosave option was not given, then zonesigner will
           leave the keys in the current directory.

           When the files are saved into the archive directory, the existing
           file names are prepended with a timestamp.  The timestamp indicates
           when the files were archived.

           This directory may not be the root directory.

       -droprevoked
           Explicitly obsolete currently revoked KSKs and remove them from the
           signing set before re-signing.  This is mutually exclusive with
           -nodroprevoked.  If neither -droprevoked nor -nodroprevoked is
           given, then -droprevoked behavior is assumed.

       -dsdir
           Specify a directory for storing dssets.  This directory will be
           created if it does not exist.

           The directory must be writable and may not be the root directory.

       -genkeys
           Generate new KSKs and ZSKs for the zone.

       -genksk
           Generate new Current KSKs for the zone.  Any existing Current KSKs
           will be marked as obsolete.  If this option is not given, the last
           KSKs generated for this zone will be used.

       -genzsk
           Generate new ZSKs for the zone.  By default, the last ZSKs
           generated for this zone will be used.

       -help
           Display a usage message.

       -intermediate
           Filename to use for the temporary zone file.  The zone file will be
           copied to this file and then the key names appended.

       -keydirectory
           The directory in which KSK and ZSK keys will be stored.  The
           default is to store the keys in the directory in which zonesigner
           is executed.

           This directory may not be the root directory.

       -krfile
           keyrec file to use in processing options.  See the man page for
           Net::DNS::SEC::Tools::tooloptions.pm for more details about this
           file.

       -ksignset
           The name of the KSK signing set to use.  If the signing set does
           not exist, then this must be used in conjunction with either
           -genkeys or -genksk.

           The name may contain alphanumerics, underscores, hyphens, periods,
           and commas.  The default signing set name is "zone-signset-N",
           where zone is the zone being signed and N is a number.

           If -ksignset is not specified, then zonesigner will use the default
           and increment the number for subsequent signing sets.

       -kskcount
           The number of KSK keys to generate and with which to sign the zone.
           The default is to use a single KSK key.

       -kskdirectory
           The directory in which KSK keys will be stored.  The default is to
           store the keys in the directory in which zonesigner is executed.

           This directory may not be the root directory.

       -ksklife
           The time between KSK rollovers.  This is measured in seconds.

       -newpubksk
           Generate new Published KSKs for the zone.  Any existing Published
           KSKs will be marked as obsolete.

       -nodroprevoked
           Explicitly turn off obsoleting currently revoked KSKs and removing
           them from the signing set before re-signing.  This is mutually
           exclusive with -droprevoked.  If neither -droprevoked nor
           -nodroprevoked is given, then -droprevoked behavior is assumed.

       -nokrfile
           No keyrec file will be consulted or created.

       -norfc5011
           Disable RFC5011 KSK revocation when rolling or replacing existing
           KSK key sets.  By default, zonesigner performs RFC5011 KSK
           revocation; this option supersedes that behavior and any option
           setting within the keyrec file.

       -nosave
           Do not save obsolete keys to the key archive directory.  The
           default behavior is to save obsolete keys.

       -phase
           Specify a rollover option based on the rollover phase, as opposed
           to using the option naming the specific action to be performed.
           The purpose of this option is to bring clarity and greater
           understanding to how zonesigner is used in the rollover process.

           The following are the mappings between the -phase options and the
           action options.

               Phase Option             Action-based Option
               -phase ksk2              -newpubksk
               -phase ksk4              -rollksk
               -phase zsk2              -usezskpub
               -phase zsk4b             -rollzsk
               -phase zsk4b             (no option)

           Warning:  The -phase option should only be used if you know what
           you're doing.

       -rollksk
           Force a rollover of the KSK keys.  The Current KSK keys are marked
           as Obsolete and the Published KSK keys are marked as Current.  The
           zone is then signed with the new set of Current KSK keys.  If the
           zone's keyrec does not list a Current or Published KSK, an error
           message is printed and zonesigner stops execution.

           The zone's keyrec file is updated to show the new key state.

           The keyrecs of the KSK keys are adjusted as follows:

               The Current KSK keys are marked as Obsolete.
               The Published KSK keys are marked as Current.
               The Obsolete KSK keys are moved to the archive directory.

           If RFC5011 processing is enabled, then the KSK rollover sequence is
           modified as follows:

               The Current KSK keys are marked as Revoked.
               The Published KSK keys are marked as Current.
               The Revoked KSK keys are checked to see if they are still
               within their revocation period.  If not, they are marked
               as Obsolete.
               The Obsolete KSK keys are moved to the archive directory.

           Warning:  The timing of key-rolling is critical.  Great care must
           be taken when using this option.  In the future, rollerd will
           automate the KSK rollover process and may be used to safely take
           care of this aspect of DNSSEC management.

           Warning:  The -rollksk option should only be used if you know what
           you're doing.

           Warning:  This may be a temporary method of KSK rollover.  It may
           be changed in the future.

       -rollzsk
           Force a rollover of the ZSK keys using the Pre-Publish Key Rollover
           method.  The rollover process adjusts the keys used to sign the
           specified zone, generates new keys, signs the zone with the
           appropriate keys, and updates the keyrec file.  The Pre-Publish Key
           Rollover process is described in the DNSSEC Operational Practices
           document.

           Three sets of ZSK keys are used in the rollover process:  Current,
           Published, and New.  Current ZSKs are those which are used to sign
           the zone.  Published ZSKs are available in the zone data, and
           therefore in cached zone data, but are not yet used to sign the
           zone.  New ZSKs are not available in zone data nor yet used to sign
           the zone, but are waiting in the wings for future use.

           The keyrecs of the ZSK keys are adjusted as follows:

               The Current ZSK keys are marked as Obsolete.
               The Published ZSK keys are marked as Current.
               The New ZSK keys, if they exist, are marked as Published.
               Another set of ZSK keys is generated, which will be
                   marked as the New ZSK keys.
               The Published ZSK keys' zsklife field is copied to the
                   new ZSK keys' keyrecs.
               The Obsolete ZSK keys are moved to the archive directory.

           The quick summary of proper ZSK rolling (which rollerd does for you
           if you use it):

               - wait 2 * max(TTL in zone)
               - run zonesigner using -usezskpub
               - wait 2 * max(TTL in zone)
               - run zonesigner using -rollzsk
               - wait 2 * max(TTL in zone)

           Warning:  The timing of key-rolling is critical.  Great care must
           be taken when using this option.  rollerd automates the rollover
           process and may be used to safely take care of this aspect of
           DNSSEC management.  The -rollzsk option should only be used if you
           know what you're doing.

       -showkeycmd
           Display the actual key-generation command (with options and
           arguments) that is executed.  This is a small subset of verbose
           level 3 output.

       -showsigncmd
           Display the actual zone-signing command (with options and
           arguments) that is executed.  This is a small subset of verbose
           level 3 output.

       -signset
           The name of the ZSK signing set to use as the Current ZSK signing
           set.  The zone is signed and the given signing set becomes the
           zone's new Current ZSK signing set.  If the signing set does not
           exist, then this must be used in conjunction with either -genkeys
           or -genzsk.

           The name may contain alphanumerics, underscores, hyphens, periods,
           and commas.  The default signing set name is "zonesignset-N", where
           zone is the zone being signed and N is a number.

           If -signset is not specified, then zonesigner will use the default
           and increment the number for subsequent signing sets.

       -useboth
           Use the existing Current and Published ZSKs to sign the zone.

       -usezskpub
           Use the existing Published ZSKs to sign the zone.

       -Version
           Display the version information for zonesigner and the DNSSEC-Tools
           package.

       -verbose
           Verbose output will be given.  As more instances of -verbose are
           given on the command line, additional levels of verbosity are
           achieved.

               level       output
               -----       ------
                 1         operations being performed
                             (e.g., generating key files, signing zone)
                 2         details on operations and some operation results
                             (e.g., new key names, zone serial number)
                 3         operations' parameters and additional details
                             (e.g., key lengths, encryption algorithm,
                             executed commands)

           Higher levels of verbosity are cumulative.  Specifying two
           instances of -verbose will give the output from the first and
           second levels.

       -xc Display a message associated with a zonesigner exit value.  This
           option is intended for use by programs that want zonesigner to run
           silently but need a description of why zonesigner exited with an
           error.

           The following are the exit codes and their associated messages.

           0 - successful execution
           1 - -rfc5011 and -norfc5011 may not be specified together
           2 - -droprevoked and -nodroprevoked may not be specified together
           3 - -keydirectory and -kskdirectory may not be specified together
           4 - -keydirectory and -zskdirectory may not be specified together
           5 - KSK count must be positive
           6 - ZSK count must be positive
           7 - no key archive directory was specified
           8 - key archive directory is not a directory
           9 - key archive directory must not be /
           10 - -savekeys and -nosave may not be specified together
           11 - either a KSK or a ZSK directory was incorrectly specified
           12 - either a specified KSK or a specified ZSK directory is not a
                directory
           13 - neither the KSK nor the ZSK directory may be the root
                directory
           14 - zone file, output file, and intermediate file must all have
                distinct names
           15 - zone file does not exist
           16 - zone file is empty
           17 - zone file already signed
           18 - specified signing set does not exist
           19 - specified Current ZSK signing set does not exist
           20 - specified Published ZSK signing set does not exist
           21 - specified new signing-set name already exists
           22 - specified KSK signing set already exists
           23 - no KSK signing set was specified
           24 - specified Current KSK signing set does not exist
           25 - specified Published KSK signing set does not exist
           26 - unable to generate KSK key file
           27 - ZSK keyrec does not exist in keyrec file
           28 - unable to generate ZSK key file
           29 - unable to archive keys because key archive directory is not a
                directory
           30 - KSK repository is not a directory
           31 - ZSK repository is not a directory
           32 - unable to update serial number in zonefile
           33 - zone file's modified contents are empty
           34 - unable to sign zone
           35 - no Published KSKs have been created
           36 - zone has no Published ZSKs to rollover to Current ZSKs
           37 - no keys defined for a particular signing set for zone
           38 - no keyrec exists for required signing set
           39 - error in keyrec file -- a particular signing set keyrec is not
                a set keyrec
           40 - specified signing set does not contain any keys
           41 - no key keyrec exists for a particular key
           42 - keyrec of specified key has an unexpected type
           43 - usage message printed
           44 - invalid exit code given to -xc
           45 - named-checkzone returned an error
           46 - unable to create dsset archive directory
           47 - dsset archive directory is not a directory
           48 - dsset archive directory is not writable
           49 - dsset archive directory must not be /

           An error message will be printed if an invalid exit code is given.

       -zone
           Name of the zone that will be signed.  This zone name may be given
           with this option or as the first non-option command line argument.
           In the second case, if the argument contains directory separators,
           then the final element of the path will be used for the zone name.

       -zskcount
           The number of ZSK keys to generate and with which to sign the zone.
           The default is to use a single ZSK key.

       -zskdirectory
           The directory in which ZSK keys will be stored.  The default is to
           store the keys in the directory in which zonesigner is executed.

           This directory may not be the root directory.

       -zsklife
           The time between ZSK rollovers.  This is measured in seconds.

   dnssec-keygen-specific Options
       -algorithm
           Cryptographic algorithm used to generate the zone's keys.  The
           default value is RSASHA1.  The option value is passed to
           dnssec-keygen as the -a flag.  Consult dnssec-keygen's manual page
           to determine legal values.

       -kgopts
           Additional options for dnssec-keygen may be specified using this
           option.  The additional options are passed as a single string value
           as an argument to the -kgopts option.

       -ksklength
           Bit length of the zone's KSK key.  The default is 2048.

       -nsec3optout
           When this flag and the -usensec3 flag are set, the zone will be
           signed using the Opt-Out support described in RFC5155.  A quick
           summary is that only sub-domains with valid DS or public keys
           available will be signed and the rest will not be.  This greatly
           reduces the computational and memory requirements of extremely
           large zones with lots of unsigned children.

       -random
           Source of randomness used to generate the zone's keys.  This is
           assumed to be a file, for example /dev/urandom.

       -usensec3
           Signs the zone using NSEC3 (see RFC5155) proof-of-non-existence
           records rather than NSEC records.  The keys used to sign the zone
           must support the use of NSEC3 or else zone-signing will fail.
           Zonesigner will automatically generate new keys of the correct type
           if one of the -genkeys or similar options is used.

       -zsklength
           Bit length of the zone's ZSK key.  The default is 1024.

   dnssec-signzone-specific Options
       -endtime
           Time that the zone expires, measured in seconds.  See the man page
           for dnssec-signzone for the valid format of this field.  The
           default value is 2764800 seconds (32 days).

       -gends
           Force dnssec-signzone to generate DS records for the zone.  This
           option is translated into -g when passed to dnssec-signzone.

           This option is obsolete.  DS records are generated by default.  Use
           the -nogends option if DS records should not be generated.

       -ksdir
           Specify a directory for storing keysets.  This is passed to
           dnssec-signzone as the -d option.

       -nogends
           Prevent dnssec-signzone from generating DS records for the zone.

       -szopts
           Additional options for dnssec-signzone may be specified using this
           option.  The additional options are passed as a single string value
           as an argument to the -szopts option.

   Other Options
       -zcopts
           Additional options for named-checkzone may be specified using this
           option.  The additional options are passed as a single string value
           as an argument to the -zcopts option.

EXAMPLES

       Example 1.

       In the first example, an existing keyrec file is used to assist in
       signing the example.com domain.  Zone data are stored in example.com,
       and the keyrec is in example.krf.  The final signed zone file will be
       db.example.com.signed.  Using this execution:

           # zonesigner -krfile example.krf example.com db.example.com.signed

       the following files are created:

           Kexample.com.+005+45842.private
           Kexample.com.+005+45842.key
           Kexample.com.+005+50186.private
           Kexample.com.+005+50186.key
           Kexample.com.+005+59143.private
           Kexample.com.+005+59143.key

           dsset-example.com.
           keyset-example.com.

           db.example.com.signed

       The first six files are the KSK and ZSK keys required for the zone.
       The next two files are created by the zone-signing process.  The last
       file is the final signed zone file.

       Example 2.

       In the second example, an existing keyrec file is used to assist in
       signing the example.com domain.  Zone data are stored in example.com,
       and the keyrec is in example.krf.  The generated keys, an intermediate
       zone file, and the final signed zone file will use example.com as a
       base.  Using this execution:

           # zonesigner -krfile example.krf -intermediate example.zs example.com

       the following files are created:

           Kdb.example.com.+005+12354.key
           Kdb.example.com.+005+12354.private
           Kdb.example.com.+005+82197.key
           Kdb.example.com.+005+82197.private
           Kdb.example.com.+005+55888.key
           Kdb.example.com.+005+55888.private

           dsset-db.example.com.
           keyset-db.example.com.

           example.zs
           example.com.signed

       The first six files are the KSK and ZSK keys required for the zone.
       The next two files are created by the zone-signing process.  The
       second-to-last file is the intermediate file that is signed.  The last
       file is the final signed zone.

       Example 3.

       In the third example, no keyrec file is specified for the signing of
       the example.com domain.  In addition to files created as shown in
       previous examples, a new keyrec file is created.  The new keyrec file
       uses the domain name as its base.  Using this execution:

           # zonesigner example.com db.example.com

       the following keyrec file is created:

           example.com.krf

       The signed zone file is created in:

           db.example.com

       Example 4.

       This example shows a keyrec file generated by zonesigner.

       The command executed is:

           # zonesigner example.com db.example.com

       The generated keyrec file contains six keyrecs:  a zone keyrec, two set
       keyrecs, one KSK keyrec, and two ZSK keyrecs.

           zone        "example.com"
               zonefile        "example.com"
               signedzone      "db.example.com"
               endtime         "+2764800"
               kskcur          "example.com.signset-24"
               kskdirectory    "."
               zskcur          "example.com.signset-42"
               zskpub          "example.com.signset-43"
               zskdirectory    "."
               keyrec_type     "zone"
               keyrec_signsecs "1115166642"
               keyrec_signdate "Wed May  4 00:30:42 2005"

           set         "example.com.signset-24"
               zonename        "example.com"
               keys            "Kexample.com.+005+24082"
               keyrec_setsecs  "1110000042"
               keyrec_setdate  "Sat Mar  5 05:20:42 2005"

           set         "example.com.signset-42"
               zonename        "example.com"
               keys            "Kexample.com.+005+53135"
               keyrec_setsecs  "1115166640"
               keyrec_setdate  "Wed May  4 00:30:40 2005"

           set         "example.com.signset-43"
               zonename        "example.com"
               keys            "Kexample.com.+005+13531"
               keyrec_setsecs  "1115166641"
               keyrec_setdate  "Wed May  4 00:30:41 2005"

           key         "Kexample.com.+005+24082"
               zonename        "example.com"
               keyrec_type     "kskcur"
               algorithm       "rsasha1"
               random          "/dev/urandom"
               keypath         "./Kexample.com.+005+24082.key"
               ksklength       "2048"
               ksklife         "15768000"
               keyrec_gensecs  "1110000042"
               keyrec_gendate  "Sat Mar  5 05:20:42 2005"

           key         "Kexample.com.+005+53135"
               zonename        "example.com"
               keyrec_type     "zskcur"
               algorithm       "rsasha1"
               random          "/dev/urandom"
               keypath         "./Kexample.com.+005+53135.key"
               zsklength       "1024"
               zsklife         "604800"
               keyrec_gensecs  "1115166638"
               keyrec_gendate  "Wed May  4 00:30:38 2005"

           key         "Kexample.com.+005+13531"
               zonename        "example.com"
               keyrec_type     "zskpub"
               algorithm       "rsasha1"
               random          "/dev/urandom"
               keypath         "./Kexample.com.+005+13531.key"
               zsklength       "1024"
               zsklife         "604800"
               keyrec_gensecs  "1115166638"
               keyrec_gendate  "Wed May  4 00:30:38 2005"
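       As an added example (not part of this manual page and not the
       DNSSEC-Tools keyrec.pm module), the Python below parses the key/value
       keyrec format shown in Example 4 and described under KEYREC FILES,
       follows a zone keyrec to its set keyrecs and on to the key keyrecs,
       rejects the inconsistencies that exit codes 38, 41 and 42 describe,
       and reports whether a key's ksklife/zsklife has elapsed.  The embedded
       keyrec is an abridged copy of Example 4; treating a set keyrec's keys
       field as blank-separated names is an assumption.

```python
import re

RECORD_TYPES = ('zone', 'set', 'key')
# Every keyrec line has the shape:   name "value"
# A line whose name is zone, set or key opens a new keyrec of that type.
LINE_RE = re.compile(r'^\s*(\S+)\s+"([^"]*)"\s*$')


def parse_keyrec(text):
    """Return {'zone': {...}, 'set': {...}, 'key': {...}}, each keyed by name."""
    recs = {t: {} for t in RECORD_TYPES}
    cur = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError('malformed keyrec line: %r' % raw)
        name, value = m.groups()
        if name in RECORD_TYPES:
            cur = recs[name][value] = {}       # new zone/set/key keyrec
        elif cur is None:
            raise ValueError('field before any keyrec: %r' % raw)
        else:
            cur[name] = value
    return recs


def signing_keys(recs, zone, role):
    """Follow zone keyrec -> set keyrec -> key keyrecs for a role such as
    'kskcur', 'zskcur' or 'zskpub' and return the key names.

    Raises ValueError for the inconsistencies zonesigner reports as exit
    codes 38 (no set keyrec), 41 (no key keyrec) and 42 (unexpected type).
    """
    setname = recs['zone'][zone].get(role)
    if setname is None:
        return []                              # zone has no set for this role
    if setname not in recs['set']:
        raise ValueError('no keyrec exists for signing set %r' % setname)
    # assumption: a set's "keys" field lists key keyrec names separated by blanks
    names = recs['set'][setname].get('keys', '').split()
    for name in names:
        key = recs['key'].get(name)
        if key is None:
            raise ValueError('no key keyrec exists for %r' % name)
        if key.get('keyrec_type') != role:
            raise ValueError('key %r has type %r, expected %r'
                             % (name, key.get('keyrec_type'), role))
    return names


def roll_due(key, now):
    """True once now (epoch seconds) is past generation time plus ksklife/zsklife."""
    life = key.get('ksklife') or key.get('zsklife')
    return now >= int(key['keyrec_gensecs']) + int(life)


# Abridged copy of Example 4 above: same names and values, fewer fields.
SAMPLE_KEYREC = '''\
zone        "example.com"
    zonefile        "example.com"
    signedzone      "db.example.com"
    kskcur          "example.com.signset-24"
    zskcur          "example.com.signset-42"
    zskpub          "example.com.signset-43"

set         "example.com.signset-24"
    keys            "Kexample.com.+005+24082"

set         "example.com.signset-42"
    keys            "Kexample.com.+005+53135"

set         "example.com.signset-43"
    keys            "Kexample.com.+005+13531"

key         "Kexample.com.+005+24082"
    keyrec_type     "kskcur"
    ksklife         "15768000"
    keyrec_gensecs  "1110000042"

key         "Kexample.com.+005+53135"
    keyrec_type     "zskcur"
    zsklife         "604800"
    keyrec_gensecs  "1115166638"

key         "Kexample.com.+005+13531"
    keyrec_type     "zskpub"
    zsklife         "604800"
    keyrec_gensecs  "1115166638"
'''

if __name__ == '__main__':
    recs = parse_keyrec(SAMPLE_KEYREC)
    for role in ('kskcur', 'zskcur', 'zskpub'):
        print(role, signing_keys(recs, 'example.com', role))
```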

NOTES

       1.  One Zone in a keyrec File
           There is a bug in the signing-set code that necessitates only
           storing one zone in a keyrec file.

       2.  SOA Serial Numbers
           Serial numbers in SOA records are merely incremented in this
           version.  Future plans are to allow for more flexible serial number
           manipulation.


COPYRIGHT

       Copyright 2004-2011 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@users.sourceforge.net

SEE ALSO

       lskrf(1)

       dnssec-keygen(8), dnssec-signzone(8)

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3),
       Net::DNS::SEC::Tools::keyrec.pm(3),
       Net::DNS::SEC::Tools::tooloptions.pm(3)

       keyrec(5)



perl v5.12.4                      2011-09-30                     ZONESIGNER(1)