ldns-signzone(1)            General Commands Manual           ldns-signzone(1)

NAME

       ldns-signzone - sign a zonefile with DNSSEC data

SYNOPSIS

       ldns-signzone [ OPTIONS ] ZONEFILE KEY [KEY [KEY] ...  ]


DESCRIPTION

       ldns-signzone is used to generate a DNSSEC signed zone. When run it
       will create a new zonefile that contains RRSIG and NSEC resource
       records, as specified in RFC 4033, RFC 4034 and RFC 4035.

       Keys must be specified by their base name (i.e. without .private). If
       the DNSKEY that belongs to the key in the .private file is not present
       in the zone, it will be read from the file <base name>.key. If that
       file does not exist, the DNSKEY value will be generated from the
       private key.

       Multiple keys can be specified. Key Signing Keys are used as such when
       they are either already present in the zone or specified in a .key
       file, and have the KSK bit set.


OPTIONS

       -b     Augments the zone and the RRs with extra comment text for a
              more readable layout that is easier to debug. DS records will
              have a bubblebabble version of the data in the comment text;
              NSEC3 records will have the original NSEC3 in the comment text.

              Without this option, only DNSKEY RRs will have their Key Tag
              annotated in the comment text.

       -d     Normally, if the DNSKEY RR for a key that is used to sign the
              zone is not found in the zone file, it will be read from .key,
              or derived from the private key (in that order). This option
              turns that feature off, so that only the signatures are added to
              the zone.

       -e date
              Set the expiration date of the signatures to this date; the
              format can be YYYYMMDD[hhmmss], or a timestamp.

       -f file
              Use this file to store the signed zone in (default
              <originalfile>.signed)

       -i date
              Set the inception date of the signatures to this date; the
              format can be YYYYMMDD[hhmmss], or a timestamp.

       -o origin
              Use this as the origin of the zone

       -v     Print the version and exit

       -A     Sign the DNSKEY record with all keys. By default it is signed
              with a minimal number of keys, to keep the response size for the
              DNSKEY query small, and only the SEP keys that are passed are
              used. If there are no SEP keys, the DNSKEY RRset is signed with
              the non-SEP keys. This option turns off the default and all
              keys are used to sign the DNSKEY RRset.

       -E name
              Use the EVP cryptographic engine with the given name for
              signing. This can have some extra options; see ENGINE OPTIONS
              for more information.

       -k id,int
              Use the key with the given id as the signing key for algorithm
              int as a Zone Signing Key. This option is used when you use an
              OpenSSL engine; see ENGINE OPTIONS for more information.

       -K id,int
              Use the key with the given id as the signing key for algorithm
              int as a Key Signing Key. This option is used when you use an
              OpenSSL engine; see ENGINE OPTIONS for more information.

       -n     Use NSEC3 instead of NSEC.

       If you use NSEC3, you can specify the following extra options:

       -a algorithm
              Algorithm used to create the hashed NSEC3 owner names

       -p     Opt-out. All NSEC3 records in the zone will have the Opt-out
              flag set. After signing, you can add insecure delegations to the
              signed zone.

       -s string
              Salt

       -t number
              Number of hash iterations

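       The options above are easiest to get right when the command line is
       assembled by a script that fixes the signature validity window and
       derives the key base names. The following is an added example, not
       part of ldns or of this manual page: it only builds the argv list for
       ldns-signzone (it never executes the tool), strips a trailing .private
       or .key so keys are passed by base name as DESCRIPTION requires, and
       formats -i/-e in the YYYYMMDDhhmmss form. The key file name, zone name
       and time are constructed sample values; treating the -s salt as
       hex-encoded is an assumption not stated on this page.

```python
"""Assemble an ldns-signzone command line with an explicit validity window.

Added example, not ldns code. It builds argv only and never runs the tool.
Assumption: the -s salt is hex-encoded (not stated on the man page).
"""
from datetime import datetime, timedelta, timezone
import shlex

DATE_FMT = "%Y%m%d%H%M%S"  # the YYYYMMDDhhmmss form accepted by -i and -e

# Constructed sample inputs (not real keys or zones).
SAMPLE_TIME = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_KEY = "Kexample.org.+008+12345.private"


def key_base_name(path):
    """Strip .private/.key so the key is named the way ldns-signzone expects."""
    for suffix in (".private", ".key"):
        if path.endswith(suffix):
            return path[: -len(suffix)]
    return path


def validity_window(inception, days):
    """Return (-i, -e) strings; expiration must lie strictly after inception."""
    if days <= 0:
        raise ValueError("validity window must be positive")
    expiration = inception + timedelta(days=days)
    return inception.strftime(DATE_FMT), expiration.strftime(DATE_FMT)


def build_signzone_argv(zonefile, keys, inception, days=30, origin=None,
                        outfile=None, nsec3=False, salt=None, iterations=None,
                        opt_out=False):
    """Build the argv list; NSEC3-only options are rejected without -n."""
    if not keys:
        raise ValueError("at least one key is required")
    inc, exp = validity_window(inception, days)
    argv = ["ldns-signzone", "-i", inc, "-e", exp]
    if origin:
        argv += ["-o", origin]
    if outfile:
        argv += ["-f", outfile]
    if nsec3:
        argv.append("-n")
        if salt is not None:
            bytes.fromhex(salt)  # assumption: salt is hex; fail early if not
            argv += ["-s", salt]
        if iterations is not None:
            if iterations < 0:
                raise ValueError("iteration count cannot be negative")
            argv += ["-t", str(iterations)]
        if opt_out:
            argv.append("-p")
    elif salt is not None or iterations is not None or opt_out:
        raise ValueError("-s, -t and -p are NSEC3 options and require -n")
    argv.append(zonefile)
    argv += [key_base_name(k) for k in keys]
    return argv


if __name__ == "__main__":
    cmd = build_signzone_argv("example.org", [SAMPLE_KEY], SAMPLE_TIME,
                              outfile="example.org.signed", nsec3=True,
                              salt="ab12", iterations=0)
    print(shlex.join(cmd))
```

       Keeping inception and expiration in one function makes the validity
       window an explicit, reviewable number rather than two hand-typed
       dates, which is where zones usually go dark (expiration in the past)
       or stay verifiable longer than intended.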

ENGINE OPTIONS

       You can modify the possible engines, if supported, by setting an
       OpenSSL configuration file. This is done through the environment
       variable OPENSSL_CONF. If you use -E with a non-existent engine name,
       ldns-signzone will print a list of engines supported by your
       configuration.

       The key options (-k and -K) work as follows; you specify a key id, and
       a DNSSEC algorithm number (for instance, 5 for RSASHA1). The key id can
       be any of the following:

           <id>
           <slot>:<id>
           id_<id>
           slot_<slot>-id_<id>
           label_<label>
           slot_<slot>-label_<label>

       Where '<id>' is the PKCS #11 key identifier in hexadecimal notation,
       '<label>' is the PKCS #11 human-readable label, and '<slot>' is the
       slot number where the token is present.

       If not already present, a DNSKEY RR is generated from the key data, and
       added to the zone.

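       The six key id forms above are easy to mistype, and a wrong slot or id
       silently selects the wrong token key. The following is an added example
       and not ldns code: a small parser that classifies a -k/-K argument into
       its slot, id and label parts and separates the trailing algorithm
       number. It only inspects the string and does not talk to a PKCS #11
       token. The page says <id> is hexadecimal; treating <slot> as a decimal
       number and allowing any characters in <label> are assumptions.

```python
"""Parse the key id forms accepted by ldns-signzone -k/-K (ENGINE OPTIONS).

Added example, not ldns code. It classifies the string only; no PKCS #11
access. Assumptions beyond the man page: <slot> is decimal, <label> is free
text, and the algorithm number is separated from the key id by the last comma.
"""
import re

# One pattern per documented form, each capturing slot, id and/or label.
_FORMS = [
    re.compile(r"^(?P<id>[0-9a-fA-F]+)$"),                          # <id>
    re.compile(r"^(?P<slot>\d+):(?P<id>[0-9a-fA-F]+)$"),            # <slot>:<id>
    re.compile(r"^id_(?P<id>[0-9a-fA-F]+)$"),                       # id_<id>
    re.compile(r"^slot_(?P<slot>\d+)-id_(?P<id>[0-9a-fA-F]+)$"),    # slot_<slot>-id_<id>
    re.compile(r"^label_(?P<label>.+)$"),                           # label_<label>
    re.compile(r"^slot_(?P<slot>\d+)-label_(?P<label>.+)$"),        # slot_<slot>-label_<label>
]


def parse_key_id(spec):
    """Return {'slot', 'id', 'label'} for a key id, or raise ValueError."""
    for form in _FORMS:
        m = form.match(spec)
        if m:
            d = m.groupdict()
            return {
                "slot": int(d["slot"]) if d.get("slot") else None,
                "id": d["id"].lower() if d.get("id") else None,  # hex, normalised
                "label": d.get("label"),
            }
    raise ValueError(f"unrecognised key id: {spec!r}")


def parse_key_option(value):
    """Split the 'id,int' argument of -k/-K into (key id fields, algorithm)."""
    if "," not in value:
        raise ValueError("expected '<keyid>,<algorithm number>'")
    keyid, alg = value.rsplit(",", 1)  # labels may contain commas; split last
    alg_num = int(alg)  # raises ValueError if not an integer
    if not 0 <= alg_num <= 255:
        raise ValueError("DNSSEC algorithm numbers are 8-bit values")
    return parse_key_id(keyid), alg_num


if __name__ == "__main__":
    for sample in ("1a2b,8", "3:1A2B,8", "slot_2-label_ksk,5"):  # constructed
        print(sample, "->", parse_key_option(sample))
```

       Because each form is anchored at both ends, an argument such as
       slot_x-id_ff is rejected instead of being partially matched, which is
       the behaviour you want from anything that selects a signing key.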

EXAMPLES

       ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+005+12273
              Sign the zone in the file 'nlnetlabs.nl' with the key in the
              file 'Knlnetlabs.nl.+005+12273.private'. If the DNSKEY is not
              present in the zone, use the key in the file
              'Knlnetlabs.nl.+005+12273.key'. If that is not present, generate
              one with default values from 'Knlnetlabs.nl.+005+12273.private'.


AUTHOR

       Written by the ldns team as an example for ldns usage.


REPORTING BUGS

       Report bugs to <ldns-team@nlnetlabs.nl>.

COPYRIGHT

       Copyright (C) 2005-2008 NLnet Labs. This is free software. There is NO
       warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
       PURPOSE.



                                 30 May 2005                 ldns-signzone(1)