1DNSSEC-SIGNZONE(8)                  BIND 9                  DNSSEC-SIGNZONE(8)
2
3
4

NAME

6       dnssec-signzone - DNSSEC zone signing tool
7

SYNOPSIS

9       dnssec-signzone  [-a]  [-c  class]  [-d directory] [-D] [-E engine] [-e
10       end-time] [-f output-file] [-g] [-h] [-i  interval]  [-I  input-format]
11       [-j jitter] [-K directory] [-k key] [-L serial] [-M maxttl] [-N soa-se‐
12       rial-format] [-o origin] [-O output-format] [-P] [-Q]  [-q]  [-R]  [-S]
13       [-s  start-time]  [-T  ttl]  [-t]  [-u]  [-v  level]  [-V] [-X extended
14       end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
15

DESCRIPTION

17       dnssec-signzone signs a zone; it generates NSEC and RRSIG  records  and
18       produces  a  signed version of the zone. The security status of delega‐
19       tions from the signed zone (that is, whether the child  zones  are  se‐
20       cure)  is  determined  by  the presence or absence of a keyset file for
21       each child zone.
22

OPTIONS

24       -a     This option verifies all generated signatures.
25
26       -c class
27              This option specifies the DNS class of the zone.
28
29       -C     This option sets compatibility mode, in which a  keyset-zonename
30              file  is  generated in addition to dsset-zonename when signing a
31              zone, for use by older versions of dnssec-signzone.
32
33       -d directory
34              This option indicates the directory where BIND 9 should look for
35              dsset- or keyset- files.
36
37       -D     This option indicates that only those record types automatically
38              managed  by  dnssec-signzone,  i.e.,  RRSIG,  NSEC,  NSEC3   and
39              NSEC3PARAM  records, should be included in the output.  If smart
40              signing (-S) is used, DNSKEY records are also included.  The re‐
41              sulting file can be included in the original zone file with $IN‐
42              CLUDE. This option cannot be combined with -O raw,  -O  map,  or
43              serial-number updating.
44
45       -E engine
46              This  option specifies the hardware to use for cryptographic op‐
47              erations, such as a secure key store used for signing, when  ap‐
48              plicable.
49
50              When  BIND  9 is built with OpenSSL, this needs to be set to the
51              OpenSSL engine identifier that drives the cryptographic acceler‐
52              ator  or  hardware service module (usually pkcs11). When BIND is
53              built with native PKCS#11 cryptography (--enable-native-pkcs11),
54              it  defaults  to the path of the PKCS#11 provider library speci‐
55              fied via --with-pkcs11.
56
57       -g     This option indicates that DS records for child zones should  be
58              generated from a dsset- or keyset- file. Existing DS records are
59              removed.
60
61       -K directory
62              This option specifies the directory to search for  DNSSEC  keys.
63              If not specified, it defaults to the current directory.
64
65       -k key This  option  tells  BIND  9  to  treat  the  specified key as a
66              key-signing key, ignoring any key  flags.  This  option  may  be
67              specified multiple times.
68
69       -M maxttl
70              This  option  sets  the maximum TTL for the signed zone. Any TTL
71              higher than maxttl in the input zone is reduced to maxttl in the
72              output.  This  provides certainty as to the largest possible TTL
73              in the signed zone, which is useful to know when  rolling  keys.
74              The  maxttl  is the longest possible time before signatures that
75              have been retrieved by resolvers expire  from  resolver  caches.
76              Zones  that  are signed with this option should be configured to
77              use a matching max-zone-ttl in named.conf. (Note: This option is
78              incompatible with -D, because it modifies non-DNSSEC data in the
79              output zone.)
80
81       -s start-time
82              This option specifies the date and time when the generated RRSIG
83              records become valid. This can be either an absolute or relative
84              time. An absolute start time is indicated by a number in  YYYYM‐
85              MDDHHMMSS  notation;  20000530144500 denotes 14:45:00 UTC on May
86              30th, 2000. A relative start time is indicated by +N, which is N
87              seconds  from  the  current time. If no start-time is specified,
88              the current time minus 1 hour (to allow for clock skew) is used.
89
90       -e end-time
91              This option specifies the date and time when the generated RRSIG
92              records  expire.  As  with start-time, an absolute time is indi‐
93              cated in YYYYMMDDHHMMSS notation. A time relative to  the  start
94              time  is  indicated  with  +N, which is N seconds from the start
95              time. A time relative to the  current  time  is  indicated  with
96              now+N.  If no end-time is specified, 30 days from the start time
97              is the default.  end-time must be later than start-time.
98
99       -X extended end-time
100              This option specifies the date and time when the generated RRSIG
101              records for the DNSKEY RRset expire. This is to be used in cases
102              when the DNSKEY signatures need to persist  longer  than  signa‐
103              tures  on other records; e.g., when the private component of the
104              KSK is kept offline and the KSK signature  is  to  be  refreshed
105              manually.
106
107              As  with  end-time, an absolute time is indicated in YYYYMMDDHH‐
108              MMSS notation. A time relative to the start  time  is  indicated
109              with +N, which is N seconds from the start time. A time relative
110              to the current time is indicated  with  now+N.  If  no  extended
111              end-time  is specified, the value of end-time is used as the de‐
112              fault. (end-time, in turn, defaults to 30 days  from  the  start
113              time.) extended end-time must be later than start-time.
114
115       -f output-file
116              This option indicates the name of the output file containing the
117              signed zone. The default is to append .signed to the input file‐
118              name.  If output-file is set to -, then the signed zone is writ‐
119              ten to the standard output, with  a  default  output  format  of
120              full.
121
122       -h     This  option prints a short summary of the options and arguments
123              to dnssec-signzone.
124
125       -V     This option prints version information.
126
127       -i interval
128              This option indicates that, when a  previously  signed  zone  is
129              passed  as  input, records may be re-signed. The interval option
130              specifies the cycle interval as an offset from the current time,
131              in  seconds. If a RRSIG record expires after the cycle interval,
132              it is retained; otherwise, it is considered to be expiring  soon
133              and it is replaced.
134
135              The  default cycle interval is one quarter of the difference be‐
136              tween the signature end and start times. So if neither  end-time
137              nor  start-time  is  specified, dnssec-signzone generates signa‐
138              tures that are valid for 30 days, with a cycle interval  of  7.5
139              days. Therefore, if any existing RRSIG records are due to expire
140              in less than 7.5 days, they are replaced.
141
142       -I input-format
143              This option sets the format of the  input  zone  file.  Possible
144              formats  are  text  (the  default), raw, and map. This option is
145              primarily intended to be used for dynamic signed zones, so  that
146              the dumped zone file in a non-text format containing updates can
147              be signed directly.  This option is not useful  for  non-dynamic
148              zones.
149
150       -j jitter
151              When  signing  a zone with a fixed signature lifetime, all RRSIG
152              records issued at the time of signing expire simultaneously.  If
153              the zone is incrementally signed, i.e., a previously signed zone
154              is passed as input to the signer, all expired signatures must be
155              regenerated  at  approximately  the same time. The jitter option
156              specifies a jitter window that is used to randomize  the  signa‐
157              ture expire time, thus spreading incremental signature regenera‐
158              tion over time.
159
160              Signature lifetime jitter also, to some extent, benefits valida‐
161              tors  and  servers  by  spreading out cache expiration, i.e., if
162              large numbers of RRSIGs do not expire at the same time from  all
163              caches,  there is less congestion than if all validators need to
164              refetch at around the same time.
165
166       -L serial
167              When writing a signed zone to "raw" or "map" format, this option
168              sets  the  "source  serial" value in the header to the specified
169              serial number. (This is expected to be used primarily for  test‐
170              ing purposes.)
171
172       -n ncpus
173              This  option specifies the number of threads to use. By default,
174              one thread is started for each detected CPU.
175
176       -N soa-serial-format
177              This option sets the SOA serial  number  format  of  the  signed
178              zone.  Possible formats are keep (the default), increment, unix‐
179              time, and date.
180
181              keep   This format indicates that the SOA serial  number  should
182                     not be modified.
183
184              increment
185                     This  format  increments  the SOA serial number using RFC
186                     1982 arithmetic.
187
188              unixtime
189                     This format sets the SOA serial number to the  number  of
190                     seconds since the beginning of the Unix epoch, unless the
191                     serial number is already greater than or  equal  to  that
192                     value, in which case it is simply incremented by one.
193
194              date   This  format  sets the SOA serial number to today's date,
195                     in YYYYMMDDNN format, unless the serial number is already
196                     greater  than or equal to that value, in which case it is
197                     simply incremented by one.
198
199       -o origin
200              This option sets the zone origin. If not specified, the name  of
201              the zone file is assumed to be the origin.
202
203       -O output-format
204              This  option  sets  the format of the output file containing the
205              signed zone. Possible formats are text (the default),  which  is
206              the  standard textual representation of the zone; full, which is
207              text output in a format  suitable  for  processing  by  external
208              scripts; and map, raw, and raw=N, which store the zone in binary
209              formats for rapid loading by named. raw=N specifies  the  format
210              version  of  the  raw  zone file: if N is 0, the raw file can be
211              read by any version of named; if N is 1, the file can be read by
212              release 9.9.0 or higher. The default is 1.
213
214       -P     This option disables post-sign verification tests.
215
216              The  post-sign verification tests ensure that for each algorithm
217              in use there is at least one non-revoked  self-signed  KSK  key,
218              that  all revoked KSK keys are self-signed, and that all records
219              in the zone are signed by the algorithm. This option skips these
220              tests.
221
222       -Q     This  option removes signatures from keys that are no longer ac‐
223              tive.
224
225              Normally, when a previously signed zone is passed  as  input  to
226              the  signer,  and  a DNSKEY record has been removed and replaced
227              with a new one, signatures from  the  old  key  that  are  still
228              within  their validity period are retained. This allows the zone
229              to continue to validate with cached copies  of  the  old  DNSKEY
230              RRset. The -Q option forces dnssec-signzone to remove signatures
231              from keys that are no longer active. This enables  ZSK  rollover
232              using  the procedure described in RFC 4641#4.2.1.1 ("Pre-Publish
233              Key Rollover").
234
235       -q     This option enables quiet  mode,  which  suppresses  unnecessary
236              output.  Without  this  option,  when  dnssec-signzone is run it
237              prints three pieces of information to standard output: the  num‐
238              ber  of  keys in use; the algorithms used to verify the zone was
239              signed correctly and other status information; and the  filename
240              containing  the signed zone. With the option that output is sup‐
241              pressed, leaving only the filename.
242
243       -R     This option removes signatures from keys that are no longer pub‐
244              lished.
245
246              This  option  is similar to -Q, except it forces dnssec-signzone
247              to remove signatures from keys that  are  no  longer  published.
248              This  enables  ZSK rollover using the procedure described in RFC
249              4641#4.2.1.2 ("Double Signature Zone Signing Key Rollover").
250
251       -S     This option enables smart signing, which instructs  dnssec-sign‐
252              zone  to  search the key repository for keys that match the zone
253              being signed, and to include them in the zone if appropriate.
254
255              When a key is found, its timing metadata is examined  to  deter‐
256              mine  how  it  should be used, according to the following rules.
257              Each successive rule takes priority over the prior ones:
258                 If no timing metadata has been set for the key,  the  key  is
259                 published in the zone and used to sign the zone.
260
261                 If  the key's publication date is set and is in the past, the
262                 key is published in the zone.
263
264                 If the key's activation date is set and is in the  past,  the
265                 key is published (regardless of publication date) and used to
266                 sign the zone.
267
268                 If the key's revocation date is set and is in the  past,  and
269                 the  key  is  published, then the key is revoked, and the re‐
270                 voked key is used to sign the zone.
271
272                 If either the key's unpublication or deletion date is set and
273                 in  the  past,  the  key is NOT published or used to sign the
274                 zone, regardless of any other metadata.
275
276                 If the key's sync publication date is set and is in the past,
277                 synchronization  records  (type  CDS and/or CDNSKEY) are cre‐
278                 ated.
279
280                 If the key's sync deletion date is set and is  in  the  past,
281                 synchronization  records  (type  CDS  and/or CDNSKEY) are re‐
282                 moved.
283
284       -T ttl This option specifies a TTL to be used for  new  DNSKEY  records
285              imported  into  the  zone from the key repository. If not speci‐
286              fied, the default is the TTL value from the zone's  SOA  record.
287              This  option  is  ignored  when signing without -S, since DNSKEY
288              records are not imported from the key repository in  that  case.
289              It  is also ignored if there are any pre-existing DNSKEY records
290              at the zone apex, in which case new records' TTL values are  set
291              to  match  them,  or if any of the imported DNSKEY records had a
292              default TTL value. In the event of a conflict between TTL values
293              in imported keys, the shortest one is used.
294
295       -t     This option prints statistics at completion.
296
297       -u     This  option updates the NSEC/NSEC3 chain when re-signing a pre‐
298              viously signed zone.  With this option, a zone signed with  NSEC
299              can  be  switched  to  NSEC3, or a zone signed with NSEC3 can be
300              switched to NSEC or to NSEC3 with different parameters.  Without
301              this  option,  dnssec-signzone  retains  the existing chain when
302              re-signing.
303
304       -v level
305              This option sets the debugging level.
306
307       -x     This option indicates that BIND 9 should only sign  the  DNSKEY,
308              CDNSKEY,  and  CDS RRsets with key-signing keys, and should omit
309              signatures from zone-signing  keys.  (This  is  similar  to  the
310              dnssec-dnskey-kskonly yes; zone option in named.)
311
312       -z     This  option indicates that BIND 9 should ignore the KSK flag on
313              keys when determining what to sign. This causes KSK-flagged keys
314              to  sign all records, not just the DNSKEY RRset.  (This is simi‐
315              lar to the update-check-ksk no; zone option in named.)
316
317       -3 salt
318              This option generates an NSEC3 chain with the given  hex-encoded
319              salt.  A  dash (-) can be used to indicate that no salt is to be
320              used when generating the NSEC3 chain.
321
322       -H iterations
323              This option indicates that, when generating an NSEC3 chain, BIND
324              9 should use this many iterations. The default is 10.
325
326       -A     This option indicates that, when generating an NSEC3 chain, BIND
327              9 should set the OPTOUT flag on all NSEC3 records and should not
328              generate NSEC3 records for insecure delegations.
329
330              Using  this  option  twice (i.e., -AA) turns the OPTOUT flag off
331              for all records. This is useful when using the -u option to mod‐
332              ify an NSEC3 chain which previously had OPTOUT set.
333
334       zonefile
335              This option sets the file containing the zone to be signed.
336
337       key    This  option  specifies  which  keys  should be used to sign the
338              zone. If no keys are specified, the zone is examined for  DNSKEY
339              records  at  the zone apex. If these records are found and there
340              are matching private keys in the  current  directory,  they  are
341              used for signing.
342

EXAMPLE

344       The  following  command  signs  the  example.com  zone  with  the  ECD‐
345       SAP256SHA256 key generated by dnssec-keygen  (Kexample.com.+013+17247).
346       Because the -S option is not being used, the zone's keys must be in the
347       master file (db.example.com). This invocation looks for dsset files  in
348       the  current  directory,  so  that DS records can be imported from them
349       (-g).
350
351          % dnssec-signzone -g -o example.com db.example.com \
352          Kexample.com.+013+17247
353          db.example.com.signed
354          %
355
356       In  the  above  example,  dnssec-signzone  creates  the  file  db.exam‐
357       ple.com.signed.  This  file should be referenced in a zone statement in
358       the named.conf file.
359
360       This example re-signs a previously signed zone with default parameters.
361       The private keys are assumed to be in the current directory.
362
363          % cp db.example.com.signed db.example.com
364          % dnssec-signzone -o example.com db.example.com
365          db.example.com.signed
366          %
367

SEE ALSO

369       dnssec-keygen(8),  BIND 9 Administrator Reference Manual, RFC 4033, RFC
370       4641.
371

AUTHOR

373       Internet Systems Consortium
374
376       2021, Internet Systems Consortium
377
378
379
380
3819.16.16-RH                                                  DNSSEC-SIGNZONE(8)
Impressum