1DNSSEC-SIGNZONE(8) BIND 9 DNSSEC-SIGNZONE(8)
2
6 dnssec-signzone - DNSSEC zone signing tool
7
9 dnssec-signzone [-a] [-c class] [-d directory] [-D] [-E engine] [-e
10 end-time] [-f output-file] [-g] [-h] [-i interval] [-I input-format]
11 [-j jitter] [-K directory] [-k key] [-L serial] [-M maxttl] [-N soa-se‐
12 rial-format] [-o origin] [-O output-format] [-P] [-Q] [-q] [-R] [-S]
13 [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended
14 end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
15
17 dnssec-signzone signs a zone; it generates NSEC and RRSIG records and
18 produces a signed version of the zone. The security status of delega‐
19 tions from the signed zone (that is, whether the child zones are se‐
20 cure) is determined by the presence or absence of a keyset file for
21 each child zone.
22
24 -a This option verifies all generated signatures.
25 -c class
27 This option specifies the DNS class of the zone.
28 -C This option sets compatibility mode, in which a keyset-zonename
30 file is generated in addition to dsset-zonename when signing a
31 zone, for use by older versions of dnssec-signzone.
32 -d directory
34 This option indicates the directory where BIND 9 should look for
35 dsset- or keyset- files.
36 -D This option indicates that only those record types automatically
38 managed by dnssec-signzone, i.e., RRSIG, NSEC, NSEC3 and
39 NSEC3PARAM records, should be included in the output. If smart
40 signing (-S) is used, DNSKEY records are also included. The re‐
41 sulting file can be included in the original zone file with $IN‐
42 CLUDE. This option cannot be combined with -O raw, -O map, or
43 serial-number updating.
44 -E engine
46 This option specifies the hardware to use for cryptographic op‐
47 erations, such as a secure key store used for signing, when ap‐
48 plicable.
49 When BIND 9 is built with OpenSSL, this needs to be set to the
51 OpenSSL engine identifier that drives the cryptographic acceler‐
52 ator or hardware service module (usually pkcs11). When BIND is
53 built with native PKCS#11 cryptography (--enable-native-pkcs11),
54 it defaults to the path of the PKCS#11 provider library speci‐
55 fied via --with-pkcs11.
56 -g This option indicates that DS records for child zones should be
58 generated from a dsset- or keyset- file. Existing DS records are
59 removed.
60 -K directory
62 This option specifies the directory to search for DNSSEC keys.
63 If not specified, it defaults to the current directory.
64 -k key This option tells BIND 9 to treat the specified key as a
66 key-signing key, ignoring any key flags. This option may be
67 specified multiple times.
68 -M maxttl
70 This option sets the maximum TTL for the signed zone. Any TTL
71 higher than maxttl in the input zone is reduced to maxttl in the
72 output. This provides certainty as to the largest possible TTL
73 in the signed zone, which is useful to know when rolling keys.
74 The maxttl is the longest possible time before signatures that
75 have been retrieved by resolvers expire from resolver caches.
76 Zones that are signed with this option should be configured to
77 use a matching max-zone-ttl in named.conf. (Note: This option is
78 incompatible with -D, because it modifies non-DNSSEC data in the
79 output zone.)
80 -s start-time
82 This option specifies the date and time when the generated RRSIG
83 records become valid. This can be either an absolute or relative
84 time. An absolute start time is indicated by a number in YYYYM‐
85 MDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May
86 30th, 2000. A relative start time is indicated by +N, which is N
87 seconds from the current time. If no start-time is specified,
88 the current time minus 1 hour (to allow for clock skew) is used.
89 -e end-time
91 This option specifies the date and time when the generated RRSIG
92 records expire. As with start-time, an absolute time is indi‐
93 cated in YYYYMMDDHHMMSS notation. A time relative to the start
94 time is indicated with +N, which is N seconds from the start
95 time. A time relative to the current time is indicated with
96 now+N. If no end-time is specified, 30 days from the start time
97 is the default. end-time must be later than start-time.
98 -X extended end-time
100 This option specifies the date and time when the generated RRSIG
101 records for the DNSKEY RRset expire. This is to be used in cases
102 when the DNSKEY signatures need to persist longer than signa‐
103 tures on other records; e.g., when the private component of the
104 KSK is kept offline and the KSK signature is to be refreshed
105 manually.
106 As with end-time, an absolute time is indicated in YYYYMMDDHH‐
108 MMSS notation. A time relative to the start time is indicated
109 with +N, which is N seconds from the start time. A time relative
110 to the current time is indicated with now+N. If no extended
111 end-time is specified, the value of end-time is used as the de‐
112 fault. (end-time, in turn, defaults to 30 days from the start
113 time.) extended end-time must be later than start-time.
114 -f output-file
116 This option indicates the name of the output file containing the
117 signed zone. The default is to append .signed to the input file‐
118 name. If output-file is set to -, then the signed zone is writ‐
119 ten to the standard output, with a default output format of
120 full.
121 -h This option prints a short summary of the options and arguments
123 to dnssec-signzone.
124 -V This option prints version information.
126 -i interval
128 This option indicates that, when a previously signed zone is
129 passed as input, records may be re-signed. The interval option
130 specifies the cycle interval as an offset from the current time,
131 in seconds. If a RRSIG record expires after the cycle interval,
132 it is retained; otherwise, it is considered to be expiring soon
133 and it is replaced.
134 The default cycle interval is one quarter of the difference be‐
136 tween the signature end and start times. So if neither end-time
137 nor start-time is specified, dnssec-signzone generates signa‐
138 tures that are valid for 30 days, with a cycle interval of 7.5
139 days. Therefore, if any existing RRSIG records are due to expire
140 in less than 7.5 days, they are replaced.
141 -I input-format
143 This option sets the format of the input zone file. Possible
144 formats are text (the default), raw, and map. This option is
145 primarily intended to be used for dynamic signed zones, so that
146 the dumped zone file in a non-text format containing updates can
147 be signed directly. This option is not useful for non-dynamic
148 zones.
149 -j jitter
151 When signing a zone with a fixed signature lifetime, all RRSIG
152 records issued at the time of signing expire simultaneously. If
153 the zone is incrementally signed, i.e., a previously signed zone
154 is passed as input to the signer, all expired signatures must be
155 regenerated at approximately the same time. The jitter option
156 specifies a jitter window that is used to randomize the signa‐
157 ture expire time, thus spreading incremental signature regenera‐
158 tion over time.
159 Signature lifetime jitter also, to some extent, benefits valida‐
161 tors and servers by spreading out cache expiration, i.e., if
162 large numbers of RRSIGs do not expire at the same time from all
163 caches, there is less congestion than if all validators need to
164 refetch at around the same time.
165 -L serial
167 When writing a signed zone to "raw" or "map" format, this option
168 sets the "source serial" value in the header to the specified
169 serial number. (This is expected to be used primarily for test‐
170 ing purposes.)
171 -n ncpus
173 This option specifies the number of threads to use. By default,
174 one thread is started for each detected CPU.
175 -N soa-serial-format
177 This option sets the SOA serial number format of the signed
178 zone. Possible formats are keep (the default), increment, unix‐
179 time, and date.
180 keep This format indicates that the SOA serial number should
182 not be modified.
183 increment
185 This format increments the SOA serial number using RFC
186 1982 arithmetic.
187 unixtime
189 This format sets the SOA serial number to the number of
190 seconds since the beginning of the Unix epoch, unless the
191 serial number is already greater than or equal to that
192 value, in which case it is simply incremented by one.
193 date This format sets the SOA serial number to today's date,
195 in YYYYMMDDNN format, unless the serial number is already
196 greater than or equal to that value, in which case it is
197 simply incremented by one.
198 -o origin
200 This option sets the zone origin. If not specified, the name of
201 the zone file is assumed to be the origin.
202 -O output-format
204 This option sets the format of the output file containing the
205 signed zone. Possible formats are text (the default), which is
206 the standard textual representation of the zone; full, which is
207 text output in a format suitable for processing by external
208 scripts; and map, raw, and raw=N, which store the zone in binary
209 formats for rapid loading by named. raw=N specifies the format
210 version of the raw zone file: if N is 0, the raw file can be
211 read by any version of named; if N is 1, the file can be read by
212 release 9.9.0 or higher. The default is 1.
213 -P This option disables post-sign verification tests.
215 The post-sign verification tests ensure that for each algorithm
217 in use there is at least one non-revoked self-signed KSK key,
218 that all revoked KSK keys are self-signed, and that all records
219 in the zone are signed by the algorithm. This option skips these
220 tests.
221 -Q This option removes signatures from keys that are no longer ac‐
223 tive.
224 Normally, when a previously signed zone is passed as input to
226 the signer, and a DNSKEY record has been removed and replaced
227 with a new one, signatures from the old key that are still
228 within their validity period are retained. This allows the zone
229 to continue to validate with cached copies of the old DNSKEY
230 RRset. The -Q option forces dnssec-signzone to remove signatures
231 from keys that are no longer active. This enables ZSK rollover
232 using the procedure described in RFC 4641#4.2.1.1 ("Pre-Publish
233 Key Rollover").
234 -q This option enables quiet mode, which suppresses unnecessary
236 output. Without this option, when dnssec-signzone is run it
237 prints three pieces of information to standard output: the num‐
238 ber of keys in use; the algorithms used to verify the zone was
239 signed correctly and other status information; and the filename
240 containing the signed zone. With the option that output is sup‐
241 pressed, leaving only the filename.
242 -R This option removes signatures from keys that are no longer pub‐
244 lished.
245 This option is similar to -Q, except it forces dnssec-signzone
247 to remove signatures from keys that are no longer published.
248 This enables ZSK rollover using the procedure described in RFC
249 4641#4.2.1.2 ("Double Signature Zone Signing Key Rollover").
250 -S This option enables smart signing, which instructs dnssec-sign‐
252 zone to search the key repository for keys that match the zone
253 being signed, and to include them in the zone if appropriate.
254 When a key is found, its timing metadata is examined to deter‐
256 mine how it should be used, according to the following rules.
257 Each successive rule takes priority over the prior ones:
258 If no timing metadata has been set for the key, the key is
259 published in the zone and used to sign the zone.
260 If the key's publication date is set and is in the past, the
262 key is published in the zone.
263 If the key's activation date is set and is in the past, the
265 key is published (regardless of publication date) and used to
266 sign the zone.
267 If the key's revocation date is set and is in the past, and
269 the key is published, then the key is revoked, and the re‐
270 voked key is used to sign the zone.
271 If either the key's unpublication or deletion date is set and
273 in the past, the key is NOT published or used to sign the
274 zone, regardless of any other metadata.
275 If the key's sync publication date is set and is in the past,
277 synchronization records (type CDS and/or CDNSKEY) are cre‐
278 ated.
279 If the key's sync deletion date is set and is in the past,
281 synchronization records (type CDS and/or CDNSKEY) are re‐
282 moved.
283 -T ttl This option specifies a TTL to be used for new DNSKEY records
285 imported into the zone from the key repository. If not speci‐
286 fied, the default is the TTL value from the zone's SOA record.
287 This option is ignored when signing without -S, since DNSKEY
288 records are not imported from the key repository in that case.
289 It is also ignored if there are any pre-existing DNSKEY records
290 at the zone apex, in which case new records' TTL values are set
291 to match them, or if any of the imported DNSKEY records had a
292 default TTL value. In the event of a conflict between TTL values
293 in imported keys, the shortest one is used.
294 -t This option prints statistics at completion.
296 -u This option updates the NSEC/NSEC3 chain when re-signing a pre‐
298 viously signed zone. With this option, a zone signed with NSEC
299 can be switched to NSEC3, or a zone signed with NSEC3 can be
300 switched to NSEC or to NSEC3 with different parameters. Without
301 this option, dnssec-signzone retains the existing chain when
302 re-signing.
303 -v level
305 This option sets the debugging level.
306 -x This option indicates that BIND 9 should only sign the DNSKEY,
308 CDNSKEY, and CDS RRsets with key-signing keys, and should omit
309 signatures from zone-signing keys. (This is similar to the
310 dnssec-dnskey-kskonly yes; zone option in named.)
311 -z This option indicates that BIND 9 should ignore the KSK flag on
313 keys when determining what to sign. This causes KSK-flagged keys
314 to sign all records, not just the DNSKEY RRset. (This is simi‐
315 lar to the update-check-ksk no; zone option in named.)
316 -3 salt
318 This option generates an NSEC3 chain with the given hex-encoded
319 salt. A dash (-) can be used to indicate that no salt is to be
320 used when generating the NSEC3 chain.
321 -H iterations
323 This option indicates that, when generating an NSEC3 chain, BIND
324 9 should use this many iterations. The default is 10.
325 -A This option indicates that, when generating an NSEC3 chain, BIND
327 9 should set the OPTOUT flag on all NSEC3 records and should not
328 generate NSEC3 records for insecure delegations.
329 Using this option twice (i.e., -AA) turns the OPTOUT flag off
331 for all records. This is useful when using the -u option to mod‐
332 ify an NSEC3 chain which previously had OPTOUT set.
333 zonefile
335 This option sets the file containing the zone to be signed.
336 key This option specifies which keys should be used to sign the
338 zone. If no keys are specified, the zone is examined for DNSKEY
339 records at the zone apex. If these records are found and there
340 are matching private keys in the current directory, they are
341 used for signing.
342
344 The following command signs the example.com zone with the ECD‐
345 SAP256SHA256 key generated by dnssec-keygen (Kexample.com.+013+17247).
346 Because the -S option is not being used, the zone's keys must be in the
347 master file (db.example.com). This invocation looks for dsset files in
348 the current directory, so that DS records can be imported from them
349 (-g).
350 % dnssec-signzone -g -o example.com db.example.com \
352 Kexample.com.+013+17247
353 db.example.com.signed
354 %
355 In the above example, dnssec-signzone creates the file db.exam‐
357 ple.com.signed. This file should be referenced in a zone statement in
358 the named.conf file.
359 This example re-signs a previously signed zone with default parameters.
361 The private keys are assumed to be in the current directory.
362 % cp db.example.com.signed db.example.com
364 % dnssec-signzone -o example.com db.example.com
365 db.example.com.signed
366 %
367
369 dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033, RFC
370 4641.
371
373 Internet Systems Consortium
374
376 2021, Internet Systems Consortium
3779.16.23-RH DNSSEC-SIGNZONE(8)