1DNSSEC-SIGNZONE(1)                  BIND 9                  DNSSEC-SIGNZONE(1)
2
3
4

NAME

6       dnssec-signzone - DNSSEC zone signing tool
7

SYNOPSIS

9       dnssec-signzone  [-a]  [-c  class]  [-d directory] [-D] [-E engine] [-e
10       end-time] [-f output-file] [-g] [-h] [-i  interval]  [-I  input-format]
11       [-j jitter] [-K directory] [-k key] [-L serial] [-M maxttl] [-N soa-se‐
12       rial-format] [-o origin] [-O output-format] [-P] [-Q]  [-q]  [-R]  [-S]
13       [-s  start-time]  [-T  ttl]  [-t]  [-u]  [-v  level]  [-V] [-X extended
14       end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
15

DESCRIPTION

17       dnssec-signzone signs a zone; it generates NSEC and RRSIG  records  and
18       produces  a  signed version of the zone. The security status of delega‐
19       tions from the signed zone (that is, whether the child  zones  are  se‐
20       cure)  is  determined  by  the presence or absence of a keyset file for
21       each child zone.
22

OPTIONS

24       -a     This option verifies all generated signatures.
25
26       -c class
27              This option specifies the DNS class of the zone.
28
29       -C     This option sets compatibility mode, in which a  keyset-zonename
30              file  is  generated in addition to dsset-zonename when signing a
31              zone, for use by older versions of dnssec-signzone.
32
33       -d directory
34              This option indicates the directory where BIND 9 should look for
35              dsset- or keyset- files.
36
37       -D     This option indicates that only those record types automatically
38              managed  by  dnssec-signzone,  i.e.,  RRSIG,  NSEC,  NSEC3   and
39              NSEC3PARAM  records, should be included in the output.  If smart
40              signing (-S) is used, DNSKEY records are also included.  The re‐
41              sulting file can be included in the original zone file with $IN‐
42              CLUDE. This option cannot be combined with -O raw or serial-num‐
43              ber updating.
44
45       -E engine
46              This  option specifies the hardware to use for cryptographic op‐
47              erations, such as a secure key store used for signing, when  ap‐
48              plicable.
49
50              When  BIND  9 is built with OpenSSL, this needs to be set to the
51              OpenSSL engine identifier that drives the cryptographic acceler‐
52              ator or hardware service module (usually pkcs11).
53
54       -g     This  option indicates that DS records for child zones should be
55              generated from a dsset- or keyset- file. Existing DS records are
56              removed.
57
58       -K directory
59              This  option  specifies the directory to search for DNSSEC keys.
60              If not specified, it defaults to the current directory.
61
62       -k key This option tells BIND  9  to  treat  the  specified  key  as  a
63              key-signing  key,  ignoring  any  key  flags. This option may be
64              specified multiple times.
65
66       -M maxttl
67              This option sets the maximum TTL for the signed  zone.  Any  TTL
68              higher than maxttl in the input zone is reduced to maxttl in the
69              output. This provides certainty as to the largest  possible  TTL
70              in  the  signed zone, which is useful to know when rolling keys.
71              The maxttl is the longest possible time before  signatures  that
72              have  been  retrieved  by resolvers expire from resolver caches.
73              Zones that are signed with this option should be  configured  to
74              use a matching max-zone-ttl in named.conf. (Note: This option is
75              incompatible with -D, because it modifies non-DNSSEC data in the
76              output zone.)
77
78       -s start-time
79              This option specifies the date and time when the generated RRSIG
80              records become valid. This can be either an absolute or relative
81              time.  An absolute start time is indicated by a number in YYYYM‐
82              MDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC  on  May
83              30th, 2000. A relative start time is indicated by +N, which is N
84              seconds from the current time. If no  start-time  is  specified,
85              the current time minus 1 hour (to allow for clock skew) is used.
86
87       -e end-time
88              This option specifies the date and time when the generated RRSIG
89              records expire. As with start-time, an absolute  time  is  indi‐
90              cated  in  YYYYMMDDHHMMSS notation. A time relative to the start
91              time is indicated with +N, which is N  seconds  from  the  start
92              time.  A  time  relative  to  the current time is indicated with
93              now+N. If no end-time is specified, 30 days from the start  time
94              is the default.  end-time must be later than start-time.
95
96       -X extended end-time
97              This option specifies the date and time when the generated RRSIG
98              records for the DNSKEY RRset expire. This is to be used in cases
99              when  the  DNSKEY  signatures need to persist longer than signa‐
100              tures on other records; e.g., when the private component of  the
101              KSK  is  kept  offline  and the KSK signature is to be refreshed
102              manually.
103
104              As with end-time, an absolute time is indicated  in  YYYYMMDDHH‐
105              MMSS  notation.  A  time relative to the start time is indicated
106              with +N, which is N seconds from the start time. A time relative
107              to  the  current  time  is  indicated with now+N. If no extended
108              end-time is specified, the value of end-time is used as the  de‐
109              fault.  (end-time,  in  turn, defaults to 30 days from the start
110              time.) extended end-time must be later than start-time.
111
112       -f output-file
113              This option indicates the name of the output file containing the
114              signed zone. The default is to append .signed to the input file‐
115              name. If output-file is set to -, then the signed zone is  writ‐
116              ten  to  the  standard  output,  with a default output format of
117              full.
118
119       -h     This option prints a short summary of the options and  arguments
120              to dnssec-signzone.
121
122       -V     This option prints version information.
123
124       -i interval
125              This  option  indicates  that,  when a previously signed zone is
126              passed as input, records may be re-signed. The  interval  option
127              specifies the cycle interval as an offset from the current time,
128              in seconds. If a RRSIG record expires after the cycle  interval,
129              it  is retained; otherwise, it is considered to be expiring soon
130              and it is replaced.
131
132              The default cycle interval is one quarter of the difference  be‐
133              tween  the signature end and start times. So if neither end-time
134              nor start-time is specified,  dnssec-signzone  generates  signa‐
135              tures  that  are valid for 30 days, with a cycle interval of 7.5
136              days. Therefore, if any existing RRSIG records are due to expire
137              in less than 7.5 days, they are replaced.
138
139       -I input-format
140              This  option  sets  the  format of the input zone file. Possible
141              formats are text (the default), and raw. This option is  primar‐
142              ily  intended  to  be used for dynamic signed zones, so that the
143              dumped zone file in a non-text format containing updates can  be
144              signed  directly.   This  option  is  not useful for non-dynamic
145              zones.
146
147       -j jitter
148              When signing a zone with a fixed signature lifetime,  all  RRSIG
149              records  issued at the time of signing expire simultaneously. If
150              the zone is incrementally signed, i.e., a previously signed zone
151              is passed as input to the signer, all expired signatures must be
152              regenerated at approximately the same time.  The  jitter  option
153              specifies  a  jitter window that is used to randomize the signa‐
154              ture expire time, thus spreading incremental signature regenera‐
155              tion over time.
156
157              Signature lifetime jitter also, to some extent, benefits valida‐
158              tors and servers by spreading out  cache  expiration,  i.e.,  if
159              large  numbers of RRSIGs do not expire at the same time from all
160              caches, there is less congestion than if all validators need  to
161              refetch at around the same time.
162
163       -L serial
164              When writing a signed zone to "raw" format, this option sets the
165              "source serial" value in the header to the specified serial num‐
166              ber.  (This  is  expected  to be used primarily for testing pur‐
167              poses.)
168
169       -n ncpus
170              This option specifies the number of threads to use. By  default,
171              one thread is started for each detected CPU.
172
173       -N soa-serial-format
174              This  option  sets  the  SOA  serial number format of the signed
175              zone. Possible formats are keep (the default), increment,  unix‐
176              time, and date.
177
178              keep   This  format  indicates that the SOA serial number should
179                     not be modified.
180
181              increment
182                     This format increments the SOA serial  number  using  RFC
183                     1982 arithmetic.
184
185              unixtime
186                     This  format  sets the SOA serial number to the number of
187                     seconds since the beginning of the Unix epoch, unless the
188                     serial  number  is  already greater than or equal to that
189                     value, in which case it is simply incremented by one.
190
191              date   This format sets the SOA serial number to  today's  date,
192                     in YYYYMMDDNN format, unless the serial number is already
193                     greater than or equal to that value, in which case it  is
194                     simply incremented by one.
195
196       -o origin
197              This  option sets the zone origin. If not specified, the name of
198              the zone file is assumed to be the origin.
199
200       -O output-format
201              This option sets the format of the output  file  containing  the
202              signed  zone.  Possible formats are text (the default), which is
203              the standard textual representation of the zone; full, which  is
204              text  output  in  a  format  suitable for processing by external
205              scripts; and raw and raw=N, which store the zone in binary  for‐
206              mats for rapid loading by named. raw=N specifies the format ver‐
207              sion of the raw zone file: if N is 0, the raw file can  be  read
208              by  any version of named; if N is 1, the file can be read by re‐
209              lease 9.9.0 or higher. The default is 1.
210
211       -P     This option disables post-sign verification tests.
212
213              The post-sign verification tests ensure that for each  algorithm
214              in  use  there  is at least one non-revoked self-signed KSK key,
215              that all revoked KSK keys are self-signed, and that all  records
216              in the zone are signed by the algorithm. This option skips these
217              tests.
218
219       -Q     This option removes signatures from keys that are no longer  ac‐
220              tive.
221
222              Normally,  when  a  previously signed zone is passed as input to
223              the signer, and a DNSKEY record has been  removed  and  replaced
224              with  a  new  one,  signatures  from  the old key that are still
225              within their validity period are retained. This allows the  zone
226              to  continue  to  validate  with cached copies of the old DNSKEY
227              RRset. The -Q option forces dnssec-signzone to remove signatures
228              from  keys  that are no longer active. This enables ZSK rollover
229              using the procedure described in RFC 4641#4.2.1.1  ("Pre-Publish
230              Key Rollover").
231
232       -q     This  option  enables  quiet  mode, which suppresses unnecessary
233              output. Without this option,  when  dnssec-signzone  is  run  it
234              prints  three pieces of information to standard output: the num‐
235              ber of keys in use; the algorithms used to verify the  zone  was
236              signed  correctly and other status information; and the filename
237              containing the signed zone. With the option that output is  sup‐
238              pressed, leaving only the filename.
239
240       -R     This option removes signatures from keys that are no longer pub‐
241              lished.
242
243              This option is similar to -Q, except it  forces  dnssec-signzone
244              to  remove  signatures  from  keys that are no longer published.
245              This enables ZSK rollover using the procedure described  in  RFC
246              4641#4.2.1.2 ("Double Signature Zone Signing Key Rollover").
247
248       -S     This  option enables smart signing, which instructs dnssec-sign‐
249              zone to search the key repository for keys that match  the  zone
250              being signed, and to include them in the zone if appropriate.
251
252              When  a  key is found, its timing metadata is examined to deter‐
253              mine how it should be used, according to  the  following  rules.
254              Each successive rule takes priority over the prior ones:
255                 If  no  timing  metadata has been set for the key, the key is
256                 published in the zone and used to sign the zone.
257
258                 If the key's publication date is set and is in the past,  the
259                 key is published in the zone.
260
261                 If  the  key's activation date is set and is in the past, the
262                 key is published (regardless of publication date) and used to
263                 sign the zone.
264
265                 If  the  key's revocation date is set and is in the past, and
266                 the key is published, then the key is revoked,  and  the  re‐
267                 voked key is used to sign the zone.
268
269                 If either the key's unpublication or deletion date is set and
270                 in the past, the key is NOT published or  used  to  sign  the
271                 zone, regardless of any other metadata.
272
273                 If the key's sync publication date is set and is in the past,
274                 synchronization records (type CDS and/or  CDNSKEY)  are  cre‐
275                 ated.
276
277                 If  the  key's  sync deletion date is set and is in the past,
278                 synchronization records (type CDS  and/or  CDNSKEY)  are  re‐
279                 moved.
280
281       -T ttl This  option  specifies  a TTL to be used for new DNSKEY records
282              imported into the zone from the key repository.  If  not  speci‐
283              fied,  the  default is the TTL value from the zone's SOA record.
284              This option is ignored when signing  without  -S,  since  DNSKEY
285              records  are  not imported from the key repository in that case.
286              It is also ignored if there are any pre-existing DNSKEY  records
287              at  the zone apex, in which case new records' TTL values are set
288              to match them, or if any of the imported DNSKEY  records  had  a
289              default TTL value. In the event of a conflict between TTL values
290              in imported keys, the shortest one is used.
291
292       -t     This option prints statistics at completion.
293
294       -u     This option updates the NSEC/NSEC3 chain when re-signing a  pre‐
295              viously  signed zone.  With this option, a zone signed with NSEC
296              can be switched to NSEC3, or a zone signed  with  NSEC3  can  be
297              switched  to NSEC or to NSEC3 with different parameters. Without
298              this option, dnssec-signzone retains  the  existing  chain  when
299              re-signing.
300
301       -v level
302              This option sets the debugging level.
303
304       -x     This  option  indicates that BIND 9 should only sign the DNSKEY,
305              CDNSKEY, and CDS RRsets with key-signing keys, and  should  omit
306              signatures  from  zone-signing  keys.  (This  is  similar to the
307              dnssec-dnskey-kskonly yes; zone option in named.)
308
309       -z     This option indicates that BIND 9 should ignore the KSK flag  on
310              keys when determining what to sign. This causes KSK-flagged keys
311              to sign all records, not just the DNSKEY RRset.  (This is  simi‐
312              lar to the update-check-ksk no; zone option in named.)
313
314       -3 salt
315              This  option generates an NSEC3 chain with the given hex-encoded
316              salt. A dash (-) can be used to indicate that no salt is  to  be
317              used when generating the NSEC3 chain.
318
319              NOTE:
320                 -3  -  is the recommended configuration. Adding salt provides
321                 no practical benefits.
322
323       -H iterations
324              This option indicates that, when generating an NSEC3 chain, BIND
325              9 should use this many iterations. The default is 0.
326
327              WARNING:
328                 Values  greater than 0 cause interoperability issues and also
329                 increase the risk of CPU-exhausting DoS attacks.
330
331       -A     This option indicates that, when generating an NSEC3 chain, BIND
332              9 should set the OPTOUT flag on all NSEC3 records and should not
333              generate NSEC3 records for insecure delegations.
334
335              WARNING:
336                 Do not use this option unless all its implications are  fully
337                 understood.  This option is intended only for extremely large
338                 zones (comparable to com.) with sparse secure delegations.
339
340       -AA    This option turns the OPTOUT flag off for all records.  This  is
341              useful  when  using the -u option to modify an NSEC3 chain which
342              previously had OPTOUT set.
343
344       zonefile
345              This option sets the file containing the zone to be signed.
346
347       key    This option specifies which keys should  be  used  to  sign  the
348              zone.  If no keys are specified, the zone is examined for DNSKEY
349              records at the zone apex. If these records are found  and  there
350              are  matching  private  keys  in the current directory, they are
351              used for signing.
352

EXAMPLE

354       The  following  command  signs  the  example.com  zone  with  the  ECD‐
355       SAP256SHA256  key generated by dnssec-keygen (Kexample.com.+013+17247).
356       Because the -S option is not being used, the zone's keys must be in the
357       master  file (db.example.com). This invocation looks for dsset files in
358       the current directory, so that DS records can be imported from them  (‐
359       -g).
360
361          % dnssec-signzone -g -o example.com db.example.com \
362          Kexample.com.+013+17247
363          db.example.com.signed
364          %
365
366       In  the  above  example,  dnssec-signzone  creates  the  file  db.exam‐
367       ple.com.signed. This file should be referenced in a zone  statement  in
368       the named.conf file.
369
370       This example re-signs a previously signed zone with default parameters.
371       The private keys are assumed to be in the current directory.
372
373          % cp db.example.com.signed db.example.com
374          % dnssec-signzone -o example.com db.example.com
375          db.example.com.signed
376          %
377

SEE ALSO

379       dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033,  RFC
380       4641.
381

AUTHOR

383       Internet Systems Consortium
384
386       2023, Internet Systems Consortium
387
388
389
390
3919.18.11                                                     DNSSEC-SIGNZONE(1)
Impressum