1DNSSEC-SIGNZONE(1)                  BIND 9                  DNSSEC-SIGNZONE(1)
2
3
4

NAME

6       dnssec-signzone - DNSSEC zone signing tool
7

SYNOPSIS

9       dnssec-signzone  [-a]  [-c  class]  [-d directory] [-D] [-E engine] [-e
10       end-time] [-f output-file] [-F] [-g] [-G sync-records] [-h] [-i  inter‐
11       val]  [-I input-format] [-j jitter] [-K directory] [-k key] [-L serial]
12       [-M maxttl] [-N soa-serial-format] [-o origin] [-O output-format]  [-P]
13       [-Q]  [-q] [-R] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V]
14       [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A]  {zone‐
15       file} [key...]
16

DESCRIPTION

18       dnssec-signzone  signs  a zone; it generates NSEC and RRSIG records and
19       produces a signed version of the zone. The security status  of  delega‐
20       tions  from  the  signed zone (that is, whether the child zones are se‐
21       cure) is determined by the presence or absence of  a  keyset  file  for
22       each child zone.
23

OPTIONS

25       -a     This option verifies all generated signatures.
26
27       -c class
28              This option specifies the DNS class of the zone.
29
30       -C     This  option sets compatibility mode, in which a keyset-zonename
31              file is generated in addition to dsset-zonename when  signing  a
32              zone, for use by older versions of dnssec-signzone.
33
34       -d directory
35              This option indicates the directory where BIND 9 should look for
36              dsset- or keyset- files.
37
38       -D     This option indicates that only those record types automatically
39              managed   by  dnssec-signzone,  i.e.,  RRSIG,  NSEC,  NSEC3  and
40              NSEC3PARAM records, should be included in the output.  If  smart
41              signing (-S) is used, DNSKEY records are also included.  The re‐
42              sulting file can be included in the original zone file with $IN‐
43              CLUDE. This option cannot be combined with -O raw or serial-num‐
44              ber updating.
45
46       -E engine
47              This option specifies the hardware to use for cryptographic  op‐
48              erations,  such as a secure key store used for signing, when ap‐
49              plicable.
50
51              When BIND 9 is built with OpenSSL, this needs to be set  to  the
52              OpenSSL engine identifier that drives the cryptographic acceler‐
53              ator or hardware service module (usually pkcs11).
54
55       -F     This options turns on FIPS (US  Federal  Information  Processing
56              Standards)  mode if the underlying crytographic library supports
57              running in FIPS mode.
58
59       -g     This option indicates that DS records for child zones should  be
60              generated from a dsset- or keyset- file. Existing DS records are
61              removed.
62
63       -G sync-records
64              This option indicates which CDS and CDNSKEY  records  should  be
65              generated.  sync-records  is  a  comma-separated string with the
66              following allowed items: cdnskey, and  cds:<digest-type>,  where
67              digest-type  is  an  allowed  algorithm  such as SHA-256 (2), or
68              SHA-384 (4).  Only works in combination with smart signing (-S).
69
70       -K directory
71              This option specifies the directory to search for  DNSSEC  keys.
72              If not specified, it defaults to the current directory.
73
74       -k key This  option  tells  BIND  9  to  treat  the  specified key as a
75              key-signing key, ignoring any key  flags.  This  option  may  be
76              specified multiple times.
77
78       -M maxttl
79              This  option  sets  the maximum TTL for the signed zone. Any TTL
80              higher than maxttl in the input zone is reduced to maxttl in the
81              output.  This  provides certainty as to the largest possible TTL
82              in the signed zone, which is useful to know when  rolling  keys.
83              The  maxttl  is the longest possible time before signatures that
84              have been retrieved by resolvers expire  from  resolver  caches.
85              Zones  that  are signed with this option should be configured to
86              use a matching max-zone-ttl in named.conf. (Note: This option is
87              incompatible with -D, because it modifies non-DNSSEC data in the
88              output zone.)
89
90       -s start-time
91              This option specifies the date and time when the generated RRSIG
92              records become valid. This can be either an absolute or relative
93              time. An absolute start time is indicated by a number in  YYYYM‐
94              MDDHHMMSS  notation;  20000530144500 denotes 14:45:00 UTC on May
95              30th, 2000. A relative start time is indicated by +N, which is N
96              seconds  from  the  current time. If no start-time is specified,
97              the current time minus 1 hour (to allow for clock skew) is used.
98
99       -e end-time
100              This option specifies the date and time when the generated RRSIG
101              records  expire.  As  with start-time, an absolute time is indi‐
102              cated in YYYYMMDDHHMMSS notation. A time relative to  the  start
103              time  is  indicated  with  +N, which is N seconds from the start
104              time. A time relative to the  current  time  is  indicated  with
105              now+N.  If no end-time is specified, 30 days from the start time
106              is the default.  end-time must be later than start-time.
107
108       -X extended end-time
109              This option specifies the date and time when the generated RRSIG
110              records for the DNSKEY RRset expire. This is to be used in cases
111              when the DNSKEY signatures need to persist  longer  than  signa‐
112              tures  on other records; e.g., when the private component of the
113              KSK is kept offline and the KSK signature  is  to  be  refreshed
114              manually.
115
116              As  with  end-time, an absolute time is indicated in YYYYMMDDHH‐
117              MMSS notation. A time relative to the start  time  is  indicated
118              with +N, which is N seconds from the start time. A time relative
119              to the current time is indicated  with  now+N.  If  no  extended
120              end-time  is specified, the value of end-time is used as the de‐
121              fault. (end-time, in turn, defaults to 30 days  from  the  start
122              time.) extended end-time must be later than start-time.
123
124       -f output-file
125              This option indicates the name of the output file containing the
126              signed zone. The default is to append .signed to the input file‐
127              name.  If output-file is set to -, then the signed zone is writ‐
128              ten to the standard output, with  a  default  output  format  of
129              full.
130
131       -h     This  option prints a short summary of the options and arguments
132              to dnssec-signzone.
133
134       -V     This option prints version information.
135
136       -i interval
137              This option indicates that, when a  previously  signed  zone  is
138              passed  as  input, records may be re-signed. The interval option
139              specifies the cycle interval as an offset from the current time,
140              in  seconds. If a RRSIG record expires after the cycle interval,
141              it is retained; otherwise, it is considered to be expiring  soon
142              and it is replaced.
143
144              The  default cycle interval is one quarter of the difference be‐
145              tween the signature end and start times. So if neither  end-time
146              nor  start-time  is  specified, dnssec-signzone generates signa‐
147              tures that are valid for 30 days, with a cycle interval  of  7.5
148              days. Therefore, if any existing RRSIG records are due to expire
149              in less than 7.5 days, they are replaced.
150
151       -I input-format
152              This option sets the format of the  input  zone  file.  Possible
153              formats  are text (the default), and raw. This option is primar‐
154              ily intended to be used for dynamic signed zones,  so  that  the
155              dumped  zone file in a non-text format containing updates can be
156              signed directly.  This option  is  not  useful  for  non-dynamic
157              zones.
158
159       -j jitter
160              When  signing  a zone with a fixed signature lifetime, all RRSIG
161              records issued at the time of signing expire simultaneously.  If
162              the zone is incrementally signed, i.e., a previously signed zone
163              is passed as input to the signer, all expired signatures must be
164              regenerated  at  approximately  the same time. The jitter option
165              specifies a jitter window that is used to randomize  the  signa‐
166              ture expire time, thus spreading incremental signature regenera‐
167              tion over time.
168
169              Signature lifetime jitter also, to some extent, benefits valida‐
170              tors  and  servers  by  spreading out cache expiration, i.e., if
171              large numbers of RRSIGs do not expire at the same time from  all
172              caches,  there is less congestion than if all validators need to
173              refetch at around the same time.
174
175       -L serial
176              When writing a signed zone to "raw" format, this option sets the
177              "source serial" value in the header to the specified serial num‐
178              ber. (This is expected to be used  primarily  for  testing  pur‐
179              poses.)
180
181       -n ncpus
182              This  option specifies the number of threads to use. By default,
183              one thread is started for each detected CPU.
184
185       -N soa-serial-format
186              This option sets the SOA serial  number  format  of  the  signed
187              zone.  Possible formats are keep (the default), increment, unix‐
188              time, and date.
189
190              keep   This format indicates that the SOA serial  number  should
191                     not be modified.
192
193              increment
194                     This  format  increments  the SOA serial number using RFC
195                     1982 arithmetic.
196
197              unixtime
198                     This format sets the SOA serial number to the  number  of
199                     seconds since the beginning of the Unix epoch, unless the
200                     serial number is already greater than or  equal  to  that
201                     value, in which case it is simply incremented by one.
202
203              date   This  format  sets the SOA serial number to today's date,
204                     in YYYYMMDDNN format, unless the serial number is already
205                     greater  than or equal to that value, in which case it is
206                     simply incremented by one.
207
208       -o origin
209              This option sets the zone origin. If not specified, the name  of
210              the zone file is assumed to be the origin.
211
212       -O output-format
213              This  option  sets  the format of the output file containing the
214              signed zone. Possible formats are text (the default),  which  is
215              the  standard textual representation of the zone; full, which is
216              text output in a format  suitable  for  processing  by  external
217              scripts;  and raw and raw=N, which store the zone in binary for‐
218              mats for rapid loading by named. raw=N specifies the format ver‐
219              sion  of  the raw zone file: if N is 0, the raw file can be read
220              by any version of named; if N is 1, the file can be read by  re‐
221              lease 9.9.0 or higher. The default is 1.
222
223       -P     This option disables post-sign verification tests.
224
225              The  post-sign verification tests ensure that for each algorithm
226              in use there is at least one non-revoked  self-signed  KSK  key,
227              that  all revoked KSK keys are self-signed, and that all records
228              in the zone are signed by the algorithm. This option skips these
229              tests.
230
231       -Q     This  option removes signatures from keys that are no longer ac‐
232              tive.
233
234              Normally, when a previously signed zone is passed  as  input  to
235              the  signer,  and  a DNSKEY record has been removed and replaced
236              with a new one, signatures from  the  old  key  that  are  still
237              within  their validity period are retained. This allows the zone
238              to continue to validate with cached copies  of  the  old  DNSKEY
239              RRset. The -Q option forces dnssec-signzone to remove signatures
240              from keys that are no longer active. This enables  ZSK  rollover
241              using  the procedure described in RFC 4641#4.2.1.1 ("Pre-Publish
242              Key Rollover").
243
244       -q     This option enables quiet  mode,  which  suppresses  unnecessary
245              output.  Without  this  option,  when  dnssec-signzone is run it
246              prints three pieces of information to standard output: the  num‐
247              ber  of  keys in use; the algorithms used to verify the zone was
248              signed correctly and other status information; and the  filename
249              containing  the signed zone. With the option that output is sup‐
250              pressed, leaving only the filename.
251
252       -R     This option removes signatures from keys that are no longer pub‐
253              lished.
254
255              This  option  is similar to -Q, except it forces dnssec-signzone
256              to remove signatures from keys that  are  no  longer  published.
257              This  enables  ZSK rollover using the procedure described in RFC
258              4641#4.2.1.2 ("Double Signature Zone Signing Key Rollover").
259
260       -S     This option enables smart signing, which instructs  dnssec-sign‐
261              zone  to  search the key repository for keys that match the zone
262              being signed, and to include them in the zone if appropriate.
263
264              When a key is found, its timing metadata is examined  to  deter‐
265              mine  how  it  should be used, according to the following rules.
266              Each successive rule takes priority over the prior ones:
267                 If no timing metadata has been set for the key,  the  key  is
268                 published in the zone and used to sign the zone.
269
270                 If  the key's publication date is set and is in the past, the
271                 key is published in the zone.
272
273                 If the key's activation date is set and is in the  past,  the
274                 key is published (regardless of publication date) and used to
275                 sign the zone.
276
277                 If the key's revocation date is set and is in the  past,  and
278                 the  key  is  published, then the key is revoked, and the re‐
279                 voked key is used to sign the zone.
280
281                 If either the key's unpublication or deletion date is set and
282                 in  the  past,  the  key is NOT published or used to sign the
283                 zone, regardless of any other metadata.
284
285                 If the key's sync publication date is set and is in the past,
286                 synchronization  records  (type  CDS and/or CDNSKEY) are cre‐
287                 ated.
288
289                 If the key's sync deletion date is set and is  in  the  past,
290                 synchronization  records  (type  CDS  and/or CDNSKEY) are re‐
291                 moved.
292
293       -T ttl This option specifies a TTL to be used for  new  DNSKEY  records
294              imported  into  the  zone from the key repository. If not speci‐
295              fied, the default is the TTL value from the zone's  SOA  record.
296              This  option  is  ignored  when signing without -S, since DNSKEY
297              records are not imported from the key repository in  that  case.
298              It  is also ignored if there are any pre-existing DNSKEY records
299              at the zone apex, in which case new records' TTL values are  set
300              to  match  them,  or if any of the imported DNSKEY records had a
301              default TTL value. In the event of a conflict between TTL values
302              in imported keys, the shortest one is used.
303
304       -t     This option prints statistics at completion.
305
306       -u     This  option updates the NSEC/NSEC3 chain when re-signing a pre‐
307              viously signed zone.  With this option, a zone signed with  NSEC
308              can  be  switched  to  NSEC3, or a zone signed with NSEC3 can be
309              switched to NSEC or to NSEC3 with different parameters.  Without
310              this  option,  dnssec-signzone  retains  the existing chain when
311              re-signing.
312
313       -v level
314              This option sets the debugging level.
315
316       -x     This option indicates that BIND 9 should only sign  the  DNSKEY,
317              CDNSKEY,  and  CDS RRsets with key-signing keys, and should omit
318              signatures from zone-signing keys.
319
320       -z     This option indicates that BIND 9 should ignore the KSK flag  on
321              keys when determining what to sign. This causes KSK-flagged keys
322              to sign all records, not just the DNSKEY RRset.
323
324       -3 salt
325              This option generates an NSEC3 chain with the given  hex-encoded
326              salt.  A  dash (-) can be used to indicate that no salt is to be
327              used when generating the NSEC3 chain.
328
329              NOTE:
330                 -3 - is the recommended configuration. Adding  salt  provides
331                 no practical benefits.
332
333       -H iterations
334              This option indicates that, when generating an NSEC3 chain, BIND
335              9 should use this many iterations. The default is 0.
336
337              WARNING:
338                 Values greater than 0 cause interoperability issues and  also
339                 increase the risk of CPU-exhausting DoS attacks.
340
341       -A     This option indicates that, when generating an NSEC3 chain, BIND
342              9 should set the OPTOUT flag on all NSEC3 records and should not
343              generate NSEC3 records for insecure delegations.
344
345              WARNING:
346                 Do  not use this option unless all its implications are fully
347                 understood. This option is intended only for extremely  large
348                 zones (comparable to com.) with sparse secure delegations.
349
350       -AA    This  option  turns the OPTOUT flag off for all records. This is
351              useful when using the -u option to modify an NSEC3  chain  which
352              previously had OPTOUT set.
353
354       zonefile
355              This option sets the file containing the zone to be signed.
356
357       key    This  option  specifies  which  keys  should be used to sign the
358              zone. If no keys are specified, the zone is examined for  DNSKEY
359              records  at  the zone apex. If these records are found and there
360              are matching private keys in the  current  directory,  they  are
361              used for signing.
362

EXAMPLE

364       The  following  command  signs  the  example.com  zone  with  the  ECD‐
365       SAP256SHA256 key generated by dnssec-keygen  (Kexample.com.+013+17247).
366       Because the -S option is not being used, the zone's keys must be in the
367       master file (db.example.com). This invocation looks for dsset files  in
368       the  current directory, so that DS records can be imported from them (‐
369       -g).
370
371          % dnssec-signzone -g -o example.com db.example.com \
372          Kexample.com.+013+17247
373          db.example.com.signed
374          %
375
376       In  the  above  example,  dnssec-signzone  creates  the  file  db.exam‐
377       ple.com.signed.  This  file should be referenced in a zone statement in
378       the named.conf file.
379
380       This example re-signs a previously signed zone with default parameters.
381       The private keys are assumed to be in the current directory.
382
383          % cp db.example.com.signed db.example.com
384          % dnssec-signzone -o example.com db.example.com
385          db.example.com.signed
386          %
387

SEE ALSO

389       dnssec-keygen(8),  BIND 9 Administrator Reference Manual, RFC 4033, RFC
390       4641.
391

AUTHOR

393       Internet Systems Consortium
394
396       2023, Internet Systems Consortium
397
398
399
400
4019.19.18                                                     DNSSEC-SIGNZONE(1)
Impressum