1DNSSEC-SIGNZONE(1) BIND 9 DNSSEC-SIGNZONE(1)
2
6 dnssec-signzone - DNSSEC zone signing tool
7
9 dnssec-signzone [-a] [-c class] [-d directory] [-D] [-E engine] [-e
10 end-time] [-f output-file] [-F] [-g] [-G sync-records] [-h] [-i inter‐
11 val] [-I input-format] [-j jitter] [-K directory] [-k key] [-L serial]
12 [-M maxttl] [-N soa-serial-format] [-o origin] [-O output-format] [-P]
13 [-Q] [-q] [-R] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V]
14 [-X extended end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zone‐
15 file} [key...]
16
18 dnssec-signzone signs a zone; it generates NSEC and RRSIG records and
19 produces a signed version of the zone. The security status of delega‐
20 tions from the signed zone (that is, whether the child zones are se‐
21 cure) is determined by the presence or absence of a keyset file for
22 each child zone.
23
25 -a This option verifies all generated signatures.
26 -c class
28 This option specifies the DNS class of the zone.
29 -C This option sets compatibility mode, in which a keyset-zonename
31 file is generated in addition to dsset-zonename when signing a
32 zone, for use by older versions of dnssec-signzone.
33 -d directory
35 This option indicates the directory where BIND 9 should look for
36 dsset- or keyset- files.
37 -D This option indicates that only those record types automatically
39 managed by dnssec-signzone, i.e., RRSIG, NSEC, NSEC3 and
40 NSEC3PARAM records, should be included in the output. If smart
41 signing (-S) is used, DNSKEY records are also included. The re‐
42 sulting file can be included in the original zone file with $IN‐
43 CLUDE. This option cannot be combined with -O raw or serial-num‐
44 ber updating.
45 -E engine
47 This option specifies the hardware to use for cryptographic op‐
48 erations, such as a secure key store used for signing, when ap‐
49 plicable.
50 When BIND 9 is built with OpenSSL, this needs to be set to the
52 OpenSSL engine identifier that drives the cryptographic acceler‐
53 ator or hardware service module (usually pkcs11).
54 -F This options turns on FIPS (US Federal Information Processing
56 Standards) mode if the underlying crytographic library supports
57 running in FIPS mode.
58 -g This option indicates that DS records for child zones should be
60 generated from a dsset- or keyset- file. Existing DS records are
61 removed.
62 -G sync-records
64 This option indicates which CDS and CDNSKEY records should be
65 generated. sync-records is a comma-separated string with the
66 following allowed items: cdnskey, and cds:<digest-type>, where
67 digest-type is an allowed algorithm such as SHA-256 (2), or
68 SHA-384 (4). Only works in combination with smart signing (-S).
69 -K directory
71 This option specifies the directory to search for DNSSEC keys.
72 If not specified, it defaults to the current directory.
73 -k key This option tells BIND 9 to treat the specified key as a
75 key-signing key, ignoring any key flags. This option may be
76 specified multiple times.
77 -M maxttl
79 This option sets the maximum TTL for the signed zone. Any TTL
80 higher than maxttl in the input zone is reduced to maxttl in the
81 output. This provides certainty as to the largest possible TTL
82 in the signed zone, which is useful to know when rolling keys.
83 The maxttl is the longest possible time before signatures that
84 have been retrieved by resolvers expire from resolver caches.
85 Zones that are signed with this option should be configured to
86 use a matching max-zone-ttl in named.conf. (Note: This option is
87 incompatible with -D, because it modifies non-DNSSEC data in the
88 output zone.)
89 -s start-time
91 This option specifies the date and time when the generated RRSIG
92 records become valid. This can be either an absolute or relative
93 time. An absolute start time is indicated by a number in YYYYM‐
94 MDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May
95 30th, 2000. A relative start time is indicated by +N, which is N
96 seconds from the current time. If no start-time is specified,
97 the current time minus 1 hour (to allow for clock skew) is used.
98 -e end-time
100 This option specifies the date and time when the generated RRSIG
101 records expire. As with start-time, an absolute time is indi‐
102 cated in YYYYMMDDHHMMSS notation. A time relative to the start
103 time is indicated with +N, which is N seconds from the start
104 time. A time relative to the current time is indicated with
105 now+N. If no end-time is specified, 30 days from the start time
106 is the default. end-time must be later than start-time.
107 -X extended end-time
109 This option specifies the date and time when the generated RRSIG
110 records for the DNSKEY RRset expire. This is to be used in cases
111 when the DNSKEY signatures need to persist longer than signa‐
112 tures on other records; e.g., when the private component of the
113 KSK is kept offline and the KSK signature is to be refreshed
114 manually.
115 As with end-time, an absolute time is indicated in YYYYMMDDHH‐
117 MMSS notation. A time relative to the start time is indicated
118 with +N, which is N seconds from the start time. A time relative
119 to the current time is indicated with now+N. If no extended
120 end-time is specified, the value of end-time is used as the de‐
121 fault. (end-time, in turn, defaults to 30 days from the start
122 time.) extended end-time must be later than start-time.
123 -f output-file
125 This option indicates the name of the output file containing the
126 signed zone. The default is to append .signed to the input file‐
127 name. If output-file is set to -, then the signed zone is writ‐
128 ten to the standard output, with a default output format of
129 full.
130 -h This option prints a short summary of the options and arguments
132 to dnssec-signzone.
133 -V This option prints version information.
135 -i interval
137 This option indicates that, when a previously signed zone is
138 passed as input, records may be re-signed. The interval option
139 specifies the cycle interval as an offset from the current time,
140 in seconds. If a RRSIG record expires after the cycle interval,
141 it is retained; otherwise, it is considered to be expiring soon
142 and it is replaced.
143 The default cycle interval is one quarter of the difference be‐
145 tween the signature end and start times. So if neither end-time
146 nor start-time is specified, dnssec-signzone generates signa‐
147 tures that are valid for 30 days, with a cycle interval of 7.5
148 days. Therefore, if any existing RRSIG records are due to expire
149 in less than 7.5 days, they are replaced.
150 -I input-format
152 This option sets the format of the input zone file. Possible
153 formats are text (the default), and raw. This option is primar‐
154 ily intended to be used for dynamic signed zones, so that the
155 dumped zone file in a non-text format containing updates can be
156 signed directly. This option is not useful for non-dynamic
157 zones.
158 -j jitter
160 When signing a zone with a fixed signature lifetime, all RRSIG
161 records issued at the time of signing expire simultaneously. If
162 the zone is incrementally signed, i.e., a previously signed zone
163 is passed as input to the signer, all expired signatures must be
164 regenerated at approximately the same time. The jitter option
165 specifies a jitter window that is used to randomize the signa‐
166 ture expire time, thus spreading incremental signature regenera‐
167 tion over time.
168 Signature lifetime jitter also, to some extent, benefits valida‐
170 tors and servers by spreading out cache expiration, i.e., if
171 large numbers of RRSIGs do not expire at the same time from all
172 caches, there is less congestion than if all validators need to
173 refetch at around the same time.
174 -L serial
176 When writing a signed zone to "raw" format, this option sets the
177 "source serial" value in the header to the specified serial num‐
178 ber. (This is expected to be used primarily for testing pur‐
179 poses.)
180 -n ncpus
182 This option specifies the number of threads to use. By default,
183 one thread is started for each detected CPU.
184 -N soa-serial-format
186 This option sets the SOA serial number format of the signed
187 zone. Possible formats are keep (the default), increment, unix‐
188 time, and date.
189 keep This format indicates that the SOA serial number should
191 not be modified.
192 increment
194 This format increments the SOA serial number using RFC
195 1982 arithmetic.
196 unixtime
198 This format sets the SOA serial number to the number of
199 seconds since the beginning of the Unix epoch, unless the
200 serial number is already greater than or equal to that
201 value, in which case it is simply incremented by one.
202 date This format sets the SOA serial number to today's date,
204 in YYYYMMDDNN format, unless the serial number is already
205 greater than or equal to that value, in which case it is
206 simply incremented by one.
207 -o origin
209 This option sets the zone origin. If not specified, the name of
210 the zone file is assumed to be the origin.
211 -O output-format
213 This option sets the format of the output file containing the
214 signed zone. Possible formats are text (the default), which is
215 the standard textual representation of the zone; full, which is
216 text output in a format suitable for processing by external
217 scripts; and raw and raw=N, which store the zone in binary for‐
218 mats for rapid loading by named. raw=N specifies the format ver‐
219 sion of the raw zone file: if N is 0, the raw file can be read
220 by any version of named; if N is 1, the file can be read by re‐
221 lease 9.9.0 or higher. The default is 1.
222 -P This option disables post-sign verification tests.
224 The post-sign verification tests ensure that for each algorithm
226 in use there is at least one non-revoked self-signed KSK key,
227 that all revoked KSK keys are self-signed, and that all records
228 in the zone are signed by the algorithm. This option skips these
229 tests.
230 -Q This option removes signatures from keys that are no longer ac‐
232 tive.
233 Normally, when a previously signed zone is passed as input to
235 the signer, and a DNSKEY record has been removed and replaced
236 with a new one, signatures from the old key that are still
237 within their validity period are retained. This allows the zone
238 to continue to validate with cached copies of the old DNSKEY
239 RRset. The -Q option forces dnssec-signzone to remove signatures
240 from keys that are no longer active. This enables ZSK rollover
241 using the procedure described in RFC 4641#4.2.1.1 ("Pre-Publish
242 Key Rollover").
243 -q This option enables quiet mode, which suppresses unnecessary
245 output. Without this option, when dnssec-signzone is run it
246 prints three pieces of information to standard output: the num‐
247 ber of keys in use; the algorithms used to verify the zone was
248 signed correctly and other status information; and the filename
249 containing the signed zone. With the option that output is sup‐
250 pressed, leaving only the filename.
251 -R This option removes signatures from keys that are no longer pub‐
253 lished.
254 This option is similar to -Q, except it forces dnssec-signzone
256 to remove signatures from keys that are no longer published.
257 This enables ZSK rollover using the procedure described in RFC
258 4641#4.2.1.2 ("Double Signature Zone Signing Key Rollover").
259 -S This option enables smart signing, which instructs dnssec-sign‐
261 zone to search the key repository for keys that match the zone
262 being signed, and to include them in the zone if appropriate.
263 When a key is found, its timing metadata is examined to deter‐
265 mine how it should be used, according to the following rules.
266 Each successive rule takes priority over the prior ones:
267 If no timing metadata has been set for the key, the key is
268 published in the zone and used to sign the zone.
269 If the key's publication date is set and is in the past, the
271 key is published in the zone.
272 If the key's activation date is set and is in the past, the
274 key is published (regardless of publication date) and used to
275 sign the zone.
276 If the key's revocation date is set and is in the past, and
278 the key is published, then the key is revoked, and the re‐
279 voked key is used to sign the zone.
280 If either the key's unpublication or deletion date is set and
282 in the past, the key is NOT published or used to sign the
283 zone, regardless of any other metadata.
284 If the key's sync publication date is set and is in the past,
286 synchronization records (type CDS and/or CDNSKEY) are cre‐
287 ated.
288 If the key's sync deletion date is set and is in the past,
290 synchronization records (type CDS and/or CDNSKEY) are re‐
291 moved.
292 -T ttl This option specifies a TTL to be used for new DNSKEY records
294 imported into the zone from the key repository. If not speci‐
295 fied, the default is the TTL value from the zone's SOA record.
296 This option is ignored when signing without -S, since DNSKEY
297 records are not imported from the key repository in that case.
298 It is also ignored if there are any pre-existing DNSKEY records
299 at the zone apex, in which case new records' TTL values are set
300 to match them, or if any of the imported DNSKEY records had a
301 default TTL value. In the event of a conflict between TTL values
302 in imported keys, the shortest one is used.
303 -t This option prints statistics at completion.
305 -u This option updates the NSEC/NSEC3 chain when re-signing a pre‐
307 viously signed zone. With this option, a zone signed with NSEC
308 can be switched to NSEC3, or a zone signed with NSEC3 can be
309 switched to NSEC or to NSEC3 with different parameters. Without
310 this option, dnssec-signzone retains the existing chain when
311 re-signing.
312 -v level
314 This option sets the debugging level.
315 -x This option indicates that BIND 9 should only sign the DNSKEY,
317 CDNSKEY, and CDS RRsets with key-signing keys, and should omit
318 signatures from zone-signing keys.
319 -z This option indicates that BIND 9 should ignore the KSK flag on
321 keys when determining what to sign. This causes KSK-flagged keys
322 to sign all records, not just the DNSKEY RRset.
323 -3 salt
325 This option generates an NSEC3 chain with the given hex-encoded
326 salt. A dash (-) can be used to indicate that no salt is to be
327 used when generating the NSEC3 chain.
328 NOTE:
330 -3 - is the recommended configuration. Adding salt provides
331 no practical benefits.
332 -H iterations
334 This option indicates that, when generating an NSEC3 chain, BIND
335 9 should use this many iterations. The default is 0.
336 WARNING:
338 Values greater than 0 cause interoperability issues and also
339 increase the risk of CPU-exhausting DoS attacks.
340 -A This option indicates that, when generating an NSEC3 chain, BIND
342 9 should set the OPTOUT flag on all NSEC3 records and should not
343 generate NSEC3 records for insecure delegations.
344 WARNING:
346 Do not use this option unless all its implications are fully
347 understood. This option is intended only for extremely large
348 zones (comparable to com.) with sparse secure delegations.
349 -AA This option turns the OPTOUT flag off for all records. This is
351 useful when using the -u option to modify an NSEC3 chain which
352 previously had OPTOUT set.
353 zonefile
355 This option sets the file containing the zone to be signed.
356 key This option specifies which keys should be used to sign the
358 zone. If no keys are specified, the zone is examined for DNSKEY
359 records at the zone apex. If these records are found and there
360 are matching private keys in the current directory, they are
361 used for signing.
362
364 The following command signs the example.com zone with the ECD‐
365 SAP256SHA256 key generated by dnssec-keygen (Kexample.com.+013+17247).
366 Because the -S option is not being used, the zone's keys must be in the
367 master file (db.example.com). This invocation looks for dsset files in
368 the current directory, so that DS records can be imported from them (‐
369 -g).
370 % dnssec-signzone -g -o example.com db.example.com \
372 Kexample.com.+013+17247
373 db.example.com.signed
374 %
375 In the above example, dnssec-signzone creates the file db.exam‐
377 ple.com.signed. This file should be referenced in a zone statement in
378 the named.conf file.
379 This example re-signs a previously signed zone with default parameters.
381 The private keys are assumed to be in the current directory.
382 % cp db.example.com.signed db.example.com
384 % dnssec-signzone -o example.com db.example.com
385 db.example.com.signed
386 %
387
389 dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033, RFC
390 4641.
391
393 Internet Systems Consortium
394
396 2023, Internet Systems Consortium
3979.19.18 DNSSEC-SIGNZONE(1)