1ZONESIGNER(1) User Contributed Perl Documentation ZONESIGNER(1)
2
6 zonesigner - Generates encryption keys and signs a DNS zone
7
9 zonesigner [options] <zone-file> <signed-zone-file>
10 # get started immediately examples:
12 # first run on a zone for example.com:
14 zonesigner -genkeys -endtime +2678400 example.com
15 # future runs before expiration time (reuses the same keys):
17 zonesigner -endtime +2678400 example.com
18
20 This script combines into a single command many actions that are
21 required to sign a DNS zone. It generates the required KSK and ZSK
22 keys, adds the key data to a zone record file, signs the zone file, and
23 runs checks to ensure that everything worked properly. It also keeps
24 records about the keys and how the zone was signed in order to
25 facilitate re-signing of the zone in the future.
26 The zonesigner-specific zone-signing records are kept in keyrec files.
28 Using keyrec files, defined and maintained by DNSSEC-Tools, zonesigner
29 can automatically gather many of the options used to previously sign
30 and generate a zone and its keys. This allows the zone to be
31 maintained using the same key lengths and expiration times, for
32 example, without an administrator needing to manually track these
33 fields.
34
36 The following are examples that will allow a quick start on using
37 zonesigner:
38 first run on example.com
40 The following command will generate keys and sign the zone file for
41 example.com, giving an expiration date 31 days in the future. The
42 zone file is named example.com and the signed zone file will be
43 named example.com.signed.
44 zonesigner -genkeys -endtime +2678400 example.com
46 subsequent runs on example.com
48 The following command will re-sign example.com's zone file, but
49 will not generate new keys. The files and all key-generation and
50 zone-signing arguments will remain the same.
51 zonesigner example.com
53
55 zonesigner is used in this way:
56 zonesigner [options] <zone-file> <signed-zone-file>
58 The zone-file argument is required.
60 zone-file is the name of the zone file from which a signed zone file
62 will be created. If the -zone option is not given, then zone-file will
63 be used as the name of the zone that will be signed. Generated keys
64 are given this name as their base.
65 The zone file is modified to have include commands, which will include
67 the KSK and ZSK keys. These lines are placed at the end of the file
68 and should not be modified by the user. If the zone file already
69 includes any key files, those inclusions will be deleted. These lines
70 are distinguished by starting with "$INCLUDE" and end with ".key".
71 Only the actual include lines are deleted; any related comment lines
72 are left untouched.
73 An intermediate file is used in signing the zone. zone-file is copied
75 to the intermediate file and is modified in preparation of signing the
76 zone file. Several $INCLUDE lines will be added at the end of the file
77 and the SOA serial number will be incremented.
78 signed-zone is the name of the signed zone file. If it is not given on
80 the command line, the default signed zone filename is the zone-file
81 appended with ".signed". Thus, executing zonesigner example.com will
82 result in the signed zone being stored in example.com.signed.
83 Unless the -genkeys, -genksk, -genzsk, or -newpubksk options are
85 specified, the last keys generated for a particular zone will be used
86 in subsequent zonesigner executions.
87
89 keyrec files retain information about previous key-generation and zone-
90 signing operations. If a keyrec file is not specified (by way of the
91 -krfile option), then a default keyrec file is used. If this default
92 is not specified in the system's DNSSEC-Tools configuration file, the
93 filename will be the zone name appended with .krf. If the -nokrfile
94 option is given, then no keyrec file will be consulted or saved.
95 Each keyrec contains a set of "key/value" entries, one per line.
97 Example 4 below contains the contents of a sample keyrec file.
98 keyrec files contain three types of entries: zone keyrecs, set
100 keyrecs, and key keyrecs. Zone keyrecs contain information
101 specifically about the zone, such as the number of ZSKs used to sign
102 the zone, the end-time for the zone, and the key signing set names
103 (names of set keyrecs.) Set keyrecs contain lists of key keyrec names
104 used for a specific purpose, such as the current ZSK keys or the
105 published ZSK keys. Key keyrecs contain information about the
106 generated keys themselves, such as encryption algorithm, key length,
107 and key lifetime.
108 Keyrec Files and RFC5011 KSK Revocation
110 If RFC5011 processing is enabled, there is special handling of the
111 zone's set keyrec of revoked KSK keys. The "kskrev" field in the
112 zone's keyrec points to a set keyrec, marked as being of type "kskrev".
113 This set keyrec, in turn, points to a number of other set keyrecs, all
114 of which are also marked as being of type "kskrev". The group of all
115 revoked KSK keys is found by consulting that subsidiary set of "kskrev"
116 set keyrecs. When the ages of these revoked keys exceeds their
117 revocation periods, they are marked as being obsolete ("kskobs"). If
118 this happens as part of normal rollover, these revoked key and set
119 keyrecs are all removed from the chain of active, revoked keyrecs. If
120 this happens to a key that's part of a larger set of keys, it is
121 removed from that signing set and put in its own new signing set.
122
124 On some systems, the implementation of the pseudo-random number
125 generator requires keyboard activity. This keyboard activity is used
126 to fill a buffer in the system's random number generator. If
127 zonesigner appears hung, you may have to add entropy to the random
128 number generator by randomly striking keys until the program completes.
129 Display of this message is controlled by the entropy_msg configuration
130 file parameter.
131
133 zonesigner checks four places in order to determine option values. In
134 descending order of precedence, these places are:
135 command line options
137 keyrec file
139 DNSSEC-Tools configuration file
141 zonesigner defaults
143 Each is checked until a value is found. That value is then used for
145 that zonesigner execution and the value is stored in the keyrec file.
146 Example
148 For example, the KSK length has the following values:
149 -ksklength command line option: 8192
151 keyrec file: 1024
153 DNSSEC-Tools configuration file: 512
155 zonesigner defaults: 2048
157 If all are present, then the KSK length will be 8192.
159 If the -ksklength command line option wasn't given, the KSK length will
161 be 1024.
162 If the KSK length wasn't given in the configuration file, it will be
164 8192.
165 If the KSK length wasn't in the keyrec file or the configuration file,
167 the KSK length will be 8192.
168 If the -ksklength command line option wasn't given and the KSK length
170 wasn't in the configuration file, it'll be 1024.
171 If the command line option wasn't given, the KSK length wasn't in the
173 keyrec file, and it wasn't in the configuration file, then the KSK
174 length will be 512.
175
177 Three types of options may be given, based on the command for which
178 they are intended. These commands are dnssec-keygen, dnssec-signzone,
179 and zonesigner.
180 zonesigner-specific Options
182 -archivedir
183 The key archive directory. If a key archive directory hasn't been
184 specified (on the command line or in the DNSSEC-Tools configuration
185 file) and the -nosave option was not given, then zonesigner will
186 leave the keys in the current directory.
187 When the files are saved into the archive directory, the existing
189 file names are prepended with a timestamp. The timestamp indicates
190 when the files are archived.
191 This directory may not be the root directory.
193 -droprevoked
195 Explicitly obsolete currently revoked KSKs and remove them from the
196 signing set before resigning. This is mutually exclusive from
197 -nodroprevoked. If neither -droprevoked nor -nodroprevoked are
198 given, then -droprevoked functionality is assumed..
199 -dsdir
201 Specify a directory for storing dssets. This directory will be
202 created if it does not exist.
203 The directory must be writable and may not be the root directory.
205 -genkeys
207 Generate new KSKs and ZSKs for the zone.
208 -genksk
210 Generate new Current KSKs for the zone. Any existing Current KSKs
211 will be marked as obsolete. If this option is not given, the last
212 KSKs generated for this zone will be used.
213 -genzsk
215 Generate new ZSKs for the zone. By default, the last ZSKs
216 generated for this zone will be used.
217 -help
219 Display a usage message.
220 -intermediate
222 Filename to use for the temporary zone file. The zone file will be
223 copied to this file and then the key names appended.
224 -keydirectory
226 The directory in which KSK and ZSK keys will be stored. The
227 default is to store the keys in the directory in which zonesigner
228 is executed.
229 This directory may not be the root directory.
231 -krfile
233 keyrec file to use in processing options. See the man page for
234 Net::DNS::SEC::Tools::tooloptions.pm for more details about this
235 file.
236 -ksignset
238 The name of the KSK signing set to use. If the signing set does
239 not exist, then this must be used in conjunction with either
240 -genkeys or -genksk. The name may contain alphanumerics,
241 underscores, hyphens, periods, and commas.
242 The name may contain alphanumerics, underscores, hyphens, periods,
244 and commas. The default signing set name is "zone-signset-N",
245 where zone is the zone being signed and N is a number.
246 If -ksignset is not specified, then zonesigner will use the default
248 and increment the number for subsequent signing sets.
249 -kskcount
251 The number of KSK keys to generate and with which to sign the zone.
252 The default is to use a single KSK key.
253 -kskdirectory
255 The directory in which KSK keys will be stored. The default is to
256 store the keys in the directory in which zonesigner is executed.
257 This directory may not be the root directory.
259 -ksklife
261 The time between KSK rollovers. This is measured in seconds.
262 -newpubksk
264 Generate new Published KSKs for the zone. Any existing Published
265 KSKs will be marked as obsolete.
266 -nodroprevoked
268 Explicitly turn off obsoleting currently revoked KSKs and remove
269 them from the signing set before resigning. This is mutually
270 exclusive from -droprevoked. If neither -droprevoked nor
271 -nodroprevoked are given, then -droprevoked functionality is
272 assumed..
273 -nokrfile
275 No keyrec file will be consulted or created.
276 -norfc5011
278 Disable RFC5011 KSK revocation when rolling or replacing existing
279 KSK key sets. By default, zonesigner performs RFC5011 KSK
280 revocation and this option supersedes this behavior and any option
281 setting within the keyrec file.
282 -nosave
284 Do not save obsolete keys to the key archive directory. The
285 default behavior is to save obsolete keys.
286 -phase
288 Specify an rollover option based on the rollover phase, as opposed
289 to using the option naming the specific action to be performed.
290 The purpose of this option is to bring clarity and greater
291 understanding to how zonesigner is used in the rollover process.
292 The following are the mappings between the -phase options and the
294 action options.
295 Phase Option Action-based Option
297 -phase ksk2 -newpubksk
298 -phase ksk4 -rollksk
299 -phase zsk2 -usezskpub
300 -phase zsk4b -rollzsk
301 -phase zsk4b (no option)
302 Warning: The -phase option should only be used if you know what
304 you're doing.
305 -rollksk
307 Force a rollover of the KSK keys. The Current KSK keys are marked
308 as Obsolete and the Published KSK keys are marked as Current. The
309 zone is then signed with the new set of Current KSK keys. If the
310 zone's keyrec does not list a Current or Published KSK, an error
311 message is printed and zonesigner stops execution.
312 The zone's keyrec file is updated to show the new key state.
314 The keyrecs of the KSK keys are adjusted as follows:
316 The Current KSK keys are marked as Obsolete.
318 The Published KSK keys are marked as Current.
319 The Obsolete KSK keys are moved to the archive directory.
320 If RFC5011 processing is enabled, then the KSK rollover sequence is
322 modified as follows:
323 The Current KSK keys are marked as Revoked.
325 The Published KSK keys are marked as Current.
326 The Revoked KSK keys are checked to see if they are still
327 within their revocation period. If not, they are marked
328 as Obsolete.
329 The Obsolete KSK keys are moved to the archive directory.
330 Warning: The timing of key-rolling is critical. Great care must
332 be taken when using this option. In the future, rollerd will
333 automate the KSK rollover process and may be used to safely take
334 care of this aspect of DNSSEC management.
335 Warning: Using the -rollksk option should only be used if you know
337 what you're doing.
338 Warning: This is may be a temporary method of KSK rollover. It
340 may be changed in the future.
341 -rollzsk
343 Force a rollover of the ZSK keys using the Pre-Publish Key Rollover
344 method. The rollover process adjusts the keys used to sign the
345 specified zone, generates new keys, signs the zone with the
346 appropriate keys, and updates the keyrec file. The Pre-Publish Key
347 Rollover process is described in the DNSSEC Operational Practices
348 document.
349 Three sets of ZSK keys are used in the rollover process: Current,
351 Published, and New. Current ZSKs are those which are used to sign
352 the zone. Published ZSKs are available in the zone data, and
353 therefore in cached zone data, but are not yet used to sign the
354 zone. New ZSKs are not available in zone data nor yet used to sign
355 the zone, but are waiting in the wings for future use.
356 The keyrecs of the ZSK keys are adjusted as follows:
358 The Current ZSK keys are marked as obsolete.
360 The Published ZSK keys are marked as Current.
361 The New ZSK keys, if they exist, are marked as Published.
362 Another set of ZSK keys are generated, which will be
363 marked as the New ZSK keys.
364 The Published ZSK keys' zsklife field is copied to the
365 new ZSK keys' keyrecs.
366 The obsolete ZSK keys are moved to the archive directory.
367 The quick summary of proper ZSK rolling (which rollerd does for you
369 if you use it):
370 - wait 2 * max(TTL in zone)
372 - run zonesigner using -usezskpub
373 - wait 2 * max(TTL in zone)
374 - run zonesigner using -rollzsk
375 - wait 2 * max(TTL in zone)
376 Warning: The timing of key-rolling is critical. Great care must
378 be taken when using this option. rollerd automates the rollover
379 process and may be used to safely take care of this aspect of
380 DNSSEC management. Using the -rollzsk option should only be used
381 if you know what you're doing.
382 -showkeycmd
384 Display the actual key-generation command (with options and
385 arguments) that is executed. This is a small subset of verbose
386 level 3 output.
387 -showsigncmd
389 Display the actual zone-signing command (with options and
390 arguments) that is executed. This is a small subset of verbose
391 level 3 output.
392 -signset
394 The name of the ZSK signing set to use as the Current ZSK signing
395 set. The zone is signed and the given signing set becomes the
396 zone's new Current ZSK signing set. If the signing set does not
397 exist, then this must be used in conjunction with either -genkeys
398 or -genzsk.
399 The name may contain alphanumerics, underscores, hyphens, periods,
401 and commas. The default signing set name is "zonesignset-N", where
402 zone is the zone being signed and N is a number.
403 If -signset is not specified, then zonesigner will use the default
405 and increment the number for subsequent signing sets.
406 -useboth
408 Use the existing Current and Published ZSKs to sign the zone.
409 -usezskpub
411 Use the existing Published ZSKs to sign the zone.
412 -Version
414 Display the version information for zonesigner and the DNSSEC-Tools
415 package.
416 -verbose
418 Verbose output will be given. As more instances of -verbose are
419 given on the command line, additional levels of verbosity are
420 achieved.
421 level output
423 ----- ------
424 1 operations being performed
425 (e.g., generating key files, signing zone)
426 2 details on operations and some operation results
427 (e.g., new key names, zone serial number)
428 3 operations' parameters and additional details
429 (e.g., key lengths, encryption algorithm,
430 executed commands)
431 Higher levels of verbosity are cumulative. Specifying two
433 instances of -verbose will get the output from the first and second
434 levels of output.
435 -xc Display a message associated with a zonesigner exit value. This
437 option is intended for use by those programs who wish for
438 zonesigner to run silently, but need a description for why
439 zonesigner has exited with an error.
440 The following are the exit codes and their associated messages.
442 0 - successful execution
444 1 - -rfc5011 and -norfc5011 may not be specified together
445 2 - -droprevoked and -nodroprevoked may not be specified together
446 3 - -keydirectory and -kskdirectory may not be specified together
447 4 - -keydirectory and -zskdirectory may not be specified together
448 5 - KSK count must be positive
449 6 - ZSK count must be positive
450 7 - no key archive directory was specified
451 8 - key archive directory is not a directory
452 9 - key archive directory must not be /
453 10 - -savekeys and -nosave may not be specified together
454 11 - either a KSK or a ZSK directory was incorrectly specified
455 12 - either a specified KSK or a specified ZSK directory is not a
456 directory
457 13 - neither the KSK nor the ZSK directory may be the root
458 directory
459 14 - zone file, output file, and intermediate file must all have
460 distinct names
461 15 - zone file does not exist
462 16 - zone file is empty
463 17 - zone file already signed
464 18 - specified signing set does not exist
465 19 - specified Current ZSK signing set does not exist
466 20 - specified Published ZSK signing set does not exist
467 21 - specified new signing-set name already exists
468 22 - specified KSK signing set already exists
469 23 - no KSK signing set was specified
470 24 - specified Current KSK signing set does not exist
471 25 - specified Published KSK signing set does not exist
472 26 - unable to generate KSK key file
473 27 - ZSK keyrec does not exist in keyrec file
474 28 - unable to generate ZSK key file
475 29 - unable to archive keys because key archive directory is not a
476 directory
477 30 - KSK repository is not a directory
478 31 - ZSK repository is not a directory
479 32 - unable to update serial number in zonefile
480 33 - zone file's modified contents are empty
481 34 - unable to sign zone
482 35 - no Published KSKs have been created
483 36 - zone has no Published ZSKs to rollover to Current ZSKs
484 37 - no keys defined for a particular signing set for zone
485 38 - no keyrec exists for required signing set
486 39 - error in keyrec file -- a particular signing set keyrec is not
487 a set keyrec
488 40 - specified signing set does not contain any keys
489 41 - no key keyrec exists for a particular key
490 42 - keyrec of specified key has an unexpected type
491 43 - usage message printed
492 44 - invalid exit code given to -xc
493 45 - named-checkzone returned an error
494 46 - unable to create dsset archive directory
495 47 - dsset archive directory is not a directory
496 48 - dsset archive directory is not writable
497 49 - dsset archive directory must not be /
498 An error message will be printed if an invalid exit code is given.
500 -zone
502 Name of the zone that will be signed. This zone name may be given
503 with this option or as the first non-option command line argument.
504 In the second case, if the argument contains directory separators,
505 then final element of the path will be used for the zone name.
506 -zskcount
508 The number of ZSK keys to generate and with which to sign the zone.
509 The default is to use a single ZSK key.
510 -zskdirectory
512 The directory in which ZSK keys will be stored. The default is to
513 store the keys in the directory in which zonesigner is executed.
514 This directory may not be the root directory.
516 -zsklife
518 The time between ZSK rollovers. This is measured in seconds.
519 dnssec-keygen-specific Options
521 -algorithm
522 Cryptographic algorithm used to generate the zone's keys. The
523 default value is RSASHA1. The option value is passed to dnssec-
524 keygen as the -a flag. Consult dnssec-keygen's manual page to
525 determine legal values.
526 -kgopts
528 Additional options for dnssec-keygen may be specified using this
529 option. The additional options are passed as a single string value
530 as an argument to the -kgopts option.
531 -ksklength
533 Bit length of the zone's KSK key. The default is 2048.
534 -nsec3optout
536 When this flag and the -usensec3 flag are set, the zone will be
537 signed using the Opt-Out support described in RFC5155. A quick
538 summary is that only sub-domains with valid DS or public keys
539 available will be signed and the rest will not be. This greatly
540 reduces the computational and memory requirements of extremely
541 large zones with lots of unsigned children.
542 -random
544 Source of randomness used to generate the zone's keys. This is
545 assumed to be a file, for example /dev/urandom.
546 -usensec3
548 Signs the zone using NSEC3 (see RFC5155) proof-of-non-existence
549 records rather than NSEC records. The keys used to sign the zone
550 must support the use of NSEC3 or else zone-signing will fail.
551 Zonesigner will automatically generate new keys of the correct type
552 if one of the -genkeys or similar options is used.
553 -zsklength
555 Bit length of the zone's ZSK key. The default is 1024.
556 dnssec-signzone-specific Options
558 -endtime
559 Time that the zone expires, measured in seconds. See the man page
560 for dnssec-signzone for the valid format of this field. The
561 default value is 2764800 seconds (32 days.)
562 -gends
564 Force dnssec-signzone to generate DS records for the zone. This
565 option is translated into -g when passed to dnssec-signzone.
566 This option is obsolete. DS records are generated by default. Use
568 the -nogends option if DS records should not be generated.
569 -ksdir
571 Specify a directory for storing keysets. This is passed to dnssec-
572 signzone as the -d option.
573 -nogends
575 Prevent dnssec-signzone from generating DS records for the zone.
576 -szopts
578 Additional options for dnssec-signzone may be specified using this
579 option. The additional options are passed as a single string value
580 as an argument to the -szopts option.
581 Other Options
583 -zcopts
584 Additional options for named-checkzone may be specified using this
585 option. The additional options are passed as a single string value
586 as an argument to the -zcopts option.
587
589 Example 1.
590 In the first example, an existing keyrec file is used to assist in
592 signing the example.com domain. Zone data are stored in example.com,
593 and the keyrec is in example.krf. The final signed zone file will be
594 db.example.com.signed. Using this execution:
595 # zonesigner -krfile example.krf example.com db.example.com.signed
597 the following files are created:
599 Kexample.com.+005+45842.private
601 Kexample.com.+005+45842.key
602 Kexample.com.+005+50186.private
603 Kexample.com.+005+50186.key
604 Kexample.com.+005+59143.private
605 Kexample.com.+005+59143.key
606 dsset-example.com.
608 keyset-example.com.
609 db.example.com.signed
611 The first six files are the KSK and ZSK keys required for the zone.
613 The next two files are created by the zone-signing process. The last
614 file is the final signed zone file.
615 Example 2.
617 In the second example, an existing keyrec file is used to assist in
619 signing the example.com domain. Zone data are stored in example.com,
620 and the keyrec is in example.krf. The generated keys, an intermediate
621 zone file, and final signed zone file will use example.com as a base.
622 Using this execution:
623 # zonesigner -krfile example.krf -intermediate example.zs example.com
625 the following files are created:
627 Kdb.example.com.+005+12354.key
629 Kdb.example.com.+005+12354.private
630 Kdb.example.com.+005+82197.key
631 Kdb.example.com.+005+82197.private
632 Kdb.example.com.+005+55888.key
633 Kdb.example.com.+005+55888.private
634 dsset-db.example.com.
636 keyset-db.example.com.
637 example.zs
639 example.com.signed
640 The first six files are the KSK and ZSK keys required for the zone.
642 The next two files are created by the zone-signing process. The second
643 last file is an intermediate file that will be signed. The last file
644 is file is the final signed zone.
645 Example 3.
647 In the third example, no keyrec file is specified for the signing of
649 the example.com domain. In addition to files created as shown in
650 previous examples, a new keyrec file is created. The new keyrec file
651 uses the domain name as its base. Using this execution:
652 # zonesigner example.com db.example.com
654 the following keyrec file is created:
656 example.com.krf
658 The signed zone file is created in:
660 db.example.com
662 Example 4.
664 This example shows a keyrec file generated by zonesigner.
666 The command executed is:
668 # zonesigner example.com db.example.com
670 The generated keyrec file contains six keyrecs: a zone keyrec, two set
672 keyrecs, one KSK keyrec, and two ZSK keyrecs.
673 zone "example.com"
675 zonefile "example.com"
676 signedzone "db.example.com"
677 endtime "+2764800"
678 kskcur "example.com.signset-24"
679 kskdirectory "."
680 zskcur "example.com.signset-42"
681 zskpub "example.com.signset-43"
682 zskdirectory "."
683 keyrec_type "zone"
684 keyrec_signsecs "1115166642"
685 keyrec_signdate "Wed May 4 00:30:42 2005"
686 set "example.com.signset-24"
688 zonename "example.com"
689 keys "Kexample.com.+005+24082"
690 keyrec_setsecs "1110000042"
691 keyrec_setdate "Sat Mar 5 05:20:42 2005"
692 set "example.com.signset-42"
694 zonename "example.com"
695 keys "Kexample.com.+005+53135"
696 keyrec_setsecs "1115166640"
697 keyrec_setdate "Wed May 4 00:30:40 2005"
698 set "example.com.signset-43"
700 zonename "example.com"
701 keys "Kexample.com.+005+13531"
702 keyrec_setsecs "1115166641"
703 keyrec_setdate "Wed May 4 00:30:41 2005"
704 key "Kexample.com.+005+24082"
706 zonename "example.com"
707 keyrec_type "kskcur"
708 algorithm "rsasha1"
709 random "/dev/urandom"
710 keypath "./Kexample.com.+005+24082.key"
711 ksklength "2048"
712 ksklife "15768000"
713 keyrec_gensecs "1110000042"
714 keyrec_gendate "Sat Mar 5 05:20:42 2005"
715 key "Kexample.com.+005+53135"
717 zonename "example.com"
718 keyrec_type "zskcur"
719 algorithm "rsasha1"
720 random "/dev/urandom"
721 keypath "./Kexample.com.+005+53135.key"
722 zsklength "1024"
723 zsklife "604800"
724 keyrec_gensecs "1115166638"
725 keyrec_gendate "Wed May 4 00:30:38 2005"
726 key "Kexample.com.+005+13531"
728 zonename "example.com"
729 keyrec_type "zskpub"
730 algorithm "rsasha1"
731 random "/dev/urandom"
732 keypath "./Kexample.com.+005+13531.key"
733 zsklength "1024"
734 zsklife "604800"
735 keyrec_gensecs "1115166638"
736 keyrec_gendate "Wed May 4 00:30:38 2005"
737
739 1. One Zone in a keyrec File
740 There is a bug in the signing-set code that necessitates only
741 storing one zone in a keyrec file.
742 2. SOA Serial Numbers
744 Serial numbers in SOA records are merely incremented in this
745 version. Future plans are to allow for more flexible serial number
746 manipulation.
747
749 Copyright 2004-2011 SPARTA, Inc. All rights reserved. See the COPYING
750 file included with the DNSSEC-Tools package for details.
751
753 Wayne Morrison, tewok@users.sourceforge.net
754
756 lskrf(1)
757 dnssec-keygen(8), dnssec-signzone(8)
759 Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3),
761 Net::DNS::SEC::Tools::keyrec.pm(3),
762 Net::DNS::SEC::Tools::tooloptions.pm(3)
763 keyrec(5)
765perl v5.12.4 2011-09-30 ZONESIGNER(1)