ldns-signzone(1)            General Commands Manual           ldns-signzone(1)

NAME

       ldns-signzone - sign a zonefile with DNSSEC data


SYNOPSIS

       ldns-signzone [ OPTIONS ] ZONEFILE KEY [KEY [KEY] ...  ]


DESCRIPTION

       ldns-signzone is used to generate a DNSSEC signed zone. When run it
       will create a new zonefile that contains RRSIG and NSEC resource
       records, as specified in RFC 4033, RFC 4034 and RFC 4035.

       Keys must be specified by their base name (i.e. without .private). If
       the DNSKEY that belongs to the key in the .private file is not present
       in the zone, it will be read from the file <base name>.key. If that
       file does not exist, the DNSKEY value will be generated from the
       private key.

       Multiple keys can be specified. Key Signing Keys are used as such when
       they are either already present in the zone or specified in a .key
       file, and have the KSK bit set.


OPTIONS

       -b     Augments the zone and the RRs with extra comment text for a
              more readable layout that is easier to debug. DS records will
              have a bubblebabble version of the data in the comment text,
              and NSEC3 records will have the original NSEC3 in the comment
              text.

              Without this option, only DNSKEY RRs will have their Key Tag
              annotated in the comment text.


       -d     Normally, if the DNSKEY RR for a key that is used to sign the
              zone is not found in the zone file, it will be read from .key,
              or derived from the private key (in that order). This option
              turns that feature off, so that only the signatures are added to
              the zone.
43
44
       -e date
              Set the expiration date of the signatures to this date; the
              format can be YYYYMMDD[hhmmss], or a timestamp.


       -f file
              Use this file to store the signed zone in (default
              <originalfile>.signed).


       -i date
              Set the inception date of the signatures to this date; the
              format can be YYYYMMDD[hhmmss], or a timestamp.


       -o origin
              Use this as the origin of the zone.


       -v     Print the version and exit.

66
       -A     Sign the DNSKEY RRset with all keys. By default it is signed
              with a minimal number of keys, to keep the response size for the
              DNSKEY query small, and only the SEP keys that are passed are
              used. If there are no SEP keys, the DNSKEY RRset is signed with
              the non-SEP keys. This option turns off the default and all
              keys are used to sign the DNSKEY RRset.


       -E name
              Use the EVP cryptographic engine with the given name for
              signing. This can have some extra options; see ENGINE OPTIONS
              for more information.


       -K algorithm-id,key-id
              Use the key `key-id' as the signing key for algorithm
              `algorithm-id' as a Key Signing Key (KSK). This option is used
              when you use an OpenSSL engine; see ENGINE OPTIONS for more
              information.


       -k algorithm-id,key-id
              Use the key `key-id' as the signing key for algorithm
              `algorithm-id' as a Zone Signing Key (ZSK). This option is used
              when you use an OpenSSL engine; see ENGINE OPTIONS for more
              information.
94
95
       -n     Use NSEC3 instead of NSEC.


       If you use NSEC3, you can specify the following extra options:


       -a algorithm
              Algorithm used to create the hashed NSEC3 owner names.


       -p     Opt-out. All NSEC3 records in the zone will have the Opt-out
              flag set. After signing, you can add insecure delegations to the
              signed zone.


       -s string
              Salt.


       -t number
              Number of hash iterations.


ENGINE OPTIONS

       You can modify the possible engines, if supported, by setting an
       OpenSSL configuration file. This is done through the environment
       variable OPENSSL_CONF.

       The key options (-k and -K) work as follows: you specify a DNSSEC
       algorithm (using its symbolic name, for instance RSASHA256, or its
       numeric identifier, for instance 8), followed by a comma and a key
       identifier (white space is not allowed between the algorithm and the
       comma or between the comma and the key identifier).

       The key identifier can be any of the following:

           <id>
           <slot>:<id>
           id_<id>
           slot_<slot>-id_<id>
           label_<label>
           slot_<slot>-label_<label>

       where '<id>' is the PKCS #11 key identifier in hexadecimal notation,
       '<label>' is the PKCS #11 human-readable label, and '<slot>' is the
       slot number where the token is present.

       More recent versions of OpenSSL engines may support the PKCS #11 URI
       scheme (RFC 7512); please consult your engine's documentation.

       If not already present, a DNSKEY RR is generated from the key data and
       added to the zone.

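       A pre-flight check for the -k/-K argument format described above,
       added here as an example and not part of the ldns manual page. The
       function engine_key_arg is an assumption of this example: it accepts
       an argument only if it contains the comma, no white space, and a key
       identifier in one of the six forms listed, and prints the algorithm,
       the key identifier and which form was recognised. It is only a way to
       catch a mistyped argument before a signing run; ldns-signzone and the
       engine do their own parsing.

```sh
#!/bin/sh
# Added example, not from the ldns man page: check a -k/-K argument of the
# form <algorithm>,<key-identifier> before handing it to ldns-signzone, and
# report which of the documented key-identifier forms it uses.
#   usage: engine_key_arg ARG   -> prints "ALGORITHM KEY-ID FORM";
#          returns 1 if the argument is malformed
set -eu

# Hex check shared by every form that carries a PKCS #11 key id.
is_hex() {
    case $1 in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
}

# Decimal check for slot numbers.
is_num() {
    case $1 in
        ""|*[!0-9]*) return 1 ;;
    esac
}

engine_key_arg() {
    arg=$1
    case $arg in
        *[[:space:]]*) return 1 ;;   # no white space anywhere, in particular around the comma
        *,*) ;;
        *) return 1 ;;               # the comma between algorithm and key id is mandatory
    esac
    alg=${arg%%,*}                   # symbolic name (RSASHA256) or numeric id (8); not validated further
    keyid=${arg#*,}
    [ -n "$alg" ] && [ -n "$keyid" ] || return 1

    case $keyid in
        slot_*-label_*)
            form=slot_label
            slot=${keyid#slot_}; slot=${slot%%-label_*}
            is_num "$slot" || return 1 ;;
        slot_*-id_*)
            form=slot_id
            slot=${keyid#slot_}; slot=${slot%%-id_*}
            is_num "$slot" && is_hex "${keyid#*-id_}" || return 1 ;;
        label_*)
            form=label ;;            # labels are free-form text, nothing to check
        id_*)
            form=id
            is_hex "${keyid#id_}" || return 1 ;;
        *:*)
            form=slot_colon_id
            is_num "${keyid%%:*}" && is_hex "${keyid#*:}" || return 1 ;;
        *)
            form=bare_id
            is_hex "$keyid" || return 1 ;;
    esac
    echo "$alg $keyid $form"
}

# Command-line use: check one argument, e.g.  sh check-key-arg.sh RSASHA256,slot_0-id_abcd
if [ $# -gt 0 ]; then
    engine_key_arg "$1"
fi
```

       Labels are free-form, so only the slot number and the hexadecimal id
       are checked; whether the identifier actually resolves to a key on the
       token is up to the engine.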

EXAMPLES

       ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+005+12273
              Sign the zone in the file 'nlnetlabs.nl' with the key in the
              file 'Knlnetlabs.nl.+005+12273.private'. If the DNSKEY is not
              present in the zone, use the key in the file
              'Knlnetlabs.nl.+005+12273.key'. If that is not present,
              generate one with default values from
              'Knlnetlabs.nl.+005+12273.private'.

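       A fuller workflow, added here as an example and not part of the ldns
       manual page: it generates a separate KSK and ZSK with ldns-keygen,
       signs a constructed example.com zone with NSEC3 (-n, -p, -s, -t) and
       an explicit signature validity window (-i, -e) given as timestamps,
       writes the result with -f and -o, and checks it with ldns-verify-zone.
       The helper functions sig_window and nsec3_params_ok, the zone data,
       the salt value and the key sizes are assumptions of this example. The
       ldns tools are invoked only when the script is run with the single
       argument 'run'; without it, only the helpers are defined.

```sh
#!/bin/sh
# Added example, not from the ldns man page. Signs a constructed zone with a
# KSK/ZSK pair, NSEC3 opt-out and an explicit validity window, then verifies
# the result. Requires ldns-keygen, ldns-signzone and ldns-verify-zone for the
# 'run' step; the helper functions below need only a POSIX shell.
set -eu

# Assumed NSEC3 parameters (constructed values, not from the man page).
SALT=aabbccdd   # hex, whole bytes
ITER=0          # hash iterations

# Signature validity window as epoch timestamps, which -i/-e accept alongside
# YYYYMMDD[hhmmss]. Inception is backdated by SKEW seconds so that validators
# whose clocks run slightly behind do not reject the signatures as not yet
# valid; expiration is LIFETIME seconds ahead, after which the zone must have
# been re-signed or it goes bogus.
#   usage: sig_window NOW SKEW LIFETIME   -> prints "INCEPTION EXPIRATION"
sig_window() {
    now=$1 skew=$2 lifetime=$3
    echo "$((now - skew)) $((now + lifetime))"
}

# Pre-flight check of the -s/-t arguments: the salt must be a non-empty hex
# string with an even number of digits (whole bytes) and the iteration count
# a non-negative integer. Returns 0 when acceptable, 1 otherwise.
nsec3_params_ok() {
    salt=$1 iterations=$2
    case $salt in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#salt} % 2 )) -eq 0 ] || return 1
    case $iterations in
        ""|*[!0-9]*) return 1 ;;
    esac
    return 0
}

sign_demo() {
    workdir=$(mktemp -d)
    cd "$workdir"

    # Constructed zone data for example.com (sample only).
    cat > example.com <<'EOF'
$ORIGIN example.com.
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
     IN NS  ns1.example.com.
ns1  IN A   192.0.2.1
www  IN A   192.0.2.10
EOF

    # ldns-keygen prints the base name K<zone>.+<alg>+<tag> of the .key and
    # .private files it writes; that base name is what ldns-signzone expects.
    # -k marks the key as a KSK (SEP flag set).
    ksk=$(ldns-keygen -a RSASHA256 -b 2048 -k example.com)
    zsk=$(ldns-keygen -a RSASHA256 -b 2048 example.com)

    nsec3_params_ok "$SALT" "$ITER" || { echo "bad NSEC3 parameters" >&2; return 1; }

    # One hour of clock-skew allowance, 30 days of signature lifetime.
    set -- $(sig_window "$(date +%s)" 3600 2592000)
    ldns-signzone -n -p -s "$SALT" -t "$ITER" -i "$1" -e "$2" \
        -o example.com -f example.com.signed example.com "$ksk" "$zsk"

    # Check the signatures and the NSEC3 chain before publishing the zone.
    ldns-verify-zone example.com.signed
    echo "signed zone written to $workdir/example.com.signed"
}

if [ "${1:-}" = run ]; then
    sign_demo
fi
```

       Save the block under any name and run it with the argument run on a
       host where ldns is installed. Zero NSEC3 iterations is the setting
       recommended by RFC 9276; the salt used here is a constructed value.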

AUTHORS

       Written by the ldns team as an example for ldns usage.
       Portions of engine support by Vadim Penzin <vadim@penzin.net>.


REPORTING BUGS

       Report bugs to <ldns-team@nlnetlabs.nl>.


COPYRIGHT

       Copyright (C) 2005-2008 NLnet Labs. This is free software. There is NO
       warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
       PURPOSE.



                                 13 March 2018                ldns-signzone(1)