1DNSSEC-SIGNZONE(1) BIND 9 DNSSEC-SIGNZONE(1)
2
6 dnssec-signzone - DNSSEC zone signing tool
7
9 dnssec-signzone [-a] [-c class] [-d directory] [-D] [-E engine] [-e
10 end-time] [-f output-file] [-g] [-h] [-i interval] [-I input-format]
11 [-j jitter] [-K directory] [-k key] [-L serial] [-M maxttl] [-N soa-se‐
12 rial-format] [-o origin] [-O output-format] [-P] [-Q] [-q] [-R] [-S]
13 [-s start-time] [-T ttl] [-t] [-u] [-v level] [-V] [-X extended
14 end-time] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
15
17 dnssec-signzone signs a zone; it generates NSEC and RRSIG records and
18 produces a signed version of the zone. The security status of delega‐
19 tions from the signed zone (that is, whether the child zones are se‐
20 cure) is determined by the presence or absence of a keyset file for
21 each child zone.
22
24 -a This option verifies all generated signatures.
25 -c class
27 This option specifies the DNS class of the zone.
28 -C This option sets compatibility mode, in which a keyset-zonename
30 file is generated in addition to dsset-zonename when signing a
31 zone, for use by older versions of dnssec-signzone.
32 -d directory
34 This option indicates the directory where BIND 9 should look for
35 dsset- or keyset- files.
36 -D This option indicates that only those record types automatically
38 managed by dnssec-signzone, i.e., RRSIG, NSEC, NSEC3 and
39 NSEC3PARAM records, should be included in the output. If smart
40 signing (-S) is used, DNSKEY records are also included. The re‐
41 sulting file can be included in the original zone file with $IN‐
42 CLUDE. This option cannot be combined with -O raw or serial-num‐
43 ber updating.
44 -E engine
46 This option specifies the hardware to use for cryptographic op‐
47 erations, such as a secure key store used for signing, when ap‐
48 plicable.
49 When BIND 9 is built with OpenSSL, this needs to be set to the
51 OpenSSL engine identifier that drives the cryptographic acceler‐
52 ator or hardware service module (usually pkcs11).
53 -g This option indicates that DS records for child zones should be
55 generated from a dsset- or keyset- file. Existing DS records are
56 removed.
57 -K directory
59 This option specifies the directory to search for DNSSEC keys.
60 If not specified, it defaults to the current directory.
61 -k key This option tells BIND 9 to treat the specified key as a
63 key-signing key, ignoring any key flags. This option may be
64 specified multiple times.
65 -M maxttl
67 This option sets the maximum TTL for the signed zone. Any TTL
68 higher than maxttl in the input zone is reduced to maxttl in the
69 output. This provides certainty as to the largest possible TTL
70 in the signed zone, which is useful to know when rolling keys.
71 The maxttl is the longest possible time before signatures that
72 have been retrieved by resolvers expire from resolver caches.
73 Zones that are signed with this option should be configured to
74 use a matching max-zone-ttl in named.conf. (Note: This option is
75 incompatible with -D, because it modifies non-DNSSEC data in the
76 output zone.)
77 -s start-time
79 This option specifies the date and time when the generated RRSIG
80 records become valid. This can be either an absolute or relative
81 time. An absolute start time is indicated by a number in YYYYM‐
82 MDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May
83 30th, 2000. A relative start time is indicated by +N, which is N
84 seconds from the current time. If no start-time is specified,
85 the current time minus 1 hour (to allow for clock skew) is used.
86 -e end-time
88 This option specifies the date and time when the generated RRSIG
89 records expire. As with start-time, an absolute time is indi‐
90 cated in YYYYMMDDHHMMSS notation. A time relative to the start
91 time is indicated with +N, which is N seconds from the start
92 time. A time relative to the current time is indicated with
93 now+N. If no end-time is specified, 30 days from the start time
94 is the default. end-time must be later than start-time.
95 -X extended end-time
97 This option specifies the date and time when the generated RRSIG
98 records for the DNSKEY RRset expire. This is to be used in cases
99 when the DNSKEY signatures need to persist longer than signa‐
100 tures on other records; e.g., when the private component of the
101 KSK is kept offline and the KSK signature is to be refreshed
102 manually.
103 As with end-time, an absolute time is indicated in YYYYMMDDHH‐
105 MMSS notation. A time relative to the start time is indicated
106 with +N, which is N seconds from the start time. A time relative
107 to the current time is indicated with now+N. If no extended
108 end-time is specified, the value of end-time is used as the de‐
109 fault. (end-time, in turn, defaults to 30 days from the start
110 time.) extended end-time must be later than start-time.
111 -f output-file
113 This option indicates the name of the output file containing the
114 signed zone. The default is to append .signed to the input file‐
115 name. If output-file is set to -, then the signed zone is writ‐
116 ten to the standard output, with a default output format of
117 full.
118 -h This option prints a short summary of the options and arguments
120 to dnssec-signzone.
121 -V This option prints version information.
123 -i interval
125 This option indicates that, when a previously signed zone is
126 passed as input, records may be re-signed. The interval option
127 specifies the cycle interval as an offset from the current time,
128 in seconds. If a RRSIG record expires after the cycle interval,
129 it is retained; otherwise, it is considered to be expiring soon
130 and it is replaced.
131 The default cycle interval is one quarter of the difference be‐
133 tween the signature end and start times. So if neither end-time
134 nor start-time is specified, dnssec-signzone generates signa‐
135 tures that are valid for 30 days, with a cycle interval of 7.5
136 days. Therefore, if any existing RRSIG records are due to expire
137 in less than 7.5 days, they are replaced.
138 -I input-format
140 This option sets the format of the input zone file. Possible
141 formats are text (the default), and raw. This option is primar‐
142 ily intended to be used for dynamic signed zones, so that the
143 dumped zone file in a non-text format containing updates can be
144 signed directly. This option is not useful for non-dynamic
145 zones.
146 -j jitter
148 When signing a zone with a fixed signature lifetime, all RRSIG
149 records issued at the time of signing expire simultaneously. If
150 the zone is incrementally signed, i.e., a previously signed zone
151 is passed as input to the signer, all expired signatures must be
152 regenerated at approximately the same time. The jitter option
153 specifies a jitter window that is used to randomize the signa‐
154 ture expire time, thus spreading incremental signature regenera‐
155 tion over time.
156 Signature lifetime jitter also, to some extent, benefits valida‐
158 tors and servers by spreading out cache expiration, i.e., if
159 large numbers of RRSIGs do not expire at the same time from all
160 caches, there is less congestion than if all validators need to
161 refetch at around the same time.
162 -L serial
164 When writing a signed zone to "raw" format, this option sets the
165 "source serial" value in the header to the specified serial num‐
166 ber. (This is expected to be used primarily for testing pur‐
167 poses.)
168 -n ncpus
170 This option specifies the number of threads to use. By default,
171 one thread is started for each detected CPU.
172 -N soa-serial-format
174 This option sets the SOA serial number format of the signed
175 zone. Possible formats are keep (the default), increment, unix‐
176 time, and date.
177 keep This format indicates that the SOA serial number should
179 not be modified.
180 increment
182 This format increments the SOA serial number using RFC
183 1982 arithmetic.
184 unixtime
186 This format sets the SOA serial number to the number of
187 seconds since the beginning of the Unix epoch, unless the
188 serial number is already greater than or equal to that
189 value, in which case it is simply incremented by one.
190 date This format sets the SOA serial number to today's date,
192 in YYYYMMDDNN format, unless the serial number is already
193 greater than or equal to that value, in which case it is
194 simply incremented by one.
195 -o origin
197 This option sets the zone origin. If not specified, the name of
198 the zone file is assumed to be the origin.
199 -O output-format
201 This option sets the format of the output file containing the
202 signed zone. Possible formats are text (the default), which is
203 the standard textual representation of the zone; full, which is
204 text output in a format suitable for processing by external
205 scripts; and raw and raw=N, which store the zone in binary for‐
206 mats for rapid loading by named. raw=N specifies the format ver‐
207 sion of the raw zone file: if N is 0, the raw file can be read
208 by any version of named; if N is 1, the file can be read by re‐
209 lease 9.9.0 or higher. The default is 1.
210 -P This option disables post-sign verification tests.
212 The post-sign verification tests ensure that for each algorithm
214 in use there is at least one non-revoked self-signed KSK key,
215 that all revoked KSK keys are self-signed, and that all records
216 in the zone are signed by the algorithm. This option skips these
217 tests.
218 -Q This option removes signatures from keys that are no longer ac‐
220 tive.
221 Normally, when a previously signed zone is passed as input to
223 the signer, and a DNSKEY record has been removed and replaced
224 with a new one, signatures from the old key that are still
225 within their validity period are retained. This allows the zone
226 to continue to validate with cached copies of the old DNSKEY
227 RRset. The -Q option forces dnssec-signzone to remove signatures
228 from keys that are no longer active. This enables ZSK rollover
229 using the procedure described in RFC 4641#4.2.1.1 ("Pre-Publish
230 Key Rollover").
231 -q This option enables quiet mode, which suppresses unnecessary
233 output. Without this option, when dnssec-signzone is run it
234 prints three pieces of information to standard output: the num‐
235 ber of keys in use; the algorithms used to verify the zone was
236 signed correctly and other status information; and the filename
237 containing the signed zone. With the option that output is sup‐
238 pressed, leaving only the filename.
239 -R This option removes signatures from keys that are no longer pub‐
241 lished.
242 This option is similar to -Q, except it forces dnssec-signzone
244 to remove signatures from keys that are no longer published.
245 This enables ZSK rollover using the procedure described in RFC
246 4641#4.2.1.2 ("Double Signature Zone Signing Key Rollover").
247 -S This option enables smart signing, which instructs dnssec-sign‐
249 zone to search the key repository for keys that match the zone
250 being signed, and to include them in the zone if appropriate.
251 When a key is found, its timing metadata is examined to deter‐
253 mine how it should be used, according to the following rules.
254 Each successive rule takes priority over the prior ones:
255 If no timing metadata has been set for the key, the key is
256 published in the zone and used to sign the zone.
257 If the key's publication date is set and is in the past, the
259 key is published in the zone.
260 If the key's activation date is set and is in the past, the
262 key is published (regardless of publication date) and used to
263 sign the zone.
264 If the key's revocation date is set and is in the past, and
266 the key is published, then the key is revoked, and the re‐
267 voked key is used to sign the zone.
268 If either the key's unpublication or deletion date is set and
270 in the past, the key is NOT published or used to sign the
271 zone, regardless of any other metadata.
272 If the key's sync publication date is set and is in the past,
274 synchronization records (type CDS and/or CDNSKEY) are cre‐
275 ated.
276 If the key's sync deletion date is set and is in the past,
278 synchronization records (type CDS and/or CDNSKEY) are re‐
279 moved.
280 -T ttl This option specifies a TTL to be used for new DNSKEY records
282 imported into the zone from the key repository. If not speci‐
283 fied, the default is the TTL value from the zone's SOA record.
284 This option is ignored when signing without -S, since DNSKEY
285 records are not imported from the key repository in that case.
286 It is also ignored if there are any pre-existing DNSKEY records
287 at the zone apex, in which case new records' TTL values are set
288 to match them, or if any of the imported DNSKEY records had a
289 default TTL value. In the event of a conflict between TTL values
290 in imported keys, the shortest one is used.
291 -t This option prints statistics at completion.
293 -u This option updates the NSEC/NSEC3 chain when re-signing a pre‐
295 viously signed zone. With this option, a zone signed with NSEC
296 can be switched to NSEC3, or a zone signed with NSEC3 can be
297 switched to NSEC or to NSEC3 with different parameters. Without
298 this option, dnssec-signzone retains the existing chain when
299 re-signing.
300 -v level
302 This option sets the debugging level.
303 -x This option indicates that BIND 9 should only sign the DNSKEY,
305 CDNSKEY, and CDS RRsets with key-signing keys, and should omit
306 signatures from zone-signing keys. (This is similar to the
307 dnssec-dnskey-kskonly yes; zone option in named.)
308 -z This option indicates that BIND 9 should ignore the KSK flag on
310 keys when determining what to sign. This causes KSK-flagged keys
311 to sign all records, not just the DNSKEY RRset. (This is simi‐
312 lar to the update-check-ksk no; zone option in named.)
313 -3 salt
315 This option generates an NSEC3 chain with the given hex-encoded
316 salt. A dash (-) can be used to indicate that no salt is to be
317 used when generating the NSEC3 chain.
318 NOTE:
320 -3 - is the recommended configuration. Adding salt provides
321 no practical benefits.
322 -H iterations
324 This option indicates that, when generating an NSEC3 chain, BIND
325 9 should use this many iterations. The default is 0.
326 WARNING:
328 Values greater than 0 cause interoperability issues and also
329 increase the risk of CPU-exhausting DoS attacks.
330 -A This option indicates that, when generating an NSEC3 chain, BIND
332 9 should set the OPTOUT flag on all NSEC3 records and should not
333 generate NSEC3 records for insecure delegations.
334 WARNING:
336 Do not use this option unless all its implications are fully
337 understood. This option is intended only for extremely large
338 zones (comparable to com.) with sparse secure delegations.
339 -AA This option turns the OPTOUT flag off for all records. This is
341 useful when using the -u option to modify an NSEC3 chain which
342 previously had OPTOUT set.
343 zonefile
345 This option sets the file containing the zone to be signed.
346 key This option specifies which keys should be used to sign the
348 zone. If no keys are specified, the zone is examined for DNSKEY
349 records at the zone apex. If these records are found and there
350 are matching private keys in the current directory, they are
351 used for signing.
352
354 The following command signs the example.com zone with the ECD‐
355 SAP256SHA256 key generated by dnssec-keygen (Kexample.com.+013+17247).
356 Because the -S option is not being used, the zone's keys must be in the
357 master file (db.example.com). This invocation looks for dsset files in
358 the current directory, so that DS records can be imported from them (‐
359 -g).
360 % dnssec-signzone -g -o example.com db.example.com \
362 Kexample.com.+013+17247
363 db.example.com.signed
364 %
365 In the above example, dnssec-signzone creates the file db.exam‐
367 ple.com.signed. This file should be referenced in a zone statement in
368 the named.conf file.
369 This example re-signs a previously signed zone with default parameters.
371 The private keys are assumed to be in the current directory.
372 % cp db.example.com.signed db.example.com
374 % dnssec-signzone -o example.com db.example.com
375 db.example.com.signed
376 %
377
379 dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033, RFC
380 4641.
381
383 Internet Systems Consortium
384
386 2023, Internet Systems Consortium
3879.18.11 DNSSEC-SIGNZONE(1)