1KZONESIGN(1) Knot DNS KZONESIGN(1)
2
6 kzonesign - DNSSEC signing utility
7
9 kzonesign [config_option config_argument] [options] zone_name
10
12 This utility reads the zone's zone file, signs the zone according to
13 given configuration, and writes the signed zone file back. An alterna‐
14 tive mode is DNSSEC validation of the given zone. The signing or vali‐
15 dation can run in parallel if enabled in the configuration (see pol‐
16 icy.signing-threads and zone.adjust-threads).
17 Config options
19 -c, --config file
20 Use a textual configuration file (default is
21 /etc/knot/knot.conf).
22 -C, --confdb directory
24 Use a binary configuration database directory (default is
25 /var/lib/knot/confdb). The default configuration database, if
26 exists, has a preference to the default configuration file.
27 Options
29 -o, --outdir dir_name
30 Write the output zone file to the specified directory instead of
31 the configured one.
32 -r, --rollover
34 Allow key roll-overs and NSEC3 re-salt. In order to finish pos‐
35 sible KSK submission, set the KSK's active timestamp to now (+0)
36 using keymgr.
37 -v, --verify
39 Instead of (re-)signing the zone, just verify that the zone is
40 correctly signed.
41 -t, --time timestamp
43 Sign/verify the zone (and roll the keys if necessary) as if it
44 was at the time specified by timestamp.
45 -h, --help
47 Print the program help.
48 -V, --version
50 Print the program version.
51 Parameters
53 zone_name
54 A name of the zone to be signed.
55
57 Exit status of 0 means successful operation. Any other exit status in‐
58 dicates an error.
59
61 knot.conf(5), keymgr(8).
62
64 CZ.NIC Labs <https://www.knot-dns.cz>
65
67 Copyright 2010–2022, CZ.NIC, z.s.p.o.
683.2.4 2022-12-12 KZONESIGN(1)