ZONESIGNER(1)         User Contributed Perl Documentation        ZONESIGNER(1)


NAME

       zonesigner - Generates signing keys and signs a DNS zone


SYNOPSIS

         zonesigner [options] <zone-file> <signed-zone-file>

         # get started immediately examples:

         # first run on a zone for example.com:
         zonesigner -genkeys -endtime +2678400 example.com

         # future runs before expiration time (reuses the same keys):
         zonesigner -endtime +2678400 example.com


DESCRIPTION

       This script combines into a single command many actions that are
       required to sign a DNS zone.  It generates the required KSK and ZSK
       keys, adds the key data to a zone record file, signs the zone file, and
       runs checks to ensure that everything worked properly.  It also keeps
       records about the keys and how the zone was signed in order to
       facilitate re-signing of the zone in the future.

       The zonesigner-specific zone-signing records are kept in keyrec files.
       Using keyrec files, defined and maintained by DNSSEC-Tools, zonesigner
       can automatically gather many of the options previously used to
       generate a zone's keys and sign the zone.  This allows the zone to be
       maintained using the same key lengths and expiration times, for
       example, without an administrator needing to manually track these
       fields.


QUICK START

       The following are examples that will allow a quick start on using
       zonesigner:

       first run on example.com
           The following command will generate keys and sign the zone file for
           example.com, giving an expiration date 31 days in the future.  The
           zone file is named example.com and the signed zone file will be
           named example.com.signed.

               zonesigner -genkeys -endtime +2678400 example.com

       subsequent runs on example.com
           The following command will re-sign example.com's zone file, but
           will not generate new keys.  The files and all key-generation and
           zone-signing arguments will remain the same.

               zonesigner example.com


USING ZONESIGNER

       zonesigner is used in this way:

           zonesigner [options] <zone-file> <signed-zone-file>

       The zone-file argument is required.

       zone-file is the name of the zone file from which a signed zone file
       will be created.  If the -zone option is not given, then zone-file will
       be used as the name of the zone that will be signed.  Generated keys
       are given this name as their base.

       Once zonesigner has created a set of keys for a zone and signed the
       zone, it may be used to re-sign the zone as the zone file changes.
       When run without any options, zonesigner will consult the zone's
       keyrec to find the appropriate set of keys and will then sign the
       specified zone with them.

       The zone file is modified to have include commands, which will include
       the KSK and ZSK keys.  These lines are placed at the end of the file
       and should not be modified by the user.  If the zone file already
       includes any key files, those inclusions will be deleted.  These lines
       are distinguished by starting with "$INCLUDE" and ending with ".key".
       Only the actual include lines are deleted; any related comment lines
       are left untouched.

       An intermediate file is used in signing the zone.  zone-file is copied
       to the intermediate file and is modified in preparation for signing the
       zone file.  Several $INCLUDE lines will be added at the end of the file
       and the SOA serial number will be incremented.

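       The intermediate-file preparation just described, as an added example
       that is not zonesigner's own code (zonesigner is a Perl script; this is
       a stand-alone Python model of the same steps).  It removes existing
       "$INCLUDE ... .key" lines without touching comment lines, increments
       the SOA serial in place even when the SOA RDATA spans several lines
       inside parentheses, and appends one $INCLUDE per current key file.
       The zone text and the key file names are constructed for the example.

```python
import re

# Constructed input for this example: a small unsigned zone that already carries
# a stale key include from an earlier signing run, plus a comment that mentions
# $INCLUDE and must survive untouched.
SAMPLE_ZONE = """\
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2024010105 ; serial
        7200       ; refresh
        3600       ; retry
        1209600    ; expire
        3600 )     ; minimum
    IN NS  ns1.example.com.
ns1 IN A   192.0.2.1
; zonesigner appends the key $INCLUDE lines below this comment
$INCLUDE Kexample.com.+005+11111.key
"""

# A key include line is one that starts with $INCLUDE and ends with ".key".
KEY_INCLUDE_RE = re.compile(r'^\s*\$INCLUDE\b.*\.key\s*$')


def strip_key_includes(zone_text):
    """Remove only the $INCLUDE lines that pull in .key files; everything else,
    comment lines included, is kept in its original order."""
    return [ln for ln in zone_text.splitlines() if not KEY_INCLUDE_RE.match(ln)]


def _soa_rdata_tokens(lines, soa_index):
    """Yield (line_no, start, end, text) for each SOA RDATA token, following a
    parenthesised record across lines and ignoring ';' comments."""
    pos = re.search(r'\bSOA\b', lines[soa_index].split(';', 1)[0]).end()
    j, in_parens = soa_index, False
    while True:
        body = lines[j].split(';', 1)[0]
        for tok in re.finditer(r'[()]|[^\s()]+', body[pos:]):
            text = tok.group(0)
            if text == '(':
                in_parens = True
            elif text == ')':
                in_parens = False
            else:
                yield j, pos + tok.start(), pos + tok.end(), text
        if not in_parens or j + 1 == len(lines):
            return
        j, pos = j + 1, 0


def bump_soa_serial(lines):
    """Increment the SOA serial in place and return (new_lines, old, new).
    The serial is the third RDATA field (MNAME RNAME SERIAL REFRESH ...)."""
    for i, ln in enumerate(lines):
        if re.search(r'\bSOA\b', ln.split(';', 1)[0]):
            break
    else:
        raise ValueError("zone has no SOA record")
    rdata = list(_soa_rdata_tokens(lines, i))
    if len(rdata) < 7:
        raise ValueError("SOA record is truncated")
    j, start, end, old = rdata[2]
    new = int(old) + 1
    out = list(lines)
    out[j] = out[j][:start] + str(new) + out[j][end:]
    return out, int(old), new


def build_intermediate(zone_text, key_files):
    """Produce the intermediate zone text: old key includes dropped, serial
    incremented, then one $INCLUDE per current key file appended at the end."""
    lines = strip_key_includes(zone_text)
    lines, old, new = bump_soa_serial(lines)
    for kf in key_files:
        if not kf.endswith('.key'):
            raise ValueError(f"not a dnssec-keygen public key file: {kf}")
        lines.append(f"$INCLUDE {kf}")
    return "\n".join(lines) + "\n", old, new


if __name__ == "__main__":
    text, old, new = build_intermediate(
        SAMPLE_ZONE,
        ["Kexample.com.+005+45842.key", "Kexample.com.+005+50186.key"])
    print(f"serial {old} -> {new}")
    print(text, end="")
```

       Incrementing by one keeps a date-style serial (YYYYMMDDnn) ordered
       correctly, and it is the secondaries' comparison of serials, not the
       signatures, that decides whether they transfer the re-signed zone.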
       signed-zone is the name of the signed zone file.  If it is not given on
       the command line, the default signed zone filename is the zone-file
       appended with ".signed".  Thus, executing zonesigner example.com will
       result in the signed zone being stored in example.com.signed.

       Unless the -genkeys, -genksk, -genzsk, or -newpubksk options are
       specified, the last keys generated for a particular zone will be used
       in subsequent zonesigner executions.  DS records will be included in
       signing operations unless the -nogends option is used.

       zonesigner can be used with a rollover manager, such as rollerd, to
       provide automated management of a zone, its keys, and the signing of
       the zone.  If a rollerd-managed zone file changes while rollerd is
       waiting for a zone rollover to begin or a rollover phase to complete,
       zonesigner may be used to sign the zone with the proper set of keys;
       rollerd will not be disrupted by this.


KEYREC FILES

       keyrec files retain information about previous key-generation and zone-
       signing operations.  If a keyrec file is not specified (by way of the
       -krfile option), then a default keyrec file is used.  If this default
       is not specified in the system's DNSSEC-Tools configuration file, the
       filename will be the zone name appended with .krf.  If the -nokrfile
       option is given, then no keyrec file will be consulted or saved.

       Each keyrec contains a set of "key/value" entries, one per line.
       Example 4 below contains the contents of a sample keyrec file.

       keyrec files contain three types of entries:  zone keyrecs, set
       keyrecs, and key keyrecs.  Zone keyrecs contain information
       specifically about the zone, such as the number of ZSKs used to sign
       the zone, the end-time for the zone, and the key signing set names
       (names of set keyrecs).  Set keyrecs contain lists of key keyrec names
       used for a specific purpose, such as the current ZSK keys or the
       published ZSK keys.  Key keyrecs contain information about the
       generated keys themselves, such as signing algorithm, key length,
       and key lifetime.

       As a zone proceeds through key rollover, new cryptographic keys will be
       generated for the zone.  The various key parameters (e.g., key length
       and signing algorithm) will be the same as the parameters previously
       used to generate keys for that zone.  The keymod command allows these
       key parameters to be modified as needs change.  If a particular
       parameter is changed, such as the KSK length changing from 1024 to
       2048, then future keys will reflect that change; current and past keys
       will not be modified.

   Keyrec Files and RFC5011 KSK Revocation
       If RFC5011 processing is enabled, there is special handling of the
       zone's set keyrec of revoked KSK keys.  The "kskrev" field in the
       zone's keyrec points to a set keyrec, marked as being of type "kskrev".
       This set keyrec, in turn, points to a number of other set keyrecs, all
       of which are also marked as being of type "kskrev".  The group of all
       revoked KSK keys is found by consulting that subsidiary set of "kskrev"
       set keyrecs.  When the ages of these revoked keys exceed their
       revocation periods, they are marked as being obsolete ("kskobs").  If
       this happens as part of normal rollover, these revoked key and set
       keyrecs are all removed from the chain of active, revoked keyrecs.  If
       this happens to a key that's part of a larger set of keys, it is
       removed from that signing set and put in its own new signing set.


ENTROPY

       On some systems, the random number generator that dnssec-keygen reads
       from (typically /dev/random) blocks until the kernel has collected
       enough entropy, and keyboard and similar device activity is what
       feeds it.  If zonesigner appears hung during key generation, you may
       have to add entropy to the random number generator by randomly
       striking keys until the program completes.  Display of this message
       is controlled by the entropy_msg configuration file parameter.  The
       -random option (below) selects the randomness source handed to
       dnssec-keygen; /dev/urandom does not block.


DETERMINING OPTION VALUES

       zonesigner checks four places in order to determine option values.  In
       descending order of precedence, these places are:

           command line options

           keyrec file

           DNSSEC-Tools configuration file

           zonesigner defaults

       Each is checked until a value is found.  That value is then used for
       that zonesigner execution and the value is stored in the keyrec file.

   Example
       For example, suppose the KSK length has the following values:

           -ksklength command line option:     8192

           keyrec file:                        1024

           DNSSEC-Tools configuration file:     512

           zonesigner defaults:                2048

       If all are present, then the KSK length will be 8192.

       If the -ksklength command line option wasn't given, the KSK length will
       be 1024.

       If the KSK length wasn't in the keyrec file or the configuration file
       but the command line option was given, it will still be 8192; the
       command line option wins no matter which lower-precedence sources are
       missing.

       If the -ksklength command line option wasn't given and the KSK length
       wasn't in the configuration file, it'll be 1024 from the keyrec file.

       If the command line option wasn't given and the KSK length wasn't in
       the keyrec file, the configuration file's 512 is used.

       If the command line option wasn't given, the KSK length wasn't in the
       keyrec file, and it wasn't in the configuration file, then the KSK
       length will be the zonesigner default of 2048.

       Because the value used is written back to the keyrec, a value that
       came from the configuration file or from the defaults on one run will
       come from the keyrec file on every later run, so changing the
       configuration file afterwards does not affect that zone until its
       keyrec is updated (for example with keymod).

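       A model of the keyrec layout described under KEYREC FILES together
       with the four-level option precedence above, as an added example that
       is not part of DNSSEC-Tools.  The keyrec text is constructed; its
       record layout (a zone, set or key header line followed by indented
       field lines with double-quoted values) and the field names kskcur,
       zskcur, kskrev, set_type, keys and ksklength are assumptions about the
       format.  Resolving a set to its keys follows members that are
       themselves sets, which is how the RFC5011 kskrev chain is described.

```python
import re

# Constructed keyrec text for this example; the layout and field names are
# assumptions about the keyrec format, not a copy of a real DNSSEC-Tools file.
SAMPLE_KEYREC = '''\
zone    "example.com"
        ksklength       "1024"
        kskcur          "example.com-signset-1"
        kskrev          "example.com-kskrev"
        zskcur          "example.com-signset-2"

set     "example.com-signset-1"
        set_type        "kskcur"
        keys            "Kexample.com.+005+45842"

set     "example.com-signset-2"
        set_type        "zskcur"
        keys            "Kexample.com.+005+50186 Kexample.com.+005+59143"

# the zone's kskrev set names further kskrev sets, which hold the revoked keys
set     "example.com-kskrev"
        set_type        "kskrev"
        keys            "example.com-signset-0"

set     "example.com-signset-0"
        set_type        "kskrev"
        keys            "Kexample.com.+005+11111"

key     "Kexample.com.+005+45842"
        keyrec_type     "kskcur"
        ksklength       "1024"
key     "Kexample.com.+005+50186"
        keyrec_type     "zskcur"
key     "Kexample.com.+005+59143"
        keyrec_type     "zskcur"
key     "Kexample.com.+005+11111"
        keyrec_type     "kskrev"
'''

HEADER_RE = re.compile(r'^(zone|set|key)\s+"([^"]*)"\s*$')
FIELD_RE = re.compile(r'^\s+(\S+)\s+"([^"]*)"\s*$')


def parse_keyrec(text):
    """Return {(type, name): {field: value}}, one dict per zone/set/key record."""
    records, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if m:
            current = records.setdefault((m.group(1), m.group(2)), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
            continue
        raise ValueError(f"keyrec line {lineno}: cannot parse {raw!r}")
    return records


def set_keys(records, set_name, _seen=()):
    """Resolve a set keyrec to key keyrec names, following members that are
    themselves sets (the kskrev chain).  A member with no keyrec at all is the
    'no key keyrec exists' error case."""
    if set_name in _seen:
        raise ValueError(f"set keyrec cycle at {set_name}")
    rec = records.get(('set', set_name))
    if rec is None:
        raise KeyError(f"no set keyrec named {set_name}")
    names = []
    for member in rec.get('keys', '').split():
        if ('key', member) in records:
            names.append(member)
        elif ('set', member) in records:
            names.extend(set_keys(records, member, _seen + (set_name,)))
        else:
            raise KeyError(f"no key keyrec for {member}")
    return names


ZONESIGNER_DEFAULTS = {'ksklength': '2048', 'zsklength': '1024',
                       'endtime': '+2764800'}


def resolve_option(name, cmdline, zone_rec, config, defaults=ZONESIGNER_DEFAULTS):
    """Check the four sources in descending precedence; the first hit wins.
    Returns (value, source) so the caller can see where the value came from."""
    for source, table in (('command line', cmdline), ('keyrec', zone_rec),
                          ('config', config), ('defaults', defaults)):
        if name in table:
            return table[name], source
    raise KeyError(f"no value for {name} in any source")


def settle_option(records, zone, name, cmdline, config):
    """Resolve an option for a zone and record the winning value in the zone
    keyrec, which is why a value seen once is found in the keyrec next time."""
    zone_rec = records[('zone', zone)]
    value, source = resolve_option(name, cmdline, zone_rec, config)
    zone_rec[name] = value
    return value, source
```

       The write-back in settle_option is the point to notice: after the
       first run the configuration file no longer influences that zone's
       value, because the keyrec now carries it and ranks higher.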

OPTIONS

       Three types of options may be given, based on the command for which
       they are intended.  These commands are dnssec-keygen, dnssec-signzone,
       and zonesigner.

   zonesigner-specific Options
       -archivedir
           The key archive directory.  If a key archive directory hasn't been
           specified (on the command line or in the DNSSEC-Tools configuration
           file) and the -nosave option was not given, then zonesigner will
           leave the keys in the current directory.

           When the files are saved into the archive directory, the existing
           file names are prepended with a timestamp.  The timestamp indicates
           when the files are archived.

           This directory may not be the root directory.  Archived .private
           files are still usable signing keys, so the archive directory
           needs the same access restrictions as the live key directory.

       -droprevoked
           Explicitly obsolete currently revoked KSKs and remove them from the
           signing set before re-signing.  This is mutually exclusive with
           -nodroprevoked.  If neither -droprevoked nor -nodroprevoked is
           given, then -droprevoked behavior is assumed.

       -dsdir
           Specify a directory for storing dssets.  This directory will be
           created if it does not exist.

           The directory must be writable and may not be the root directory.

       -genkeys
           Generate new KSKs and ZSKs for the zone.

       -genksk
           Generate new Current KSKs for the zone.  Any existing Current KSKs
           will be marked as obsolete.  If this option is not given, the last
           KSKs generated for this zone will be used.

       -genzsk
           Generate new ZSKs for the zone.  By default, the last ZSKs
           generated for this zone will be used.

       -help
           Display a usage message.

       -intermediate
           Filename to use for the temporary zone file.  The zone file will be
           copied to this file and then the key names appended.

       -keydirectory
           The directory in which KSK and ZSK keys will be stored.  The
           default is to store the keys in the directory in which zonesigner
           is executed.

           This directory may not be the root directory.  It holds the zone's
           .private files, so it must not be world-readable or sit under
           anything a web server or file share exports.

       -krfile
           keyrec file to use in processing options.  See the man page for
           Net::DNS::SEC::Tools::tooloptions.pm for more details about this
           file.

       -ksignset
           The name of the KSK signing set to use.  If the signing set does
           not exist, then this must be used in conjunction with either
           -genkeys or -genksk.

           The name may contain alphanumerics, underscores, hyphens, periods,
           and commas.  The default signing set name is "zone-signset-N",
           where zone is the zone being signed and N is a number.

           If -ksignset is not specified, then zonesigner will use the default
           and increment the number for subsequent signing sets.

       -kskcount
           The number of KSK keys to generate and with which to sign the zone.
           The default is to use a single KSK key.

       -kskdirectory
           The directory in which KSK keys will be stored.  The default is to
           store the keys in the directory in which zonesigner is executed.

           This directory may not be the root directory.

       -ksklife
           The time between KSK rollovers.  This is measured in seconds.

       -newpubksk
           Generate new Published KSKs for the zone.  Any existing Published
           KSKs will be marked as obsolete.

       -nodroprevoked
           Explicitly turn off obsoleting currently revoked KSKs and removing
           them from the signing set before re-signing.  This is mutually
           exclusive with -droprevoked.  If neither -droprevoked nor
           -nodroprevoked is given, then -droprevoked behavior is assumed.

       -nokrfile
           No keyrec file will be consulted or created.

       -norfc5011
           Disable RFC5011 KSK revocation when rolling or replacing existing
           KSK key sets.  By default, zonesigner performs RFC5011 KSK
           revocation; this option supersedes that behavior and any option
           setting within the keyrec file.

       -nosave
           Do not save obsolete keys to the key archive directory.  The
           default behavior is to save obsolete keys.

       -phase
           Specify a rollover option based on the rollover phase, as opposed
           to using the option naming the specific action to be performed.
           The purpose of this option is to bring clarity and greater
           understanding to how zonesigner is used in the rollover process.

           The following are the mappings between the -phase options and the
           action options.

               Phase Option             Action-based Option
               -phase ksk2              -newpubksk
               -phase ksk4              -rollksk
               -phase zsk2              -usezskpub
               -phase zsk4a             -rollzsk
               -phase zsk4b             (no option)

           Warning:  The -phase option should only be used if you know what
           you're doing.

       -rollksk
           Force a rollover of the KSK keys.  The Current KSK keys are marked
           as Obsolete and the Published KSK keys are marked as Current.  The
           zone is then signed with the new set of Current KSK keys.  If the
           zone's keyrec does not list a Current or Published KSK, an error
           message is printed and zonesigner stops execution.

           The zone's keyrec file is updated to show the new key state.

           The keyrecs of the KSK keys are adjusted as follows:

               The Current KSK keys are marked as Obsolete.
               The Published KSK keys are marked as Current.
               The Obsolete KSK keys are moved to the archive directory.

           If RFC5011 processing is enabled, then the KSK rollover sequence is
           modified as follows:

               The Current KSK keys are marked as Revoked.
               The Published KSK keys are marked as Current.
               The Revoked KSK keys are checked to see if they are still
               within their revocation period.  If not, they are marked
               as Obsolete.
               The Obsolete KSK keys are moved to the archive directory.

           Warning:  The timing of key-rolling is critical.  Great care must
           be taken when using this option.  In particular, the parent zone
           must already publish a DS record for the Published KSK before it
           is rolled to Current, or validators will see a broken chain of
           trust.  In the future, rollerd will automate the KSK rollover
           process and may be used to safely take care of this aspect of
           DNSSEC management.

           Warning:  The -rollksk option should only be used if you know what
           you're doing.

           Warning:  This may be a temporary method of KSK rollover.  It may
           be changed in the future.

       -rollmgr
           The zone's rollover manager.  This indicates that the zone is under
           control of a rollover manager.  If a user wishes to sign a zone in
           the middle of a rollover wait phase, this field helps zonesigner
           and the rollover manager to determine how best to handle the zone-
           signing operation.

       -rollzsk
           Force a rollover of the ZSK keys using the Pre-Publish Key Rollover
           method.  The rollover process adjusts the keys used to sign the
           specified zone, generates new keys, signs the zone with the
           appropriate keys, and updates the keyrec file.  The Pre-Publish Key
           Rollover process is described in the DNSSEC Operational Practices
           document.

           Three sets of ZSK keys are used in the rollover process:  Current,
           Published, and New.  Current ZSKs are those which are used to sign
           the zone.  Published ZSKs are available in the zone data, and
           therefore in cached zone data, but are not yet used to sign the
           zone.  New ZSKs are not available in zone data nor yet used to sign
           the zone, but are waiting in the wings for future use.

           The keyrecs of the ZSK keys are adjusted as follows:

               The Current ZSK keys are marked as obsolete.
               The Published ZSK keys are marked as Current.
               The New ZSK keys, if they exist, are marked as Published.
               Another set of ZSK keys are generated, which will be
                   marked as the New ZSK keys.
               The Published ZSK keys' zsklife field is copied to the
                   new ZSK keys' keyrecs.
               The obsolete ZSK keys are moved to the archive directory.

           The quick summary of proper ZSK rolling (which rollerd does for you
           if you use it):

               - wait 2 * max(TTL in zone)
               - run zonesigner using -usezskpub
               - wait 2 * max(TTL in zone)
               - run zonesigner using -rollzsk
               - wait 2 * max(TTL in zone)

           The waits are what make the method safe: a resolver cache may hold
           the previous DNSKEY RRset or the previous signatures for up to
           their TTL, so each step must have propagated before the next one
           removes something the cached data still depends on.

           Warning:  The timing of key-rolling is critical.  Great care must
           be taken when using this option.  rollerd automates the rollover
           process and may be used to safely take care of this aspect of
           DNSSEC management.  The -rollzsk option should only be used if you
           know what you're doing.

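       The ZSK and KSK state transitions listed under -rollksk and -rollzsk,
       as an added example that models them in Python; it is not zonesigner's
       code and performs no key generation or signing.  Key names are
       synthetic (real ones come from dnssec-keygen).  Two points are
       assumptions: when no New ZSK set exists, the freshly generated keys
       are placed directly in Published; and a single revocation period,
       defaulting to RFC 5011's 30-day hold-down time, is applied to every
       revoked KSK.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


class RolloverError(Exception):
    """Raised where the page says zonesigner prints an error and stops."""


@dataclass
class Key:
    name: str
    life: int                         # ksklife / zsklife, seconds between rollovers
    revoked_at: Optional[int] = None  # set when RFC5011 revocation marks the key


@dataclass
class ZoneKeys:
    zskcur: List[Key] = field(default_factory=list)   # sign the zone today
    zskpub: List[Key] = field(default_factory=list)   # in the DNSKEY RRset, not signing
    zsknew: List[Key] = field(default_factory=list)   # generated, not yet published
    kskcur: List[Key] = field(default_factory=list)
    kskpub: List[Key] = field(default_factory=list)
    kskrev: List[Key] = field(default_factory=list)   # RFC5011 revoked, still published
    archive: List[Key] = field(default_factory=list)  # obsolete keys moved to -archivedir


def zsk_signing_keys(zk: ZoneKeys, mode: str = "current") -> List[Key]:
    """Which ZSKs sign: default Current, -usezskpub Published, -useboth both."""
    return {"current": zk.zskcur, "published": zk.zskpub,
            "both": zk.zskcur + zk.zskpub}[mode]


def roll_zsk(zk: ZoneKeys, generate: Callable[[int, int], List[Key]]) -> List[Key]:
    """Pre-Publish ZSK rollover (-rollzsk).  Returns the keys sent to the archive.
    Assumption: with no New set, the fresh keys become Published so a Published
    set is always waiting for the next rollover."""
    if not zk.zskpub:
        raise RolloverError("zone has no Published ZSKs to rollover to Current ZSKs")
    obsolete = zk.zskcur
    life = zk.zskpub[0].life               # zsklife is copied from the Published set
    fresh = generate(len(zk.zskpub), life)
    zk.zskcur = zk.zskpub                  # Published -> Current
    if zk.zsknew:
        zk.zskpub, zk.zsknew = zk.zsknew, fresh   # New -> Published, fresh -> New
    else:
        zk.zskpub, zk.zsknew = fresh, []
    zk.archive.extend(obsolete)            # Current -> Obsolete -> archive directory
    return obsolete


def expire_revoked(zk: ZoneKeys, now: int, revocation_period: int) -> List[Key]:
    """Revoked KSKs whose age exceeds the revocation period become obsolete
    (the -droprevoked behaviour that is on by default) and are archived."""
    expired, kept = [], []
    for k in zk.kskrev:
        (expired if now - k.revoked_at > revocation_period else kept).append(k)
    zk.kskrev = kept
    zk.archive.extend(expired)
    return expired


def roll_ksk(zk: ZoneKeys, now: int, rfc5011: bool = True,
             revocation_period: int = 30 * 86400) -> List[Key]:
    """KSK rollover (-rollksk).  Published -> Current; the old Current keys are
    revoked when RFC5011 processing is on, otherwise archived at once."""
    if not zk.kskcur or not zk.kskpub:
        raise RolloverError("keyrec lists no Current or Published KSK")
    retired = zk.kskcur
    zk.kskcur, zk.kskpub = zk.kskpub, []
    if rfc5011:
        for k in retired:
            k.revoked_at = now
        zk.kskrev.extend(retired)          # stay published with the REVOKE bit set
        expire_revoked(zk, now, revocation_period)
    else:
        zk.archive.extend(retired)
    return retired


def make_generator(zone: str, algorithm: int = 8):
    """Synthetic key names in dnssec-keygen's K<zone>.+<alg>+<tag> shape; the tag
    is a counter here, whereas a real key tag is computed from the key material."""
    counter = {"tag": 60000}

    def generate(count: int, life: int) -> List[Key]:
        keys = []
        for _ in range(count):
            counter["tag"] += 1
            keys.append(Key(f"K{zone}.+{algorithm:03d}+{counter['tag']}", life))
        return keys
    return generate
```

       Run roll_zsk twice in a row without the waits from the quick summary
       and the Published set that has just become Current was never in any
       resolver's cache; the model makes that visible, the real zone makes it
       a validation failure.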
       -showkeycmd
           Display the actual key-generation command (with options and
           arguments) that is executed.  This is a small subset of verbose
           level 3 output.

       -showsigncmd
           Display the actual zone-signing command (with options and
           arguments) that is executed.  This is a small subset of verbose
           level 3 output.

       -signonly
           Sign the zone without performing any key generation or key rollover
           operations.  The keys used in the most recent zonesigner signing of
           this zone will be the keys used for this signing.

       -signset
           The name of the ZSK signing set to use as the Current ZSK signing
           set.  The zone is signed and the given signing set becomes the
           zone's new Current ZSK signing set.  If the signing set does not
           exist, then this must be used in conjunction with either -genkeys
           or -genzsk.

           The name may contain alphanumerics, underscores, hyphens, periods,
           and commas.  The default signing set name is "zonesignset-N", where
           zone is the zone being signed and N is a number.

           If -signset is not specified, then zonesigner will use the default
           and increment the number for subsequent signing sets.

       -threshold
           Sign the zone only if a threshold condition is met.  Depending on
           how the threshold is specified, it is measured either from the last
           time the zone was signed or from the zone's expiration date.

           threshold-time is the threshold value, given as a number with an
           optional unit specifier.  The unit may be 's', 'm', 'h', or 'd',
           for seconds, minutes, hours, or days.  If the unit is not given,
           then the value is in seconds.  The threshold value must have
           either the '-' prefix or the '+' prefix to indicate which threshold
           to measure.  The threshold value +10d refers to ten days prior to a
           zone's expiration date.

           If the '-' prefix is used, then the zone will be re-signed if
           zonesigner is executed no more than threshold-time after the last
           time the zone was signed.  threshold-time is determined by
           subtracting the threshold value from the upcoming midnight.  If
           this would put the threshold time in the future, then it is
           calculated from the current time.

           If the '+' prefix is used, then the zone will be re-signed if
           zonesigner is executed no more than threshold-time before the
           zone's expiration date.  threshold-time is determined by
           subtracting the threshold value from the previous midnight.  If
           this would put threshold-time in the past, then it is calculated
           from the current time.

       -useboth
           Use the existing Current and Published ZSKs to sign the zone.

       -usezskpub
           Use the existing Published ZSKs to sign the zone.

       -Version
           Display the version information for zonesigner and the DNSSEC-Tools
           package.

       -verbose
           Verbose output will be given.  As more instances of -verbose are
           given on the command line, additional levels of verbosity are
           achieved.

               level       output
               -----       ------
                 1         operations being performed
                             (e.g., generating key files, signing zone)
                 2         details on operations and some operation results
                             (e.g., new key names, zone serial number)
                 3         operations' parameters and additional details
                             (e.g., key lengths, signing algorithm,
                             executed commands)

           Higher levels of verbosity are cumulative.  Specifying two
           instances of -verbose will get the output from the first and second
           levels of output.

       -xc Display a message associated with a zonesigner exit value.  This
           option is intended for use by programs that wish for zonesigner to
           run silently, but need a description for why zonesigner has exited
           with an error.

           The following are the exit codes and their associated messages.

           0 - successful execution
           1 - -rfc5011 and -norfc5011 may not be specified together
           2 - -droprevoked and -nodroprevoked may not be specified together
           3 - -keydirectory and -kskdirectory may not be specified together
           4 - -keydirectory and -zskdirectory may not be specified together
           5 - KSK count must be positive
           6 - ZSK count must be positive
           7 - no key archive directory was specified
           8 - key archive directory is not a directory
           9 - key archive directory must not be /
           10 - -savekeys and -nosave may not be specified together
           11 - either a KSK or a ZSK directory was incorrectly specified
           12 - either a specified KSK or a specified ZSK directory is not a
           directory
           13 - neither the KSK nor the ZSK directory may be the root
           directory
           14 - zone file, output file, and intermediate file must all have
           distinct names
           15 - zone file does not exist
           16 - zone file is empty
           17 - zone file already signed
           18 - specified signing set does not exist
           19 - specified Current ZSK signing set does not exist
           20 - specified Published ZSK signing set does not exist
           21 - specified new signing-set name already exists
           22 - specified KSK signing set already exists
           23 - no KSK signing set was specified
           24 - specified Current KSK signing set does not exist
           25 - specified Published KSK signing set does not exist
           26 - unable to generate KSK key file
           27 - ZSK keyrec does not exist in keyrec file
           28 - unable to generate ZSK key file
           29 - unable to archive keys because key archive directory is not a
           directory
           30 - KSK repository is not a directory
           31 - ZSK repository is not a directory
           32 - unable to update serial number in zonefile
           33 - zone file's modified contents are empty
           34 - unable to sign zone
           35 - no Published KSKs have been created
           36 - zone has no Published ZSKs to rollover to Current ZSKs
           37 - no keys defined for a particular signing set for zone
           38 - no keyrec exists for required signing set
           39 - error in keyrec file -- a particular signing set keyrec is not
           a set keyrec
           40 - specified signing set does not contain any keys
           41 - no key keyrec exists for a particular key
           42 - keyrec of specified key has an unexpected type
           43 - usage message printed
           44 - invalid exit code given to -xc
           45 - named-checkzone returned an error
           46 - unable to create dsset archive directory
           47 - dsset archive directory is not a directory
           48 - dsset archive directory is not writable
           49 - dsset archive directory must not be /
           50 - invalid threshold
           51 - invalid format end-date

           An error message will be printed if an invalid exit code is given.

       -Cthulhu
           This option is for internal use only and should never be used by a
           user.  If this warning is ignored, then undefined, unnameable
           eldritch horrors may be visited upon your zone files.  Do not use.

       -zone
           Name of the zone that will be signed.  This zone name may be given
           with this option or as the first non-option command line argument.
           In the second case, if the argument contains directory separators,
           then the final element of the path will be used for the zone name.

       -zskcount
           The number of ZSK keys to generate and with which to sign the zone.
           The default is to use a single ZSK key.

       -zskdirectory
           The directory in which ZSK keys will be stored.  The default is to
           store the keys in the directory in which zonesigner is executed.

           This directory may not be the root directory.

       -zsklife
           The time between ZSK rollovers.  This is measured in seconds.

   dnssec-keygen-specific Options
       -algorithm
           Cryptographic algorithm used to generate the zone's keys.  The
           default value is RSASHA1.  The option value is passed to dnssec-
           keygen as the -a flag.  Consult dnssec-keygen's manual page to
           determine legal values.

           RSASHA1 is DNSSEC algorithm number 5 (the "+005+" in the key file
           names under EXAMPLES).  It is built on SHA-1, and RFC 8624 marks it
           NOT RECOMMENDED for signing, so for a new zone name an algorithm
           explicitly (RSASHA256 or ECDSAP256SHA256, for example) rather than
           relying on the default.  Because the algorithm is recorded in the
           keyrec, the choice made at the first -genkeys run is reused for
           every later key generated for that zone.

       -kgopts
           Additional options for dnssec-keygen may be specified using this
           option.  The additional options are passed as a single string value
           as an argument to the -kgopts option.

       -ksklength
           Bit length of the zone's KSK key.  The default is 2048.

       -nsec3optout
           When this flag and the -usensec3 flag are set, the zone will be
           signed using the Opt-Out support described in RFC5155.  A quick
           summary is that only delegations that have a DS record (signed
           children) are covered by NSEC3 records; unsigned delegations are
           left out.  This greatly reduces the computational and memory
           requirements of extremely large zones with lots of unsigned
           children.

           The price is that the zone can no longer prove that a given
           unsigned delegation does not exist, so a forged insecure
           delegation inside an Opt-Out span validates as insecure rather
           than bogus.  Use Opt-Out for large delegation-centric zones, not
           for zones consisting mostly of ordinary records.

       -random
           Source of randomness used to generate the zone's keys. This is
           assumed to be a file, for example /dev/urandom.

       -usensec3
           Signs the zone using NSEC3 (see RFC5155) proof-of-non-existence
           records rather than NSEC records.  The keys used to sign the zone
           must support the use of NSEC3 or else zone-signing will fail: with
           the RSASHA1 default that means RSASHA1-NSEC3-SHA1 (algorithm 7)
           keys, whereas RSASHA256 and newer algorithms work with either NSEC
           or NSEC3.  Zonesigner will automatically generate new keys of the
           correct type if one of the -genkeys or similar options is used.

       -zsklength
           Bit length of the zone's ZSK key.  The default is 1024.  A
           1024-bit RSA key is below current recommendations even for a
           short-lived ZSK; set this to at least 2048 for the RSA algorithms.
           (The elliptic-curve algorithms have a fixed key size, for which
           this option is irrelevant.)

   dnssec-signzone-specific Options
       -endtime
           Time that the zone expires, as measured from the current time.  If
           given as a number, it is a count of seconds.  If it is given as a
           number followed by 's', 'm', 'h', or 'd', then it is the number of
           seconds, minutes, hours, or days.  The default value is 2764800
           seconds (32 days).  Once this time has passed, the signatures in
           the signed zone no longer validate and validating resolvers will
           treat the zone as bogus, so the zone must be re-signed before the
           end time is reached (see the QUICK START examples).

       -gends
           Force dnssec-signzone to generate DS records for the zone.  This
           option is translated into -g when passed to dnssec-signzone.

           This option is obsolete.  DS records are generated by default.  Use
           the -nogends option if DS records should not be generated.

       -ksdir
           Specify a directory for storing keysets.  This is passed to dnssec-
           signzone as the -d option.

       -nogends
           Prevent dnssec-signzone from generating DS records for the zone.

       -szopts
           Additional options for dnssec-signzone may be specified using this
           option.  The additional options are passed as a single string value
           as an argument to the -szopts option.

   Other Options
       -zcopts
           Additional options for named-checkzone may be specified using this
           option.  The additional options are passed as a single string value
           as an argument to the -zcopts option.

           The default value for this option is "-i local", set in
           defaults.pm.  This restricts named-checkzone's post-load integrity
           checks to data within the zone itself and has been found to
           greatly reduce the time named-checkzone takes to run.

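       The -endtime syntax described above, turned into a check of when a
       signed zone's signatures run out, as an added example that is not
       part of zonesigner or DNSSEC-Tools.  The function names are this
       example's own; the only zonesigner data it consumes are an -endtime
       value and the keyrec_signsecs field that zonesigner writes into the
       zone keyrec (shown in Example 4 below).  The safety margin is the
       operator's choice, not anything zonesigner computes.

```shell
#!/bin/sh
# Added example, not code from zonesigner or DNSSEC-Tools.  Converts a
# zonesigner -endtime argument into seconds and, together with the
# keyrec_signsecs value from the zone keyrec, reports when the RRSIGs in
# the signed zone expire and whether the next re-signing run is due.

# endtime_to_seconds SPEC
#   SPEC is a bare number of seconds, or a number followed by s, m, h or d.
#   A leading '+' (as in "-endtime +2678400") is accepted and ignored.
endtime_to_seconds() {
    spec=${1#+}
    num=${spec%[smhd]}          # strip one trailing unit letter, if any
    unit=${spec#"$num"}         # whatever was stripped: '' or s/m/h/d
    case "$num" in
        ''|*[!0-9]*) printf 'bad -endtime value: %s\n' "$1" >&2; return 1 ;;
    esac
    case "$unit" in
        ''|s) echo "$num" ;;
        m) echo $((num * 60)) ;;
        h) echo $((num * 3600)) ;;
        d) echo $((num * 86400)) ;;
    esac
}

# rrsig_expiry SIGNSECS SPEC
#   Epoch time at which signatures made at SIGNSECS (keyrec_signsecs in the
#   zone keyrec) with -endtime SPEC stop validating.
rrsig_expiry() {
    secs=$(endtime_to_seconds "$2") || return 1
    echo $(( $1 + secs ))
}

# resign_status SIGNSECS SPEC NOW MARGIN
#   Prints "ok", "resign-now" or "expired".  MARGIN (same s/m/h/d syntax) is
#   how much validity you insist on keeping in hand, e.g. twice the longest
#   TTL plus the time it takes every secondary to pick up a new zone.
resign_status() {
    expiry=$(rrsig_expiry "$1" "$2") || return 1
    margin=$(endtime_to_seconds "$4") || return 1
    if [ "$3" -ge "$expiry" ]; then
        echo expired
    elif [ $(( expiry - $3 )) -le "$margin" ]; then
        echo resign-now
    else
        echo ok
    fi
}

# Usage with the signing time from Example 4 (constructed "now" values):
#   rrsig_expiry 1115166642 +2764800                       -> 1117931442
#   resign_status 1115166642 +2764800 $((1115166642 + 30*86400)) 3d
#                                                          -> resign-now
#   resign_status 1115166642 +2764800 "$(date +%s)" 3d     (live check)
```

       Run "resign_status SIGNSECS +2764800 "$(date +%s)" 3d" from cron or a
       monitoring check, with SIGNSECS read from the zone keyrec; anything
       other than "ok" means the next zonesigner run (without -genkeys, so
       the same keys are reused) is due.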

EXAMPLES

       Example 1.

       In the first example, an existing keyrec file is used to assist in
       signing the example.com domain.  Zone data are stored in example.com,
       and the keyrec is in example.krf.  The final signed zone file will be
       db.example.com.signed.  Using this execution:

           # zonesigner -krfile example.krf example.com db.example.com.signed

       the following files are created:

           Kexample.com.+005+45842.private
           Kexample.com.+005+45842.key
           Kexample.com.+005+50186.private
           Kexample.com.+005+50186.key
           Kexample.com.+005+59143.private
           Kexample.com.+005+59143.key

           dsset-example.com.
           keyset-example.com.

           db.example.com.signed

       The first six files are the KSK and ZSK keys required for the zone.
       The .private files hold the private keys and must be readable only by
       the user that signs the zone.  The next two files are created by the
       zone-signing process.  The last file is the final signed zone file.

       Example 2.

       In the second example, an existing keyrec file is used to assist in
       signing the example.com domain.  Zone data are stored in example.com,
       and the keyrec is in example.krf.  The generated keys, an intermediate
       zone file, and the final signed zone file will use example.com as a
       base.  Using this execution:

           # zonesigner -krfile example.krf -intermediate example.zs example.com

       the following files are created:

           Kexample.com.+005+12354.key
           Kexample.com.+005+12354.private
           Kexample.com.+005+82197.key
           Kexample.com.+005+82197.private
           Kexample.com.+005+55888.key
           Kexample.com.+005+55888.private

           dsset-example.com.
           keyset-example.com.

           example.zs
           example.com.signed

       The first six files are the KSK and ZSK keys required for the zone.
       The next two files are created by the zone-signing process.  The
       second-to-last file is the intermediate zone file, which is what
       actually gets signed.  The last file is the final signed zone.

       Example 3.

       In the third example, no keyrec file is specified for the signing of
       the example.com domain.  In addition to files created as shown in
       previous examples, a new keyrec file is created.  The new keyrec file
       uses the domain name as its base.  Using this execution:

           # zonesigner example.com db.example.com

       the following keyrec file is created:

           example.com.krf

       The signed zone file is created in:

           db.example.com

       Example 4.

       This example shows a keyrec file generated by zonesigner.

       The command executed is:

           # zonesigner example.com db.example.com

       The generated keyrec file contains seven keyrecs:  a zone keyrec,
       three set keyrecs, one KSK keyrec, and two ZSK keyrecs.  The zone
       keyrec names the signing sets in use (kskcur, zskcur, zskpub), each
       set keyrec names its keys, and each key keyrec records how that key
       was generated.

           zone        "example.com"
               zonefile        "example.com"
               signedzone      "db.example.com"
               endtime         "+2764800"
               kskcur          "example.com.signset-24"
               kskdirectory    "."
               zskcur          "example.com.signset-42"
               zskpub          "example.com.signset-43"
               zskdirectory    "."
               keyrec_type     "zone"
               keyrec_signsecs "1115166642"
               keyrec_signdate "Wed May  4 00:30:42 2005"

           set         "example.com.signset-24"
               zonename        "example.com"
               keys            "Kexample.com.+005+24082"
               keyrec_setsecs  "1110000042"
               keyrec_setdate  "Sat Mar  5 05:20:42 2005"

           set         "example.com.signset-42"
               zonename        "example.com"
               keys            "Kexample.com.+005+53135"
               keyrec_setsecs  "1115166640"
               keyrec_setdate  "Wed May  4 00:30:40 2005"

           set         "example.com.signset-43"
               zonename        "example.com"
               keys            "Kexample.com.+005+13531"
               keyrec_setsecs  "1115166641"
               keyrec_setdate  "Wed May  4 00:30:41 2005"

           key         "Kexample.com.+005+24082"
               zonename        "example.com"
               keyrec_type     "kskcur"
               algorithm       "rsasha1"
               random          "/dev/urandom"
               keypath         "./Kexample.com.+005+24082.key"
               ksklength       "2048"
               ksklife         "15768000"
               keyrec_gensecs  "1110000042"
               keyrec_gendate  "Sat Mar  5 05:20:42 2005"

           key         "Kexample.com.+005+53135"
               zonename        "example.com"
               keyrec_type     "zskcur"
               algorithm       "rsasha1"
               random          "/dev/urandom"
               keypath         "./Kexample.com.+005+53135.key"
               zsklength       "1024"
               zsklife         "604800"
               keyrec_gensecs  "1115166638"
               keyrec_gendate  "Wed May  4 00:30:38 2005"

           key         "Kexample.com.+005+13531"
               zonename        "example.com"
               keyrec_type     "zskpub"
               algorithm       "rsasha1"
               random          "/dev/urandom"
               keypath         "./Kexample.com.+005+13531.key"
               zsklength       "1024"
               zsklife         "604800"
               keyrec_gensecs  "1115166638"
               keyrec_gendate  "Wed May  4 00:30:38 2005"

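       A keyrec of this shape can be checked mechanically.  The following is
       an added example, not code from zonesigner or DNSSEC-Tools: it parses
       a keyrec in the format shown above, reports each key's type,
       algorithm, length and lifetime, flags keys a practitioner would want
       to rotate (SHA-1 based algorithms, and lengths below a threshold that
       defaults to 2048 bits), flags keys whose algorithm number (taken from
       the Kzone.+NNN+id name) is NSEC-only and therefore unusable with the
       -usensec3 option described earlier (algorithms 1, 3 and 5), and
       reports set or key references in the zone and set keyrecs that do not
       resolve to a record.  The thresholds, the output format and the sample
       keyrec (constructed from Example 4, with the zskpub key record removed
       so that a dangling reference shows up) are this example's own.

```shell
#!/bin/sh
# Added example, not code from zonesigner or DNSSEC-Tools.  audit_keyrec
# reads a keyrec file (format as in zonesigner's Example 4) on standard
# input and prints one line per key and per dangling set/key reference.
# The 2048-bit minimum, the SHA-1 and NSEC-only flags are this example's
# assumptions, not rules zonesigner enforces.

# audit_keyrec [MINBITS]   (keyrec on stdin; MINBITS defaults to 2048)
audit_keyrec() {
    awk -v minbits="${1:-2048}" '
    # A record header is an unindented "<type> <quoted name>" line; every
    # indented "<field> <quoted value>" line belongs to the record most
    # recently opened.
    /^[a-z]+[ \t]+"/ {
        cur = $2; gsub(/"/, "", cur)
        order[++n] = cur; rtype_of[cur] = $1
        next
    }
    /^[ \t]+[a-z_]+[ \t]+"/ {
        val = $0
        sub(/^[ \t]*[a-z_]+[ \t]+"/, "", val); sub(/".*$/, "", val)
        rec[cur, $1] = val
        next
    }
    END {
        for (i = 1; i <= n; i++) {
            name = order[i]
            if (rtype_of[name] == "key") {
                kt  = rec[name, "keyrec_type"]
                alg = rec[name, "algorithm"]
                isksk = (kt ~ /^ksk/)
                bits = isksk ? rec[name, "ksklength"] : rec[name, "zsklength"]
                life = isksk ? rec[name, "ksklife"]   : rec[name, "zsklife"]
                split(name, p, /\+/)        # Kzone.+NNN+id: NNN = algorithm number
                flags = ""
                if (alg ~ /sha1/)            flags = flags "deprecated-alg,"
                if (bits + 0 < minbits + 0)  flags = flags "short-key,"
                if (p[2] + 0 == 1 || p[2] + 0 == 3 || p[2] + 0 == 5)
                                             flags = flags "nsec-only,"
                sub(/,$/, "", flags)
                printf "KEY %s %s %s %s %s %s\n", name, kt, alg, bits, life, (flags == "" ? "ok" : flags)
            } else if (rtype_of[name] == "set") {
                m = split(rec[name, "keys"], ks, /[ \t]+/)
                for (j = 1; j <= m; j++)
                    if (ks[j] != "" && rtype_of[ks[j]] != "key")
                        printf "SET %s missing-key %s\n", name, ks[j]
            } else if (rtype_of[name] == "zone") {
                split("kskcur zskcur zskpub", slot, " ")
                for (j = 1; j <= 3; j++) {
                    s = rec[name, slot[j]]
                    if (s != "" && rtype_of[s] != "set")
                        printf "ZONE %s missing-set %s=%s\n", name, slot[j], s
                }
            }
        }
    }'
}

# Constructed sample: Example 4 with the zskpub key record deleted, so the
# set that still names it shows up as a dangling reference.
sample_keyrec() {
    cat <<'EOF'
zone        "example.com"
    zonefile        "example.com"
    signedzone      "db.example.com"
    endtime         "+2764800"
    kskcur          "example.com.signset-24"
    zskcur          "example.com.signset-42"
    zskpub          "example.com.signset-43"
    keyrec_type     "zone"
    keyrec_signsecs "1115166642"

set         "example.com.signset-24"
    zonename        "example.com"
    keys            "Kexample.com.+005+24082"

set         "example.com.signset-42"
    zonename        "example.com"
    keys            "Kexample.com.+005+53135"

set         "example.com.signset-43"
    zonename        "example.com"
    keys            "Kexample.com.+005+13531"

key         "Kexample.com.+005+24082"
    zonename        "example.com"
    keyrec_type     "kskcur"
    algorithm       "rsasha1"
    ksklength       "2048"
    ksklife         "15768000"

key         "Kexample.com.+005+53135"
    zonename        "example.com"
    keyrec_type     "zskcur"
    algorithm       "rsasha1"
    zsklength       "1024"
    zsklife         "604800"
EOF
}

# Usage:  audit_keyrec < example.com.krf
#         sample_keyrec | audit_keyrec
```

       On the sample, the KSK line carries "deprecated-alg,nsec-only", the
       ZSK line "deprecated-alg,short-key,nsec-only", and signset-43 is
       reported with a missing key.  On a real keyrec, any SET or ZONE line
       means zonesigner's view of the keys and the key files on disk have
       diverged and should be reconciled before the next signing run.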

NOTES

       1.  One Zone in a keyrec File
           A bug in the signing-set code means that only one zone may be
           stored in a keyrec file.

       2.  SOA Serial Numbers
           Serial numbers in SOA records are merely incremented in this
           version.  Future plans are to allow for more flexible serial number
           manipulation.


COPYRIGHT

       Copyright 2004-2014 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the DNSSEC-Tools package for details.


AUTHOR

       Wayne Morrison, tewok@tislabs.com


SEE ALSO

       keymod(8), lskrf(1), rollerd(1)

       dnssec-keygen(8), dnssec-signzone(8)

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3),
       Net::DNS::SEC::Tools::keyrec.pm(3),
       Net::DNS::SEC::Tools::tooloptions.pm(3)

       keyrec(5)



perl v5.36.0                      2022-07-21                     ZONESIGNER(1)