ldns-signzone(1)            General Commands Manual            ldns-signzone(1)

NAME
ldns-signzone - sign a zonefile with DNSSEC data

SYNOPSIS
ldns-signzone [ OPTIONS ] ZONEFILE KEY [KEY [KEY] ... ]

DESCRIPTION
ldns-signzone is used to generate a DNSSEC signed zone. When run it will
create a new zonefile that contains RRSIG and NSEC resource records, as
specified in RFC 4033, RFC 4034 and RFC 4035.

Keys must be specified by their base name (i.e. without .private). If the
DNSKEY that belongs to the key in the .private file is not present in the
zone, it will be read from the file <base name>.key. If that file does not
exist, the DNSKEY value will be generated from the private key.
Multiple keys can be specified. Key Signing Keys are used as such when they
are either already present in the zone, or specified in a .key file, and
have the KSK bit set.

OPTIONS
-b     Augments the zone and the RRs with extra comment text for a more
       readable layout that is easier to debug. DS records will have a
       bubblebabble version of the data in the comment text; NSEC3 records
       will have the unhashed owner names in the comment text.

       Without this option, only DNSKEY RRs will have their Key Tag
       annotated in the comment text.

-d     Normally, if the DNSKEY RR for a key that is used to sign the zone
       is not found in the zone file, it will be read from the .key file,
       or derived from the private key (in that order). This option turns
       that feature off, so that only the signatures are added to the
       zone.

-e date
       Set the expiration date of the signatures to this date. The format
       can be YYYYMMDD[hhmmss], or a timestamp.

-f file
       Use this file to store the signed zone in (default
       <originalfile>.signed).

-i date
       Set the inception date of the signatures to this date. The format
       can be YYYYMMDD[hhmmss], or a timestamp.

-o origin
       Use this as the origin of the zone.

-u     Set the SOA serial to the number of seconds since 1-1-1970.

-v     Print the version and exit.
69
-z [scheme:]hash
       Calculate the zone's digest and add it as a ZONEMD RR. The
       (optional) `scheme' must be `simple' (or 1) and `hash' should be
       `sha384' (or 1) or `sha512' (or 2). This option can be given more
       than once.

-Z     Allow ZONEMD RRs to be added without signing.

-A     Sign the DNSKEY RRset with all keys. By default it is signed with a
       minimal number of keys, to keep the response size for the DNSKEY
       query small: only the SEP keys that are passed are used. If there
       are no SEP keys, the DNSKEY RRset is signed with the non-SEP keys.
       This option turns off the default so that all keys are used to sign
       the DNSKEY RRset.

-U     Sign with every unique algorithm in the provided keys. The DNSKEY
       set is signed with all the SEP keys, plus all the non-SEP keys that
       have an algorithm that is not present in the SEP key set.

-E name
       Use the EVP cryptographic engine with the given name for signing.
       This can have some extra options; see ENGINE OPTIONS for more
       information.

-K algorithm-id,key-id
       Use the key `key-id' as the signing key for algorithm
       `algorithm-id' as a Key Signing Key (KSK). This option is used when
       you use an OpenSSL engine; see ENGINE OPTIONS for more information.

-k algorithm-id,key-id
       Use the key `key-id' as the signing key for algorithm
       `algorithm-id' as a Zone Signing Key (ZSK). This option is used
       when you use an OpenSSL engine; see ENGINE OPTIONS for more
       information.

-n     Use NSEC3 instead of NSEC.

If you use NSEC3, you can specify the following extra options:

-a algorithm
       Algorithm used to create the hashed NSEC3 owner names.

-p     Opt-out. All NSEC3 records in the zone will have the Opt-out flag
       set. After signing, you can add insecure delegations to the signed
       zone.

-s string
       The salt to use when hashing the NSEC3 owner names.

-t number
       Number of hash iterations.
137
ENGINE OPTIONS
You can modify the possible engines, if supported, by setting an OpenSSL
configuration file. This is done through the environment variable
OPENSSL_CONF.

The key options (-k and -K) work as follows: you specify a DNSSEC algorithm
(using its symbolic name, for instance RSASHA256, or its numeric
identifier, for instance 8), followed by a comma and a key identifier
(white space is not allowed between the algorithm and the comma, nor
between the comma and the key identifier).

The key identifier can be any of the following:

<id>
<slot>:<id>
id_<id>
slot_<slot>-id_<id>
label_<label>
slot_<slot>-label_<label>

Where '<id>' is the PKCS #11 key identifier in hexadecimal notation,
'<label>' is the PKCS #11 human-readable label, and '<slot>' is the slot
number where the token is present.

More recent versions of OpenSSL engines may support the PKCS #11 URI scheme
(RFC 7512); please consult your engine's documentation.

If not already present, a DNSKEY RR is generated from the key data and
added to the zone.
167
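As an added illustration of the -k/-K argument grammar described above (example code written for this page, not part of ldns), the following Python parser accepts '<algorithm>,<key-id>', resolves a symbolic or numeric algorithm, and recognises the six key identifier forms listed under ENGINE OPTIONS. The algorithm table is a subset of the IANA DNSSEC algorithm registry chosen for the example; the set of symbolic names ldns itself accepts may differ.

```python
import re

# Subset of the IANA DNSSEC algorithm registry, included for this example;
# ldns accepts whatever symbolic names it knows, this table covers common ones.
DNSSEC_ALGORITHMS = {
    "RSASHA1": 5,
    "RSASHA1-NSEC3-SHA1": 7,
    "RSASHA256": 8,
    "RSASHA512": 10,
    "ECDSAP256SHA256": 13,
    "ECDSAP384SHA384": 14,
    "ED25519": 15,
    "ED448": 16,
}

_HEX = r"[0-9A-Fa-f]+"
# The six key identifier forms listed under ENGINE OPTIONS, tried in order.
_KEY_ID_FORMS = (
    re.compile(rf"^(?P<id>{_HEX})$"),
    re.compile(rf"^(?P<slot>\d+):(?P<id>{_HEX})$"),
    re.compile(rf"^id_(?P<id>{_HEX})$"),
    re.compile(rf"^slot_(?P<slot>\d+)-id_(?P<id>{_HEX})$"),
    re.compile(r"^label_(?P<label>.+)$"),
    re.compile(r"^slot_(?P<slot>\d+)-label_(?P<label>.+)$"),
)


def parse_algorithm(text: str) -> int:
    """Accept a symbolic name (case-insensitive) or a numeric identifier 1..255."""
    if text.isdigit():
        number = int(text)
        if not 1 <= number <= 255:
            raise ValueError(f"algorithm number out of range: {text}")
        return number
    try:
        return DNSSEC_ALGORITHMS[text.upper()]
    except KeyError:
        raise ValueError(f"unknown DNSSEC algorithm: {text!r}") from None


def parse_key_identifier(text: str) -> dict:
    """Split a PKCS #11 key identifier into slot, hex id and label fields."""
    for pattern in _KEY_ID_FORMS:
        match = pattern.match(text)
        if match:
            fields = match.groupdict()
            return {
                "slot": int(fields["slot"]) if fields.get("slot") else None,
                "id": fields["id"].lower() if fields.get("id") else None,
                "label": fields.get("label"),
            }
    raise ValueError(f"unrecognised key identifier: {text!r}")


def parse_key_option(spec: str, ksk: bool) -> dict:
    """Parse the argument of -k (ZSK, ksk=False) or -K (KSK, ksk=True).

    The grammar is '<algorithm>,<key-id>' with no white space on either side
    of the comma; a second comma is rejected as well.
    """
    if any(ch.isspace() for ch in spec):
        raise ValueError(f"white space is not allowed in {spec!r}")
    if spec.count(",") != 1:
        raise ValueError(f"expected exactly one comma in {spec!r}")
    alg_text, key_text = spec.split(",")
    parsed = parse_key_identifier(key_text)
    parsed["algorithm"] = parse_algorithm(alg_text)
    parsed["role"] = "KSK" if ksk else "ZSK"
    return parsed


def key_option_argv(spec: str, ksk: bool) -> list:
    """Re-emit the option in canonical numeric form, e.g. ['-K', '8,slot_1-id_0a1b']."""
    p = parse_key_option(spec, ksk)
    if p["label"] is not None:
        ident = f"label_{p['label']}"
    else:
        ident = f"id_{p['id']}"
    if p["slot"] is not None:
        ident = f"slot_{p['slot']}-{ident}"
    return ["-K" if ksk else "-k", f"{p['algorithm']},{ident}"]


if __name__ == "__main__":
    # Constructed sample arguments, not taken from a real deployment.
    for option, spec in (("-K", "RSASHA256,slot_1-id_0A1b"), ("-k", "8,label_zsk-2024")):
        print(option, spec, "->", parse_key_option(spec, ksk=option == "-K"))
```

A symbolic name and its number parse to the same structure, so a wrapper script can normalise what an operator typed before handing it to ldns-signzone and reject a value with stray white space (which ldns would otherwise receive as a malformed option) with a clear message.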
EXAMPLES
ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+005+12273
       Sign the zone in the file 'nlnetlabs.nl' with the key in the file
       'Knlnetlabs.nl.+005+12273.private'. If the DNSKEY is not present in
       the zone, use the key in the file 'Knlnetlabs.nl.+005+12273.key'.
       If that is not present, generate one with default values from
       'Knlnetlabs.nl.+005+12273.private'.
176

AUTHOR
Written by the ldns team as an example for ldns usage.
Portions of engine support by Vadim Penzin <vadim@penzin.net>.

REPORTING BUGS
Report bugs to <ldns-team@nlnetlabs.nl>.

COPYRIGHT
Copyright (C) 2005-2008 NLnet Labs. This is free software. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

                              13 March 2018                  ldns-signzone(1)