KZONESIGN(1)                      Knot DNS                      KZONESIGN(1)

kzonesign - DNSSEC signing utility

kzonesign [config_option] [options] zone_name

This utility reads the zone's zone file, signs the zone according to
given configuration, and writes the signed zone file back. An alternative
mode is DNSSEC validation of the given zone. The signing or validation
can run in parallel if enabled in the configuration (see
policy.signing-threads and zone.adjust-threads).

Parameters
    zone_name
        The name of the zone to be signed.

Config options
    -c, --config file
        Use a textual configuration file (default is
        /etc/knot/knot.conf).

    -C, --confdb directory
        Use a binary configuration database directory (default is
        /var/lib/knot/confdb). The default configuration database, if
        it exists, takes precedence over the default configuration file.

Options
    -o, --outdir dir_name
        Write the output zone file to the specified directory instead of
        the configured one.

    -r, --rollover
        Allow key roll-overs and NSEC3 re-salt. In order to finish
        possible KSK submission, set the KSK's active timestamp to now (+0)
        using keymgr.

    -v, --verify
        Instead of (re-)signing the zone, just verify that the zone is
        correctly signed.

    -t, --time timestamp
        Sign/verify the zone (and roll the keys if necessary) as if it
        was at the time specified by timestamp.

    -h, --help
        Print the program help.

    -V, --version
        Print the program version.

Exit status of 0 means successful operation. Any other exit status
indicates an error.
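
The following check combines --verify, --time and the exit status described above to catch a zone whose signatures are valid today but will not be at a chosen horizon. It is an added example, not part of the Knot DNS distribution; the function names, the KNOT_CONF variable and the return codes 1, 2 and 64 are this example's own, and it assumes --time accepts a UNIX timestamp in seconds.

```shell
#!/bin/sh
# Added example: DNSSEC validity check built on `kzonesign --verify`.
# Assumption: --time takes a UNIX timestamp (seconds since the epoch).

KNOT_CONF="${KNOT_CONF:-/etc/knot/knot.conf}"   # default path from the man page

# verify_zone_at ZONE [EPOCH]
# Validate ZONE now, or as if the clock read EPOCH. Returns kzonesign's status.
verify_zone_at() {
    zone=$1
    when=${2:-}
    if [ -n "$when" ]; then
        kzonesign --config "$KNOT_CONF" --verify --time "$when" "$zone"
    else
        kzonesign --config "$KNOT_CONF" --verify "$zone"
    fi
}

# check_zone ZONE [DAYS]
# Returns 0 if ZONE validates now and DAYS days ahead (default 7),
#         1 if it fails validation now,
#         2 if it validates now but not at the horizon,
#        64 if DAYS is not a non-negative integer.
check_zone() {
    zone=$1
    days=${2:-7}
    case $days in
        ''|*[!0-9]*) echo "days must be a non-negative integer" >&2; return 64 ;;
    esac
    now=$(date +%s)
    horizon=$((now + days * 86400))

    # Any non-zero exit status from kzonesign indicates an error.
    if ! verify_zone_at "$zone"; then
        echo "CRITICAL: $zone fails DNSSEC validation now" >&2
        return 1
    fi
    if ! verify_zone_at "$zone" "$horizon"; then
        echo "WARNING: $zone will not validate in $days days; re-sign it" >&2
        return 2
    fi
    echo "OK: $zone validates now and at +$days days"
}
```

Run `check_zone example.com 7` from cron or a monitoring agent on the signer host and alert on a non-zero return.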

knot.conf(5), keymgr(8).

CZ.NIC Labs <https://www.knot-dns.cz>

Copyright 2010–2023, CZ.NIC, z.s.p.o.

3.3.2                            2023-10-20                     KZONESIGN(1)