dnssec-signzone(1M)     System Administration Commands     dnssec-signzone(1M)

NAME

       dnssec-signzone - DNSSEC zone signing tool


SYNOPSIS

       dnssec-signzone [-aghptz] [-c class] [-d directory]
            [-e end-time] [-f output-file] [-i interval] [-k key]
            [-l domain] [-n nthreads] [-o origin] [-r randomdev]
            [-s start-time] [-v level] zonefile [key]...


DESCRIPTION

       The dnssec-signzone utility signs a zone. It generates NSEC and RRSIG
       records and produces a signed version of the zone. The security status
       of delegations from the signed zone (that is, whether the child zones
       are secure or not) is determined by the presence or absence of a keyset
       file for each child zone.


OPTIONS

       The following options are supported:

       -a                Verify all generated signatures.


       -c class          Specify the DNS class of the zone.


       -d directory      Look for keyset files in directory.


       -e end-time       Specify the date and time when the generated RRSIG
                         records expire. As with start-time, an absolute time
                         is indicated in YYYYMMDDHHMMSS notation. A time
                         relative to the start time is indicated with +N, which
                         is N seconds from the start time. A time relative to
                         the current time is indicated with now+N. If no
                         end-time is specified, 30 days from the start time is
                         used as a default.


       -f output-file    The name of the output file containing the signed
                         zone. The default is to append .signed to the input
                         file name.


       -g                Generate DS records for child zones from keyset
                         files. Existing DS records will be removed.


       -h                Print a short summary of the options and arguments
                         to dnssec-signzone.


       -i interval       Specify the cycle interval as an offset from the
                         current time (in seconds). When a previously signed
                         zone is passed as input, records may be re-signed. If
                         a SIG record expires after the cycle interval, it is
                         retained. Otherwise, it is considered to be expiring
                         soon and will be replaced. The default cycle interval
                         is one quarter of the difference between the signature
                         end and start times. If neither end-time nor
                         start-time is specified, dnssec-signzone generates
                         signatures that are valid for 30 days, with a cycle
                         interval of 7.5 days. Any existing SIG records due to
                         expire in less than 7.5 days would be replaced.


       -k key            Treat specified key as a key-signing key, ignoring
                         any key flags. This option can be specified multiple
                         times.

       -l domain         Generate a DLV set in addition to the key (DNSKEY)
                         and DS sets. The domain is appended to the name of
                         the records.


       -n nthreads       Specify the number of threads to use. By default,
                         one thread is started for each detected CPU.


       -o origin         Specify the zone origin. If not specified, the name
                         of the zone file is assumed to be the origin.


       -p                Use pseudo-random data when signing the zone. This is
                         faster, but less secure, than using real random data.
                         This option may be useful when signing large zones or
                         when the entropy source is limited.


       -r randomdev      Specify the source of randomness. By default,
                         /dev/random is used. The randomdev argument specifies
                         the name of a character device or file containing
                         random data to be used instead of the default. The
                         special value keyboard indicates that keyboard input
                         should be used.


       -s start-time     Specify the date and time when the generated RRSIG
                         records become valid. This can be either an absolute
                         or relative time. An absolute start time is indicated
                         by a number in YYYYMMDDHHMMSS notation;
                         20000530144500 denotes 14:45:00 UTC on May 30th,
                         2000. A relative start time is indicated by +N, which
                         is N seconds from the current time. If no start-time
                         is specified, the current time minus one hour (to
                         allow for clock skew) is used.


       -t                Print statistics at completion.


       -v level          Set the debugging level.


       -z                Ignore KSK flag on key when determining what to sign.


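       The -s, -e and -i rules above are easiest to check in code. The Python
       below is an added example, not part of this manual page or of BIND; the
       function names are illustrative and it models only the documented time
       arithmetic and the keep/replace decision, not the signing itself.

```python
from datetime import datetime, timedelta, timezone

def parse_time(spec, now, start=None):
    """Resolve a -s or -e argument to an aware UTC datetime.
    YYYYMMDDHHMMSS is absolute UTC. "+N" is N seconds from the start time when
    resolving -e (start given) or from the current time when resolving -s.
    "now+N" is N seconds from the current time in either position."""
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        base = start if start is not None else now
        return base + timedelta(seconds=int(spec[1:]))
    if len(spec) == 14 and spec.isdigit():
        return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognized time specification: {spec!r}")

def signing_window(now, start_time=None, end_time=None, interval=None):
    """Apply the documented defaults: start = now - 1 hour (clock skew),
    end = start + 30 days, cycle interval = (end - start) / 4 unless -i is given."""
    start = parse_time(start_time, now) if start_time else now - timedelta(hours=1)
    end = parse_time(end_time, now, start) if end_time else start + timedelta(days=30)
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    if interval is None:
        interval = int((end - start).total_seconds()) // 4
    return start, end, interval

def keep_existing_rrsig(sig_expiry, now, interval):
    """An existing signature is retained only if it expires after the cycle
    interval measured from the current time; otherwise it is replaced."""
    return sig_expiry > now + timedelta(seconds=interval)

def resign_plan(now, sig_expiries, **opts):
    """Map each existing RRSIG (label -> expiry) to "keep" or "replace"."""
    _, _, interval = signing_window(now, **opts)
    return {label: "keep" if keep_existing_rrsig(exp, now, interval) else "replace"
            for label, exp in sig_expiries.items()}

# Constructed sample (not real zone data): the run happens on the date of this
# manual page and the zone already carries two RRSIGs with different lifetimes.
NOW = datetime(2008, 12, 24, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_RRSIGS = {
    "www.example.com. A": NOW + timedelta(days=8),  # outlives the 7.5-day default
    "example.com. MX": NOW + timedelta(days=7),     # inside the default cycle
}

if __name__ == "__main__":
    print(resign_plan(NOW, SAMPLE_RRSIGS))                       # www kept, MX replaced
    print(resign_plan(NOW, SAMPLE_RRSIGS, interval=10 * 86400))  # -i 864000: both replaced
```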

OPERANDS

       The following operands are supported:

       zonefile    The file containing the zone to be signed.


       key         Specify which keys should be used to sign the zone. If no
                   keys are specified, then the zone will be examined for
                   DNSKEY records at the zone apex. If these are found and
                   there are matching private keys in the current directory,
                   these will be used for signing.



EXAMPLES

       Example 1 Signing a Zone with a DSA Key


       The following command signs the example.com zone with the DSA key
       generated in the example in the dnssec-keygen(1M) manual page
       (Kexample.com.+003+17247). The zone's keys must be in the master file
       (db.example.com). This invocation looks for keyset files in the current
       directory, so that DS records can be generated from them (-g).


         % dnssec-signzone -g -o example.com db.example.com \
         Kexample.com.+003+17247
         db.example.com.signed
         %



       In the above example, dnssec-signzone creates the file
       db.example.com.signed. This file should be referenced in a zone
       statement in a named.conf file.


       Example 2 Re-signing a Previously Signed Zone


       The following commands re-sign a previously signed zone with default
       parameters. The private keys are assumed to be in the current
       directory.


         % cp db.example.com.signed db.example.com
         % dnssec-signzone -o example.com db.example.com
         db.example.com.signed
         %



       In the above example, dnssec-signzone creates the file
       db.example.com.signed. This file should be referenced in a zone
       statement in a named.conf file.



ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:


       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWbind                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Volatile                     │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       dnssec-keygen(1M), attributes(5)


       RFC 2535


       BIND 9 Administrator Reference Manual



SunOS 5.11                        24 Dec 2008              dnssec-signzone(1M)