dnssec-signzone(1M)      System Administration Commands      dnssec-signzone(1M)



NAME
       dnssec-signzone - DNSSEC zone signing tool

SYNOPSIS
       dnssec-signzone [-aghptz] [-c class] [-d directory]
            [-e end-time] [-f output-file] [-i interval] [-k key]
            [-l domain] [-n nthreads] [-o origin] [-r randomdev]
            [-s start-time] [-v level] zonefile [key]...


DESCRIPTION
       The dnssec-signzone utility signs a zone. It generates NSEC and RRSIG
       records and produces a signed version of the zone. The security status
       of delegations from the signed zone (that is, whether the child zones
       are secure or not) is determined by the presence or absence of a keyset
       file for each child zone.
21
OPTIONS
       The following options are supported:

       -a             Verify all generated signatures.


       -c class       Specify the DNS class of the zone.


       -d directory   Look for keyset files in directory.


       -e end-time    Specify the date and time when the generated RRSIG
                      records expire. As with start-time, an absolute time
                      is given in YYYYMMDDHHMMSS notation. A time relative
                      to the start time is given as +N, which is N seconds
                      from the start time. A time relative to the current
                      time is given as now+N. If no end-time is specified,
                      30 days from the start time is used as the default.


       -f output-file The name of the output file containing the signed
                      zone. The default is to append .signed to the input
                      file name.


       -g             Generate DS records for child zones from keyset
                      files. Existing DS records will be removed.


       -h             Print a short summary of the options and arguments
                      to dnssec-signzone.


       -i interval    Specify the cycle interval as an offset from the
                      current time (in seconds). When a previously signed
                      zone is passed as input, records may be re-signed. If
                      an RRSIG record expires after the cycle interval, it
                      is retained. Otherwise, it is considered to be
                      expiring soon and is replaced. The default cycle
                      interval is one quarter of the difference between the
                      signature end and start times. If neither end-time
                      nor start-time is specified, dnssec-signzone generates
                      signatures that are valid for 30 days, with a cycle
                      interval of 7.5 days. Any existing RRSIG records due
                      to expire in less than 7.5 days are replaced. Re-sign
                      more often than the cycle interval: a signature that
                      one run retains can otherwise expire before the next
                      run replaces it.


       -k key         Treat the specified key as a key-signing key, ignoring
                      any key flags. This option can be specified multiple
                      times.

75
       -l domain      Generate a DLV set in addition to the key (DNSKEY)
                      and DS sets. The domain is appended to the name of
                      the records.


       -n nthreads    Specify the number of threads to use. By default,
                      one thread is started for each detected CPU.


       -o origin      Specify the zone origin. If not specified, the name
                      of the zone file is assumed to be the origin.


       -p             Use pseudo-random data when signing the zone. This is
                      faster, but less secure, than using real random data.
                      This option may be useful when signing large zones or
                      when the entropy source is limited. DSA signatures
                      need an unpredictable per-signature value, and a
                      predictable one can expose the private key, so do not
                      combine -p with DSA keys such as the one in Example 1.


       -r randomdev   Specify the source of randomness. By default,
                      /dev/random is used. The randomdev argument specifies
                      the name of a character device or file containing
                      random data to be used instead of the default. The
                      special value keyboard indicates that keyboard input
                      should be used.


       -s start-time  Specify the date and time when the generated RRSIG
                      records become valid. This can be either an absolute
                      or a relative time. An absolute start time is given
                      as a number in YYYYMMDDHHMMSS notation;
                      20000530144500 denotes 14:45:00 UTC on May 30th,
                      2000. A relative start time is given as +N, which is
                      N seconds from the current time. If no start-time is
                      specified, the current time minus one hour (to allow
                      for clock skew) is used.


       -t             Print statistics at completion.


       -v level       Set the debugging level.


       -z             Ignore the KSK flag on keys when determining what to
                      sign.

127
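       The timing rules of -s, -e and -i above, modelled in POSIX sh as an
       added example written for this page (not code from BIND or from
       dnssec-signzone). It assumes all times are epoch seconds; the helper
       names default_interval, rrsig_action, schedule_ok and timespec_ok are
       hypothetical, and timespec_ok checks only the syntactic forms the
       option descriptions list, not whether a 14-digit value is a real
       calendar date.

```shell
#!/bin/sh
# Added example for this page; not code from BIND or dnssec-signzone.
# All times below are epoch seconds. Helper names are hypothetical.

# Default cycle interval per -i: one quarter of (end - start).
default_interval() {
    echo $(( ($2 - $1) / 4 ))
}

# What a re-sign run at time $2 with cycle interval $3 does to an
# existing RRSIG expiring at $1: kept if it expires after now+interval,
# otherwise treated as expiring soon and replaced.
rrsig_action() {
    if [ "$1" -gt $(( $2 + $3 )) ]; then
        echo retain
    else
        echo resign
    fi
}

# A re-sign period ($1) no shorter than the cycle interval ($2) lets a
# signature retained by one run expire before the next run replaces it.
# Returns 0 for a safe schedule, 1 otherwise.
schedule_ok() {
    [ "$1" -lt "$2" ]
}

# Syntactic check of a -s ($2 = s) or -e ($2 = e) argument against the
# forms the options accept: 14-digit YYYYMMDDHHMMSS, +N, and (for -e
# only) now+N. Digits are not checked for being a real calendar date.
timespec_ok() {
    spec=$1
    case $spec in
        now+*)
            [ "$2" = e ] || return 1
            spec=${spec#now}
            ;;
    esac
    case $spec in
        +*)
            n=${spec#+}
            [ -n "$n" ] && [ "$n" = "${n%%[!0-9]*}" ]
            ;;
        *)
            [ ${#spec} -eq 14 ] && [ "$spec" = "${spec%%[!0-9]*}" ]
            ;;
    esac
}

# Demonstration with the man page's defaults: 30 days of validity gives
# a 7.5-day (180 h) cycle interval, so a daily cron re-sign is safe but
# an 8-day one is not.
VALIDITY=2592000                      # 30 days
CYCLE=$(default_interval 0 "$VALIDITY")
printf 'default cycle interval: %s s (%s h)\n' "$CYCLE" $(( CYCLE / 3600 ))
for period in 86400 691200; do
    if schedule_ok "$period" "$CYCLE"; then
        printf 'resign every %s s: ok\n' "$period"
    else
        printf 'resign every %s s: too seldom, signatures can expire\n' "$period"
    fi
done
```

       The schedule_ok rule follows directly from the retention rule: a
       signature with just over one cycle interval of life left is kept, so
       the next run must come sooner than that or the signature lapses while
       still published.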
OPERANDS
       The following operands are supported:

       zonefile    The file containing the zone to be signed.


       key         Specify which keys should be used to sign the zone. If no
                   keys are specified, the zone is examined for DNSKEY
                   records at the zone apex. If these are found and there
                   are matching private keys in the current directory, those
                   keys are used for signing.

EXAMPLES
       Example 1 Signing a Zone with a DSA Key


       The following command signs the example.com zone with the DSA key
       generated in the example in the dnssec-keygen(1M) manual page
       (Kexample.com.+003+17247). The zone's keys must be in the master
       file (db.example.com). This invocation looks for keyset files in the
       current directory, so that DS records can be generated from them
       (-g).


         % dnssec-signzone -g -o example.com db.example.com \
               Kexample.com.+003+17247
         db.example.com.signed
         %




       In the above example, dnssec-signzone creates the file
       db.example.com.signed. This file should be referenced in a zone
       statement in a named.conf file.


       Example 2 Re-signing a Previously Signed Zone


       The following commands re-sign a previously signed zone with default
       parameters. The private keys are assumed to be in the current
       directory.


         % cp db.example.com.signed db.example.com
         % dnssec-signzone -o example.com db.example.com
         db.example.com.signed
         %




       In the above example, dnssec-signzone again creates the file
       db.example.com.signed, which should be referenced in a zone
       statement in a named.conf file. Because the previously signed file
       is the input, existing RRSIG records that expire later than the
       cycle interval (7.5 days with default parameters) are retained and
       only the remaining ones are regenerated; see -i.

185
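       The two examples above combined into one operational wrapper, added
       here as an example and not taken from BIND or from this man page. It
       reproduces the copy-back step of Example 2, always passes -a so every
       generated signature is verified, states the expiry and cycle interval
       explicitly instead of relying on the defaults, and reports success
       only if the .signed file was actually written. The function names
       signzone_args, resign_zone and zone_statement are hypothetical, the
       SIGNZONE variable exists only so the wrapper can be exercised with a
       stand-in binary, and the zone statement printed follows the page's
       remark that named.conf should reference the signed file.

```shell
#!/bin/sh
# Added example for this page; not code from BIND or dnssec-signzone.
# Function names are hypothetical. $SIGNZONE defaults to the real tool
# and can be pointed at a stand-in for dry runs.

# Argument list for one signing run, one argument per line:
#   -a   verify every generated signature
#   -g   derive DS records for child zones from keyset files in $5
#   -e   expiry as +N seconds from the start time
#   -i   cycle interval in seconds (explicit rather than the default)
# $1 = origin, $2 = zone file, $3 = validity, $4 = interval, $5 = keyset dir
signzone_args() {
    printf '%s\n' -a -g -d "$5" -o "$1" -e "+$3" -i "$4" "$2"
}

# Re-sign $2 for origin $1 the way Example 2 does: use the previous
# .signed output as input so unexpired RRSIGs can be retained, run the
# signer, and succeed only if it exits 0 and produced a non-empty
# $2.signed. Prints the path of the signed file on success.
resign_zone() {
    origin=$1
    zonefile=$2
    if [ -f "$zonefile.signed" ]; then
        cp "$zonefile.signed" "$zonefile" || return 1
    fi
    # 2592000 s = 30 days validity, 648000 s = 7.5 days cycle interval,
    # i.e. the documented defaults, made explicit on the command line.
    ${SIGNZONE:-dnssec-signzone} $(signzone_args "$origin" "$zonefile" 2592000 648000 .) || return 1
    [ -s "$zonefile.signed" ] || return 1
    echo "$zonefile.signed"
}

# named.conf zone statement that serves the signed file rather than the
# unsigned master, as the examples recommend. $1 = origin, $2 = file.
zone_statement() {
    printf 'zone "%s" {\n    type master;\n    file "%s";\n};\n' "$1" "$2"
}

# Usage from an operator's shell or a cron job, e.g.:
#   signed=$(resign_zone example.com db.example.com) || exit 1
#   zone_statement example.com "$signed"
```

       Checking for a non-empty .signed file after the run matters because a
       job that silently keeps serving an old signed file will eventually
       serve expired RRSIGs, which validating resolvers treat as a failure.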
ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:




       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWbind                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Volatile                     │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       dnssec-keygen(1M), attributes(5)


       RFC 2535


       BIND 9 Administrator Reference Manual



SunOS 5.11                      24 Dec 2008                 dnssec-signzone(1M)