dnssec-signzone(1M)        System Administration Commands        dnssec-signzone(1M)
NAME
dnssec-signzone - DNSSEC zone signing tool
SYNOPSIS
dnssec-signzone [-Aaghptz] [-c class] [-d directory]
[-e end-time] [-f output-file] [-H iterations] [-I input_format]
[-i interval] [-k key] [-l domain] [-N soa-serial-format] [-n ncpus]
[-O output_format] [-o origin] [-r randomdev] [-s start-time]
[-v level] [-3 salt] zonefile [key]...
DESCRIPTION
The dnssec-signzone utility signs a zone. It generates NSEC and RRSIG
records and produces a signed version of the zone. The security status
of delegations from the signed zone (that is, whether the child zones
are secure or not) is determined by the presence or absence of a keyset
file for each child zone.
OPTIONS
The following options are supported:
-A
When generating an NSEC3 chain, set the OPTOUT flag on all NSEC3
records and do not generate NSEC3 records for insecure delegations.
-a
Verify all generated signatures.
-c class
Specify the DNS class of the zone.
-d directory
Look for keyset files in directory.
-e end-time
Specify the date and time when the generated RRSIG records expire.
As with start-time, an absolute time is indicated in YYYYMMDDHHMMSS
notation. A time relative to the start time is indicated with +N,
which is N seconds from the start time. A time relative to the current
time is indicated with now+N. If no end-time is specified, 30
days from the start time is used as a default.
-f output-file
The name of the output file containing the signed zone. The default
is to append .signed to the input file name.
-g
Generate DS records for child zones from keyset files. Existing DS
records will be removed.
-H iterations
When generating an NSEC3 chain, use the number of iterations specified
by iterations. The default is 100.
-h
Prints a short summary of the options and arguments to dnssec-signzone.
-I input-format
The format of the input zone file. Possible formats are text
(default) and raw. This option is primarily intended for dynamic
signed zones so that the dumped zone file in a non-text format containing
updates can be signed directly. The use of this option
serves no purpose for non-dynamic zones.
-i interval
Specify the cycle interval as an offset from the current time (in
seconds). When a previously signed zone is passed as input, records
could be resigned. If an RRSIG record expires after the cycle
interval, it is retained. Otherwise, it is considered to be expiring
soon and will be replaced.
The default cycle interval is one quarter of the difference between
the signature end and start times. If neither end-time nor start-time
is specified, dnssec-signzone generates signatures that are
valid for 30 days, with a cycle interval of 7.5 days. Any existing
RRSIG records due to expire in less than 7.5 days would be
replaced.
-j jitter
When signing a zone with a fixed signature lifetime, all RRSIG
records issued at the time of signing expire simultaneously. If the
zone is incrementally signed, that is, a previously-signed zone is
passed as input to the signer, all expired signatures have to be
regenerated at about the same time. The jitter option specifies a
jitter window that will be used to randomize the signature-expire
time, thus spreading incremental signature regeneration over time.
Signature lifetime jitter also benefits, to some extent, validators
and servers by spreading out cache expiration. That is, if large
numbers of RRSIGs from all caches do not expire at the same time,
there will be less congestion than if all validators needed to
refetch at almost the same time.
-k key
Treat specified key as a key-signing key, ignoring any key flags.
This option can be specified multiple times.
-l domain
Generate a DLV set in addition to the key (DNSKEY) and DS sets. The
domain is appended to the name of the records.
-N soa-serial-format
The SOA serial number format of the signed zone. Possible formats
are keep (default), increment and unixtime, described as follows.
keep
Do not modify the SOA serial number.
increment
Increment the SOA serial number using RFC 1982 arithmetic.
unixtime
Set the SOA serial number to the number of seconds since epoch.
-n nthreads
Specifies the number of threads to use. By default, one thread is
started for each detected CPU.
-O output_format
The format of the output file containing the signed zone. Possible
formats are text (default) and raw.
-o origin
Specify the zone origin. If not specified, the name of the zone
file is assumed to be the origin.
-p
Use pseudo-random data when signing the zone. This is faster, but
less secure, than using real random data. This option may be useful
when signing large zones or when the entropy source is limited.
-r randomdev
Specifies the source of randomness. If the operating system does
not provide a /dev/random or equivalent device, the default source
of randomness is keyboard input. randomdev specifies the name of a
character device or file containing random data to be used instead
of the default /dev/random. The special value keyboard indicates
that keyboard input should be used.
-s start-time
Specify the date and time when the generated RRSIG records become
valid. This can be either an absolute or relative time. An absolute
start time is indicated by a number in YYYYMMDDHHMMSS notation;
20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative
start time is indicated by +N, which is N seconds from the current
time. If no start-time is specified, the current time minus one
hour (to allow for clock skew) is used.
-t
Print statistics at completion.
-v level
Set the debugging level.
-z
Ignore KSK flag on key when determining what to sign.
-3 salt
Generate a NSEC3 chain with the specified hex-encoded salt. A dash
(-) can be used to indicate that no salt is to be used when generating
the NSEC3 chain.
OPERANDS
The following operands are supported:
zonefile
The file containing the zone to be signed.
key
Specify which keys should be used to sign the zone. If no keys are
specified, then the zone will be examined for DNSKEY records at the
zone apex. If these are found and there are matching private keys
in the current directory, these will be used for signing.
EXAMPLES
Example 1 Signing a Zone with a DSA Key
The following command signs the example.com zone with the DSA key
generated in the example in the dnssec-keygen(1M) manual page
(Kexample.com.+003+17247). The zone's keys must be in the master file
(db.example.com). This invocation looks for keyset files in the current
directory, so that DS records can be generated from them (-g).
% dnssec-signzone -g -o example.com db.example.com \
    Kexample.com.+003+17247
db.example.com.signed
%
In the above example, dnssec-signzone creates the file
db.example.com.signed. This file should be referenced in a zone
statement in a named.conf file.
Example 2 Re-signing a Previously Signed Zone
The following commands re-sign a previously signed zone with default
parameters. The private keys are assumed to be in the current
directory.
% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com \
db.example.com.signed
%
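The signature timing rules described under -s, -e and -i above decide, when a previously signed zone is re-signed as in Example 2, which existing RRSIG records are kept and which are regenerated. The following Python model is an added worked example and is not part of this man page or of BIND: it applies the documented defaults (start-time = now minus one hour, end-time = start plus 30 days, cycle interval = one quarter of the lifetime), parses the three time notations, and classifies sample RRSIG expiry times. The function names and the sample timestamps are constructed for illustration; the script does not invoke dnssec-signzone or read a zone file.

```python
# Constructed model of dnssec-signzone's RRSIG timing rules (-s, -e, -i).
# Illustration only: it does not call dnssec-signzone or parse a zone file.
from datetime import datetime, timedelta, timezone

DEFAULT_LIFETIME = timedelta(days=30)   # default end-time: start + 30 days
CLOCK_SKEW = timedelta(hours=1)         # default start-time: now - 1 hour


def parse_time(spec, now, start=None):
    """Parse a -s/-e time specification.

    YYYYMMDDHHMMSS  absolute UTC time
    +N              N seconds after `start` (for -e) or after `now` (for -s)
    now+N           N seconds after the current time
    """
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        base = now if start is None else start
        return base + timedelta(seconds=int(spec[1:]))
    if len(spec) == 14 and spec.isdigit():
        return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognized time specification: {spec!r}")


def signing_window(now, start_time=None, end_time=None, interval=None):
    """Return (start, end, cycle) for one signing run, applying the defaults.

    `start_time`/`end_time` are the -s/-e strings (or None);
    `interval` is the -i value in seconds (or None for the default quarter).
    """
    start = parse_time(start_time, now) if start_time else now - CLOCK_SKEW
    end = parse_time(end_time, now, start) if end_time else start + DEFAULT_LIFETIME
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    cycle = timedelta(seconds=interval) if interval is not None else (end - start) / 4
    return start, end, cycle


def rrsig_is_retained(expiry, now, cycle):
    """An existing RRSIG is kept only if it expires after now + cycle interval."""
    return expiry > now + cycle


def plan_resign(existing_expiries, now, **window_args):
    """Split existing RRSIG expiry times into (retained, replaced) lists."""
    _, _, cycle = signing_window(now, **window_args)
    retained = [e for e in existing_expiries if rrsig_is_retained(e, now, cycle)]
    replaced = [e for e in existing_expiries if not rrsig_is_retained(e, now, cycle)]
    return retained, replaced


if __name__ == "__main__":
    # Constructed sample: the timestamp from the -s description serves as "now".
    now = parse_time("20000530144500", None)
    start, end, cycle = signing_window(now)
    print(f"start={start:%Y%m%d%H%M%S} end={end:%Y%m%d%H%M%S} cycle={cycle}")
    soon = now + timedelta(days=5)      # expires inside the 7.5-day cycle: replaced
    later = now + timedelta(days=10)    # expires after the cycle: retained
    print(plan_resign([soon, later], now))
```

With no options the model reproduces the 30-day lifetime and 7.5-day cycle stated under -i; passing -i explicitly shortens or lengthens the window in which signatures are treated as expiring soon, which is the knob to turn when the re-signing cron job runs less often than every 7.5 days.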
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │service/network/dns/bind │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │Volatile │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSO
dnssec-keygen(1M), attributes(5)
RFC 4033
See the BIND 9 Administrator's Reference Manual. As of the date of
publication of this man page, this document is available at
https://www.isc.org/software/bind/documentation.
SunOS 5.11 11 Jan 2010 dnssec-signzone(1M)