dnssec-signzone.1 (2010 09)

dnssec-signzone(1)                     (BIND 9.3)                     dnssec-signzone(1)
NAME
dnssec-signzone - DNSSEC zone signing tool
SYNOPSIS
dnssec-signzone [-aghptz] [-c class] [-d directory] [-e end-time] [-f output-file]
[-k key]... [-l domain] [-i interval] [-n nthreads] [-o origin] [-r randomdev]
[-s start-time] [-v level] zonefile key...
DESCRIPTION
dnssec-signzone is used to sign a zone. It generates NSEC and RRSIG records and
produces a signed version of the zone. The security status of delegations from the
signed zone (that is, whether the child zones are secure or not) is determined by
the presence or absence of a keyset file for each child zone.

If the zone to be signed has any secure subzones, the .signedkey files for those
subzones need to be available in the current working directory used by
dnssec-signzone.
OPTIONS
dnssec-signzone has the following options:
-a Force verification of the signatures generated by dnssec-signzone. By default,
the signature files are not verified.
-c class Specify the DNS class of the zone.
-d directory
Look for keyset files in directory. The default is the current directory.
-e end-time
Set the expiration time for the RRSIG records. As with the start-time, end-time can
represent an absolute or relative date. Use the YYYYMMDDhhmmss notation to indicate
an absolute date and time and the +N notation for relative time. When end-time is
+N, it indicates that the RRSIG records will expire N seconds after their start
time. A time relative to the current time is indicated with now+N. If -e is
omitted, the default is 30 days from the start time. See also the -s option.
-f output-file
Override the use of the default signed zone file, zonefile.signed.
-g Generate DS records for child zones from keyset files. Existing DS records will be removed.
-h Print a short summary of the dnssec-signzone options and operands.
-i interval
When a previously signed zone is passed as input, records may be re-signed. The -i
option specifies the cycle interval as an offset from the current time (in seconds).
If an RRSIG record expires after the cycle interval, it is retained. Otherwise, it
is considered to be expiring soon, and it will be replaced.

The default cycle interval is one quarter of the difference between the signature
end and start times. So if neither -s nor -e is specified, dnssec-signzone
generates signatures that are valid for 30 days, with a cycle interval of 7.5
days. Therefore, if any existing RRSIG records are due to expire in less than 7.5
days, they would be replaced.
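The -e time notation and the -i retention rule above are easy to get wrong when planning a re-signing schedule. The following is an added example, not BIND's own code: it models the YYYYMMDDhhmmss / +N / now+N parsing and the cycle-interval cutoff to predict which existing RRSIGs a run would retain or replace. It assumes the signature start defaults to the current time when -s is absent (the -s default is not described on this page), and the RRSIG expirations are constructed sample data.

```python
"""Added example (not BIND's own code): model the -s/-e time notation and the
-i cycle-interval rule to predict which RRSIGs a re-signing run keeps."""
import re
from datetime import datetime, timedelta, timezone

ABSOLUTE = re.compile(r"^\d{14}$")  # YYYYMMDDhhmmss

def parse_time(spec, now, start=None):
    """YYYYMMDDhhmmss = absolute (read as UTC); now+N = N seconds after the
    current time; +N = N seconds after the signature start time."""
    if ABSOLUTE.match(spec):
        return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        if start is None:
            raise ValueError("+N is relative to a start time")
        return start + timedelta(seconds=int(spec[1:]))
    raise ValueError(f"unrecognised time spec: {spec!r}")

def signature_window(now, start_spec=None, end_spec=None):
    """Start defaults to now (an assumption of this model, not from the page);
    end defaults to 30 days after start, as the -e description says."""
    start = parse_time(start_spec, now) if start_spec else now
    end = parse_time(end_spec, now, start) if end_spec else start + timedelta(days=30)
    return start, end

def cycle_interval(start, end, interval_secs=None):
    """-i interval in seconds, else one quarter of (end - start)."""
    if interval_secs is not None:
        return timedelta(seconds=interval_secs)
    return (end - start) / 4

def plan_resign(rrsigs, now, start_spec=None, end_spec=None, interval_secs=None):
    """rrsigs maps owner name -> expiration of its existing RRSIG. Returns
    owner -> 'retain' (expires after now + interval) or 'replace'."""
    start, end = signature_window(now, start_spec, end_spec)
    cutoff = now + cycle_interval(start, end, interval_secs)
    return {o: "retain" if exp > cutoff else "replace" for o, exp in rrsigs.items()}

# Constructed sample: three RRSIGs from an earlier run, re-examined on 2010-09-15.
NOW = datetime(2010, 9, 15, tzinfo=timezone.utc)
SAMPLE_RRSIGS = {
    "www.example.": parse_time("20101010000000", NOW),   # well past the cutoff: retained
    "mail.example.": parse_time("20100920000000", NOW),  # inside 7.5 days: replaced
    "ns.example.": parse_time("20100922120000", NOW),    # exactly on the cutoff: replaced
}
```

With the defaults the cutoff is 2010-09-22 12:00 UTC; passing end_spec="+1209600" (14 days) shrinks the cycle to 3.5 days so every sample RRSIG is kept, while interval_secs=20 * 86400 moves the cutoff to 2010-10-05 and keeps only www.example.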
-k key Treat key as a key-signing key, ignoring any key flags. This option may be
specified multiple times.
-l domain
Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is
appended to the name of the records.
-n ncpus Specify the number of CPUs to create threads for. By default, one thread
is started for each detected CPU.
-o origin
Specify the zone origin. If not specified, the zone origin defaults to the name of the zone file.
HP-UX 11i Version 3: September 2010 1 Hewlett-Packard Company 1