dnssec-signzone.1 (2010 09)

dnssec-signzone(1) dnssec-signzone(1)
(BIND 9.3)
-p Use pseudo-random data when signing the keys. This is faster, but less secure, than using
genuinely random data for signing. This option may be useful when there are many child zone
key sets to sign or if the entropy source is limited. It could also be used for short-lived keys
and signatures that don’t require as much protection against cryptanalysis, such as when the
key will be discarded long before it could be compromised.
-r randomdev
Override the behavior of dnssec-signzone to use random numbers to seed the process of signing
the zone. If the system does not have a /dev/random device to generate random numbers,
dnssec-signzone will prompt for keyboard input and use the time intervals between keystrokes
to provide randomness. With this option, it will use randomdev as a source of random data.
-s start-time
Specify the date and time when the generated RRSIG records become valid. start-time can be
either an absolute or a relative date. An absolute start time is indicated by a number in
YYYYMMDDhhmmss notation; for example, 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.
A relative start time is supplied when start-time is given as +N, specifying N seconds from
the current time. If -s is omitted, the default value is the current time minus 1 hour (to
allow for clock skew). See also the -e option.
-t Print the statistics at the time of completion.
-v level Set the verbosity level. As the debugging/tracing level given by level increases,
dnssec-signzone generates increasingly detailed reports about what it is doing. The default
level is 0.
-z Ignore the KSK flag on the key when determining what to sign.
Operands
dnssec-signzone has the following operands:
key A key used to sign the zone. If no keys are specified, the default is all zone keys that have
private key files in the current directory.
zonefile The name of the unsigned zone file.
EXAMPLES
This example shows how dnssec-signzone can be used to sign the example.com zone with the DSA
key that was generated in the example given in the manpage for dnssec-keygen (see
dnssec-keygen(1)). The zone’s keys must be in the zone. If there are keyset files associated
with child zones, they must be in the current directory.
$ dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160
dnssec-signzone creates a file called example.com.signed, the signed version of the
example.com zone. This file can then be referenced in a zone{} statement in /etc/named.conf so
that it can be loaded by the name server.
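The -s/-e time notation and the RRSIG validity window it produces, as an added Python example that is not part of this manpage or of BIND: it parses the absolute YYYYMMDDhhmmss and relative +N forms, applies the documented default of the current time minus one hour, and reports whether each RRSIG in a signed zone is valid, not yet valid or expired at a chosen time. The RRSIG lines (with their signature fields) are constructed sample data in the shape of example.com.signed, and the function names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Time notation accepted by dnssec-signzone -s / -e:
# absolute YYYYMMDDhhmmss (UTC) or +N seconds relative to "now".
ABS_FMT = "%Y%m%d%H%M%S"

def parse_signzone_time(value, now):
    """Return a UTC datetime for an absolute or +N time.
    None stands for an omitted -s and yields now minus 1 hour
    (the documented default, allowing for clock skew)."""
    if value is None:
        return now - timedelta(hours=1)
    if value.startswith("+"):
        return now + timedelta(seconds=int(value[1:]))
    if not re.fullmatch(r"\d{14}", value):
        raise ValueError("expected YYYYMMDDhhmmss or +N: %r" % value)
    return datetime.strptime(value, ABS_FMT).replace(tzinfo=timezone.utc)

# Constructed sample RRSIG lines in the shape dnssec-signzone writes to example.com.signed
# (algorithm 3 = DSA, key tag 26160 as in the manpage example; signatures are placeholders).
# Fields: owner ttl class RRSIG type alg labels orig-ttl expiration inception keytag signer sig
SIGNED_ZONE = """\
example.com. 3600 IN RRSIG SOA 3 2 3600 20000629134500 20000530134500 26160 example.com. AAAA==
example.com. 3600 IN RRSIG NS 3 2 3600 20000610000000 20000530134500 26160 example.com. BBBB==
www.example.com. 3600 IN RRSIG A 3 3 3600 20000629134500 20000601000000 26160 example.com. CCCC==
"""

def rrsig_status(zone_text, at):
    """Map (owner, covered type) -> 'valid', 'not yet valid' or 'expired' at time `at`."""
    result = {}
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        expiration = parse_signzone_time(f[8], at)
        inception = parse_signzone_time(f[9], at)
        if at < inception:
            state = "not yet valid"
        elif at > expiration:
            state = "expired"
        else:
            state = "valid"
        result[(f[0], f[4])] = state
    return result

if __name__ == "__main__":
    # Check the sample zone at the time used in the -s description (14:45:00 UTC, 2000-05-30).
    check_time = parse_signzone_time("20000530144500", None)
    for key, state in sorted(rrsig_status(SIGNED_ZONE, check_time).items()):
        print(key, state)
```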
AUTHOR
dnssec-signzone was developed by the Internet Systems Consortium (ISC).
FILES
/dev/random
SEE ALSO
dnssec-keygen(1).
Requests for Comments (RFC): 2535, available online at
http://www.rfc-editor.org/.
HP-UX IP Address and Client Management Administrator’s Guide, available online at
http://www.hp.com/go/hpux-networking-docs.
BIND 9 Administrator Reference Manual, available from the Internet Systems Consortium at
http://www.isc.org/sw/bind/arm93.
Hewlett-Packard Company - 2 - HP-UX 11i Version 3: September 2010