HP-UX Reference (11i v1 05/09) - 1 User Commands A-M (vol 1)

dnssec-signzone(1) dnssec-signzone(1)
NAME
dnssec-signzone - DNSSEC zone signing tool
SYNOPSIS
dnssec-signzone [-a] [-c cycle-time] [-e end-time] [-f output-file] [-o origin] [-p]
                [-r randomdev] [-s start-time] [-v level] zonefile keyfile ...
DESCRIPTION
dnssec-signzone is used to sign a zone. Any .signedkey files for the zone to be signed should be
present in the current directory, along with the keys that will be used to sign the zone.
Arguments
zonefile This is the name of the unsigned zone file.
keyfile If no keyfile arguments are supplied, the default behaviour is to use all of the zone's keys
that are present in the current directory. Providing specific keyfile arguments constrains
dnssec-signzone to only use those keys for signing the zone. Each keyfile argument
would be an identification string for a key created with dnssec-keygen.
If the zone to be signed has any secure subzones, the .signedkey files for those subzones need to be
available in the current working directory used by dnssec-signzone.
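The argument rules above are easy to get wrong in a deployment script (a key whose .private half is missing, a subzone .signedkey file left in another directory). The following Python pre-flight check is an added example and is not part of the HP-UX manual or of dnssec-signzone itself. It assumes the Kname.+alg+id.key / .private file pair that dnssec-keygen writes; the key id, zone name and the 30-day -e value are constructed for the demonstration, and the .signedkey file names for subzones are passed in by the caller because this page does not state how they are named.

```python
import os

def key_pair_present(keyid, present):
    """dnssec-keygen writes <keyid>.key and <keyid>.private; both are needed to sign."""
    return keyid + ".key" in present and keyid + ".private" in present

def check_inputs(zonefile, keyids, present, required_files=()):
    """Return a list of problems; an empty list means dnssec-signzone can be run.

    present is the set of file names in the current working directory, since the
    page requires the zone file, the keys and any .signedkey files to live there.
    """
    problems = []
    if zonefile not in present:
        problems.append("zone file missing: %s" % zonefile)
    for keyid in keyids:
        if not key_pair_present(keyid, present):
            problems.append("key pair incomplete: %s (need .key and .private)" % keyid)
    for path in required_files:            # e.g. .signedkey files of secure subzones
        if path not in present:
            problems.append("required file missing: %s" % path)
    return problems

def build_signzone_argv(zonefile, origin, keyids, present, end_time="+2592000",
                        verify=True, required_files=()):
    """Assemble the dnssec-signzone command line, refusing to run half-prepared.

    end_time defaults to +2592000 (30 days after the SIG start time) as a
    constructed example value; verify=True adds -a so the generated signatures
    are checked instead of trusted blindly.
    """
    problems = check_inputs(zonefile, keyids, present, required_files)
    if problems:
        raise FileNotFoundError("; ".join(problems))
    argv = ["dnssec-signzone"]
    if verify:
        argv.append("-a")
    argv += ["-o", origin, "-e", end_time, zonefile]
    # An empty keyids list leaves the tool to pick up every key in the cwd,
    # which is the page's default; listing keys restricts signing to exactly those.
    argv += list(keyids)
    return argv

if __name__ == "__main__":
    present = set(os.listdir("."))
    try:
        print(" ".join(build_signzone_argv("example.com.zone", "example.com",
                                           ["Kexample.com.+005+12345"], present)))
    except FileNotFoundError as err:
        print("not ready to sign:", err)
```

Running the check before the real invocation means a missing .private file stops the script instead of producing a zone signed with a subset of the intended keys.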
Options
-a This option is used to force verification of the signatures generated by dnssec-signzone.
By default the signature files are not verified.
-c cycle-time
This option is used to configure the cycle period which is used for resigning records when a
previously signed zone is passed as input to dnssec-signzone. The cycle period is an
offset from the current time (in seconds). If a SIG record expires after the cycle period, it is
retained. Otherwise, it is considered to be expiring soon, and dnssec-signzone will
remove it and generate a new SIG record to replace it.
-e end-time
This option is used to set the expiration time for the SIG records. The expiration time
specifies when the SIG records are no longer valid, not when they are deleted from caches
on name servers. end-time can represent an absolute or relative date.
The YYYYMMDDHHMMSS notation is used to indicate an absolute date and time.
When end-time is +N, it indicates that the SIG records will expire N seconds after their
start time.
-f output-file
This option is used to override the default signed zone file name, zonefile.signed,
used by dnssec-signzone.
-o origin
This option is used to specify the fully qualified domain origin for the zone. This option is
used only when the zone file name and the name of the zone are identical.
-p This option instructs dnssec-signkey to use pseudo-random data when signing the
keys. This is faster, but less secure, than using genuinely random data for signing. This
option may be useful when there are many child zone key sets to sign or if the entropy
source is limited. It could also be used for short-lived keys and signatures that don’t
require as much protection against cryptanalysis, such as when the key will be discarded
long before it could be compromised.
-r randomdev
This option overrides the behaviour of dnssec-signzone to use random numbers to
seed the process of signing the zone. If the system does not have a /dev/random device
to generate random numbers, the dnssec-signzone program will prompt for keyboard
input and use the time intervals between keystrokes to provide randomness. With this
option, it will use randomdev as a source of random data.
-s start-time
This option is used to specify the date and time when the generated SIG records become
valid. start-time can be either an absolute or a relative date.
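The -s, -e and -c options all operate on the same time notation, and the interaction between them (a relative -e counts from the SIG start time, while -c is an offset from the current time) decides which signatures survive a re-signing run. The following Python model is an added example, not code from the HP-UX manual or from dnssec-signzone; it assumes absolute YYYYMMDDHHMMSS values are UTC (the page gives only the format), and the timestamps in the demo are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y%m%d%H%M%S"                 # the YYYYMMDDHHMMSS notation
ABSOLUTE = re.compile(r"^\d{14}$")
RELATIVE = re.compile(r"^\+(\d+)$")       # +N seconds

def _parse_abs(value):
    # Assumption of this example: absolute times are read as UTC.
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)

def resolve_time(value, base):
    """Resolve one -s/-e argument to a datetime.

    base is what a relative '+N' counts from: the current time for -s,
    the signature start time for -e (the page says -e +N means
    N seconds after the SIG start time).
    """
    if ABSOLUTE.match(value):
        return _parse_abs(value)
    m = RELATIVE.match(value)
    if m:
        return base + timedelta(seconds=int(m.group(1)))
    raise ValueError("time argument must be YYYYMMDDHHMMSS or +N: %r" % value)

def sig_window(start_arg, end_arg, now):
    """Return (inception, expiration) as YYYYMMDDHHMMSS strings, or fail on an empty window."""
    start = resolve_time(start_arg, _parse_abs(now))
    end = resolve_time(end_arg, start)
    if end <= start:
        raise ValueError("end-time %s is not after start-time %s"
                         % (end.strftime(TIME_FMT), start.strftime(TIME_FMT)))
    return start.strftime(TIME_FMT), end.strftime(TIME_FMT)

def needs_resign(sig_expiration, now, cycle_seconds):
    """-c rule: a SIG that expires after now + cycle is retained; anything
    expiring at or before that horizon counts as expiring soon and is replaced."""
    horizon = _parse_abs(now) + timedelta(seconds=cycle_seconds)
    return _parse_abs(sig_expiration) <= horizon

def resign_plan(sig_expirations, now, cycle_seconds):
    """Split a previously signed zone's SIG expirations into kept and regenerated."""
    keep, redo = [], []
    for exp in sig_expirations:
        (redo if needs_resign(exp, now, cycle_seconds) else keep).append(exp)
    return keep, redo

if __name__ == "__main__":
    NOW = "20050901000000"   # constructed "current time" for the demo
    print(sig_window("+0", "+2592000", NOW))          # valid now, 30 days
    print(resign_plan(["20050901100000", "20051001000000"], NOW, 86400))
```

The boundary case matters operationally: with a one-day cycle, a SIG expiring exactly 24 hours from now is regenerated, not kept, so the cycle period should be chosen longer than the interval between re-signing runs or signatures will lapse between them.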
Section 1190 Hewlett-Packard Company 1 HP-UX 11i Version 1: September 2005