HP-UX Reference (11i v2 03/08) - 1 User Commands A-M (vol 1)

dnssec-signzone(1) dnssec-signzone(1)
NAME
dnssec-signzone - DNSSEC zone signing tool
SYNOPSIS
dnssec-signzone [-a] [-c cycle-time] [-d directory] [-e end-time] [-f output-file] [-h]
                [-i interval] [-n ncpus] [-o origin] [-p] [-r randomdev] [-s start-time] [-t]
                [-v level] zonefile keyfile ...
DESCRIPTION
dnssec-signzone is used to sign a zone. Any .signedkey files for the zone to be signed should be
present in the current directory, along with the keys that will be used to sign the zone.
Arguments
zonefile This is the name of the unsigned zone file.
keyfile If no keyfile arguments are supplied, the default behaviour is to use all of the zone's keys
that are present in the current directory. Providing specific keyfile arguments constrains
dnssec-signzone to only use those keys for signing the zone. Each keyfile argument
would be an identification string for a key created with dnssec-keygen.
If the zone to be signed has any secure subzones, the .signedkey files for those subzones need to be
available in the current working directory used by dnssec-signzone.
Options
-a This option is used to force verification of the signatures generated by dnssec-signzone.
By default the signature files are not verified.
-c cycle-time
This option is used to configure the cycle period which is used for resigning records when
a previously signed zone is passed as input to dnssec-signzone. The cycle period is
an offset from the current time (in seconds). If a SIG record expires after the cycle
period, it is retained. Otherwise, it is considered to be expiring soon, and
dnssec-signzone will remove it and generate a new SIG record to replace it.
-d directory
This option is used to look for .signedkey files in directory instead of the current working directory.
-e end-time
This option is used to set the expiration time for the SIG records. The expiration time
specifies when the SIG records are no longer valid, not when they are deleted from caches
on name servers. end-time can represent an absolute or relative date.
The YYYYMMDDHHMMSS notation is used to indicate an absolute date and time.
When end-time is +N, it indicates that the SIG records will expire N seconds after
their start time.
-f output-file
This option is used to override the use of the default signed zone file,
zonefile.signed, by dnssec-signzone.
-h This option is used to print a short summary of the options and arguments to dnssec-signzone.
-i interval
When a previously signed zone is passed as input, records may be resigned. The interval
option specifies the cycle interval as an offset from the current time (in seconds). If a SIG
record expires after the cycle interval, it is retained. Otherwise, it is considered to be
expiring soon, and it will be replaced.
The default cycle interval is one quarter of the difference between the signature end and
start times. So if neither end-time nor start-time is specified, dnssec-signzone generates
signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore,
if any existing SIG records are due to expire in less than 7.5 days, they would be
replaced.
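The -c, -e and -i descriptions above define one rule: a SIG record is kept only if it expires after now plus the cycle interval, and the interval defaults to a quarter of the signature validity window. The following script is an added illustration of that rule, not code from HP-UX or from the BIND distribution; the function names, the sample zone names and the timestamps are constructed for the example. It shows how an operator can predict which signatures a resign run will replace, which is useful when planning how often to run the tool so that no signature in a cache expires before it is replaced.

```python
from datetime import datetime, timedelta

# All times in this example are naive datetimes interpreted as UTC.

def parse_end_time(spec: str, start: datetime) -> datetime:
    """Interpret an end-time argument as the man page describes it.

    "+N"            -> N seconds after the signature start time
    "YYYYMMDDHHMMSS" -> an absolute date and time
    """
    if spec.startswith("+"):
        return start + timedelta(seconds=int(spec[1:]))
    return datetime.strptime(spec, "%Y%m%d%H%M%S")


def default_cycle_interval(start: datetime, end: datetime) -> timedelta:
    """Default cycle interval: one quarter of (end - start)."""
    return (end - start) / 4


def should_replace(sig_expiry: datetime, now: datetime, cycle: timedelta) -> bool:
    """A SIG that expires after now + cycle is retained; anything else is
    considered to be expiring soon and is replaced."""
    return sig_expiry <= now + cycle


def plan_resign(sigs, now: datetime, cycle: timedelta) -> dict:
    """Map each (owner name, SIG expiry) pair to "keep" or "replace"."""
    return {
        owner: ("replace" if should_replace(expiry, now, cycle) else "keep")
        for owner, expiry in sigs
    }


def demo() -> dict:
    # Constructed scenario: signatures started on 2003-08-01, default 30-day
    # validity (end-time "+2592000"), resign run at the start time.
    start = datetime(2003, 8, 1, 0, 0, 0)
    end = parse_end_time("+2592000", start)          # 30 days later
    cycle = default_cycle_interval(start, end)        # 7.5 days
    # Constructed sample SIG expiries for three owner names in the zone.
    sigs = [
        ("www.example.",  start + timedelta(days=3)),            # expiring soon
        ("mail.example.", start + timedelta(days=20)),           # still fresh
        ("edge.example.", start + timedelta(days=7, hours=12)),  # exactly at the boundary
    ]
    return plan_resign(sigs, now=start, cycle=cycle)


if __name__ == "__main__":
    for owner, action in demo().items():
        print(f"{owner:15} {action}")
```

Passing an explicit -c or -i value corresponds to calling plan_resign with cycle=timedelta(seconds=N) instead of the computed default; the boundary case in the demo shows that a signature expiring exactly at now + cycle is not "after" the cycle period and is therefore replaced.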
-n ncpus This option can be used to create worker threads equal to ncpus to take advantage of
multiple CPUs. If no option is given, named will try to determine the number of CPUs
present and create one thread per CPU.
HP-UX 11i Version 2: August 2003 1 Hewlett-Packard Company Section 1189