HP-UX Reference (11i v3 07/02) - 1 User Commands A-M (vol 1)
dnssec-signzone(1) dnssec-signzone(1)
(BIND 9.3)
NAME
dnssec-signzone - DNSSEC zone signing tool
SYNOPSIS
dnssec-signzone [-aghptz] [-c class] [-d directory] [-e end-time] [-f output-file] [-k key]... [-l domain] [-i interval] [-n nthreads] [-o origin] [-r randomdev] [-s start-time] [-v level] zonefile key...
DESCRIPTION
dnssec-signzone is used to sign a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a keyset file for each child zone.

If the zone to be signed has any secure subzones, the .signedkey files for those subzones need to be available in the current working directory used by dnssec-signzone.
Options
dnssec-signzone
has the following options:
-a  Force verification of the signatures generated by dnssec-signzone. By default, the signature files are not verified.
-c class
    Specify the DNS class of the zone.
-d directory
    Look for keyset files in directory. The default is the current directory.
-e end-time
    Set the expiration time for the RRSIG records. As with the start-time, end-time can represent an absolute or relative date. Use the YYYYMMDDhhmmss notation to indicate absolute date and time and the +N notation for relative time. When end-time is +N, it indicates that the RRSIG records will expire N seconds after their start time. A time relative to the current time is indicated with now+N. If -e is omitted, the default is 30 days from the start time. See also the -s option.
-f output-file
    Override the use of the default signed zone file, zonefile.signed.
-g  Generate DS records for child zones from keyset files. Existing DS records will be removed.
-h  Print a short summary of the dnssec-signzone options and operands.
-i interval
    When a previously signed zone is passed as input, records may be re-signed. The -i option specifies the cycle interval as an offset from the current time (in seconds). If an RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.

    The default cycle interval is one quarter of the difference between the signature end and start times. So if neither -s nor -e is specified, dnssec-signzone generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced.
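As an added illustration (not BIND code and not part of this manual), the following Python models how the -e end-time notations and the -i cycle interval described above combine to decide whether an existing RRSIG is retained or re-signed. The function and parameter names are assumptions of this example; the start time is passed in as a datetime rather than parsed from -s.

```python
import re
from datetime import datetime, timedelta

# Added example (not BIND's code): models how dnssec-signzone derives the
# RRSIG validity window from the start time and -e, and the re-signing
# cycle from -i, as described in the man page text above.

DEFAULT_VALIDITY = timedelta(days=30)   # used when -e is omitted

def parse_end_time(spec, now, start):
    """Parse an -e argument: YYYYMMDDhhmmss (absolute; naive UTC assumed here),
    +N (N seconds after the signature start time) or now+N (N seconds after
    the current time)."""
    m = re.fullmatch(r"(now)?\+(\d+)", spec)
    if m:
        base = now if m.group(1) else start
        return base + timedelta(seconds=int(m.group(2)))
    if re.fullmatch(r"\d{14}", spec):
        return datetime.strptime(spec, "%Y%m%d%H%M%S")
    raise ValueError(f"unrecognised end-time: {spec!r}")

def signing_window(now, start=None, end_spec=None, interval_secs=None):
    """Return (start, end, cycle_interval). Without -i the cycle interval is
    one quarter of (end - start); with neither -s nor -e that is 30 days / 4,
    i.e. 7.5 days."""
    start = start or now
    end = parse_end_time(end_spec, now, start) if end_spec else start + DEFAULT_VALIDITY
    if end <= start:                      # sanity check added in this example
        raise ValueError("end-time must be after start-time")
    cycle = timedelta(seconds=interval_secs) if interval_secs is not None else (end - start) / 4
    return start, end, cycle

def will_be_replaced(rrsig_expiry, now, cycle):
    """An RRSIG that expires after now + cycle interval is retained; one that
    expires at or before that point is 'expiring soon' and gets re-signed."""
    return rrsig_expiry <= now + cycle

if __name__ == "__main__":
    now = datetime(2007, 2, 1)                        # constructed sample time
    s, e, c = signing_window(now)
    print(f"default window: {s} -> {e}, cycle interval {c}")
    for days in (5, 10):
        exp = now + timedelta(days=days)
        print(f"RRSIG expiring in {days} days replaced: {will_be_replaced(exp, now, c)}")
```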
-k key
    Treat key as a key-signing key, ignoring any key flags. This option may be specified multiple times.
-l domain
    Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
-n ncpus
    Specify the number of CPUs to create threads for. By default, one thread is started for each detected CPU.
-o origin
    Specify the zone origin. If not specified, the zone origin defaults to the name of the zone file.
HP-UX 11i Version 3: February 2007 − 1 − Hewlett-Packard Company 235