1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
5 - Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC")
6 - Copyright (C) 2000-2003 Internet Software Consortium.
8 - Permission to use, copy, modify, and/or distribute this software for any
9 - purpose with or without fee is hereby granted, provided that the above
10 - copyright notice and this permission notice appear in all copies.
12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
18 - PERFORMANCE OF THIS SOFTWARE.
21 <refentry id="man.dnssec-signzone">
23 <date>February 18, 2014</date>
27 <refentrytitle><application>dnssec-signzone</application></refentrytitle>
28 <manvolnum>8</manvolnum>
29 <refmiscinfo>BIND9</refmiscinfo>
33 <refname><application>dnssec-signzone</application></refname>
34 <refpurpose>DNSSEC zone signing tool</refpurpose>
49 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
56 <holder>Internet Software Consortium.</holder>
62 <command>dnssec-signzone</command>
63 <arg><option>-a</option></arg>
64 <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
65 <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
66 <arg><option>-D</option></arg>
67 <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
68 <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
69 <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
70 <arg><option>-g</option></arg>
71 <arg><option>-h</option></arg>
72 <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
73 <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
74 <arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
75 <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
76 <arg><option>-M <replaceable class="parameter">maxttl</replaceable></option></arg>
77 <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
78 <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
79 <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
80 <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
81 <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
82 <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
83 <arg><option>-P</option></arg>
84 <arg><option>-p</option></arg>
85 <arg><option>-R</option></arg>
86 <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
87 <arg><option>-S</option></arg>
88 <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
89 <arg><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
90 <arg><option>-t</option></arg>
91 <arg><option>-u</option></arg>
92 <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
93 <arg><option>-V</option></arg>
94 <arg><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
95 <arg><option>-x</option></arg>
96 <arg><option>-z</option></arg>
97 <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
98 <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
99 <arg><option>-A</option></arg>
100 <arg choice="req">zonefile</arg>
101 <arg rep="repeat">key</arg>
106 <title>DESCRIPTION</title>
107 <para><command>dnssec-signzone</command>
108 signs a zone. It generates
109 NSEC and RRSIG records and produces a signed version of the
110 zone. The security status of delegations from the signed zone
111 (that is, whether the child zones are secure or not) is
112 determined by the presence or absence of a
113 <filename>keyset</filename> file for each child zone.
118 <title>OPTIONS</title>
125 Verify all generated signatures.
131 <term>-c <replaceable class="parameter">class</replaceable></term>
134 Specifies the DNS class of the zone.
143 Compatibility mode: Generate a
144 <filename>keyset-<replaceable>zonename</replaceable></filename>
146 <filename>dsset-<replaceable>zonename</replaceable></filename>
147 when signing a zone, for use by older versions of
148 <command>dnssec-signzone</command>.
154 <term>-d <replaceable class="parameter">directory</replaceable></term>
157 Look for <filename>dsset-</filename> or
158 <filename>keyset-</filename> files in <option>directory</option>.
167 Output only those record types automatically managed by
168 <command>dnssec-signzone</command>, i.e. RRSIG, NSEC,
169 NSEC3 and NSEC3PARAM records. If smart signing
170 (<option>-S</option>) is used, DNSKEY records are also
171 included. The resulting file can be included in the original
172 zone file with <command>$INCLUDE</command>. This option
173 cannot be combined with <option>-O raw</option>,
174 <option>-O map</option>, or serial number updating.
180 <term>-E <replaceable class="parameter">engine</replaceable></term>
183 When applicable, specifies the hardware to use for
184 cryptographic operations, such as a secure key store used
188 When BIND is built with OpenSSL PKCS#11 support, this defaults
189 to the string "pkcs11", which identifies an OpenSSL engine
190 that can drive a cryptographic accelerator or hardware service
191 module. When BIND is built with native PKCS#11 cryptography
192 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
193 provider library specified via "--with-pkcs11".
202 Generate DS records for child zones from
203 <filename>dsset-</filename> or <filename>keyset-</filename>
204 file. Existing DS records will be removed.
210 <term>-K <replaceable class="parameter">directory</replaceable></term>
213 Key repository: Specify a directory to search for DNSSEC keys.
214 If not specified, defaults to the current directory.
220 <term>-k <replaceable class="parameter">key</replaceable></term>
223 Treat the specified key as a key-signing key, ignoring any
224 key flags. This option may be specified multiple times.
230 <term>-l <replaceable class="parameter">domain</replaceable></term>
233 Generate a DLV set in addition to the key (DNSKEY) and DS sets.
234 The domain is appended to the name of the records.
240 <term>-M <replaceable class="parameter">maxttl</replaceable></term>
243 Sets the maximum TTL for the signed zone.
244 Any TTL higher than <replaceable>maxttl</replaceable> in the
245 input zone will be reduced to <replaceable>maxttl</replaceable>
246 in the output. This provides certainty as to the largest
247 possible TTL in the signed zone, which is useful to know when
248 rolling keys because it is the longest possible time before
249 signatures that have been retrieved by resolvers will expire
250 from resolver caches. Zones that are signed with this
251 option should be configured to use a matching
252 <option>max-zone-ttl</option> in <filename>named.conf</filename>.
253 (Note: This option is incompatible with <option>-D</option>,
254 because it modifies non-DNSSEC data in the output zone.)
260 <term>-s <replaceable class="parameter">start-time</replaceable></term>
263 Specify the date and time when the generated RRSIG records
264 become valid. This can be either an absolute or relative
265 time. An absolute start time is indicated by a number
266 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
267 14:45:00 UTC on May 30th, 2000. A relative start time is
268 indicated by +N, which is N seconds from the current time.
269 If no <option>start-time</option> is specified, the current
270 time minus 1 hour (to allow for clock skew) is used.
276 <term>-e <replaceable class="parameter">end-time</replaceable></term>
279 Specify the date and time when the generated RRSIG records
280 expire. As with <option>start-time</option>, an absolute
281 time is indicated in YYYYMMDDHHMMSS notation. A time relative
282 to the start time is indicated with +N, which is N seconds from
283 the start time. A time relative to the current time is
284 indicated with now+N. If no <option>end-time</option> is
285 specified, 30 days from the start time is used as a default.
286 <option>end-time</option> must be later than
287 <option>start-time</option>.
293 <term>-X <replaceable class="parameter">extended end-time</replaceable></term>
296 Specify the date and time when the generated RRSIG records
297 for the DNSKEY RRset will expire. This is to be used in cases
298 when the DNSKEY signatures need to persist longer than
299 signatures on other records; e.g., when the private component
300 of the KSK is kept offline and the KSK signature is to be
304 As with <option>start-time</option>, an absolute
305 time is indicated in YYYYMMDDHHMMSS notation. A time relative
306 to the start time is indicated with +N, which is N seconds from
307 the start time. A time relative to the current time is
308 indicated with now+N. If no <option>extended end-time</option> is
309 specified, the value of <option>end-time</option> is used as
310 the default. (<option>end-time</option>, in turn, defaults to
311 30 days from the start time.) <option>extended end-time</option>
312 must be later than <option>start-time</option>.
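The three time options above share one notation, and their defaults chain into each other (start defaults to now minus an hour, end to start plus 30 days, extended end to end). The following is an added example, not code from BIND or from this manual, that resolves -s, -e and -X arguments exactly as the option descriptions define them; the function and constant names are this example's own.

```python
# Added example (not BIND code): resolve -s / -e / -X arguments the way
# the option descriptions define them. Function and variable names
# are this example's own.
import re
from datetime import datetime, timedelta, timezone

ABSOLUTE = re.compile(r"^\d{14}$")           # YYYYMMDDHHMMSS, UTC
RELATIVE = re.compile(r"^(now)?\+(\d+)$")    # +N or now+N, N in seconds

DEFAULT_SKEW = timedelta(hours=1)            # -s default: now minus 1 hour
DEFAULT_LIFETIME = timedelta(days=30)        # -e default: start plus 30 days


def parse_time(value, now, base):
    """Resolve one time argument to an aware UTC datetime.

    Absolute values are YYYYMMDDHHMMSS in UTC and ignore now/base.
    '+N' is N seconds after `base` (the current time for -s, the resolved
    start time for -e and -X); 'now+N' is N seconds after the current time.
    """
    if ABSOLUTE.match(value):
        return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    m = RELATIVE.match(value)
    if not m:
        raise ValueError(f"unrecognised time argument {value!r}")
    anchor = now if m.group(1) == "now" else base
    return anchor + timedelta(seconds=int(m.group(2)))


def resolve_signing_window(now, start=None, end=None, xend=None):
    """Return (start, end, extended_end) with the documented defaults.

    Raises ValueError where the manual says the combination is invalid:
    end-time and extended end-time must both be later than start-time.
    """
    start_dt = parse_time(start, now, now) if start else now - DEFAULT_SKEW
    end_dt = parse_time(end, now, start_dt) if end else start_dt + DEFAULT_LIFETIME
    x_dt = parse_time(xend, now, start_dt) if xend else end_dt
    if end_dt <= start_dt:
        raise ValueError("end-time must be later than start-time")
    if x_dt <= start_dt:
        raise ValueError("extended end-time must be later than start-time")
    return start_dt, end_dt, x_dt


def stamp(dt):
    """Render a datetime back in the YYYYMMDDHHMMSS notation used by the tool."""
    return dt.strftime("%Y%m%d%H%M%S")


if __name__ == "__main__":
    now = parse_time("20000530144500", None, None)   # constructed "current time"
    for args in ({}, {"start": "20000530144500", "end": "+86400", "xend": "now+7200"}):
        s, e, x = resolve_signing_window(now, **args)
        print(args or "defaults", "->", stamp(s), stamp(e), stamp(x))
```

Note the difference between "+N" and "now+N" for -e and -X: with a start time an hour in the past, "+86400" yields an expiry 23 hours from now, not 24.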
318 <term>-f <replaceable class="parameter">output-file</replaceable></term>
321 The name of the output file containing the signed zone. The
322 default is to append <filename>.signed</filename> to
323 the input filename. If <option>output-file</option> is
324 set to <literal>"-"</literal>, then the signed zone is
325 written to the standard output, with a default output
335 Prints a short summary of the options and arguments to
336 <command>dnssec-signzone</command>.
345 Prints version information.
351 <term>-i <replaceable class="parameter">interval</replaceable></term>
354 When a previously-signed zone is passed as input, records
355 may be resigned. The <option>interval</option> option
356 specifies the cycle interval as an offset from the current
357 time (in seconds). If an RRSIG record expires after the
358 cycle interval, it is retained. Otherwise, it is considered
359 to be expiring soon, and it will be replaced.
362 The default cycle interval is one quarter of the difference
363 between the signature end and start times. So if neither
364 <option>end-time</option> nor <option>start-time</option>
365 is specified, <command>dnssec-signzone</command>
367 signatures that are valid for 30 days, with a cycle
368 interval of 7.5 days. Therefore, if any existing RRSIG records
369 are due to expire in less than 7.5 days, they would be
376 <term>-I <replaceable class="parameter">input-format</replaceable></term>
379 The format of the input zone file.
380 Possible formats are <command>"text"</command> (default),
381 <command>"raw"</command>, and <command>"map"</command>.
382 This option is primarily intended to be used for dynamic
383 signed zones so that the dumped zone file in a non-text
384 format containing updates can be signed directly.
385 The use of this option does not make much sense for
392 <term>-j <replaceable class="parameter">jitter</replaceable></term>
395 When signing a zone with a fixed signature lifetime, all
396 RRSIG records issued at the time of signing expire
397 simultaneously. If the zone is incrementally signed, i.e.
398 a previously-signed zone is passed as input to the signer,
399 all expired signatures have to be regenerated at about the
400 same time. The <option>jitter</option> option specifies a
401 jitter window that will be used to randomize the signature
402 expire time, thus spreading incremental signature
403 regeneration over time.
406 Signature lifetime jitter also benefits validators and
407 servers to some extent by spreading out cache expiration:
408 if large numbers of RRSIGs do not expire at the same time
409 from all caches, there is less congestion than when all
410 validators need to refetch at roughly the same time.
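The -i and -j descriptions together determine which signatures of a previously signed zone are regenerated and when the new ones expire. The following is an added example, not BIND's own code, that applies both rules to constructed RRSIG data. The exact jitter distribution BIND uses is not given on this page; the example shortens the lifetime by a uniformly random amount of at most the jitter window, and all names are its own.

```python
# Added example (not BIND code): the re-signing decision described for -i and
# the expiry spreading described for -j, on constructed RRSIG data. The exact
# jitter distribution BIND uses is not given on this page; here the lifetime is
# shortened by a uniformly random amount of at most `jitter` seconds.
import random

DAY = 86400  # seconds; all times below are Unix epoch seconds


def default_cycle_interval(start, end):
    """Default -i value: one quarter of the signature validity period."""
    return (end - start) // 4


def needs_resigning(expiry, now, interval):
    """An RRSIG that expires after the cycle interval is retained;
    one expiring within it is 'expiring soon' and gets replaced."""
    return expiry <= now + interval


def jittered_expiry(expiry, jitter, rng):
    """Randomise an expiry inside a window of `jitter` seconds ending at `expiry`."""
    if jitter <= 0:
        return expiry
    return expiry - rng.randrange(jitter + 1)


def plan_resigning(rrsigs, now, start, end, interval=None, jitter=0, seed=None):
    """For each (owner, type, expiry) RRSIG from a previously signed zone,
    decide whether it is retained or replaced and, if replaced, with what expiry."""
    if interval is None:
        interval = default_cycle_interval(start, end)
    rng = random.Random(seed)
    plan = {}
    for owner, rtype, expiry in rrsigs:
        if needs_resigning(expiry, now, interval):
            plan[(owner, rtype)] = ("replace", jittered_expiry(end, jitter, rng))
        else:
            plan[(owner, rtype)] = ("retain", expiry)
    return plan


if __name__ == "__main__":
    now = 1_000_000_000                              # constructed current time
    start, end = now - 3600, now - 3600 + 30 * DAY   # the tool's defaults
    # Constructed signatures: one expiring in 3 days, one in 10 days.
    sample = [("www.example.com.", "A", now + 3 * DAY),
              ("example.com.", "SOA", now + 10 * DAY)]
    for key, decision in plan_resigning(sample, now, start, end, jitter=3600, seed=1).items():
        print(key, decision)
```

With the defaults the cycle interval is 648000 seconds (7.5 days), so the signature due in 3 days is replaced and the one due in 10 days is kept.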
416 <term>-L <replaceable class="parameter">serial</replaceable></term>
419 When writing a signed zone to "raw" or "map" format, set the
420 "source serial" value in the header to the specified serial
421 number. (This is expected to be used primarily for testing
428 <term>-n <replaceable class="parameter">ncpus</replaceable></term>
431 Specifies the number of threads to use. By default, one
432 thread is started for each detected CPU.
438 <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
441 The SOA serial number format of the signed zone.
442 Possible formats are <command>"keep"</command> (default),
443 <command>"increment"</command> and
444 <command>"unixtime"</command>.
449 <term><command>"keep"</command></term>
451 <para>Do not modify the SOA serial number.</para>
456 <term><command>"increment"</command></term>
458 <para>Increment the SOA serial number using RFC 1982
464 <term><command>"unixtime"</command></term>
466 <para>Set the SOA serial number to the number of seconds
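The three serial formats are simple on their own; what matters operationally is whether the new serial compares as "newer" under RFC 1982 arithmetic, since that is how secondaries decide to transfer the re-signed zone. The following is an added example, not BIND's code, implementing the three -N formats together with the RFC 1982 comparison; the names are this example's own, and the sample serials and time are constructed.

```python
# Added example (not BIND code): the three -N serial formats on the page,
# plus the RFC 1982 comparison that secondaries use to decide whether a new
# serial is "newer". Names are this example's own.
SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def serial_add(serial, n):
    """RFC 1982 addition: n must be in [0, 2^31), result wraps modulo 2^32."""
    if not 0 <= n < SERIAL_HALF:
        raise ValueError("increment out of RFC 1982 range")
    return (serial + n) % SERIAL_MOD


def serial_gt(a, b):
    """RFC 1982 'a is greater than b' for 32-bit serial numbers."""
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def next_soa_serial(current, fmt, now=None):
    """Apply one of the -N formats to the SOA serial of the input zone."""
    if fmt == "keep":
        return current
    if fmt == "increment":
        return serial_add(current, 1)
    if fmt == "unixtime":
        if now is None:
            raise ValueError("unixtime needs the current time")
        return now % SERIAL_MOD
    raise ValueError(f"unknown soa-serial-format {fmt!r}")


def serial_update(current, fmt, now=None):
    """Return (new_serial, propagates): whether an RFC 1982 comparison would
    treat the new serial as newer, so that secondaries pick up the change."""
    new = next_soa_serial(current, fmt, now)
    return new, serial_gt(new, current)


if __name__ == "__main__":
    # Constructed values: a date-style serial and a Unix time in February 2014.
    for fmt in ("keep", "increment", "unixtime"):
        print(fmt, serial_update(2014021801, fmt, now=1392681600))
    print("wrap", serial_update(0xFFFFFFFF, "increment"))
```

The unixtime case shows the check earning its keep: a zone whose serial is already in YYYYMMDDnn form (2014021801) is numerically larger than the current Unix time, so switching to "unixtime" produces a serial that does not compare as newer and secondaries would not transfer the re-signed zone.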
476 <term>-o <replaceable class="parameter">origin</replaceable></term>
479 The zone origin. If not specified, the name of the zone file
480 is assumed to be the origin.
486 <term>-O <replaceable class="parameter">output-format</replaceable></term>
489 The format of the output file containing the signed zone.
490 Possible formats are <command>"text"</command> (default),
491 which is the standard textual representation of the zone;
492 <command>"full"</command>, which is text output in a
493 format suitable for processing by external scripts;
494 and <command>"map"</command>, <command>"raw"</command>,
495 and <command>"raw=N"</command>, which store the zone in
496 binary formats for rapid loading by <command>named</command>.
497 <command>"raw=N"</command> specifies the format version of
498 the raw zone file: if N is 0, the raw file can be read by
499 any version of <command>named</command>; if N is 1, the file
500 can be read by release 9.9.0 or higher; the default is 1.
509 Use pseudo-random data when signing the zone. This is faster,
510 but less secure, than using real random data. This option
511 may be useful when signing large zones or when the entropy
521 Disable post-sign verification tests.
524 The post-sign verification test ensures that for each algorithm
525 in use there is at least one non-revoked self-signed KSK key,
526 that all revoked KSK keys are self-signed, and that all records
527 in the zone are signed by the algorithm.
528 This option skips these tests.
537 Remove signatures from keys that are no longer active.
540 Normally, when a previously-signed zone is passed as input
541 to the signer, and a DNSKEY record has been removed and
542 replaced with a new one, signatures from the old key
543 that are still within their validity period are retained.
544 This allows the zone to continue to validate with cached
545 copies of the old DNSKEY RRset. The <option>-Q</option> option
546 forces <command>dnssec-signzone</command> to remove
547 signatures from keys that are no longer active. This
548 enables ZSK rollover using the procedure described in
549 RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
557 Remove signatures from keys that are no longer published.
560 This option is similar to <option>-Q</option>, except that it
561 forces <command>dnssec-signzone</command> to remove signatures from
562 keys that are no longer published. This enables ZSK rollover
563 using the procedure described in RFC 4641, section 4.2.1.2
564 ("Double Signature Zone Signing Key Rollover").
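The default retention rule, -Q and -R differ only in which key state causes a still-valid signature to be dropped. The following is an added example, not BIND's code, that applies the three behaviours to constructed RRSIG records keyed by DNSKEY key tag; the names and the scenario are this example's own.

```python
# Added example (not BIND code): which signatures of a previously signed zone
# survive a re-sign under the default behaviour, -Q and -R, on constructed
# RRSIG records keyed by DNSKEY key tag. Names are this example's own.


def retain_rrsig(sig, now, active_tags, published_tags, mode="default"):
    """sig is a dict with 'keytag' and 'expiry' (Unix seconds).

    default: keep any signature still within its validity period, even if its
             key has been replaced (cached old DNSKEY RRsets keep validating);
    'Q':     also drop signatures from keys that are no longer active;
    'R':     also drop signatures from keys that are no longer published.
    """
    if sig["expiry"] <= now:
        return False                       # expired: regenerated regardless of mode
    if mode == "Q":
        return sig["keytag"] in active_tags
    if mode == "R":
        return sig["keytag"] in published_tags
    return True


def filter_signatures(rrsigs, now, active_tags, published_tags, mode="default"):
    """Return the key tags of the signatures that are retained."""
    return [s["keytag"] for s in rrsigs
            if retain_rrsig(s, now, active_tags, published_tags, mode)]


# Constructed scenario: tag 1000 is the retired ZSK, still published but no
# longer active; 2000 is the active ZSK; 3000 was removed from the zone
# entirely; the signature by 4000 has already expired.
NOW = 1_000_000_000
SAMPLE_RRSIGS = [
    {"keytag": 1000, "expiry": NOW + 5 * 86400},
    {"keytag": 2000, "expiry": NOW + 20 * 86400},
    {"keytag": 3000, "expiry": NOW + 5 * 86400},
    {"keytag": 4000, "expiry": NOW - 1},
]
ACTIVE = {2000}
PUBLISHED = {1000, 2000}

if __name__ == "__main__":
    for mode in ("default", "Q", "R"):
        print(mode, filter_signatures(SAMPLE_RRSIGS, NOW, ACTIVE, PUBLISHED, mode))
```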
569 <term>-r <replaceable class="parameter">randomdev</replaceable></term>
572 Specifies the source of randomness. If the operating
573 system does not provide a <filename>/dev/random</filename>
574 or equivalent device, the default source of randomness
575 is keyboard input. <filename>randomdev</filename>
577 the name of a character device or file containing random
578 data to be used instead of the default. The special value
579 <filename>keyboard</filename> indicates that keyboard
580 input should be used.
589 Smart signing: Instructs <command>dnssec-signzone</command> to
590 search the key repository for keys that match the zone being
591 signed, and to include them in the zone if appropriate.
594 When a key is found, its timing metadata is examined to
595 determine how it should be used, according to the following
596 rules. Each successive rule takes priority over the prior
603 If no timing metadata has been set for the key, the key is
604 published in the zone and used to sign the zone.
612 If the key's publication date is set and is in the past, the
613 key is published in the zone.
621 If the key's activation date is set and in the past, the
622 key is published (regardless of publication date) and
623 used to sign the zone.
631 If the key's revocation date is set and in the past, and the
632 key is published, then the key is revoked, and the revoked key
633 is used to sign the zone.
641 If either the key's unpublication or deletion date is set
642 and in the past, the key is NOT published or used to sign the
643 zone, regardless of any other metadata.
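Because each rule overrides the ones before it, the order of evaluation matters: an activation date publishes a key whose publication date is unset, and a past deletion date removes a key whatever else is set. The following is an added example, not BIND's code, that applies the five rules above in that order to constructed key metadata; the metadata keys and function names are this example's own.

```python
# Added example (not BIND code): the five smart-signing rules from the manual,
# applied in order so that each later rule overrides the earlier ones.
# Metadata keys and function names are this example's own; times are
# Unix epoch seconds.


def key_disposition(meta, now):
    """meta maps any of 'publish', 'activate', 'revoke', 'unpublish', 'delete'
    to a timestamp. Returns whether the key is published, used to sign,
    and marked revoked when -S examines it at time `now`."""
    def past(name):
        return name in meta and meta[name] <= now

    published = signs = revoked = False
    if not meta:                               # rule 1: no timing metadata at all
        return {"publish": True, "sign": True, "revoked": False}
    if past("publish"):                        # rule 2
        published = True
    if past("activate"):                       # rule 3: publish regardless of publish date
        published = True
        signs = True
    if past("revoke") and published:           # rule 4: revoked key still signs
        revoked = True
        signs = True
    if past("unpublish") or past("delete"):    # rule 5: wins over everything else
        published = signs = revoked = False
    return {"publish": published, "sign": signs, "revoked": revoked}


if __name__ == "__main__":
    now = 1_000_000_000   # constructed current time
    cases = {
        "no metadata": {},
        "published only": {"publish": now - 10},
        "activated, no publish date": {"activate": now - 10},
        "revoked": {"publish": now - 100, "revoke": now - 10},
        "deleted": {"publish": now - 100, "activate": now - 50, "delete": now - 1},
        "future publish": {"publish": now + 100},
    }
    for label, meta in cases.items():
        print(f"{label:28s} {key_disposition(meta, now)}")
```

A key whose only metadata is a publication date in the future is neither published nor used; that is the pre-publish state a ZSK sits in before its activation date arrives.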
652 <term>-T <replaceable class="parameter">ttl</replaceable></term>
655 Specifies a TTL to be used for new DNSKEY records imported
656 into the zone from the key repository. If not
657 specified, the default is the TTL value from the zone's SOA
658 record. This option is ignored when signing without
659 <option>-S</option>, since DNSKEY records are not imported
660 from the key repository in that case. It is also ignored if
661 there are any pre-existing DNSKEY records at the zone apex,
662 in which case new records' TTL values will be set to match
663 them, or if any of the imported DNSKEY records had a default
664 TTL value. In the event of a conflict between TTL values in
665 imported keys, the shortest one is used.
674 Print statistics at completion.
683 Update NSEC/NSEC3 chain when re-signing a previously signed
684 zone. With this option, a zone signed with NSEC can be
685 switched to NSEC3, or a zone signed with NSEC3 can
686 be switched to NSEC or to NSEC3 with different parameters.
687 Without this option, <command>dnssec-signzone</command> will
688 retain the existing chain when re-signing.
694 <term>-v <replaceable class="parameter">level</replaceable></term>
697 Sets the debugging level.
706 Only sign the DNSKEY RRset with key-signing keys, and omit
707 signatures from zone-signing keys. (This is similar to the
708 <command>dnssec-dnskey-kskonly yes;</command> zone option in
709 <command>named</command>.)
718 Ignore KSK flag on key when determining what to sign. This
719 causes KSK-flagged keys to sign all records, not just the
720 DNSKEY RRset. (This is similar to the
721 <command>update-check-ksk no;</command> zone option in
722 <command>named</command>.)
728 <term>-3 <replaceable class="parameter">salt</replaceable></term>
731 Generate an NSEC3 chain with the given hex-encoded salt.
732 A dash (<literal>-</literal>) given as the
733 <replaceable class="parameter">salt</replaceable> indicates that no salt is to be used when generating the NSEC3 chain.
739 <term>-H <replaceable class="parameter">iterations</replaceable></term>
742 When generating an NSEC3 chain, use this many iterations. The
752 When generating an NSEC3 chain set the OPTOUT flag on all
753 NSEC3 records and do not generate NSEC3 records for insecure
757 Using this option twice (i.e., <option>-AA</option>)
758 turns the OPTOUT flag off for all records. This is useful
759 when using the <option>-u</option> option to modify an NSEC3
760 chain which previously had OPTOUT set.
766 <term>zonefile</term>
769 The file containing the zone to be signed.
778 Specify which keys should be used to sign the zone. If
779 no keys are specified, then the zone will be examined
780 for DNSKEY records at the zone apex. If these are found and
781 there are matching private keys in the current directory,
782 then these will be used for signing.
791 <title>EXAMPLE</title>
793 The following command signs the <userinput>example.com</userinput>
794 zone with the DSA key generated by <command>dnssec-keygen</command>
795 (Kexample.com.+003+17247). Because the <command>-S</command> option
796 is not being used, the zone's keys must be in the master file
797 (<filename>db.example.com</filename>). This invocation looks
798 for <filename>dsset</filename> files in the current directory,
799 so that DS records can be imported from them (<command>-g</command>).
801 <programlisting>% dnssec-signzone -g -o example.com db.example.com \
802 Kexample.com.+003+17247
803 db.example.com.signed
806 In the above example, <command>dnssec-signzone</command> creates
807 the file <filename>db.example.com.signed</filename>. This
808 file should be referenced in a zone statement in a
809 <filename>named.conf</filename> file.
812 This example re-signs a previously signed zone with default parameters.
813 The private keys are assumed to be in the current directory.
815 <programlisting>% cp db.example.com.signed db.example.com
816 % dnssec-signzone -o example.com db.example.com
817 db.example.com.signed
822 <title>SEE ALSO</title>
824 <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
826 <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
827 <citetitle>RFC 4033</citetitle>, <citetitle>RFC 4641</citetitle>.
832 <title>AUTHOR</title>
833 <para><corpauthor>Internet Systems Consortium</corpauthor>