1 <!-- Creator : groff version 1.20.1 -->
2 <!-- CreationDate: Tue Aug 4 21:33:41 2009 -->
3 <!DOCTYPE html PUBLIC
"-//W3C//DTD HTML 4.01 Transitional//EN"
4 "http://www.w3.org/TR/html4/loose.dtd">
7 <meta name=
"generator" content=
"groff -Thtml, see www.gnu.org">
8 <meta http-equiv=
"Content-Type" content=
"text/html; charset=US-ASCII">
9 <meta name=
"Content-Style" content=
"text/css">
10 <style type=
"text/css">
11 p
{ margin-top: 0; margin-bottom: 0; vertical-align: top
}
12 pre
{ margin-top: 0; margin-bottom: 0; vertical-align: top
}
13 table
{ margin-top: 0; margin-bottom: 0; vertical-align: top
}
14 h1
{ text-align: center
}
16 <title>dnssec-signer
</title>
21 <h1 align=
"center">dnssec-signer
</h1>
23 <a href=
"#NAME">NAME
</a><br>
24 <a href=
"#SYNOPSYS">SYNOPSYS
</a><br>
25 <a href=
"#DESCRIPTION">DESCRIPTION
</a><br>
26 <a href=
"#OPTIONS">OPTIONS
</a><br>
27 <a href=
"#SAMPLE USAGE">SAMPLE USAGE
</a><br>
28 <a href=
"#Zone setup and initial preparation">Zone setup and initial preparation
</a><br>
29 <a href=
"#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES
</a><br>
30 <a href=
"#FILES">FILES
</a><br>
31 <a href=
"#BUGS">BUGS
</a><br>
32 <a href=
"#AUTHORS">AUTHORS
</a><br>
33 <a href=
"#COPYRIGHT">COPYRIGHT
</a><br>
34 <a href=
"#SEE ALSO">SEE ALSO
</a><br>
44 <p style=
"margin-left:11%; margin-top: 1em">dnssec-signer
45 — Secure DNS zone signing tool
</p>
48 <a name=
"SYNOPSYS"></a>
53 <p style=
"margin-left:11%; margin-top: 1em"><b>dnssec-signer
</b>
54 [
<b>−L|--logfile
</b> <i>file
</i>]
55 [
<b>−V|--view
</b> <i>view
</i>] [
<b>−c
</b>
56 <i>file
</i>] [
<b>−fhnr
</b>] [
<b>−v
</b>
57 [
<b>−v
</b>]]
<b>−N
</b> <i>named.conf
</i>
58 [
<i>zone ...
</i>]
<b><br>
59 dnssec-signer
</b> [
<b>−L|--logfile
</b> <i>file
</i>]
60 [
<b>−V|--view
</b> <i>view
</i>] [
<b>−c
</b>
61 <i>file
</i>] [
<b>−fhnr
</b>] [
<b>−v
</b>
62 [
<b>−v
</b>]] [
<b>−D
</b> <i>directory
</i>]
63 [
<i>zone ...
</i>]
<b><br>
64 dnssec-signer
</b> [
<b>−L|--logfile
</b> <i>file
</i>]
65 [
<b>−V|--view
</b> <i>view
</i>] [
<b>−c
</b>
66 <i>file
</i>] [
<b>−fhnr
</b>] [
<b>−v
</b>
67 [
<b>−v
</b>]]
<b>−o
</b> <i>origin
</i>
71 <a name=
"DESCRIPTION"></a>
75 <p style=
"margin-left:11%; margin-top: 1em">The
76 <i>dnssec-signer
</i> command is a wrapper around
77 <i>dnssec-signzone(
8)
</i> and
<i>dnssec-keygen(
8)
</i> to
78 sign a zone and manage the necessary zone keys. It is able
79 to increment the serial number before signing the zone and
80 can trigger
<i>named(
8)
</i> to reload the signed zone file.
81 The command controls several secure zones and, if started in
82 regular intervals via
<i>cron(
8)
</i>, can do all that stuff
85 <p style=
"margin-left:11%; margin-top: 1em">In the most
86 useful usage scenario the command will be called with option
87 <b>−N
</b> to read the secure zones out of the given
88 <i>named.conf
</i> file. If you have a configuration file
89 with views, you have to use option -V viewname or --view
90 viewname to specify the name of the view. Alternatively you
91 could link the executable file to a second name like
92 <i>dnssec-signer-viewname
</i> and use that command to
93 specify the name of the view. All master zone statements
94 will be scanned for filenames ending with
95 ".signed
". These zones will be checked if the
96 necessary zone- and key signing keys are existent and fresh
97 enough to be used in the signing process. If one or more
98 out-dated keys are found, new keying material will be
99 generated via the
<i>dnssec-keygen(
8)
</i> command and the
100 old keys will be marked as depreciated. So the command do
101 anything needed for a zone key rollover as defined by
104 <p style=
"margin-left:11%; margin-top: 1em">If the
105 resigning interval is reached or any new key must be
106 announced, the serial number of the zone will be incremented
107 and the
<i>dnssec-signzone(
8)
</i> command will be evoked to
108 sign the zone. After that, if the option
<b>−r
</b> is
109 given, the
<i>rndc(
8)
</i> command will be called to reload
110 the zone on the nameserver.
</p>
112 <p style=
"margin-left:11%; margin-top: 1em">In the second
113 form of the command it is possible to specify a directory
114 tree with the option
<b>−D
</b> <i>dir
</i>. Every
115 secure zone found in a subdirectory below
<i>dir
</i> will be
116 signed. However, it is also possible to reduce the signing
117 to those zones given as arguments. In directory mode the
118 pre-requisite is, that the directory name is exactly
119 (including the trailing dot) the same as the zone name.
</p>
121 <p style=
"margin-left:11%; margin-top: 1em">In the last
122 form of the command, the functionality is more or less the
123 same as the
<i>dnssec-signzone (
8)
</i> command. The
124 parameter specifies the zone file name and the option
125 <b>−o
</b> takes the name of the zone.
</p>
127 <p style=
"margin-left:11%; margin-top: 1em">If neither
128 <b>−N
</b> nor
<b>−D
</b> nor
<b>−o
</b> is
129 given, then the default directory specified in the
130 <i>dnssec.conf
</i> file by the parameter
<i>zonedir
</i> will
131 be used as top level directory.
</p>
134 <a name=
"OPTIONS"></a>
139 <p style=
"margin-left:11%; margin-top: 1em"><b>−L
</b>
141 −−logfile=
</b><i>file|dir
</i></p>
143 <p style=
"margin-left:22%;">Specify the name of a log file
144 or a directory where logfiles are created with a name like
145 zkt-
<i>YYYY-MM-DD
</i>T
<i>hhmmss
</i>Z.log
<i>.
</i> If the
146 argument is not an absolute path name and a zone directory
147 is specified in the config file, this will be prepended to
148 the given name. This option is also settable in the
149 dnssec.conf file via the parameter
<b>LogFile
</b><i>.
</i>
151 The default is no file logging, but error logging to syslog
152 with facility
<b>USER
</b> at level
<b>ERROR
</b> is enabled
153 by default. These parameters are settable via the config
154 file parameter
<b>SyslogFacility:
</b><i>,
</i>
155 <b>SyslogLevel:
</b><i>,
</i> <b>LogFile:
</b> and
156 <b>Loglevel
</b><i>.
</i> <br>
157 There is an additional parameter
<b>VerboseLog:
</b> which
158 specifies the verbosity (
0|
1|
2) of messages that will be
159 logged with level
<b>DEBUG
</b> to file and syslog.
</p>
161 <p style=
"margin-left:11%;"><b>−V
</b> <i>view
</i><b>,
162 −−view=
</b><i>view
</i></p>
164 <p style=
"margin-left:22%;">Try to read the default
165 configuration out of a file named
166 <i>dnssec-
<view
>.conf .
</i> Instead of specifying the
167 −V or --view option every time, it is also possible to
168 create a hard- or softlink to the executable file with an
169 additional name like
<i>dnssec-zkt-
<view
> .
</i></p>
171 <p style=
"margin-left:11%;"><b>−c
</b> <i>file
</i><b>,
172 −−config=
</b><i>file
</i></p>
174 <p style=
"margin-left:22%;">Read configuration values out
175 of the specified file. Otherwise the default config file is
176 read or build-in defaults will be used.
</p>
178 <p style=
"margin-left:11%;"><b>−O
</b>
180 −−config-option=
</b><i>optstr
</i></p>
182 <p style=
"margin-left:22%;">Set any config file option via
183 the commandline. Several config file options can be
184 specified via the argument string but have to be delimited
185 by semicolon (or newline).
</p>
187 <p style=
"margin-left:11%;"><b>−f
</b>,
188 <b>−−force
</b></p>
190 <p style=
"margin-left:22%;">Force a resigning of the zone,
191 regardless if the resigning interval is reached, or any new
192 keys must be announced.
</p>
194 <p style=
"margin-left:11%;"><b>−n
</b>,
195 <b>−−noexec
</b></p>
197 <p style=
"margin-left:22%;">Don
’t execute the
198 <i>dnssec-signzone(
8)
</i> command. Currently this option is
199 of very limited usage.
</p>
201 <p style=
"margin-left:11%;"><b>−r
</b>,
202 <b>−−reload
</b></p>
204 <p style=
"margin-left:22%;">Reload the zone via
205 <i>rndc(
8)
</i> after successful signing. In a production
206 environment it is recommended to use this option to be sure
207 that a freshly signed zone will be immediately propagated.
208 However, that
’s only feasable if named runs on the
209 signing machine, which is not recommended. Otherwise the
210 signed zonefile must be copied to the production server
211 before reloading the zone. If this is the case, the
212 parameter
<i>propagation
</i> in the
<i>dnssec.conf
</i> file
213 must be set to a reasonable value.
</p>
215 <p style=
"margin-left:11%;"><b>−v
</b>,
216 <b>−−verbose
</b></p>
218 <p style=
"margin-left:22%;">Verbose mode (recommended). A
219 second
<b>−v
</b> will be a little more verbose.
</p>
221 <p style=
"margin-left:11%;"><b>−h
</b>,
222 <b>−−help
</b></p>
224 <p style=
"margin-left:22%;">Print out the online help.
</p>
227 <a name=
"SAMPLE USAGE"></a>
232 <p style=
"margin-left:11%; margin-top: 1em"><b>dnssec-signer
233 −N /var/named/named.conf
−r
−v
236 <p style=
"margin-left:22%;">Sign all secure zones found in
237 the named.conf file and, if necessary, trigger a reload of
238 the zone. Print some explanatory remarks on stdout.
</p>
240 <p style=
"margin-left:11%;"><b>dnssec-signer
−D
241 zonedir/example.net.
−f
−v
−v
</b></p>
243 <p style=
"margin-left:22%;">Force the signing of the zone
244 found in the directory
<i>zonedir/example.net .
</i> Do not
247 <p style=
"margin-left:11%;"><b>dnssec-signer
−D
248 zonedir
−f
−v
−v example.net.
</b></p>
250 <p style=
"margin-left:22%;">Same as above.
</p>
252 <p style=
"margin-left:11%;"><b>dnssec-signer
−f
253 −v
−v example.net.
</b></p>
255 <p style=
"margin-left:22%;">Same as above if the
256 <i>dnssec.conf
</i> file contains the path of the parent
257 directory of the
<i>example.net
</i> zone.
</p>
259 <p style=
"margin-left:11%;"><b>dnssec-signer
−f
260 −v
−v
−o example.net. zone.db
</b></p>
262 <p style=
"margin-left:22%;">Same as above if we are in the
263 directory containing the
<i>example.net
</i> files.
</p>
265 <p style=
"margin-left:11%;"><b>dnssec-signer
266 −−config-option=
’ResignInterval
1d;
267 Sigvalidity
28h; \
</b></p>
269 <p style=
"margin-left:22%;"><b>ZSK_lifetime
2d;
’
270 −v
−v
−o example.net. zone.db
</b> <br>
271 Sign the example.net zone but override some config file
272 values with parameters given on the commandline.
</p>
274 <h2>Zone setup and initial preparation
275 <a name=
"Zone setup and initial preparation"></a>
279 <p style=
"margin-left:11%; margin-top: 1em">Create a
280 separate directory for every secure zone.
</p>
282 <p style=
"margin-left:22%;">This is useful because there
283 are many additional files needed to secure a zone. Besides
284 the zone file (
<i>zone.db
</i>), there is a signed zone file
285 (
<i>zone.db.signed),
</i> a minimum of four files containing
286 the keying material, a file called
<i>dnskey.db
</i> with the
287 current used keys, and the
<i>dsset-
</i> and
288 <i>keyset-
</i>files created by the
<i>dnssec-signzone(
8)
</i>
289 command. So in summary there is a minimum of nine files used
290 per secure zone. For every additional key there are two
291 extra files and every delegated subzone creates also two or
294 <p style=
"margin-left:11%;">Name the directory just like
297 <p style=
"margin-left:22%;">That
’s only needed if you
298 want to use the dnssec-signer command in directory mode
299 (
<b>−D
</b>). Then the name of the zone will be parsed
300 out of the directory name.
</p>
302 <p style=
"margin-left:11%;">Change the name of the zone
303 file to
<i>zone.db
</i></p>
305 <p style=
"margin-left:22%;">Otherwise you have to set the
306 name via the
<i>dnssec.conf
</i> parameter
<i>zonefile
</i>,
307 or you have to use the option
<b>−o
</b> to name the
308 zone and specify the zone file as argument.
</p>
310 <p style=
"margin-left:11%;">Add the name of the signed
311 zonefile to the
<i>named.conf
</i> file
</p>
313 <p style=
"margin-left:22%;">The filename is the name of the
314 zone file with the extension
<i>.signed
</i>. Create an empty
315 file with the name
<i>zonefile
</i><b>.signed
</b> in the zone
318 <p style=
"margin-left:11%;">Include the keyfile in the
321 <p style=
"margin-left:22%;">The name of the keyfile is
322 settable by the
<i>dnssec.conf
</i> parameter
<i>keyfile
323 .
</i> The default is
<i>dnskey.db .
</i></p>
325 <p style=
"margin-left:11%;">Control the format of the
328 <p style=
"margin-left:22%;">For automatic incrementation of
329 the serial number, the SOA-Record must be formated, so that
330 the serial number is on a single line and left justified in
331 a field of at least
10 spaces! If you use BIND version
9.4
332 or later and use the unixtime format for the serial number
333 (See parameter Serialformat in
<i>dnssec.conf
</i>) than this
334 is not necessary.
</p>
336 <p style=
"margin-left:11%;">Try to sign the zone
</p>
338 <p style=
"margin-left:22%;">If the current working
339 directory is the directory of the zone
<i>example.net
</i>,
341 $ dnssec-signer
−D ..
−v
−v example.net
343 $ dnssec-signer
−o example.net.
<br>
344 to create the initial keying material and a signed zone
345 file. Then try to load the file on the name server.
</p>
347 <h2>ENVIRONMENT VARIABLES
348 <a name=
"ENVIRONMENT VARIABLES"></a>
353 <p style=
"margin-left:11%; margin-top: 1em">ZKT_CONFFILE
</p>
355 <p style=
"margin-left:22%;">Specifies the name of the
356 default global configuration files.
</p>
364 <p style=
"margin-left:11%; margin-top: 1em"><i>/var/named/dnssec.conf
</i></p>
366 <p style=
"margin-left:22%;">Built-in default global
367 configuration file. The name of the default global config
368 file is settable via the environment variable ZKT_CONFFILE.
369 Use
<i>dnssec-zkt(
8)
</i> with option
<b>−Z
</b> to
370 create an initial config file.
</p>
373 <p style=
"margin-left:11%;"><i>/var/named/dnssec-
<view
>.conf
</i></p>
375 <p style=
"margin-left:22%;">View specific global
376 configuration file.
</p>
378 <p style=
"margin-left:11%;"><i>./dnssec.conf
</i></p>
380 <p style=
"margin-left:22%;">Local configuration file.
</p>
382 <p style=
"margin-left:11%;"><i>dnskey.db
</i></p>
384 <p style=
"margin-left:22%;">The file contains the currently
385 used key and zone signing keys. It will be created by
386 <i>dnsssec-signer(
8)
</i>. The name of the file is settable
387 via the dnssec configuration file (parameter
390 <p style=
"margin-left:11%;"><i>zone.db
</i></p>
392 <p style=
"margin-left:22%;">This is the zone file. The name
393 of the file is settable via the dnssec configuration file
394 (parameter
<i>zonefile
</i>).
</p>
401 <p style=
"margin-left:11%; margin-top: 1em">The named.conf
402 parser is a bit rudimental and not very well tested.
</p>
405 <a name=
"AUTHORS"></a>
409 <p style=
"margin-left:11%; margin-top: 1em">Holger Zuleger,
413 <a name=
"COPYRIGHT"></a>
417 <p style=
"margin-left:11%; margin-top: 1em">Copyright (c)
418 2005 − 2009 by Holger Zuleger. Licensed under the BSD
419 Licence. There is NO warranty; not even for MERCHANTABILITY
420 or FITNESS FOR A PARTICULAR PURPOSE.
</p>
423 <a name=
"SEE ALSO"></a>
428 <p style=
"margin-left:11%; margin-top: 1em">dnssec-keygen(
8),
429 dnssec-signzone(
8), rndc(
8), named.conf(
5), dnssec-zkt(
8)
431 RFC4033, RFC4034, RFC4035
<br>
432 [
1] DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
<br>
433 (http://www.nlnetlabs.nl/dnssec_howto/)
<br>
434 [
2] RFC4641
"DNSSEC Operational Practices
" by Miek
435 Gieben and Olaf Kolkman
<br>
436 (http://www.ietf.org/rfc/rfc4641.txt)
</p>
