DNSSEC-SIGNZONE(8)          System Manager's Manual         DNSSEC-SIGNZONE(8)

NAME
     dnssec-signzone - DNSSEC zone signing tool

SYNOPSIS
     dnssec-signzone [-a] [-c class] [-d directory] [-s start-time]
                     [-e end-time] [-i interval] [-o origin] [-f output-file]
                     [-p] [-r randomdev] [-t] [-v level] [-n nthreads]
                     zonefile [keyfile ....]

DESCRIPTION
     dnssec-signzone is used to sign a zone.  Any signedkey files for the zone
     to be signed should be present in the current directory, along with the
     keys that will be used to sign the zone.  If no keyfile arguments are
     supplied, the default behaviour is to use all of the zone's keys that are
     present in the current directory.  Providing specific keyfile arguments
     constrains dnssec-signzone to only use those keys for signing the zone.
     Each keyfile argument would be an identification string for a key created
     with dnssec-keygen(8).  If the zone to be signed has any secure subzones,
     the signedkey files for those subzones need to be available in the
     current working directory used by dnssec-signzone.

     zonefile is the name of the unsigned zone file.  Unless the file name is
     the same as the name of the zone, the -o option should be given.  origin
     will be the fully qualified domain origin for the zone.

     dnssec-signzone will generate NXT and SIG records for the zone and
     produce a signed version of the zone.  If there is a signedkey file from
     the zone's parent, the parent's signatures will be incorporated into the
     generated signed zone file.  The security status of delegations from the
     signed zone - i.e. whether the child zones are DNSSEC-aware or not - is
     set according to the presence or absence of a signedkey file for the
     child in question.

     By default, dnssec-signzone generates a file called zonefile.signed
     containing the signed zone file.  The output file name can be overridden
     using the -f option.

     dnssec-signzone does not verify the signatures by default.  The -a option
     makes it verify the signatures it generated.

     The date and time when the generated SIG records become valid can be
     specified with the -s option.  start-time can either be an absolute or
     relative date.  An absolute start time is indicated by a number in
     YYYYMMDDHHMMSS notation: 20000530144500 denotes 14:45:00 UTC on May
     30th, 2000.  A relative start time is supplied when start-time is given
     as +N: N seconds from the current time.  If no -s option is supplied, the
     current date and time is used for the start time of the SIG records.

     The expiry date for the SIG records can be set by the -e option.  Note
     that in this context, the expiry date specifies when the SIG records are
     no longer valid, not when they are deleted from caches on name servers.
     end-date also represents an absolute or relative date.  YYYYMMDDHHMMSS
     notation is used as before to indicate an absolute date and time.  When
     end-date is +N, it indicates that the SIG records will expire N seconds
     after their start date.  If end-date is supplied as now+N, the SIG
     records will expire in N seconds after the current time.  When no expiry
     date is set for the SIG records, dnssec-signzone defaults to an expire
     time of 30 days from the start time of the SIG records.

     When a previously signed zone is passed as input to dnssec-signzone,
     records may be resigned.  Whether or not to resign records is config­
     urable by using the -i option, which specifies the cycle interval as an
     offset from the current time (in seconds).  If a SIG record expires after
     the cycle interval, it is retained.  Otherwise, it is considered to be
     expiring soon, and dnssec-signzone will remove it and generate a new SIG
     record to replace it.

     The default cycle interval is one quarter of the difference between the
     specified signature end and start dates.  So if the -e and -s options are
     not specified, dnssec-signzone generates signatures that are valid for 30
     days from the current date by default, with a cycle interval of 7.5 days.
     Therefore, if any SIG records are due to expire in less than 7.5 days,
     they would be replaced with new ones.
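     The following Python snippet is an added illustration, not part of BIND
     or of this man page: it models the -s/-e time syntax and the -i cycle
     interval rule described above, and applies the "keep or resign" decision
     to a constructed set of SIG expiry times.  The record names and expiry
     times are made up for the example.

```python
# Added illustration (not BIND's code): parse the -s/-e time syntax and
# apply the -i cycle-interval rule to decide which SIG records would be
# kept and which would be regenerated when a signed zone is re-signed.
from datetime import datetime, timedelta, timezone

def parse_time(spec, now, start=None):
    """-s/-e value: YYYYMMDDHHMMSS (UTC), +N (relative to the start time
    when given for -e, otherwise to now) or now+N (relative to now)."""
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        base = start if start is not None else now
        return base + timedelta(seconds=int(spec[1:]))
    return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def signing_window(now, start_spec=None, end_spec=None, interval=None):
    """Return (start, end, cycle) using the man page defaults:
    start = now, end = start + 30 days, cycle = (end - start) / 4."""
    start = parse_time(start_spec, now) if start_spec else now
    end = parse_time(end_spec, now, start) if end_spec else start + timedelta(days=30)
    cycle = timedelta(seconds=interval) if interval is not None else (end - start) / 4
    return start, end, cycle

def plan_resign(sig_expiries, now, cycle):
    """Keep a SIG only if it expires after now + cycle; otherwise it is
    'expiring soon' and gets replaced by a fresh signature."""
    horizon = now + cycle
    return {name: ("keep" if exp > horizon else "resign")
            for name, exp in sig_expiries.items()}

# Constructed sample: signing at 2000-05-30 14:45:00 UTC with no -s/-e/-i.
NOW = datetime(2000, 5, 30, 14, 45, 0, tzinfo=timezone.utc)
START, END, CYCLE = signing_window(NOW)
# Constructed SIG expiry times from a previously signed zone.
EXISTING_SIGS = {
    "www.example.com. A":   NOW + timedelta(days=20),           # keep
    "mail.example.com. MX": NOW + timedelta(days=3),            # resign
    "example.com. SOA":     NOW + timedelta(days=7, hours=12),  # at horizon: resign
}
PLAN = plan_resign(EXISTING_SIGS, NOW, CYCLE)

if __name__ == "__main__":
    print(f"start={START:%Y%m%d%H%M%S} end={END:%Y%m%d%H%M%S} cycle={CYCLE}")
    for name, action in PLAN.items():
        print(f"{action:6} {name}")
```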

     dnssec-signzone may need random numbers in the process of signing the
     zone.  If the system does not have a /dev/random device that can be used
     for generating random numbers, dnssec-signzone will prompt for keyboard
     input and use the time intervals between keystrokes to provide
     randomness.  The -r option overrides this behaviour, making dnssec-signzone use
     randomdev as a source of random data.

     The -p option instructs dnssec-signzone to use pseudo-random data when
     signing the keys.  This is faster, but less secure, than using genuinely
     random data for signing.  This option may be useful when signing large
     zones or when the entropy source is limited.

     The -t option causes dnssec-signzone to print various statistics after
     signing the zone.

     The -c option specifies that the KEY records in the input and output key
     sets should have the specified class instead of IN.

     The -d option specifies that dnssec-signzone should look in a directory
     other than the current directory for signedkey files.

     An option of -h makes dnssec-signzone print a short summary of its
     command line options and arguments.

     The -v option can be used to make dnssec-signzone more verbose.  As the
     debugging/tracing level increases, dnssec-signzone generates
     increasingly detailed reports about what it is doing.  The default level
     is zero.

     The -n option can be used to change the threading behavior.  By default,
     dnssec-signzone attempts to determine the number of CPUs present, and
     create one thread per CPU.  The -n option causes a different number of
     threads to be created.

EXAMPLE
     The example below shows how dnssec-signzone could be used to sign the
     example.com zone with the key that was generated in the example given in
     the man page for dnssec-keygen(8).  The zone file for this zone is
     example.com, which is the same as the origin, so there is no need to use
     the -o option to set the origin.  The zone's keys were either appended to
     the zone file or incorporated using a $INCLUDE statement.  If there was a
     signedkey file from the parent zone - i.e.  signedkey-example.com. - it
     should be present in the current directory.  This allows the parent
     zone's signature to be included in the signed version of the example.com
     zone.

           # dnssec-signzone example.com Kexample.com.+003+26160

     dnssec-signzone will create a file called example.com.signed, the signed
     version of the example.com zone.  This file can then be referenced in a
     zone{} statement in /etc/named.conf so that it can be loaded by the name
     server.

FILES
     /dev/random

SEE ALSO
     RFC2535, dnssec-keygen(8), dnssec-signkey(8).

BIND9 9                          Jun 30, 2000                          BIND9 9