DNSSEC-SIGNZONE linux command manual

DNSSEC-SIGNZONE(8)					   DNSSEC-SIGNZONE(8)



NAME
       dnssec-signzone - DNSSEC zone signing tool

SYNOPSIS
       dnssec-signzone	[  -a  ]  [ -c class ]	[ -d directory ]  [ -s start-
       time ]  [ -e end-time ]	[ -f output-file ]  [ -h ]  [ -i  interval  ]
       [ -n nthreads ]	[ -o origin ]  [ -p ]  [ -r randomdev ]	 [ -t ]	 [ -v
       level ]	zonefile [ key... ]

DESCRIPTION
       dnssec-signzone signs a zone. It generates NXT  and  SIG	 records  and
       produces	 a  signed  version of the zone. If there is a signedkey file
       from the zone's parent, the parent's signatures will  be	 incorporated
       into  the  generated  signed zone file. The security status of delega-
       tions from the the signed zone (that is, whether the child  zones  are
       secure or not) is determined by the presence or absence of a signedkey
       file for each child zone.

OPTIONS
       -a     Verify all generated signatures.

       -c class
	      Specifies the DNS class of the zone.

       -d directory
	      Look for signedkey files in directory as the directory

       -s start-time
	      Specify the date and time when the generated SIG records become
	      valid.  This  can	 be  either  an absolute or relative time. An
	      absolute start time is indicated by a number in  YYYYMMDDHHMMSS
	      notation;	 20000530144500	 denotes  14:45:00  UTC	 on May 30th,
	      2000. A relative start time is indicated by +N, which is N sec-
	      onds from the current time.  If no start-time is specified, the
	      current time is used.

       -e end-time
	      Specify the date	and  time  when	 the  generated	 SIG  records
	      expire.  As  with	 start-time, an absolute time is indicated in
	      YYYYMMDDHHMMSS notation. A time relative to the start  time  is
	      indicated	 with  +N,  which is N seconds from the start time. A
	      time relative to the current time is indicated with  now+N.  If
	      no  end-time  is specified, 30 days from the start time is used
	      as a default.

       -f output-file
	      The name of the output file containing  the  signed  zone.  The
	      default is to append .signed to the input file.

       -h     Prints  a short summary of the options and arguments to dnssec-
	      signzone.

       -i interval
	      When a previously signed zone is passed as input,	 records  may
	      be  resigned.  The interval option specifies the cycle interval
	      as an offset from the current  time  (in	seconds).  If  a  SIG
	      record expires after the cycle interval, it is retained. Other-
	      wise, it is considered to be expiring  soon,  and	 it  will  be
	      replaced.

	      The  default  cycle  interval  is one quarter of the difference
	      between the signature end and start times. So if	neither	 end-
	      time  or	start-time  are	 specified, dnssec-signzone generates
	      signatures that are valid for 30 days, with a cycle interval of
	      7.5  days.  Therefore,  if  any existing SIG records are due to
	      expire in less than 7.5 days, they would be replaced.

       -n ncpus
	      Specifies the number of threads to use. By default, one  thread
	      is started for each detected CPU.

       -o origin
	      The zone origin. If not specified, the name of the zone file is
	      assumed to be the origin.

       -p     Use pseudo-random data when signing the zone. This  is  faster,
	      but  less	 secure, than using real random data. This option may
	      be useful when signing large zones or when the  entropy  source
	      is limited.

       -r randomdev
	      Specifies	 the  source  of  randomness. If the operating system
	      does not	provide	 a  /dev/random	 or  equivalent	 device,  the
	      default source of randomness is keyboard input. randomdev spec-
	      ifies the name of a character device or file containing  random
	      data  to be used instead of the default. The special value key-
	      board indicates that keyboard input should be used.

       -t     Print statistics at completion.

       -v level
	      Sets the debugging level.

       zonefile
	      The file containing the zone to be signed.  Sets the  debugging
	      level.

       key    The  keys	 used to sign the zone. If no keys are specified, the
	      default all zone keys that have private key files in  the	 cur-
	      rent directory.

EXAMPLE
       The following command signs the example.com zone with the DSA key gen-
       erated in the dnssec-keygen man page. The zone's keys must be  in  the
       zone.  If  there	 are signedkey files associated with this zone or any
       child zones, they must be in the current directory.  example.com,  the
       following command would be issued:

       dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160

       The command would print a string of the form:

       In   this   example,   dnssec-signzone	creates	  the  file  db.exam-
       ple.com.signed. This file should be referenced in a zone statement  in
       a named.conf file.

SEE ALSO
       dnssec-keygen(8),  dnssec-signkey(8),  BIND  9 Administrator Reference
       Manual, RFC 2535.

AUTHOR
       Internet Software Consortium



BIND9				June 30, 2000		   DNSSEC-SIGNZONE(8)