+++ /dev/null
-.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: dnssec-signzone.8,v 1.47.44.4 2009/06/09 01:47:19 each Exp $
-.\"
-.hy 0
-.ad l
-.\"Generated by db2man.xsl. Don't modify this, modify the source.
-.de Sh \" Subsection
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.TH "DNSSEC-SIGNZONE" 8 "June 08, 2009" "" ""
-.SH NAME
-dnssec-signzone \- DNSSEC zone signing tool
-.SH "SYNOPSIS"
-.HP 16
-\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fIclass\fR\fR] [\fB\-d\ \fIdirectory\fR\fR] [\fB\-e\ \fIend\-time\fR\fR] [\fB\-f\ \fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fIkey\fR\fR] [\fB\-l\ \fIdomain\fR\fR] [\fB\-i\ \fIinterval\fR\fR] [\fB\-I\ \fIinput\-format\fR\fR] [\fB\-j\ \fIjitter\fR\fR] [\fB\-N\ \fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fIorigin\fR\fR] [\fB\-O\ \fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fIrandomdev\fR\fR] [\fB\-s\ \fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fIsalt\fR\fR] [\fB\-H\ \fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
-.SH "DESCRIPTION"
-.PP
-\fBdnssec\-signzone\fR signs a zone\&. It generates NSEC and RRSIG records and produces a signed version of the zone\&. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a \fIkeyset\fR file for each child zone\&.
-.SH "OPTIONS"
-.TP
-\-a
-Verify all generated signatures\&.
-.TP
-\-c \fIclass\fR
-Specifies the DNS class of the zone\&.
-.TP
-\-k \fIkey\fR
-Treat specified key as a key signing key ignoring any key flags\&. This option may be specified multiple times\&.
-.TP
-\-l \fIdomain\fR
-Generate a DLV set in addition to the key (DNSKEY) and DS sets\&. The domain is appended to the name of the records\&.
-.TP
-\-d \fIdirectory\fR
-Look for \fIkeyset\fR files in \fBdirectory\fR as the directory
-.TP
-\-g
-Generate DS records for child zones from keyset files\&. Existing DS records will be removed\&.
-.TP
-\-s \fIstart\-time\fR
-Specify the date and time when the generated RRSIG records become valid\&. This can be either an absolute or relative time\&. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000\&. A relative start time is indicated by +N, which is N seconds from the current time\&. If no \fBstart\-time\fR is specified, the current time minus 1 hour (to allow for clock skew) is used\&.
-.TP
-\-e \fIend\-time\fR
-Specify the date and time when the generated RRSIG records expire\&. As with \fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation\&. A time relative to the start time is indicated with +N, which is N seconds from the start time\&. A time relative to the current time is indicated with now+N\&. If no \fBend\-time\fR is specified, 30 days from the start time is used as a default\&.
-.TP
-\-f \fIoutput\-file\fR
-The name of the output file containing the signed zone\&. The default is to append \fI\&.signed\fR to the input filename\&.
-.TP
-\-h
-Prints a short summary of the options and arguments to \fBdnssec\-signzone\fR\&.
-.TP
-\-i \fIinterval\fR
-When a previously\-signed zone is passed as input, records may be resigned\&. The \fBinterval\fR option specifies the cycle interval as an offset from the current time (in seconds)\&. If a RRSIG record expires after the cycle interval, it is retained\&. Otherwise, it is considered to be expiring soon, and it will be replaced\&.
-The default cycle interval is one quarter of the difference between the signature end and start times\&. So if neither \fBend\-time\fR or \fBstart\-time\fR are specified, \fBdnssec\-signzone\fR generates signatures that are valid for 30 days, with a cycle interval of 7\&.5 days\&. Therefore, if any existing RRSIG records are due to expire in less than 7\&.5 days, they would be replaced\&.
-.TP
-\-I \fIinput\-format\fR
-The format of the input zone file\&. Possible formats are \fB"text"\fR (default) and \fB"raw"\fR\&. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly\&. The use of this option does not make much sense for non\-dynamic zones\&.
-.TP
-\-j \fIjitter\fR
-When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously\&. If the zone is incrementally signed, i\&.e\&. a previously\-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time\&. The \fBjitter\fR option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time\&.
-Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i\&.e\&. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time\&.
-.TP
-\-n \fIncpus\fR
-Specifies the number of threads to use\&. By default, one thread is started for each detected CPU\&.
-.TP
-\-N \fIsoa\-serial\-format\fR
-The SOA serial number format of the signed zone\&. Possible formats are \fB"keep"\fR (default), \fB"increment"\fR and \fB"unixtime"\fR\&.
-.RS
-.TP
-\fB"keep"\fR
-Do not modify the SOA serial number\&.
-.TP
-\fB"increment"\fR
-Increment the SOA serial number using RFC 1982 arithmetics\&.
-.TP
-\fB"unixtime"\fR
-Set the SOA serial number to the number of seconds since epoch\&.
-.RE
-.IP
-.TP
-\-o \fIorigin\fR
-The zone origin\&. If not specified, the name of the zone file is assumed to be the origin\&.
-.TP
-\-O \fIoutput\-format\fR
-The format of the output file containing the signed zone\&. Possible formats are \fB"text"\fR (default) and \fB"raw"\fR\&.
-.TP
-\-p
-Use pseudo\-random data when signing the zone\&. This is faster, but less secure, than using real random data\&. This option may be useful when signing large zones or when the entropy source is limited\&.
-.TP
-\-r \fIrandomdev\fR
-Specifies the source of randomness\&. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input\&. \fIrandomdev\fR specifies the name of a character device or file containing random data to be used instead of the default\&. The special value \fIkeyboard\fR indicates that keyboard input should be used\&.
-.TP
-\-t
-Print statistics at completion\&.
-.TP
-\-v \fIlevel\fR
-Sets the debugging level\&.
-.TP
-\-z
-Ignore KSK flag on key when determining what to sign\&.
-.TP
-\-3 \fIsalt\fR
-Generate a NSEC3 chain with the given hex encoded salt\&. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain\&.
-.TP
-\-H \fIiterations\fR
-When generating a NSEC3 chain use this many interations\&. The default is 100\&.
-.TP
-\-A
-When generating a NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations\&.
-.TP
-zonefile
-The file containing the zone to be signed\&.
-.TP
-key
-Specify which keys should be used to sign the zone\&. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex\&. If these are found and there are matching private keys, in the current directory, then these will be used for signing\&.
-.SH "EXAMPLE"
-.PP
-The following command signs the \fBexample\&.com\fR zone with the DSA key generated by \fBdnssec\-keygen\fR (Kexample\&.com\&.+003+17247)\&. The zone's keys must be in the master file (\fIdb\&.example\&.com\fR)\&. This invocation looks for \fIkeyset\fR files, in the current directory, so that DS records can be generated from them (\fB\-g\fR)\&.
-.nf
-% dnssec\-signzone \-g \-o example\&.com db\&.example\&.com \\
-Kexample\&.com\&.+003+17247
-db\&.example\&.com\&.signed
-%
-.fi
-.PP
-In the above example, \fBdnssec\-signzone\fR creates the file \fIdb\&.example\&.com\&.signed\fR\&. This file should be referenced in a zone statement in a \fInamed\&.conf\fR file\&.
-.PP
-This example re\-signs a previously signed zone with default parameters\&. The private keys are assumed to be in the current directory\&.
-.nf
-% cp db\&.example\&.com\&.signed db\&.example\&.com
-% dnssec\-signzone \-o example\&.com db\&.example\&.com
-db\&.example\&.com\&.signed
-%
-.fi
-.SH "KNOWN BUGS"
-.PP
- \fBdnssec\-signzone\fR was designed so that it could sign a zone partially, using only a subset of the DNSSEC keys needed to produce a fully\-signed zone\&. This permits a zone administrator, for example, to sign a zone with one key on one machine, move the resulting partially\-signed zone to a second machine, and sign it again with a second key\&.
-.PP
-An unfortunate side\-effect of this flexibility is that \fBdnssec\-signzone\fR does not check to make sure it's signing a zone with any valid keys at all\&. An attempt to sign a zone without any keys will appear to succeed, producing a "signed" zone with no signatures\&. There is no warning issued when a zone is not fully signed\&.
-.PP
-This will be corrected in a future release\&. In the meantime, ISC recommends examining the output of \fBdnssec\-signzone\fR to confirm that the zone is properly signed by all keys before using it\&.
-.SH "SEE ALSO"
-.PP
-\fBdnssec\-keygen\fR(8), BIND 9 Administrator Reference Manual, RFC 4033\&.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
git.samba.org / tridge / bind9.git / blobdiff