+++ /dev/null
-<!-- Creator : groff version 1.20.1 -->
-<!-- CreationDate: Tue Aug 4 21:33:41 2009 -->
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
-"http://www.w3.org/TR/html4/loose.dtd">
-<html>
-<head>
-<meta name="generator" content="groff -Thtml, see www.gnu.org">
-<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
-<meta name="Content-Style" content="text/css">
-<style type="text/css">
- p { margin-top: 0; margin-bottom: 0; vertical-align: top }
- pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
- table { margin-top: 0; margin-bottom: 0; vertical-align: top }
- h1 { text-align: center }
-</style>
-<title>dnssec-signer</title>
-
-</head>
-<body>
-
-<h1 align="center">dnssec-signer</h1>
-
-<a href="#NAME">NAME</a><br>
-<a href="#SYNOPSYS">SYNOPSYS</a><br>
-<a href="#DESCRIPTION">DESCRIPTION</a><br>
-<a href="#OPTIONS">OPTIONS</a><br>
-<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
-<a href="#Zone setup and initial preparation">Zone setup and initial preparation</a><br>
-<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
-<a href="#FILES">FILES</a><br>
-<a href="#BUGS">BUGS</a><br>
-<a href="#AUTHORS">AUTHORS</a><br>
-<a href="#COPYRIGHT">COPYRIGHT</a><br>
-<a href="#SEE ALSO">SEE ALSO</a><br>
-
-<hr>
-
-
-<h2>NAME
-<a name="NAME"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em">dnssec-signer
-— Secure DNS zone signing tool</p>
-
-<h2>SYNOPSYS
-<a name="SYNOPSYS"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-signer</b>
-[<b>−L|--logfile</b> <i>file</i>]
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−fhnr</b>] [<b>−v</b>
-[<b>−v</b>]] <b>−N</b> <i>named.conf</i>
-[<i>zone ...</i>] <b><br>
-dnssec-signer</b> [<b>−L|--logfile</b> <i>file</i>]
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−fhnr</b>] [<b>−v</b>
-[<b>−v</b>]] [<b>−D</b> <i>directory</i>]
-[<i>zone ...</i>] <b><br>
-dnssec-signer</b> [<b>−L|--logfile</b> <i>file</i>]
-[<b>−V|--view</b> <i>view</i>] [<b>−c</b>
-<i>file</i>] [<b>−fhnr</b>] [<b>−v</b>
-[<b>−v</b>]] <b>−o</b> <i>origin</i>
-[<i>zonefile</i>]</p>
-
-<h2>DESCRIPTION
-<a name="DESCRIPTION"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em">The
-<i>dnssec-signer</i> command is a wrapper around
-<i>dnssec-signzone(8)</i> and <i>dnssec-keygen(8)</i> to
-sign a zone and manage the necessary zone keys. It is able
-to increment the serial number before signing the zone and
-can trigger <i>named(8)</i> to reload the signed zone file.
-The command controls several secure zones and, if started in
-regular intervals via <i>cron(8)</i>, can do all that stuff
-automatically.</p>
-
-<p style="margin-left:11%; margin-top: 1em">In the most
-useful usage scenario the command will be called with option
-<b>−N</b> to read the secure zones out of the given
-<i>named.conf</i> file. If you have a configuration file
-with views, you have to use option -V viewname or --view
-viewname to specify the name of the view. Alternatively you
-could link the executable file to a second name like
-<i>dnssec-signer-viewname</i> and use that command to
-specify the name of the view. All master zone statements
-will be scanned for filenames ending with
-".signed". These zones will be checked if the
-necessary zone- and key signing keys are existent and fresh
-enough to be used in the signing process. If one or more
-out-dated keys are found, new keying material will be
-generated via the <i>dnssec-keygen(8)</i> command and the
-old keys will be marked as depreciated. So the command do
-anything needed for a zone key rollover as defined by
-[2].</p>
-
-<p style="margin-left:11%; margin-top: 1em">If the
-resigning interval is reached or any new key must be
-announced, the serial number of the zone will be incremented
-and the <i>dnssec-signzone(8)</i> command will be evoked to
-sign the zone. After that, if the option <b>−r</b> is
-given, the <i>rndc(8)</i> command will be called to reload
-the zone on the nameserver.</p>
-
-<p style="margin-left:11%; margin-top: 1em">In the second
-form of the command it is possible to specify a directory
-tree with the option <b>−D</b> <i>dir</i>. Every
-secure zone found in a subdirectory below <i>dir</i> will be
-signed. However, it is also possible to reduce the signing
-to those zones given as arguments. In directory mode the
-pre-requisite is, that the directory name is exactly
-(including the trailing dot) the same as the zone name.</p>
-
-<p style="margin-left:11%; margin-top: 1em">In the last
-form of the command, the functionality is more or less the
-same as the <i>dnssec-signzone (8)</i> command. The
-parameter specifies the zone file name and the option
-<b>−o</b> takes the name of the zone.</p>
-
-<p style="margin-left:11%; margin-top: 1em">If neither
-<b>−N</b> nor <b>−D</b> nor <b>−o</b> is
-given, then the default directory specified in the
-<i>dnssec.conf</i> file by the parameter <i>zonedir</i> will
-be used as top level directory.</p>
-
-<h2>OPTIONS
-<a name="OPTIONS"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em"><b>−L</b>
-<i>file|dir</i><b>,
-−−logfile=</b><i>file|dir</i></p>
-
-<p style="margin-left:22%;">Specify the name of a log file
-or a directory where logfiles are created with a name like
-zkt-<i>YYYY-MM-DD</i>T<i>hhmmss</i>Z.log<i>.</i> If the
-argument is not an absolute path name and a zone directory
-is specified in the config file, this will be prepended to
-the given name. This option is also settable in the
-dnssec.conf file via the parameter <b>LogFile</b><i>.</i>
-<br>
-The default is no file logging, but error logging to syslog
-with facility <b>USER</b> at level <b>ERROR</b> is enabled
-by default. These parameters are settable via the config
-file parameter <b>SyslogFacility:</b><i>,</i>
-<b>SyslogLevel:</b><i>,</i> <b>LogFile:</b> and
-<b>Loglevel</b><i>.</i> <br>
-There is an additional parameter <b>VerboseLog:</b> which
-specifies the verbosity (0|1|2) of messages that will be
-logged with level <b>DEBUG</b> to file and syslog.</p>
-
-<p style="margin-left:11%;"><b>−V</b> <i>view</i><b>,
-−−view=</b><i>view</i></p>
-
-<p style="margin-left:22%;">Try to read the default
-configuration out of a file named
-<i>dnssec-<view>.conf .</i> Instead of specifying the
-−V or --view option every time, it is also possible to
-create a hard- or softlink to the executable file with an
-additional name like <i>dnssec-zkt-<view> .</i></p>
-
-<p style="margin-left:11%;"><b>−c</b> <i>file</i><b>,
-−−config=</b><i>file</i></p>
-
-<p style="margin-left:22%;">Read configuration values out
-of the specified file. Otherwise the default config file is
-read or build-in defaults will be used.</p>
-
-<p style="margin-left:11%;"><b>−O</b>
-<i>optstr</i><b>,
-−−config-option=</b><i>optstr</i></p>
-
-<p style="margin-left:22%;">Set any config file option via
-the commandline. Several config file options can be
-specified via the argument string but have to be delimited
-by semicolon (or newline).</p>
-
-<p style="margin-left:11%;"><b>−f</b>,
-<b>−−force</b></p>
-
-<p style="margin-left:22%;">Force a resigning of the zone,
-regardless if the resigning interval is reached, or any new
-keys must be announced.</p>
-
-<p style="margin-left:11%;"><b>−n</b>,
-<b>−−noexec</b></p>
-
-<p style="margin-left:22%;">Don’t execute the
-<i>dnssec-signzone(8)</i> command. Currently this option is
-of very limited usage.</p>
-
-<p style="margin-left:11%;"><b>−r</b>,
-<b>−−reload</b></p>
-
-<p style="margin-left:22%;">Reload the zone via
-<i>rndc(8)</i> after successful signing. In a production
-environment it is recommended to use this option to be sure
-that a freshly signed zone will be immediately propagated.
-However, that’s only feasable if named runs on the
-signing machine, which is not recommended. Otherwise the
-signed zonefile must be copied to the production server
-before reloading the zone. If this is the case, the
-parameter <i>propagation</i> in the <i>dnssec.conf</i> file
-must be set to a reasonable value.</p>
-
-<p style="margin-left:11%;"><b>−v</b>,
-<b>−−verbose</b></p>
-
-<p style="margin-left:22%;">Verbose mode (recommended). A
-second <b>−v</b> will be a little more verbose.</p>
-
-<p style="margin-left:11%;"><b>−h</b>,
-<b>−−help</b></p>
-
-<p style="margin-left:22%;">Print out the online help.</p>
-
-<h2>SAMPLE USAGE
-<a name="SAMPLE USAGE"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-signer
-−N /var/named/named.conf −r −v
-−v</b></p>
-
-<p style="margin-left:22%;">Sign all secure zones found in
-the named.conf file and, if necessary, trigger a reload of
-the zone. Print some explanatory remarks on stdout.</p>
-
-<p style="margin-left:11%;"><b>dnssec-signer −D
-zonedir/example.net. −f −v −v</b></p>
-
-<p style="margin-left:22%;">Force the signing of the zone
-found in the directory <i>zonedir/example.net .</i> Do not
-reload the zone.</p>
-
-<p style="margin-left:11%;"><b>dnssec-signer −D
-zonedir −f −v −v example.net.</b></p>
-
-<p style="margin-left:22%;">Same as above.</p>
-
-<p style="margin-left:11%;"><b>dnssec-signer −f
-−v −v example.net.</b></p>
-
-<p style="margin-left:22%;">Same as above if the
-<i>dnssec.conf</i> file contains the path of the parent
-directory of the <i>example.net</i> zone.</p>
-
-<p style="margin-left:11%;"><b>dnssec-signer −f
-−v −v −o example.net. zone.db</b></p>
-
-<p style="margin-left:22%;">Same as above if we are in the
-directory containing the <i>example.net</i> files.</p>
-
-<p style="margin-left:11%;"><b>dnssec-signer
-−−config-option=’ResignInterval 1d;
-Sigvalidity 28h; \</b></p>
-
-<p style="margin-left:22%;"><b>ZSK_lifetime 2d;’
-−v −v −o example.net. zone.db</b> <br>
-Sign the example.net zone but override some config file
-values with parameters given on the commandline.</p>
-
-<h2>Zone setup and initial preparation
-<a name="Zone setup and initial preparation"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em">Create a
-separate directory for every secure zone.</p>
-
-<p style="margin-left:22%;">This is useful because there
-are many additional files needed to secure a zone. Besides
-the zone file (<i>zone.db</i>), there is a signed zone file
-(<i>zone.db.signed),</i> a minimum of four files containing
-the keying material, a file called <i>dnskey.db</i> with the
-current used keys, and the <i>dsset-</i> and
-<i>keyset-</i>files created by the <i>dnssec-signzone(8)</i>
-command. So in summary there is a minimum of nine files used
-per secure zone. For every additional key there are two
-extra files and every delegated subzone creates also two or
-three files.</p>
-
-<p style="margin-left:11%;">Name the directory just like
-the zone.</p>
-
-<p style="margin-left:22%;">That’s only needed if you
-want to use the dnssec-signer command in directory mode
-(<b>−D</b>). Then the name of the zone will be parsed
-out of the directory name.</p>
-
-<p style="margin-left:11%;">Change the name of the zone
-file to <i>zone.db</i></p>
-
-<p style="margin-left:22%;">Otherwise you have to set the
-name via the <i>dnssec.conf</i> parameter <i>zonefile</i>,
-or you have to use the option <b>−o</b> to name the
-zone and specify the zone file as argument.</p>
-
-<p style="margin-left:11%;">Add the name of the signed
-zonefile to the <i>named.conf</i> file</p>
-
-<p style="margin-left:22%;">The filename is the name of the
-zone file with the extension <i>.signed</i>. Create an empty
-file with the name <i>zonefile</i><b>.signed</b> in the zone
-directory.</p>
-
-<p style="margin-left:11%;">Include the keyfile in the
-zone.</p>
-
-<p style="margin-left:22%;">The name of the keyfile is
-settable by the <i>dnssec.conf</i> parameter <i>keyfile
-.</i> The default is <i>dnskey.db .</i></p>
-
-<p style="margin-left:11%;">Control the format of the
-SOA-Record</p>
-
-<p style="margin-left:22%;">For automatic incrementation of
-the serial number, the SOA-Record must be formated, so that
-the serial number is on a single line and left justified in
-a field of at least 10 spaces! If you use BIND version 9.4
-or later and use the unixtime format for the serial number
-(See parameter Serialformat in <i>dnssec.conf</i>) than this
-is not necessary.</p>
-
-<p style="margin-left:11%;">Try to sign the zone</p>
-
-<p style="margin-left:22%;">If the current working
-directory is the directory of the zone <i>example.net</i>,
-use the command <br>
-$ dnssec-signer −D .. −v −v example.net
-<br>
-$ dnssec-signer −o example.net. <br>
-to create the initial keying material and a signed zone
-file. Then try to load the file on the name server.</p>
-
-<h2>ENVIRONMENT VARIABLES
-<a name="ENVIRONMENT VARIABLES"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p>
-
-<p style="margin-left:22%;">Specifies the name of the
-default global configuration files.</p>
-
-<h2>FILES
-<a name="FILES"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em"><i>/var/named/dnssec.conf</i></p>
-
-<p style="margin-left:22%;">Built-in default global
-configuration file. The name of the default global config
-file is settable via the environment variable ZKT_CONFFILE.
-Use <i>dnssec-zkt(8)</i> with option <b>−Z</b> to
-create an initial config file.</p>
-
-
-<p style="margin-left:11%;"><i>/var/named/dnssec-<view>.conf</i></p>
-
-<p style="margin-left:22%;">View specific global
-configuration file.</p>
-
-<p style="margin-left:11%;"><i>./dnssec.conf</i></p>
-
-<p style="margin-left:22%;">Local configuration file.</p>
-
-<p style="margin-left:11%;"><i>dnskey.db</i></p>
-
-<p style="margin-left:22%;">The file contains the currently
-used key and zone signing keys. It will be created by
-<i>dnsssec-signer(8)</i>. The name of the file is settable
-via the dnssec configuration file (parameter
-<i>keyfile</i>).</p>
-
-<p style="margin-left:11%;"><i>zone.db</i></p>
-
-<p style="margin-left:22%;">This is the zone file. The name
-of the file is settable via the dnssec configuration file
-(parameter <i>zonefile</i>).</p>
-
-<h2>BUGS
-<a name="BUGS"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em">The named.conf
-parser is a bit rudimental and not very well tested.</p>
-
-<h2>AUTHORS
-<a name="AUTHORS"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em">Holger Zuleger,
-Mans Nilsson</p>
-
-<h2>COPYRIGHT
-<a name="COPYRIGHT"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em">Copyright (c)
-2005 − 2009 by Holger Zuleger. Licensed under the BSD
-Licence. There is NO warranty; not even for MERCHANTABILITY
-or FITNESS FOR A PARTICULAR PURPOSE.</p>
-
-<h2>SEE ALSO
-<a name="SEE ALSO"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
-dnssec-signzone(8), rndc(8), named.conf(5), dnssec-zkt(8)
-<br>
-RFC4033, RFC4034, RFC4035 <br>
-[1] DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC <br>
-(http://www.nlnetlabs.nl/dnssec_howto/) <br>
-[2] RFC4641 "DNSSEC Operational Practices" by Miek
-Gieben and Olaf Kolkman <br>
- (http://www.ietf.org/rfc/rfc4641.txt)</p>
-<hr>
-</body>
-</html>
git.samba.org / tridge / bind9.git / blobdiff