dnssec-signzone(1) dnssec-signzone(1)
NAME
dnssec-signzone - DNSSEC zone signing tool
SYNOPSIS
dnssec-signzone [-a] [-c cycle-time] [-d directory] [-e end-time]
[-f output-file] [-h] [-i interval] [-n ncpus] [-o origin] [-p]
[-r randomdev] [-s start-time] [-t] [-v level] zonefile
keyfile ...
DESCRIPTION
dnssec-signzone is used to sign a zone. Any .signedkey files for the
zone to be signed should be present in the current directory, along
with the keys that will be used to sign the zone.
Arguments
zonefile This is the name of the unsigned zone file.
keyfile If no keyfile arguments are supplied, the default
behaviour is to use all of the zone's keys that are
present in the current directory. Providing specific
keyfile arguments constrains dnssec-signzone to only
use those keys for signing the zone. Each keyfile
argument would be an identification string for a key
created with dnssec-keygen.
If the zone to be signed has any secure subzones, the .signedkey files
for those subzones need to be available in the current working
directory used by dnssec-signzone.
Options
-a This option is used to force verification of the
signatures generated by dnssec-signzone. By default
the signature files are not verified.
-c cycle-time
This option is used to configure the cycle period which
is used for resigning records when a previously signed
zone is passed as input to dnssec-signzone. The cycle
period is an offset from the current time (in seconds).
If a SIG record expires after the cycle period, it is
retained. Otherwise, it is considered to be expiring
soon, and dnssec-signzone will remove it and generate a
new SIG record to replace it.
-d directory
This option is used to look for .signedkey files in
directory instead of the current working directory.
-e end-time
This option is used to set the expiration time for the
SIG records. The expiration time specifies when the SIG
records are no longer valid, not when they are deleted
from caches on name servers. end-time can represent an
absolute or relative date.
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: August 2003
The YYYYMMDDHHMMSS notation is used to indicate an
absolute date and time.
When end-time is +N, it indicates that the SIG records
will expire in N seconds after their start time.
-f output-file
This option is used to override the use of the default
signed zone file, zonefile.signed by dnssec-signzone.
-h This option is used to print a short summary of the
options and arguments to dnssec-signzone.
-i interval
When a previously signed zone is passed as input,
records may be resigned. The interval option specifies
the cycle interval as an offset from the current time
(in seconds). If a SIG record expires after the cycle
interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
The default cycle interval is one quarter of the
difference between the signature end and start times.
So if neither end-time nor start-time is specified,
dnssec-signzone generates signatures that are valid for
30 days, with a cycle interval of 7.5 days. Therefore,
if any existing SIG records are due to expire in less
than 7.5 days, they would be replaced.
-n ncpus This option can be used to create worker threads equal
to ncpus to take advantage of multiple CPUs. If no
option is given, named will try to determine the number
of CPUs present and create one thread per CPU.
-o origin This option specifies the zone origin. If not
specified, the name of the zone file is assumed to be
the origin.
-p This option instructs dnssec-signkey to use pseudorandom
data when signing the keys. This is faster, but
less secure, than using genuinely random data for
signing. This option may be useful when there are many
child zone key sets to sign or if the entropy source is
limited. It could also be used for short-lived keys
and signatures that don't require as much protection
against cryptanalysis, such as when the key will be
discarded long before it could be compromised.
-r randomdev
This option overrides the behaviour of dnssec-signzone
to use random numbers to seed the process of signing
the zone. If the system does not have a /dev/random
device to generate random numbers, the dnssec-signzone
program will prompt for keyboard input and use the time
intervals between keystrokes to provide randomness.
With this option, it will use randomdev as a source of
random data.
-s start-time
This option is used to specify the date and time when
the generated SIG records become valid. start-time can
either be an absolute or relative date.
An absolute start time is indicated by a number in
YYYYMMDDHHMMSS notation; for example, 20000530144500
denotes 14:45:00 UTC on May 30th, 2000.
A relative start time is supplied when start-time is
given as +N specifying N seconds from the current time.
If no -s option is supplied, the current date and time
is used for the start time of the SIG records.
-t This option is used to print the statistics at the time
of completion.
-v level This option is used to make dnssec-signzone more
verbose. As the debugging/tracing level level
increases, dnssec-signzone generates increasingly
detailed reports about what it is doing. The default
level is zero.
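The time notation accepted by -s and -e, and the retain-or-resign decision that -c and -i control, are easier to see worked through than read about. The following Python model is an added illustration, not code from BIND or from this man page; the owner names and expiry times in it are constructed sample data, and the function names are the illustration's own. It applies the rules stated above: YYYYMMDDHHMMSS is an absolute UTC time, +N on -s is N seconds after now, +N on -e is N seconds after the start time, the default validity is 30 days, the default cycle interval is a quarter of (end - start), and a SIG record is retained only if it expires after now plus the cycle interval.

```python
"""Model of dnssec-signzone's validity window and resign decision.

Added illustration only; not code from BIND or the HP-UX man page.
"""
from datetime import datetime, timedelta, timezone

# The man page states signatures are valid for 30 days when neither
# -s nor -e is given.
DEFAULT_VALIDITY = timedelta(days=30)


def parse_time(spec: str, base: datetime) -> datetime:
    """Parse an -s/-e value.

    YYYYMMDDHHMMSS is an absolute UTC time; +N is N seconds after `base`
    (now for -s, the start time for -e).
    """
    if spec.startswith("+"):
        return base + timedelta(seconds=int(spec[1:]))
    if len(spec) != 14 or not spec.isdigit():
        raise ValueError(f"bad time {spec!r}: expected YYYYMMDDHHMMSS or +N")
    return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def validity_window(now: datetime, start_spec=None, end_spec=None):
    """Return (start, end) for the SIG records that would be generated."""
    start = parse_time(start_spec, now) if start_spec else now
    # -e +N is relative to the start time, not to the current time.
    end = parse_time(end_spec, start) if end_spec else start + DEFAULT_VALIDITY
    if end <= start:
        raise ValueError("end-time must be after start-time")
    return start, end


def cycle_interval(start: datetime, end: datetime, interval_spec=None) -> timedelta:
    """-c/-i N in seconds overrides; default is a quarter of the validity."""
    if interval_spec is not None:
        return timedelta(seconds=int(interval_spec))
    return (end - start) / 4


def plan_resign(sigs: dict, now: datetime, start_spec=None, end_spec=None,
                interval_spec=None) -> dict:
    """Classify existing SIG records as 'retain' or 'resign'.

    `sigs` maps an owner name to that record's current expiry time.
    A record is retained only if it expires strictly after now + cycle;
    anything expiring at or before that horizon is "expiring soon".
    """
    start, end = validity_window(now, start_spec, end_spec)
    horizon = now + cycle_interval(start, end, interval_spec)
    return {owner: ("retain" if expiry > horizon else "resign")
            for owner, expiry in sigs.items()}


if __name__ == "__main__":
    # Constructed sample: three SIG records in a previously signed zone.
    now = datetime(2003, 8, 1, 0, 0, 0, tzinfo=timezone.utc)
    sample = {
        "www.example.com.": now + timedelta(days=10),
        "mail.example.com.": now + timedelta(days=5),
        "example.com.": now + timedelta(days=7, hours=12),  # exactly 7.5 days
    }
    for owner, action in plan_resign(sample, now).items():
        print(f"{owner:20} {action}")
```

With no options the cycle is 7.5 days, so the record expiring in 10 days is kept while the 5-day and the borderline 7.5-day records are resigned; passing an explicit -i of one day (interval_spec="86400") keeps the 5-day record as well, which is the trade-off the page describes between re-signing work and how close to expiry signatures are allowed to get.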
EXAMPLE
The example below shows how dnssec-signzone could be used to sign the
example.com zone with the key that was generated in the example given
in the man page for dnssec-keygen. The zone file for this zone is
example.com, which is the same as the origin, so there is no need to
use the -o option to set the origin. This zone file contains the key
set for example.com that was created by dnssec-makekeyset. The zone's
keys are either appended to the zone file or incorporated using a
$INCLUDE statement. If there is a .signedkey file from the parent
zone, i.e., example.com.signedkey, it should be present in the current
directory. This allows the parent zone's signature to be included in
the signed version of the example.com zone.
dnssec-signzone example.com Kexample.com.+003+26160
dnssec-signzone will create a file called example.com.signed, the
signed version of the example.com zone. This file can then be
referenced in a zone{} statement in /etc/named.conf so that it can be
loaded by the name server.
FILES
/dev/random
SEE ALSO
dnssec-keygen(1), dnssec-makekeyset(1), dnssec-signkey(1), RFC2535.