dnssec-signzone man page on Solaris
dnssec-signzone(1M)	System Administration Commands	   dnssec-signzone(1M)

NAME
       dnssec-signzone - DNSSEC zone signing tool

SYNOPSIS
       dnssec-signzone [-Aaghptz] [-c class] [-d directory]
            [-e end-time] [-f output-file] [-H iterations] [-I input-format]
            [-i interval] [-j jitter] [-k key] [-l domain]
            [-N soa-serial-format] [-n nthreads] [-O output-format]
            [-o origin] [-r randomdev] [-s start-time] [-v level] [-3 salt]
            zonefile [key]...

DESCRIPTION
       The dnssec-signzone utility signs a zone. It generates NSEC and RRSIG
       records and produces a signed version of the zone. The security status
       of delegations from the signed zone (that is, whether the child zones
       are secure or not) is determined by the presence or absence of a keyset
       file for each child zone.

OPTIONS
       The following options are supported:

       -A

           When generating an NSEC3 chain, set the OPTOUT flag on all NSEC3
           records and do not generate NSEC3 records for insecure delegations.

       -a

	   Verify all generated signatures.

       -c class

	   Specify the DNS class of the zone.

       -d directory

	   Look for keyset files in directory.

       -e end-time

           Specify the date and time when the generated RRSIG records expire.
           As with start-time, an absolute time is indicated in YYYYMMDDHHMMSS
           notation. A time relative to the start time is indicated with +N,
           which is N seconds from the start time. A time relative to the
           current time is indicated with now+N. If no end-time is specified,
           30 days from the start time is used as a default.

       -f output-file

	   The name of the output file containing the signed zone. The default
	   is to append .signed to the input file name.

       -g

	   Generate DS records for child zones from keyset files. Existing  DS
	   records will be removed.

       -H iterations

           When generating an NSEC3 chain, use the number of iterations
           specified by iterations. The default is 100.

       -h

           Prints a short summary of the options and arguments to
           dnssec-signzone.

       -I input-format

           The format of the input zone file. Possible formats are text
           (default) and raw. This option is primarily intended for dynamic
           signed zones so that the dumped zone file in a non-text format
           containing updates can be signed directly. The use of this option
           serves no purpose for non-dynamic zones.

       -i interval

           Specify the cycle interval as an offset from the current time (in
           seconds). When a previously signed zone is passed as input, records
           could be resigned. If an RRSIG record expires after the cycle
           interval, it is retained. Otherwise, it is considered to be
           expiring soon and will be replaced.

           The default cycle interval is one quarter of the difference between
           the signature end and start times. If neither end-time nor
           start-time is specified, dnssec-signzone generates signatures that
           are valid for 30 days, with a cycle interval of 7.5 days. Any
           existing RRSIG records due to expire in less than 7.5 days would be
           replaced.

       -j jitter

           When signing a zone with a fixed signature lifetime, all RRSIG
           records issued at the time of signing expire simultaneously. If the
           zone is incrementally signed, that is, a previously-signed zone is
           passed as input to the signer, all expired signatures have to be
           regenerated at about the same time. The jitter option specifies a
           jitter window that will be used to randomize the signature-expire
           time, thus spreading incremental signature regeneration over time.

           Signature lifetime jitter also benefits, to some extent, validators
           and servers by spreading out cache expiration. That is, if large
           numbers of RRSIGs from all caches do not expire at the same time,
           there will be less congestion than if all validators needed to
           refetch at almost the same time.

       -k key

           Treat specified key as a key-signing key, ignoring any key flags.
           This option can be specified multiple times.

       -l domain

	   Generate a DLV set in addition to the key (DNSKEY) and DS sets. The
	   domain is appended to the name of the records.

       -N soa-serial-format

	   The SOA serial number format of the signed zone.  Possible  formats
	   are keep (default), increment and unixtime, described as follows.

	   keep

	       Do not modify the SOA serial number.

	   increment

	       Increment the SOA serial number using RFC 1982 arithmetic.

	   unixtime

	       Set the SOA serial number to the number of seconds since epoch.

       -n nthreads

	   Specifies  the  number of threads to use. By default, one thread is
	   started for each detected CPU.

       -O output_format

	   The format of the output file containing the signed zone.  Possible
	   formats are text (default) and raw.

       -o origin

           Specify the zone origin. If not specified, the name of the zone
           file is assumed to be the origin.

       -p

	   Use pseudo-random data when signing the zone. This is  faster,  but
	   less secure, than using real random data. This option may be useful
	   when signing large zones or when the entropy source is limited.

       -r randomdev

	   Specifies the source of randomness. If the  operating  system  does
	   not	provide a /dev/random or equivalent device, the default source
	   of randomness is keyboard input. randomdev specifies the name of  a
	   character  device or file containing random data to be used instead
	   of the default /dev/random. The special  value  keyboard  indicates
	   that keyboard input should be used.

       -s start-time

           Specify the date and time when the generated RRSIG records become
           valid. This can be either an absolute or relative time. An absolute
           start time is indicated by a number in YYYYMMDDHHMMSS notation;
           20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative
           start time is indicated by +N, which is N seconds from the current
           time. If no start-time is specified, the current time minus one
           hour (to allow for clock skew) is used.
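       The interplay of -s, -e and -i described above, together with the -N
       increment serial rule, as an added worked example that is not part of
       the man page or of BIND: it models the documented defaults (start =
       now minus one hour, end = start + 30 days, cycle = one quarter of the
       lifetime) and the keep-or-replace decision for an existing RRSIG. The
       time-parsing helper, function names and the epoch value used in the
       demo are assumptions of this example.

```python
# Added example: models dnssec-signzone's -s/-e/-i time handling and
# -N increment (RFC 1982) as described in the man page; not BIND code.
from datetime import datetime, timezone

ONE_DAY = 86400

def parse_time(value, now, start=None):
    """Interpret a -s/-e argument: YYYYMMDDHHMMSS (UTC), now+N, or +N.
    For -s, +N is relative to the current time; for -e it is relative
    to the start time, so the caller passes `start` when parsing -e."""
    if value.startswith("now+"):
        return now + int(value[4:])
    if value.startswith("+"):
        base = now if start is None else start
        return base + int(value[1:])
    dt = datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def signing_window(now, start_time=None, end_time=None, interval=None):
    """Return (start, end, cycle) in epoch seconds using the documented
    defaults: start = now - 1h (clock skew), end = start + 30 days,
    cycle interval = one quarter of (end - start)."""
    start = now - 3600 if start_time is None else parse_time(start_time, now)
    end = (start + 30 * ONE_DAY if end_time is None
           else parse_time(end_time, now, start))
    cycle = (end - start) // 4 if interval is None else interval
    return start, end, cycle

def needs_resign(rrsig_expiry, now, cycle):
    """An existing RRSIG is retained only if it expires after the cycle
    interval; otherwise it is treated as expiring soon and replaced."""
    return rrsig_expiry <= now + cycle

def increment_serial(serial):
    """-N increment: RFC 1982 serial arithmetic, i.e. add 1 modulo 2^32."""
    return (serial + 1) % (1 << 32)

if __name__ == "__main__":
    now = 1000000000  # constructed epoch value for the demo
    start, end, cycle = signing_window(now)
    print(f"default window: start={start} end={end} cycle={cycle}s "
          f"({cycle / ONE_DAY} days)")
    print("RRSIG expiring in 7 days replaced:",
          needs_resign(now + 7 * ONE_DAY, now, cycle))
    print("serial 4294967295 ->", increment_serial(4294967295))
```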

       -t

	   Print statistics at completion.

       -v level

	   Set the debugging level.

       -z

	   Ignore KSK flag on key when determining what to sign.

       -3 salt

           Generate an NSEC3 chain with the specified hex-encoded salt. A dash
           (-) can be used to indicate that no salt is to be used when
           generating the NSEC3 chain.

OPERANDS
       The following operands are supported:

       zonefile

	   The file containing the zone to be signed.

       key

           Specify which keys should be used to sign the zone. If no keys are
           specified, then the zone will be examined for DNSKEY records at the
           zone apex. If these are found and there are matching private keys
           in the current directory, these will be used for signing.

EXAMPLES
       Example 1 Signing a Zone with a DSA Key

       The following command signs the example.com zone with the DSA key
       generated in the example in the dnssec-keygen(1M) manual page
       (Kexample.com.+003+17247). The zone's keys must be in the master file
       (db.example.com). This invocation looks for keyset files in the current
       directory, so that DS records can be generated from them (-g).

         % dnssec-signzone -g -o example.com db.example.com \
         Kexample.com.+003+17247
         db.example.com.signed
         %

       In the above example, dnssec-signzone creates the file
       db.example.com.signed. This file should be referenced in a zone
       statement in a named.conf file.

       Example 2 Re-signing a Previously Signed Zone

       The following commands re-sign a previously signed zone with default
       parameters. The private keys are assumed to be in the current
       directory.

	 % cp db.example.com.signed db.example.com
	 % dnssec-signzone -o example.com db.example.com \
	 db.example.com.signed
	 %

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	    ATTRIBUTE VALUE	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability		     │service/network/dns/bind	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability	     │Volatile			   │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       dnssec-keygen(1M), attributes(5)

       RFC 4033

       See the BIND 9 Administrator's Reference Manual. As of the date of
       publication of this man page, this document is available at
       https://www.isc.org/software/bind/documentation.

SunOS 5.10			  11 Jan 2010		   dnssec-signzone(1M)