System Administration Commands dnssec-signzone(1M)
NAME
dnssec-signzone - DNSEC zone signing tool
SYNOPSIS
dnssec-signzone [-aghptz] [-c class] [-d directory]
[-e end-time] [-f output-file] [-i interval] [-k key]
[-l domain] [-n nthreads] [-o origin] [-r randomdev]
[-s start-time] [-v level] zonefile [key]...
DESCRIPTION
The dnssec-signzone utility signs a zone. It generates NSEC
and RSIG records and produces a signed version of the zone.
The security status of delegations from the signed zone
(that is, whether the child zones are secure or not) is
determined by the presence or absence of a keyset file for
each child zone.
OPTIONS
The following options are supported:
-a Verify all generated signatures.
-c class Specify the DNS class of the zone.
-d directory Look for keyset files in directory.
-e end-time Specify the date and time when the gen-
erated RSIG records expire. As with
start-time, an absolute time is indicated
in YMDHMS notation. A time rela-
tive to the start time is indicated with
]N, which is N seconds from the start
time. A time relative to the current time
is indicated with now]N. If no end-time is
specified, 30 days from the start time is
used as a default.
-f output-file The name of the output file containing the
signed zone. The default is to append
.signed to the input file name.
-g Generate DS records for child zones from
keyset files. Existing DS records will be
removed.
SunOS 5.11 Last change: 24 Dec 2008 1
System Administration Commands dnssec-signzone(1M)
-h Prints a short summary of the options and
arguments to dnssec-signzone().
-i interval Specify the cycle interval as an offset
from the current time (in seconds). When a
previously signed zone is passed as input,
records could be resigned. If a SIG record
expires after the cycle interval, it is
retained. Otherwise, it is considered to
be expiring soon and will be replaced.
The default cycle interval is one quarter
of the difference between the signature
end and start times. If neither end-time
or start-time are specified, dnssec-
signzone generates signatures that are
valid for 30 days, with a cycle interval
of 7.5 days. Any existing SIG records due
to expire in less than 7.5 days would be
replaced.
-k key Treat specified key as a key-signing key,
ignoring any key flags. This option can be
specified multiple times.
-k key Treat specified key as a key-signing key,
ignoring any key flags. This option can be
specified multiple times.
-l domain Generate a DLV set in addition to the key
(DNSKEY) and DS sets. The domain is
appended to the name of the records.
-n nthreads Specifies the number of threads to use. By
default, one thread is started for each
detected CPU.
-o origin Specify the zone origin. If not specified,
the name of the zone file is assumed to be
the origin.
-p Use pseudo-random data when signing the
zone. This is faster, but less secure,
than using real random data. This option
may be useful when signing large zones or
when the entropy source is limited.
SunOS 5.11 Last change: 24 Dec 2008 2
System Administration Commands dnssec-signzone(1M)
-r randomdev Specify the source of randomness. By
default, /dev/random is used. The random-
dev argument specifies the name of a char-
acter device or file containing random
data to be used instead of the default.
The special value keyboard indicates that
keyboard input should be used.
-s start-time Specify the date and time when the gen-
erated RSIG records become valid. This
can be either an absolute or relative
time. An absolute start time is indicated
by a number in YMDHMS notation;
20000530144500 denotes 14:45:00 UTC on May
30th, 2000. A relative start time is indi-
cated by ]N, which is N seconds from the
current time. If no start-time is speci-
fied, the current time minus one hour (to
allow for clock skew) is used.
-t Print statistics at completion.
-v level Set the debugging level.
-z Ignore KSK flag on key when determining
what to sign.
OPERANDS
The following operands are supported:
zonefile The file containing the zone to be signed.
key Specify which keys should be used to sign the
zone. If no keys are specified, then the zone
will be examined for DNSKEY records at the zone
apex. If these are found and there are matching
private keys in the current directory, these
will be used for signing.
EXAMPLES
Example 1 Signing a Zone with a DSA Key
The following command signs the example.com zone with the
DSA key generated in the example in the dnssec-keygen(1M)
SunOS 5.11 Last change: 24 Dec 2008 3
System Administration Commands dnssec-signzone(1M)
manual page (Kexample.com.]003]17247). The zone's keys must
be in the master file (db.example.com). This invocation
looks for keyset files in the current directory, so that DS
records can be generated from them (-g).
% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.]003]17247
db.example.com.signed
%
In the above example, dnssec-signzone creates the file
db.example.com.signed. This file should be referenced in a
zone statement in a named.conf file.
Example 2 Re-signing a Previously Signed Zone
The following commands re-sign a previously signed zone with
default parameters. The private keys are assumed to be in
the current directory.
% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%
In the above example, dnssec-signzone creates the file
db.example.com.signed. This file should be referenced in a
zone statement in a named.conf file.
ATRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
SunOS 5.11 Last change: 24 Dec 2008 4
System Administration Commands dnssec-signzone(1M)
ATRIBUTE TYPE ATRIBUTE VALUE
Availability SUNWbind
Interface Stability Volatile
SEE ALSO
dnssec-keygen(1M), attributes(5)
RFC 2535
BIND 9 Administrator Reference Manual
SunOS 5.11 Last change: 24 Dec 2008 5
|
