/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
https://bitbucket.org/freebsd/freebsd-head/ · Unknown · 695 lines · 640 code · 55 blank · 0 comment · 0 complexity · 34ef981e9af694f1aa4567156ed8fa3e MD5 · raw file
- <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
- [<!ENTITY mdash "—">]>
- <!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
- -->
- <!-- $Id: dnssec-signzone.docbook,v 1.44 2009/12/03 23:18:16 each Exp $ -->
- <refentry id="man.dnssec-signzone">
- <refentryinfo>
- <date>June 05, 2009</date>
- </refentryinfo>
- <refmeta>
- <refentrytitle><application>dnssec-signzone</application></refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo>BIND9</refmiscinfo>
- </refmeta>
- <refnamediv>
- <refname><application>dnssec-signzone</application></refname>
- <refpurpose>DNSSEC zone signing tool</refpurpose>
- </refnamediv>
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <year>2006</year>
- <year>2007</year>
- <year>2008</year>
- <year>2009</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <year>2002</year>
- <year>2003</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>dnssec-signzone</command>
- <arg><option>-a</option></arg>
- <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
- <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
- <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
- <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
- <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
- <arg><option>-g</option></arg>
- <arg><option>-h</option></arg>
- <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
- <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
- <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
- <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
- <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
- <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
- <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
- <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
- <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
- <arg><option>-p</option></arg>
- <arg><option>-P</option></arg>
- <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
- <arg><option>-S</option></arg>
- <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
- <arg><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
- <arg><option>-t</option></arg>
- <arg><option>-u</option></arg>
- <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
- <arg><option>-x</option></arg>
- <arg><option>-z</option></arg>
- <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
- <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
- <arg><option>-A</option></arg>
- <arg choice="req">zonefile</arg>
- <arg rep="repeat">key</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
- <refsect1>
- <title>DESCRIPTION</title>
- <para><command>dnssec-signzone</command>
- signs a zone. It generates
- NSEC and RRSIG records and produces a signed version of the
- zone. The security status of delegations from the signed zone
- (that is, whether the child zones are secure or not) is
- determined by the presence or absence of a
- <filename>keyset</filename> file for each child zone.
- </para>
- </refsect1>
- <refsect1>
- <title>OPTIONS</title>
- <variablelist>
- <varlistentry>
- <term>-a</term>
- <listitem>
- <para>
- Verify all generated signatures.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-c <replaceable class="parameter">class</replaceable></term>
- <listitem>
- <para>
- Specifies the DNS class of the zone.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-C</term>
- <listitem>
- <para>
- Compatibility mode: Generate a
- <filename>keyset-<replaceable>zonename</replaceable></filename>
- file in addition to
- <filename>dsset-<replaceable>zonename</replaceable></filename>
- when signing a zone, for use by older versions of
- <command>dnssec-signzone</command>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-d <replaceable class="parameter">directory</replaceable></term>
- <listitem>
- <para>
- Look for <filename>dsset-</filename> or
- <filename>keyset-</filename> files in <option>directory</option>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-E <replaceable class="parameter">engine</replaceable></term>
- <listitem>
- <para>
- Uses a crypto hardware (OpenSSL engine) for the crypto operations
- it supports, for instance signing with private keys from
- a secure key store. When compiled with PKCS#11 support
- it defaults to pkcs11; the empty name resets it to no engine.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-g</term>
- <listitem>
- <para>
- Generate DS records for child zones from
- <filename>dsset-</filename> or <filename>keyset-</filename>
- file. Existing DS records will be removed.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-K <replaceable class="parameter">directory</replaceable></term>
- <listitem>
- <para>
- Key repository: Specify a directory to search for DNSSEC keys.
- If not specified, defaults to the current directory.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-k <replaceable class="parameter">key</replaceable></term>
- <listitem>
- <para>
- Treat specified key as a key signing key ignoring any
- key flags. This option may be specified multiple times.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-l <replaceable class="parameter">domain</replaceable></term>
- <listitem>
- <para>
- Generate a DLV set in addition to the key (DNSKEY) and DS sets.
- The domain is appended to the name of the records.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-s <replaceable class="parameter">start-time</replaceable></term>
- <listitem>
- <para>
- Specify the date and time when the generated RRSIG records
- become valid. This can be either an absolute or relative
- time. An absolute start time is indicated by a number
- in YYYYMMDDHHMMSS notation; 20000530144500 denotes
- 14:45:00 UTC on May 30th, 2000. A relative start time is
- indicated by +N, which is N seconds from the current time.
- If no <option>start-time</option> is specified, the current
- time minus 1 hour (to allow for clock skew) is used.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-e <replaceable class="parameter">end-time</replaceable></term>
- <listitem>
- <para>
- Specify the date and time when the generated RRSIG records
- expire. As with <option>start-time</option>, an absolute
- time is indicated in YYYYMMDDHHMMSS notation. A time relative
- to the start time is indicated with +N, which is N seconds from
- the start time. A time relative to the current time is
- indicated with now+N. If no <option>end-time</option> is
- specified, 30 days from the start time is used as a default.
- <option>end-time</option> must be later than
- <option>start-time</option>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-f <replaceable class="parameter">output-file</replaceable></term>
- <listitem>
- <para>
- The name of the output file containing the signed zone. The
- default is to append <filename>.signed</filename> to
- the
- input filename.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-h</term>
- <listitem>
- <para>
- Prints a short summary of the options and arguments to
- <command>dnssec-signzone</command>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-i <replaceable class="parameter">interval</replaceable></term>
- <listitem>
- <para>
- When a previously-signed zone is passed as input, records
- may be resigned. The <option>interval</option> option
- specifies the cycle interval as an offset from the current
- time (in seconds). If a RRSIG record expires after the
- cycle interval, it is retained. Otherwise, it is considered
- to be expiring soon, and it will be replaced.
- </para>
- <para>
- The default cycle interval is one quarter of the difference
- between the signature end and start times. So if neither
- <option>end-time</option> or <option>start-time</option>
- are specified, <command>dnssec-signzone</command>
- generates
- signatures that are valid for 30 days, with a cycle
- interval of 7.5 days. Therefore, if any existing RRSIG records
- are due to expire in less than 7.5 days, they would be
- replaced.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-I <replaceable class="parameter">input-format</replaceable></term>
- <listitem>
- <para>
- The format of the input zone file.
- Possible formats are <command>"text"</command> (default)
- and <command>"raw"</command>.
- This option is primarily intended to be used for dynamic
- signed zones so that the dumped zone file in a non-text
- format containing updates can be signed directly.
- The use of this option does not make much sense for
- non-dynamic zones.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-j <replaceable class="parameter">jitter</replaceable></term>
- <listitem>
- <para>
- When signing a zone with a fixed signature lifetime, all
- RRSIG records issued at the time of signing expires
- simultaneously. If the zone is incrementally signed, i.e.
- a previously-signed zone is passed as input to the signer,
- all expired signatures have to be regenerated at about the
- same time. The <option>jitter</option> option specifies a
- jitter window that will be used to randomize the signature
- expire time, thus spreading incremental signature
- regeneration over time.
- </para>
- <para>
- Signature lifetime jitter also to some extent benefits
- validators and servers by spreading out cache expiration,
- i.e. if large numbers of RRSIGs don't expire at the same time
- from all caches there will be less congestion than if all
- validators need to refetch at mostly the same time.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-n <replaceable class="parameter">ncpus</replaceable></term>
- <listitem>
- <para>
- Specifies the number of threads to use. By default, one
- thread is started for each detected CPU.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
- <listitem>
- <para>
- The SOA serial number format of the signed zone.
- Possible formats are <command>"keep"</command> (default),
- <command>"increment"</command> and
- <command>"unixtime"</command>.
- </para>
- <variablelist>
- <varlistentry>
- <term><command>"keep"</command></term>
- <listitem>
- <para>Do not modify the SOA serial number.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><command>"increment"</command></term>
- <listitem>
- <para>Increment the SOA serial number using RFC 1982
- arithmetics.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><command>"unixtime"</command></term>
- <listitem>
- <para>Set the SOA serial number to the number of seconds
- since epoch.</para>
- </listitem>
- </varlistentry>
- </variablelist>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-o <replaceable class="parameter">origin</replaceable></term>
- <listitem>
- <para>
- The zone origin. If not specified, the name of the zone file
- is assumed to be the origin.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-O <replaceable class="parameter">output-format</replaceable></term>
- <listitem>
- <para>
- The format of the output file containing the signed zone.
- Possible formats are <command>"text"</command> (default)
- and <command>"raw"</command>.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-p</term>
- <listitem>
- <para>
- Use pseudo-random data when signing the zone. This is faster,
- but less secure, than using real random data. This option
- may be useful when signing large zones or when the entropy
- source is limited.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-P</term>
- <listitem>
- <para>
- Disable post sign verification tests.
- </para>
- <para>
- The post sign verification test ensures that for each algorithm
- in use there is at least one non revoked self signed KSK key,
- that all revoked KSK keys are self signed, and that all records
- in the zone are signed by the algorithm.
- This option skips these tests.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-r <replaceable class="parameter">randomdev</replaceable></term>
- <listitem>
- <para>
- Specifies the source of randomness. If the operating
- system does not provide a <filename>/dev/random</filename>
- or equivalent device, the default source of randomness
- is keyboard input. <filename>randomdev</filename>
- specifies
- the name of a character device or file containing random
- data to be used instead of the default. The special value
- <filename>keyboard</filename> indicates that keyboard
- input should be used.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-S</term>
- <listitem>
- <para>
- Smart signing: Instructs <command>dnssec-signzone</command> to
- search the key repository for keys that match the zone being
- signed, and to include them in the zone if appropriate.
- </para>
- <para>
- When a key is found, its timing metadata is examined to
- determine how it should be used, according to the following
- rules. Each successive rule takes priority over the prior
- ones:
- </para>
- <variablelist>
- <varlistentry>
- <listitem>
- <para>
- If no timing metadata has been set for the key, the key is
- published in the zone and used to sign the zone.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <listitem>
- <para>
- If the key's publication date is set and is in the past, the
- key is published in the zone.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <listitem>
- <para>
- If the key's activation date is set and in the past, the
- key is published (regardless of publication date) and
- used to sign the zone.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <listitem>
- <para>
- If the key's revocation date is set and in the past, and the
- key is published, then the key is revoked, and the revoked key
- is used to sign the zone.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <listitem>
- <para>
- If either of the key's unpublication or deletion dates are set
- and in the past, the key is NOT published or used to sign the
- zone, regardless of any other metadata.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-T <replaceable class="parameter">ttl</replaceable></term>
- <listitem>
- <para>
- Specifies the TTL to be used for new DNSKEY records imported
- into the zone from the key repository. If not specified,
- the default is the minimum TTL value from the zone's SOA
- record. This option is ignored when signing without
- <option>-S</option>, since DNSKEY records are not imported
- from the key repository in that case. It is also ignored if
- there are any pre-existing DNSKEY records at the zone apex,
- in which case new records' TTL values will be set to match
- them.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-t</term>
- <listitem>
- <para>
- Print statistics at completion.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-u</term>
- <listitem>
- <para>
- Update NSEC/NSEC3 chain when re-signing a previously signed
- zone. With this option, a zone signed with NSEC can be
- switched to NSEC3, or a zone signed with NSEC3 can
- be switch to NSEC or to NSEC3 with different parameters.
- Without this option, <command>dnssec-signzone</command> will
- retain the existing chain when re-signing.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-v <replaceable class="parameter">level</replaceable></term>
- <listitem>
- <para>
- Sets the debugging level.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-x</term>
- <listitem>
- <para>
- Only sign the DNSKEY RRset with key-signing keys, and omit
- signatures from zone-signing keys. (This is similar to the
- <command>dnssec-dnskey-kskonly yes;</command> zone option in
- <command>named</command>.)
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-z</term>
- <listitem>
- <para>
- Ignore KSK flag on key when determining what to sign. This
- causes KSK-flagged keys to sign all records, not just the
- DNSKEY RRset. (This is similar to the
- <command>update-check-ksk no;</command> zone option in
- <command>named</command>.)
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-3 <replaceable class="parameter">salt</replaceable></term>
- <listitem>
- <para>
- Generate an NSEC3 chain with the given hex encoded salt.
- A dash (<replaceable class="parameter">salt</replaceable>) can
- be used to indicate that no salt is to be used when generating the NSEC3 chain.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-H <replaceable class="parameter">iterations</replaceable></term>
- <listitem>
- <para>
- When generating an NSEC3 chain, use this many interations. The
- default is 10.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-A</term>
- <listitem>
- <para>
- When generating an NSEC3 chain set the OPTOUT flag on all
- NSEC3 records and do not generate NSEC3 records for insecure
- delegations.
- </para>
- <para>
- Using this option twice (i.e., <option>-AA</option>)
- turns the OPTOUT flag off for all records. This is useful
- when using the <option>-u</option> option to modify an NSEC3
- chain which previously had OPTOUT set.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>zonefile</term>
- <listitem>
- <para>
- The file containing the zone to be signed.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>key</term>
- <listitem>
- <para>
- Specify which keys should be used to sign the zone. If
- no keys are specified, then the zone will be examined
- for DNSKEY records at the zone apex. If these are found and
- there are matching private keys, in the current directory,
- then these will be used for signing.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
- <refsect1>
- <title>EXAMPLE</title>
- <para>
- The following command signs the <userinput>example.com</userinput>
- zone with the DSA key generated by <command>dnssec-keygen</command>
- (Kexample.com.+003+17247). Because the <command>-S</command> option
- is not being used, the zone's keys must be in the master file
- (<filename>db.example.com</filename>). This invocation looks
- for <filename>dsset</filename> files, in the current directory,
- so that DS records can be imported from them (<command>-g</command>).
- </para>
- <programlisting>% dnssec-signzone -g -o example.com db.example.com \
- Kexample.com.+003+17247
- db.example.com.signed
- %</programlisting>
- <para>
- In the above example, <command>dnssec-signzone</command> creates
- the file <filename>db.example.com.signed</filename>. This
- file should be referenced in a zone statement in a
- <filename>named.conf</filename> file.
- </para>
- <para>
- This example re-signs a previously signed zone with default parameters.
- The private keys are assumed to be in the current directory.
- </para>
- <programlisting>% cp db.example.com.signed db.example.com
- % dnssec-signzone -o example.com db.example.com
- db.example.com.signed
- %</programlisting>
- </refsect1>
- <refsect1>
- <title>SEE ALSO</title>
- <para><citerefentry>
- <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
- <citetitle>RFC 4033</citetitle>.
- </para>
- </refsect1>
- <refsect1>
- <title>AUTHOR</title>
- <para><corpauthor>Internet Systems Consortium</corpauthor>
- </para>
- </refsect1>
- </refentry><!--
- - Local variables:
- - mode: sgml
- - End:
- -->