PageRenderTime 45ms CodeModel.GetById 35ms app.highlight 4ms RepoModel.GetById 0ms app.codeStats 0ms

/contrib/bind9/bin/dnssec/dnssec-signzone.docbook

https://bitbucket.org/freebsd/freebsd-head/
Unknown | 695 lines | 640 code | 55 blank | 0 comment | 0 complexity | 34ef981e9af694f1aa4567156ed8fa3e MD5 | raw file
  1<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
  2               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
  3	       [<!ENTITY mdash "&#8212;">]>
  4<!--
  5 - Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  6 - Copyright (C) 2000-2003  Internet Software Consortium.
  7 -
  8 - Permission to use, copy, modify, and/or distribute this software for any
  9 - purpose with or without fee is hereby granted, provided that the above
 10 - copyright notice and this permission notice appear in all copies.
 11 -
 12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 14 - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 18 - PERFORMANCE OF THIS SOFTWARE.
 19-->
 20
 21<!-- $Id: dnssec-signzone.docbook,v 1.44 2009/12/03 23:18:16 each Exp $ -->
 22<refentry id="man.dnssec-signzone">
 23  <refentryinfo>
 24    <date>June 05, 2009</date>
 25  </refentryinfo>
 26
 27  <refmeta>
 28    <refentrytitle><application>dnssec-signzone</application></refentrytitle>
 29   <manvolnum>8</manvolnum>
 30    <refmiscinfo>BIND9</refmiscinfo>
 31  </refmeta>
 32
 33  <refnamediv>
 34    <refname><application>dnssec-signzone</application></refname>
 35    <refpurpose>DNSSEC zone signing tool</refpurpose>
 36  </refnamediv>
 37
 38  <docinfo>
 39    <copyright>
 40      <year>2004</year>
 41      <year>2005</year>
 42      <year>2006</year>
 43      <year>2007</year>
 44      <year>2008</year>
 45      <year>2009</year>
 46      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
 47    </copyright>
 48    <copyright>
 49      <year>2000</year>
 50      <year>2001</year>
 51      <year>2002</year>
 52      <year>2003</year>
 53      <holder>Internet Software Consortium.</holder>
 54    </copyright>
 55  </docinfo>
 56
 57  <refsynopsisdiv>
 58    <cmdsynopsis>
 59      <command>dnssec-signzone</command>
 60      <arg><option>-a</option></arg>
 61      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
 62      <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
 63      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
 64      <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
 65      <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
 66      <arg><option>-g</option></arg>
 67      <arg><option>-h</option></arg>
 68      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
 69      <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
 70      <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
 71      <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
 72      <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
 73      <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
 74      <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
 75      <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
 76      <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
 77      <arg><option>-p</option></arg>
 78      <arg><option>-P</option></arg>
 79      <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
 80      <arg><option>-S</option></arg>
 81      <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
 82      <arg><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
 83      <arg><option>-t</option></arg>
 84      <arg><option>-u</option></arg>
 85      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
 86      <arg><option>-x</option></arg>
 87      <arg><option>-z</option></arg>
 88      <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
 89      <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
 90      <arg><option>-A</option></arg>
 91      <arg choice="req">zonefile</arg>
 92      <arg rep="repeat">key</arg>
 93    </cmdsynopsis>
 94  </refsynopsisdiv>
 95
 96  <refsect1>
 97    <title>DESCRIPTION</title>
 98    <para><command>dnssec-signzone</command>
 99      signs a zone.  It generates
100      NSEC and RRSIG records and produces a signed version of the
101      zone. The security status of delegations from the signed zone
102      (that is, whether the child zones are secure or not) is
103      determined by the presence or absence of a
104      <filename>keyset</filename> file for each child zone.
105    </para>
106  </refsect1>
107
108  <refsect1>
109    <title>OPTIONS</title>
110
111    <variablelist>
112      <varlistentry>
113        <term>-a</term>
114        <listitem>
115          <para>
116            Verify all generated signatures.
117          </para>
118        </listitem>
119      </varlistentry>
120
121      <varlistentry>
122        <term>-c <replaceable class="parameter">class</replaceable></term>
123        <listitem>
124          <para>
125            Specifies the DNS class of the zone.
126          </para>
127        </listitem>
128      </varlistentry>
129
130      <varlistentry>
131        <term>-C</term>
132        <listitem>
133          <para>
134            Compatibility mode: Generate a
135            <filename>keyset-<replaceable>zonename</replaceable></filename>
136            file in addition to
137            <filename>dsset-<replaceable>zonename</replaceable></filename>
138            when signing a zone, for use by older versions of
139            <command>dnssec-signzone</command>.
140          </para>
141        </listitem>
142      </varlistentry>
143
144      <varlistentry>
145        <term>-d <replaceable class="parameter">directory</replaceable></term>
146        <listitem>
147          <para>
148            Look for <filename>dsset-</filename> or
149            <filename>keyset-</filename> files in <option>directory</option>.
150          </para>
151        </listitem>
152      </varlistentry>
153
154      <varlistentry>
155        <term>-E <replaceable class="parameter">engine</replaceable></term>
156        <listitem>
157          <para>
158            Uses a crypto hardware (OpenSSL engine) for the crypto operations
159            it supports, for instance signing with private keys from
160            a secure key store. When compiled with PKCS#11 support
161            it defaults to pkcs11; the empty name resets it to no engine.
162          </para>
163        </listitem>
164      </varlistentry>
165
166      <varlistentry>
167        <term>-g</term>
168        <listitem>
169          <para>
170            Generate DS records for child zones from
171            <filename>dsset-</filename> or <filename>keyset-</filename>
172            file.  Existing DS records will be removed.
173          </para>
174        </listitem>
175      </varlistentry>
176
177      <varlistentry>
178        <term>-K <replaceable class="parameter">directory</replaceable></term>
179        <listitem>
180          <para>
181            Key repository: Specify a directory to search for DNSSEC keys.
182            If not specified, defaults to the current directory.
183          </para>
184        </listitem>
185      </varlistentry>
186
187      <varlistentry>
188        <term>-k <replaceable class="parameter">key</replaceable></term>
189        <listitem>
190          <para>
191            Treat specified key as a key signing key ignoring any
192            key flags.  This option may be specified multiple times.
193          </para>
194        </listitem>
195      </varlistentry>
196
197      <varlistentry>
198        <term>-l <replaceable class="parameter">domain</replaceable></term>
199        <listitem>
200          <para>
201            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
202            The domain is appended to the name of the records.
203          </para>
204        </listitem>
205      </varlistentry>
206
207      <varlistentry>
208        <term>-s <replaceable class="parameter">start-time</replaceable></term>
209        <listitem>
210          <para>
211            Specify the date and time when the generated RRSIG records
212            become valid.  This can be either an absolute or relative
213            time.  An absolute start time is indicated by a number
214            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
215            14:45:00 UTC on May 30th, 2000.  A relative start time is
216            indicated by +N, which is N seconds from the current time.
217            If no <option>start-time</option> is specified, the current
218            time minus 1 hour (to allow for clock skew) is used.
219          </para>
220        </listitem>
221      </varlistentry>
222
223      <varlistentry>
224        <term>-e <replaceable class="parameter">end-time</replaceable></term>
225        <listitem>
226          <para>
227            Specify the date and time when the generated RRSIG records
228            expire.  As with <option>start-time</option>, an absolute
229            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
230            to the start time is indicated with +N, which is N seconds from
231            the start time.  A time relative to the current time is
232            indicated with now+N.  If no <option>end-time</option> is
233            specified, 30 days from the start time is used as a default.
234            <option>end-time</option> must be later than
235            <option>start-time</option>.
236          </para>
237        </listitem>
238      </varlistentry>
239
240      <varlistentry>
241        <term>-f <replaceable class="parameter">output-file</replaceable></term>
242        <listitem>
243          <para>
244            The name of the output file containing the signed zone.  The
245            default is to append <filename>.signed</filename> to
246            the
247            input filename.
248          </para>
249        </listitem>
250      </varlistentry>
251
252      <varlistentry>
253        <term>-h</term>
254        <listitem>
255          <para>
256            Prints a short summary of the options and arguments to
257            <command>dnssec-signzone</command>.
258          </para>
259        </listitem>
260      </varlistentry>
261
262      <varlistentry>
263        <term>-i <replaceable class="parameter">interval</replaceable></term>
264        <listitem>
265          <para>
266            When a previously-signed zone is passed as input, records
267            may be resigned.  The <option>interval</option> option
268            specifies the cycle interval as an offset from the current
269            time (in seconds).  If a RRSIG record expires after the
270            cycle interval, it is retained.  Otherwise, it is considered
271            to be expiring soon, and it will be replaced.
272          </para>
273          <para>
274            The default cycle interval is one quarter of the difference
275            between the signature end and start times.  So if neither
276            <option>end-time</option> or <option>start-time</option>
277            are specified, <command>dnssec-signzone</command>
278            generates
279            signatures that are valid for 30 days, with a cycle
280            interval of 7.5 days.  Therefore, if any existing RRSIG records
281            are due to expire in less than 7.5 days, they would be
282            replaced.
283          </para>
284        </listitem>
285      </varlistentry>
286
287      <varlistentry>
288        <term>-I <replaceable class="parameter">input-format</replaceable></term>
289        <listitem>
290          <para>
291            The format of the input zone file.
292	    Possible formats are <command>"text"</command> (default)
293	    and <command>"raw"</command>.
294	    This option is primarily intended to be used for dynamic
295            signed zones so that the dumped zone file in a non-text
296            format containing updates can be signed directly.
297	    The use of this option does not make much sense for
298	    non-dynamic zones.
299          </para>
300        </listitem>
301      </varlistentry>
302
303      <varlistentry>
304        <term>-j <replaceable class="parameter">jitter</replaceable></term>
305        <listitem>
306          <para>
307            When signing a zone with a fixed signature lifetime, all
308            RRSIG records issued at the time of signing expires
309            simultaneously.  If the zone is incrementally signed, i.e.
310            a previously-signed zone is passed as input to the signer,
311            all expired signatures have to be regenerated at about the
312            same time.  The <option>jitter</option> option specifies a
313            jitter window that will be used to randomize the signature
314            expire time, thus spreading incremental signature
315            regeneration over time.
316          </para>
317          <para>
318            Signature lifetime jitter also to some extent benefits
319            validators and servers by spreading out cache expiration,
320            i.e. if large numbers of RRSIGs don't expire at the same time
321            from all caches there will be less congestion than if all
322            validators need to refetch at mostly the same time.
323          </para>
324        </listitem>
325      </varlistentry>
326
327      <varlistentry>
328        <term>-n <replaceable class="parameter">ncpus</replaceable></term>
329        <listitem>
330          <para>
331            Specifies the number of threads to use.  By default, one
332            thread is started for each detected CPU.
333          </para>
334        </listitem>
335      </varlistentry>
336
337      <varlistentry>
338        <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
339        <listitem>
340          <para>
341            The SOA serial number format of the signed zone.
342	    Possible formats are <command>"keep"</command> (default),
343            <command>"increment"</command> and
344	    <command>"unixtime"</command>.
345          </para>
346
347          <variablelist>
348	    <varlistentry>
349	      <term><command>"keep"</command></term>
350              <listitem>
351                <para>Do not modify the SOA serial number.</para>
352	      </listitem>
353            </varlistentry>
354
355	    <varlistentry>
356	      <term><command>"increment"</command></term>
357              <listitem>
358                <para>Increment the SOA serial number using RFC 1982
359                      arithmetics.</para>
360	      </listitem>
361            </varlistentry>
362
363	    <varlistentry>
364	      <term><command>"unixtime"</command></term>
365              <listitem>
366                <para>Set the SOA serial number to the number of seconds
367	        since epoch.</para>
368	      </listitem>
369            </varlistentry>
370	 </variablelist>
371
372        </listitem>
373      </varlistentry>
374
375      <varlistentry>
376        <term>-o <replaceable class="parameter">origin</replaceable></term>
377        <listitem>
378          <para>
379            The zone origin.  If not specified, the name of the zone file
380            is assumed to be the origin.
381          </para>
382        </listitem>
383      </varlistentry>
384
385      <varlistentry>
386        <term>-O <replaceable class="parameter">output-format</replaceable></term>
387        <listitem>
388          <para>
389            The format of the output file containing the signed zone.
390	    Possible formats are <command>"text"</command> (default)
391	    and <command>"raw"</command>.
392          </para>
393        </listitem>
394      </varlistentry>
395
396      <varlistentry>
397        <term>-p</term>
398        <listitem>
399          <para>
400            Use pseudo-random data when signing the zone.  This is faster,
401            but less secure, than using real random data.  This option
402            may be useful when signing large zones or when the entropy
403            source is limited.
404          </para>
405        </listitem>
406      </varlistentry>
407
408      <varlistentry>
409        <term>-P</term>
410        <listitem>
411          <para>
412	    Disable post sign verification tests.
413          </para>
414          <para>
415	    The post sign verification test ensures that for each algorithm
416	    in use there is at least one non revoked self signed KSK key,
417	    that all revoked KSK keys are self signed, and that all records
418	    in the zone are signed by the algorithm.
419	    This option skips these tests.
420          </para>
421        </listitem>
422      </varlistentry>
423
424      <varlistentry>
425        <term>-r <replaceable class="parameter">randomdev</replaceable></term>
426        <listitem>
427          <para>
428            Specifies the source of randomness.  If the operating
429            system does not provide a <filename>/dev/random</filename>
430            or equivalent device, the default source of randomness
431            is keyboard input.  <filename>randomdev</filename>
432            specifies
433            the name of a character device or file containing random
434            data to be used instead of the default.  The special value
435            <filename>keyboard</filename> indicates that keyboard
436            input should be used.
437          </para>
438        </listitem>
439      </varlistentry>
440
441      <varlistentry>
442        <term>-S</term>
443        <listitem>
444          <para>
445            Smart signing: Instructs <command>dnssec-signzone</command> to
446            search the key repository for keys that match the zone being
447            signed, and to include them in the zone if appropriate.
448          </para>
449          <para>
450            When a key is found, its timing metadata is examined to
451            determine how it should be used, according to the following
452            rules.  Each successive rule takes priority over the prior
453            ones:
454          </para>
455          <variablelist>
456	    <varlistentry>
457              <listitem>
458                <para>
459                  If no timing metadata has been set for the key, the key is
460                  published in the zone and used to sign the zone.
461                </para>
462	      </listitem>
463            </varlistentry>
464
465	    <varlistentry>
466              <listitem>
467                <para>
468                  If the key's publication date is set and is in the past, the
469                  key is published in the zone.
470                </para>
471	      </listitem>
472            </varlistentry>
473
474	    <varlistentry>
475              <listitem>
476                <para>
477                  If the key's activation date is set and in the past, the
478                  key is published (regardless of publication date) and
479                  used to sign the zone.  
480                </para>
481	      </listitem>
482            </varlistentry>
483
484	    <varlistentry>
485              <listitem>
486                <para>
487                  If the key's revocation date is set and in the past, and the
488                  key is published, then the key is revoked, and the revoked key
489                  is used to sign the zone.
490                </para>
491	      </listitem>
492            </varlistentry>
493
494	    <varlistentry>
495              <listitem>
496                <para>
497                  If either of the key's unpublication or deletion dates are set
498                  and in the past, the key is NOT published or used to sign the
499                  zone, regardless of any other metadata.
500                </para>
501	      </listitem>
502            </varlistentry>
503	 </variablelist>
504        </listitem>
505      </varlistentry>
506
507      <varlistentry>
508        <term>-T <replaceable class="parameter">ttl</replaceable></term>
509        <listitem>
510          <para>
511            Specifies the TTL to be used for new DNSKEY records imported
512            into the zone from the key repository.  If not specified,
513            the default is the minimum TTL value from the zone's SOA
514            record.  This option is ignored when signing without
515            <option>-S</option>, since DNSKEY records are not imported
516            from the key repository in that case.  It is also ignored if
517            there are any pre-existing DNSKEY records at the zone apex,
518            in which case new records' TTL values will be set to match
519            them.
520          </para>
521        </listitem>
522      </varlistentry>
523
524      <varlistentry>
525        <term>-t</term>
526        <listitem>
527          <para>
528            Print statistics at completion.
529          </para>
530        </listitem>
531      </varlistentry>
532
533      <varlistentry>
534        <term>-u</term>
535        <listitem>
536          <para>
537            Update NSEC/NSEC3 chain when re-signing a previously signed
538            zone.  With this option, a zone signed with NSEC can be
539            switched to NSEC3, or a zone signed with NSEC3 can
540            be switch to NSEC or to NSEC3 with different parameters.
541            Without this option, <command>dnssec-signzone</command> will
542            retain the existing chain when re-signing.
543          </para>
544        </listitem>
545      </varlistentry>
546
547      <varlistentry>
548        <term>-v <replaceable class="parameter">level</replaceable></term>
549        <listitem>
550          <para>
551            Sets the debugging level.
552          </para>
553        </listitem>
554      </varlistentry>
555
556      <varlistentry>
557        <term>-x</term>
558        <listitem>
559          <para>
560            Only sign the DNSKEY RRset with key-signing keys, and omit
561            signatures from zone-signing keys.  (This is similar to the
562            <command>dnssec-dnskey-kskonly yes;</command> zone option in
563            <command>named</command>.)
564          </para>
565        </listitem>
566      </varlistentry>
567
568      <varlistentry>
569        <term>-z</term>
570        <listitem>
571          <para>
572            Ignore KSK flag on key when determining what to sign.  This
573            causes KSK-flagged keys to sign all records, not just the
574            DNSKEY RRset.  (This is similar to the
575            <command>update-check-ksk no;</command> zone option in
576            <command>named</command>.)
577          </para>
578        </listitem>
579      </varlistentry>
580
581      <varlistentry>
582        <term>-3 <replaceable class="parameter">salt</replaceable></term>
583        <listitem>
584          <para>
585            Generate an NSEC3 chain with the given hex encoded salt.
586	    A dash (<replaceable class="parameter">salt</replaceable>) can
587	    be used to indicate that no salt is to be used when generating		    the NSEC3 chain.
588          </para>
589        </listitem>
590      </varlistentry>
591
592      <varlistentry>
593        <term>-H <replaceable class="parameter">iterations</replaceable></term>
594        <listitem>
595          <para>
596	    When generating an NSEC3 chain, use this many interations.  The
597	    default is 10.
598          </para>
599        </listitem>
600      </varlistentry>
601
602      <varlistentry>
603        <term>-A</term>
604        <listitem>
605          <para>
606	    When generating an NSEC3 chain set the OPTOUT flag on all
607	    NSEC3 records and do not generate NSEC3 records for insecure
608	    delegations.
609          </para>
610          <para>
611	    Using this option twice (i.e., <option>-AA</option>)
612	    turns the OPTOUT flag off for all records.  This is useful
613	    when using the <option>-u</option> option to modify an NSEC3
614	    chain which previously had OPTOUT set.
615          </para>
616        </listitem>
617      </varlistentry>
618
619      <varlistentry>
620        <term>zonefile</term>
621        <listitem>
622          <para>
623            The file containing the zone to be signed.
624          </para>
625        </listitem>
626      </varlistentry>
627
628      <varlistentry>
629        <term>key</term>
630        <listitem>
631          <para>
632	    Specify which keys should be used to sign the zone.  If
633	    no keys are specified, then the zone will be examined
634	    for DNSKEY records at the zone apex.  If these are found and
635	    there are matching private keys, in the current directory,
636	    then these will be used for signing.
637          </para>
638        </listitem>
639      </varlistentry>
640
641    </variablelist>
642  </refsect1>
643
644  <refsect1>
645    <title>EXAMPLE</title>
646    <para>
647      The following command signs the <userinput>example.com</userinput>
648      zone with the DSA key generated by <command>dnssec-keygen</command>
649      (Kexample.com.+003+17247).  Because the <command>-S</command> option
650      is not being used, the zone's keys must be in the master file
651      (<filename>db.example.com</filename>).  This invocation looks
652      for <filename>dsset</filename> files, in the current directory,
653      so that DS records can be imported from them (<command>-g</command>).
654    </para>
655<programlisting>% dnssec-signzone -g -o example.com db.example.com \
656Kexample.com.+003+17247
657db.example.com.signed
658%</programlisting>
659    <para>
660      In the above example, <command>dnssec-signzone</command> creates
661      the file <filename>db.example.com.signed</filename>.  This
662      file should be referenced in a zone statement in a
663      <filename>named.conf</filename> file.
664    </para>
665    <para>
666      This example re-signs a previously signed zone with default parameters.
667      The private keys are assumed to be in the current directory.
668    </para>
669<programlisting>% cp db.example.com.signed db.example.com
670% dnssec-signzone -o example.com db.example.com
671db.example.com.signed
672%</programlisting>
673  </refsect1>
674
675  <refsect1>
676    <title>SEE ALSO</title>
677    <para><citerefentry>
678        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
679      </citerefentry>,
680      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
681      <citetitle>RFC 4033</citetitle>.
682    </para>
683  </refsect1>
684
685  <refsect1>
686    <title>AUTHOR</title>
687    <para><corpauthor>Internet Systems Consortium</corpauthor>
688    </para>
689  </refsect1>
690
691</refentry><!--
692 - Local variables:
693 - mode: sgml
694 - End:
695-->