mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 22:15:20 +00:00
Code Issues Releases Wiki Activity

man pages have been moved to bin/dnssec

Browse Source
This commit is contained in:
Andreas Gustafsson
2001-01-18 01:05:50 +00:00
parent d4134b2fc3
commit e2b3253d77
4 changed files with 0 additions and 1013 deletions
Download Patch File Download Diff File Expand all files Collapse all files

309
doc/man/dnssec/dnssec-keygen.8
View File

@@ -1,309 +0,0 @@
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" $Id: dnssec-keygen.8,v 1.12 2001/01/09 21:47:21 bwelling Exp $
.Dd Jun 30, 2000
.Dt DNSSEC-KEYGEN 8
.Os BIND9 9
.ds vT BIND9 Programmer's Manual
.Sh NAME
.Nm dnssec-keygen
.Nd key generation tool for DNSSEC
.Sh SYNOPSIS
.Nm dnssec-keygen
.Fl a Ar algorithm
.Fl b Ar keysize
.Op Fl c Ar class
.Op Fl e
.Op Fl g Ar generator
.Op Fl h
.Fl n Ar nametype
.Op Fl p Ar protocol-value
.Op Fl r Ar randomdev
.Op Fl s Ar strength-value
.Op Fl t Ar type
.Op Fl v Ar level
.Ar name
.Sh DESCRIPTION
.Nm dnssec-keygen
generates keys for DNSSEC, Secure DNS, as defined in RFC2535.
It also generates keys for use in Transaction Signatures, TSIG, which
is defined in RFC2845.
.Pp
A short summary of the options and arguments to
.Nm dnssec-keygen
is printed by the
.Fl h
(help) option.
.Pp
The
.Fl a ,
.Fl b ,
and
.Fl n
options and their arguments must be supplied when generating keys.
The domain name that the key has to be generated for is given by
.Ar name .
.Pp
The choice of encryption algorithm is selected by the
.Fl a
option to
.Nm dnssec-keygen .
.Ar algorithm
must be one of
.Dv RSAMD5 ,
.Dv DH ,
.Dv DSA
or
.Dv HMAC-MD5
to indicate that an RSA, Diffie-Hellman, Digital Signature
Algorithm or HMAC-MD5 key is required.
An argument of
.Dv RSA
can also be given, which is equivalent to
.Dv RSAMD5 .
The argument identifying the encryption algorithm is case-insensitive.
DNSSEC specifies DSA as a mandatory algorithm and RSA as a recommended one.
Implementations of TSIG must support HMAC-MD5.
.Pp
The number of bits in the key is determined by the
.Ar keysize
argument following the
.Fl b
option.
The choice of key size depends on the algorithm that is used.
RSA keys must be between 512 and 2048 bits.
Diffie-Hellman keys must be between 128 and 4096 bits.
For DSA, the key size must be between 512 and 1024 bits and a multiple
of 64.
The length of an HMAC-MD5 key can be between 1 and 512 bits.
.Pp
The
.Fl n
option specifies how the generated key will be used.
.Ar nametype
can be either
.Dv ZONE ,
.Dv HOST ,
.Dv ENTITY ,
or
.Dv USER
to indicate that the key will be used for signing a zone, host,
entity or user respectively.
In this context
.Dv HOST
and
.Dv ENTITY
are identical.
.Ar nametype
is case-insensitive.
.Pp
The
.Fl c
option specifies that the when creating a KEY record, the specified class
should be used instead of IN.
.Pp
The
.Fl e
option can only be used when generating RSA keys.
It tells
.Nm dnssec-keygen
to use a large exponent.
When creating Diffie-Hellman keys, the
.Fl g
option selects the Diffie-Hellman generator
.Ar generator
that is to be used.
The only supported values value of
.Ar generator
are 2 and 5.
If no Diffie-Hellman generator is supplied, a known prime
from RFC2539 will be used if possible; otherwise 2 will be used as the
generator.
.Pp
The
.Fl p
option sets the protocol value for the generated key to
.Ar protocol-value .
The default is 2 (email) for keys of type
.Dv USER
and 3 (DNSSEC) for all other key types.
Other possible values for this argument are listed in RFC2535 and its
successors.
.Pp
.Nm dnssec-keygen
uses random numbers to seed the process
of generating keys.
If the system does not have a
.Pa /dev/random
device that can be used for generating random numbers,
.Nm dnssec-keygen
will prompt for keyboard input and use the time intervals between
keystrokes to provide randomness.
The
.Fl r
option overrides this behaviour, making
.Nm dnssec-keygen
use
.Ar randomdev
as a source of random data.
.Pp
The key's strength value can be set with the
.Fl s
option.
The generated key will sign DNS resource records
with a strength value of
.Ar strength-value .
It should be a number between 0 and 15.
The default strength is zero.
The key strength field currently has no defined purpose in DNSSEC.
.Pp
The
.Fl t
option indicates if the key is to be used for authentication or
confidentiality.
.Ar type
can be one of
.Dv AUTHCONF ,
.Dv NOAUTHCONF ,
.Dv NOAUTH
or
.Dv NOCONF .
The default is
.Dv AUTHCONF .
If type is
.Dv AUTHCONF
the key can be used for authentication and confidentialty.
Setting
.Ar type
to
.Dv NOAUTHCONF
indicates that the key cannot be used for authentication or confidentialty.
A value of
.Dv NOAUTH
means the key can be used for confidentiality but not for
authentication.
Similarly,
.Dv NOCONF
defines that the key cannot be used for confidentiality though it can
be used for authentication.
.Pp
The
.Fl v
option can be used to make
.Nm dnssec-keygen
more verbose.
As the debugging/tracing level
.Ar level
increases,
.Nm dnssec-keygen
generates increasingly detailed reports about what it is doing.
The default level is zero.
.Sh GENERATED KEYS
When
.Nm dnssec-keygen
completes it prints a string of the form
.Ar Knnnn.+aaa+iiiii
on the standard output.
This is an identification string for the key it has generated.
These strings can be supplied as arguments to
.Xr dnssec-makekeyset 8 .
.Pp
The
.Ar nnnn.
part is the dot-terminated domain name given by
.Ar name .
The DNSSEC algorithm identifier is indicated by
.Ar aaa -
001 for RSA, 002 for Diffie-Hellman, 003 for DSA or 157 for HMAC-MD5.
.Ar iiiii
is a five-digit number identifying the key.
.Pp
.Nm dnssec-keygen
creates two files.
The file names are adapted from the key identification string above.
They have names of the form:
.Ar Knnnn.+aaa+iiiii.key
and
.Ar Knnnn.+aaa+iiiii.private .
These contain the public and private parts of the key respectively.
The files generated by
.Nm dnssec-keygen
obey this naming convention to
make it easy for the signing tool
.Xr dnssec-signzone 8
to identify which file(s) have to be read to find the necessary
key(s) for generating or validating signatures.
.Pp
The
.Ar .key
file contains a KEY resource record that can be inserted into a zone file
with a
.Dv $INCLUDE
statement.
The private part of the key is in the
.Ar .private
file.
It contains details of the encryption algorithm that was used and any
relevant parameters: prime number, exponent, modulus, subprime, etc.
For obvious security reasons, this file does not have general read
permission.
The private part of the key is used by
.Xr dnssec-signzone 8
to generate signatures and the public part is used to verify the
signatures.
Both
.Ar .key
and
.Ar .private
key files are generated for symmetric encryption algorithm such as
HMAC-MD5, even though the public and private key are equivalent.
.Sh EXAMPLE
To generate a 768-bit DSA key for the domain
.Dv example.com ,
the following command would be issued:
.Pp
.Dl # dnssec-keygen -a DSA -b 768 -n ZONE example.com
.Dl Kexample.com.+003+26160
.Pp
.Nm dnssec-keygen
has printed the key identification string
.Dv Kexample.com.+003+26160 ,
indicating a DSA key with identifier 26160.
It will also have created the files
.Pa Kexample.com.+003+26160.key
and
.Pa Kexample.com.+003+26160.private
containing respectively the public and private keys for the generated
DSA key.
.Sh FILES
.Pa /dev/random
.Sh SEE ALSO
.Xr RFC2535,
.Xr RFC2845,
.Xr RFC2539,
.Xr dnssec-makekeyset 8 ,
.Xr dnssec-signkey 8 ,
.Xr dnssec-signzone 8 .
.Sh BUGS
The naming convention for the public and private key files is a little
clumsy.
It won't work for domain names that are longer than 236 characters
because of the
.Ar .+aaa+iiiii.private
suffix results in filenames that are too long for most
.Ux
systems.

210
doc/man/dnssec/dnssec-makekeyset.8
View File

@@ -1,210 +0,0 @@
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" $Id: dnssec-makekeyset.8,v 1.10 2001/01/09 21:47:23 bwelling Exp $
.Dd Jun 30, 2000
.Dt DNSSEC-MAKEKEYSET 8
.Os BIND9 9
.ds vT BIND9 Programmer's Manual
.Sh NAME
.Nm dnssec-makekeyset
.Nd produce a set of DNSSEC keys
.Sh SYNOPSIS
.Nm dnssec-makekeyset
.Op Fl h
.Op Fl s Ar start-time
.Op Fl e Ar end-time
.Op Fl t Ar TTL
.Op Fl r Ar randomdev
.Op Fl p
.Op Fl v Ar level
.Ar keyfile ....
.Sh DESCRIPTION
.Nm dnssec-makekeyset
generates a key set from one or more keys created by
.Xr dnssec-keygen 8 .
It creates a file containing KEY and SIG records for some zone which
can then be signed by the zone's parent if the parent zone is
DNSSEC-aware.
.Ar keyfile
should be a key identification string as reported by
.Xr dnssec-keygen 8 :
i.e.
.Ar Knnnn.+aaa+iiiii
where
.Ar nnnn
is the name of the key,
.Ar aaa
is the encryption algorithm and
.Ar iiiii
is the key identifier.
Multiple
.Ar keyfile
arguments can be supplied when there are several keys to be combined
by
.Nm dnssec-makekeyset
into a key set.
.Pp
For any SIG records that are in the key set, the start time when the
SIG records become valid is specified with the
.Fl s
option.
.Ar start-time
can either be an absolute or relative date.
An absolute start time is indicated by a number in YYYYMMDDHHMMSS
notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.
A relative start time is supplied when
.Ar start-time
is given as +N: N seconds from the current time.
If no
.Fl s
option is supplied, the current date and time is used for the start
time of the SIG records.
.Pp
The expiry date for the SIG records can be set by the
.Fl e
option.
Note that in this context, the expiry date specifies when the SIG
records are no longer valid, not when they are deleted from caches on name
servers.
.Ar end-date
also represents an absolute or relative date.
YYYYMMDDHHMMSS notation is used as before to indicate an absolute date
and time.
When
.Ar end-date
is +N,
it indicates that the SIG records will expire in N seconds after their
start date.
If
.Ar end-date
is written as now+N,
the SIG records will expire in N seconds after the current time.
When no expiry date is set for the SIG records,
.Nm dnssec-makekeyset
defaults to an expire time of 30 days from the start time of the SIG
records.
.Pp
An alternate source of random data can be specified with the
.Fl r
option.
.Ar randomdev
is the name of the file to use to obtain random data.
By default
.Pa /dev/random
is used if this device is available.
If it is not provided by the operating system and no
.Fl r
option is used,
.Nm dnssec-makekeyset
will prompt the user for input from the keyboard and use the time
between keystrokes to derive some random data.
.Pp
The
.Fl p
option instructs
.Nm dnssec-makekeyset
to use pseudo-random data when self-signing the keyset. This is faster, but
less secure, than using genuinely random data for signing.
This option may be useful when the entropy source is limited.
.Pp
The
.Fl t
option is followed by a time-to-live argument
.Ar TTL
which indicates the TTL value that will be assigned to the assembled KEY
and SIG records in the output file.
.Ar TTL
is expressed in seconds.
If no
.Fl t
option is provided,
.Nm dnssec-makekeyset
prints a warning and uses a default TTL of 3600 seconds.
.Pp
The
.Fl v
option can be used to make
.Nm dnssec-makekeyset
more verbose.
As the debugging/tracing level
.Ar level
increases,
.Nm dnssec-makekeyset
generates increasingly detailed reports about what it is doing.
The default level is zero.
.Pp
The
.Fl h
option makes
.Nm dnssec-makekeyset
to print a short summary of its options and arguments.
.Pp
If
.Nm dnssec-makekeyset
is successful, it creates a file name of the form
.Ar keyset-nnnn. .
This file contains the KEY and SIG records for domain
.Dv nnnn ,
the domain name part from the key file identifier produced when
.Nm dnssec-keygen
created the domain's public and private keys.
The
.Ar keyset
file can then be transferred to the DNS administrator of the parent
zone for them to sign the contents with
.Xr dnssec-signkey 8 .
.Sh EXAMPLE
The following command generates a key set for the DSA key for
.Dv example.com
that was shown in the
.Xr dnssec-keygen 8
man page.
The backslash is for typographic reasons and would not be provided on
the command line when running
.Nm dnssec-makekeyset .
.nf
.Dl # dnssec-makekeyset -t 86400 -s 20000701120000 \e\p
.Dl -e +2592000 Kexample.com.+003+26160
.fi
.Pp
.Nm dnssec-makekeyset
will create a file called
.Pa keyset-example.com.
containing a SIG and KEY record for
.Dv example.com.
These records will have a TTL of 86400 seconds (1 day).
The SIG record becomes valid at noon UTC on July 1st 2000 and expires
30 days (2592000 seconds) later.
.Pp
The DNS administrator for
.Dv example.com
could then send
.Pa keyset-example.com.
to the DNS administrator for
.Dv .com
so that they could sign the resource records in the file.
This assumes that the
.Dv .com
zone is DNSSEC-aware and the administrators of the two zones have some
mechanism for authenticating each other and exchanging the keys and
signatures securely.
.Sh FILES
.Pa /dev/random .
.Sh SEE ALSO
.Xr RFC2535 ,
.Xr dnssec-keygen 8 ,
.Xr dnssec-signkey 8 .

209
doc/man/dnssec/dnssec-signkey.8
View File

@@ -1,209 +0,0 @@
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" $Id: dnssec-signkey.8,v 1.12 2001/01/09 21:47:24 bwelling Exp $
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNKEY 8
.Os BIND9 9
.ds vT BIND9 Programmer's Manual
.Sh NAME
.Nm dnssec-signkey
.Nd DNSSEC keyset signing tool
.Sh SYNOPSIS
.Nm dnssec-signkey
.Op Fl h
.Op Fl s Ar start-time
.Op Fl e Ar end-time
.Op Fl c Ar class
.Op Fl p
.Op Fl r Ar randomdev
.Op Fl v Ar level
.Ar keyset
.Ar keyfile ...
.Sh DESCRIPTION
.Nm dnssec-signkey
is used to sign a key set for a child zone.
Typically this would be provided by a
.Ar keyset
file generated by
.Xr dnssec-makekeyset 8 .
This provides a mechanism for a DNSSEC-aware zone to sign the keys of
any DNSSEC-aware child zones.
The child zone's key set gets signed with the zone keys for its parent
zone.
.Ar keyset
will be the pathname of the child zone's
.Ar keyset
file.
Each
.Ar keyfile
argument will be a key identification string as reported by
.Xr dnssec-keygen 8
for the parent zone.
This allows the child's keys to be signed by more than one
parent zone key.
.Pp
The
.Fl h
option makes
.Nm dnssec-signkey
print a short summary of its command line options
and arguments.
.Pp
By default, the validity period of the generated SIG records is copied
from that of the signatures in the input key set. This may be overriden
with the
.Fl s
and
.Fl e
options, both of which must be present if either is.
The start of the validity period is specified with the
.Fl s
option.
.Ar start-time
can either be an absolute or relative date.
An absolute start time is indicated by a number in YYYYMMDDHHMMSS
notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.
A relative start time is supplied when
.Ar start-time
is given as +N: N seconds from the current time.
If no
.Fl s
option is supplied, the current date and time is used for the start
time of the SIG records.
.Pp
The expiry date for the SIG records can be set by the
.Fl e
option.
Note that in this context, the expiry date specifies when the SIG
records are no longer valid, not when they are deleted from caches on name
servers.
.Ar end-date
also represents an absolute or relative date.
YYYYMMDDHHMMSS notation is used as before to indicate an absolute date
and time.
When
.Ar end-date
is +N,
it indicates that the SIG records will expire in N seconds after their
start date.
If
.Ar end-date
is written as now+N,
the SIG records will expire in N seconds after the current time.
.Pp
The
.Fl c
option specifies that the KEY records in the input and output key sets should
have the specified class instead of IN.
.Pp
.Nm dnssec-signkey
may need random numbers in the process of generating keys.
If the system does not have a
.Pa /dev/random
device that can be used for generating random numbers,
.Nm dnssec-signkey
will prompt for keyboard input and use the time intervals between
keystrokes to provide randomness.
The
.Fl r
option overrides this behaviour, making
.Nm dnssec-signkey
use
.Ar randomdev
as a source of random data.
.Pp
The
.Fl p
option instructs
.Nm dnssec-signkey
to use pseudo-random data when signing the keys. This is faster, but
less secure, than using genuinely random data for signing.
This option may be useful when there are many child zone keysets to
sign or if the entropy source is limited.
It could also be used for short-lived keys and signatures that don't
require as much protection against cryptanalysis, such as when the key
will be discarded long before it could be compromised.
.Pp
The
.Fl v
option can be used to make
.Nm dnssec-signkey
more verbose.
As the debugging/tracing level
.Ar level
increases,
.Nm dnssec-signkey
generates increasingly detailed reports about what it is doing.
The default level is zero.
.Pp
When
.Nm dnssec-signkey
completes successfully, it generates a file called
.Ar signedkey-nnnn.
containing the signed keys for child zone
.Ar nnnn .
The keys from the
.Ar keyset
file will have been signed by the parent zone's key or keys which were
supplied as
.Ar keyfile
arguments.
This file should be sent to the DNS administrator of the child zone.
They arrange for its contents to be incorporated into the zone file
when it next gets signed with
.Xr dnssec-signzone 8 .
A copy of the generated
.Ar signedkey
file should be kept by the parent zone's DNS administrator, since
it will be needed when signing the parent zone.
.Sh EXAMPLE
The DNS administrator for a DNSSEC-aware
.Dv .com
zone would use the following command to make
.Nm dnssec-signkey
sign the
.Ar keyset
file for
.Dv example.com
created in the example shown in the man page for
.Xr dnssec-makekeyset 8 :
.Pp
.Dl # dnssec-signkey keyset-example.com. Kcom.+003+51944
.Pp
where
.Dv Kcom.+003+51944
was a key file identifier that was produced when
.Xr dnssec-keygen 8
generated a key for the
.Dv .com
zone.
.Pp
.Nm dnssec-signkey
will produce a file called
.Dv signedkey-example.com.
which has the keys for
.Dv example.com
signed by the
.Dv com
zone's zone key.
.Sh FILES
.Pa /dev/random
.Sh SEE ALSO
.Xr RFC2535,
.Xr dnssec-keygen 8 ,
.Xr dnssec-makekeyset 8 ,
.Xr dnssec-signzone 8 .

285
doc/man/dnssec/dnssec-signzone.8
View File

@@ -1,285 +0,0 @@
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" $Id: dnssec-signzone.8,v 1.17 2001/01/09 21:47:25 bwelling Exp $
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNZONE 8
.Os BIND9 9
.ds vT BIND9 Programmer's Manual
.Sh NAME
.Nm dnssec-signzone
.Nd DNSSEC zone signing tool
.Sh SYNOPSIS
.Nm dnssec-signzone
.Op Fl a
.Op Fl c Ar class
.Op Fl d Ar directory
.Op Fl s Ar start-time
.Op Fl e Ar end-time
.Op Fl i Ar interval
.Op Fl o Ar origin
.Op Fl f Ar output-file
.Op Fl p
.Op Fl r Ar randomdev
.Op Fl t
.Op Fl v Ar level
.Op Fl n Ar nthreads
.Ar zonefile
.Op keyfile ....
.Sh DESCRIPTION
.Pp
.Nm dnssec-signzone
is used to sign a zone.
Any
.Ar signedkey
files for the zone to be signed should be present in the current
directory, along with the keys that will be used to sign the zone.
If no
.Ar keyfile
arguments are supplied, the default behaviour is to use all of the zone's
keys that are present in the current directory.
Providing specific
.Ar keyfile
arguments constrains
.Nm dnssec-signzone
to only use those keys for signing the zone.
Each
.Ar keyfile
argument would be an identification string for a key created with
.Xr dnssec-keygen 8 .
If the zone to be signed has any secure subzones, the
.Ar signedkey
files for those subzones need to be available in the
current working directory used by
.Nm dnssec-signzone .
.Pp
.Ar zonefile
is the name of the unsigned zone file.
Unless the file name is the same as the name of the zone, the
.Fl o
option should be given.
.Ar origin
will be the fully qualified domain origin for the zone.
.Pp
.Nm dnssec-signzone
will generate NXT and SIG records for the zone and produce a signed
version of the zone.
If there is a
.Ar signedkey
file from the zone's parent, the parent's signatures will be
incorporated into the generated signed zone file.
The security status of delegations from the the signed zone
- i.e. whether the child zones are DNSSEC-aware or not - is
set according to the presence or absence of a
.Ar signedkey
file for the child in case.
.Pp
By default,
.Nm dnssec-signzone
generates a file called
.Ar zonefile.signed
containing the signed zone file.
The output file name can be overridden usign the
.Fl f
option.
.\" Don't hyphenate YYYYMMDDHHMMSS
.nh YYYYMMDDHHMMSS
.Pp
.Nm dnssec-signzone
does not verify the signatures by default.
The
.Fl a
option makes it verify the signatures it generated.
.Pp
The date and time when the generated
SIG records become valid can be specified with the
.Fl s
option.
.Ar start-time
can either be an absolute or relative date.
An absolute start time is indicated by a number in YYYYMMDDHHMMSS
notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.
A relative start time is supplied when
.Ar start-time
is given as +N: N seconds from the current time.
If no
.Fl s
option is supplied, the current date and time is used for the start
time of the SIG records.
.Pp
The expiry date for the SIG records can be set by the
.Fl e
option.
Note that in this context, the expiry date specifies when the SIG
records are no longer valid, not when they are deleted from caches on name
servers.
.Ar end-date
also represents an absolute or relative date.
YYYYMMDDHHMMSS notation is used as before to indicate an absolute date
and time.
When
.Ar end-date
is +N,
it indicates that the SIG records will expire in N seconds after their
start date.
If
.Ar end-date
is supplied as now+N,
the SIG records will expire in N seconds after the current time.
When no expiry date is set for the SIG records,
.Nm dnssec-signzone
defaults to an expire time of 30 days from the start time of the SIG
records.
.Pp
When a previously signed zone is passed as input to
.Nm dnssec-signzone ,
records may be resigned. Whether or not to resign records is configurable
by using the
.Fl i
option, which specifies the cycle interval as an offset from the current time
(in seconds). If a SIG record expires after the cycle interval, it is
retained. Otherwise, it is considered to be expiring soon, and
.Nm dnssec-signzone
will remove it and generate a new SIG record to replace it.
.Pp
The default cycle interval is one quarter of the difference between the
specified signature end and start dates. So if the
.Fl e
and
.Fl s
options are not specified,
.Nm dnssec-signzone
generates signatures that are valid for 30 days from the current date
by default, with a cycle interval of 7.5 days. Therefore, if any SIG records
are due to expire in less than 7.5 days, they would be replaced
with new ones.
.Pp
.Nm dnssec-signzone
may need random numbers in the process of signing the zone.
If the system does not have a
.Pa /dev/random
device that can be used for generating random numbers,
.Nm dnssec-signzone
will prompt for keyboard input and use the time intervals between
keystrokes to provide randomness.
The
.Fl r
option overrides this behaviour, making
.Nm dnssec-signzone
use
.Ar randomdev
as a source of random data.
.Pp
The
.Fl p
option instructs
.Nm dnssec-signzone
to use pseudo-random data when signing the keys. This is faster, but
less secure, than using genuinely random data for signing.
This option may be useful when signing large zones or when the
entropy source is limited.
.Pp
The
.Fl t
option causes
.Nm dnssec-signzone
to print various statistics after signing the zone.
.Pp
The
.Fl c
option specifies that the KEY records in the input and output key sets should
have the specified class instead of IN.
.Pp
The
.Fl d
option specifies that
.Nm dnssec-signzone
should look in a directory other than the current directory for signedkey
files.
.Pp
An option of
.Fl h
makes
.Nm dnssec-signzone
print a short summary of its command line options
and arguments.
.Pp
The
.Fl v
option can be used to make
.Nm dnssec-signzone
more verbose.
As the debugging/tracing level
.Ar level
increases,
.Nm dnssec-signzone
generates increasingly detailed reports about what it is doing.
The default level is zero.
.Pp
The
.Fl n
option can be used to change the threading behavior. By default,
.Nm dnssec-signzone
attempts to determine the number of CPUs present, and create one thread
per CPU. The
.Fl n
option causes a different number of threads to be created.
.Sh EXAMPLE
The example below shows how
.Nm dnssec-signzone
could be used to sign the
.Dv example.com
zone with the key that was generated in the example given in the
man page for
.Xr dnssec-keygen 8 .
The zone file for this zone is
.Dv example.com ,
which is the same as the origin, so there is no need to use the
.Fl o
option to set the origin.
The zone's keys were either appended to the zone file or
incorporated using a
.Dv $INCLUDE
statement.
If there was a
.Ar signedkey
file from the parent zone - i.e.
.Dv signedkey-example.com.
- it should be present in the current directory.
This allows the parent zone's signature to be included in the signed
version of the
.Dv example.com
zone.
.Pp
.Dl # dnssec-signzone example.com Kexample.com.+003+26160
.Pp
.Nm dnssec-signzone
will create a file called
.Dv example.com.signed ,
the signed version of the
.Dv example.com
zone.
This file can then be referenced in a
.Dv zone{}
statement in
.Pa /etc/named.conf
so that it can be loaded by the name server.
.Sh FILES
.Pa /dev/random
.Sh SEE ALSO
.Xr RFC2535,
.Xr dnssec-keygen 8 ,
.Xr dnssec-signkey 8 .