Diffstat (limited to 'bin/dnssec/dnssec-signzone.html')
-rw-r--r--  bin/dnssec/dnssec-signzone.html  102
1 files changed, 48 insertions, 54 deletions
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index 3995507201b60..fec6c8f766739 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009, 2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009, 2011, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -14,14 +14,13 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
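Review bot: dropping `lang="en"` from the `refentry` div (the `<body ...><div class="refentry">` line) leaves the rendered page with no language declaration at all, since the `<html>` element carries none either; if the DocBook XSL 1.78.1 output no longer emits it on the div, consider adding `lang="en"` on `<html>` in the stylesheet customization so screen readers and indexers still see it. Removing the `<!-- $Id$ -->` keyword line is fine given the generator bump.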
@@ -31,9 +30,9 @@
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] 
[<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
-<div class="refsect1" lang="en">
-<a name="id2543644"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">dnssec-signzone</strong></span>
+<div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+<p><span class="command"><strong>dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
zone. The security status of delegations from the signed zone
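Review bot: the anchor rename from `<a name="id2543644">` to `<a name="id-1.7">` (and the same pattern in every section below) breaks any external link that targeted the old generated fragment ids; the new position-based ids are at least deterministic across regeneration, so this is a one-time break, but it is worth calling out in the commit message.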
@@ -42,9 +41,9 @@
<code class="filename">keyset</code> file for each child zone.
</p>
</div>
-<div class="refsect1" lang="en">
-<a name="id2543659"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
+<div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a</span></dt>
<dd><p>
Verify all generated signatures.
@@ -60,7 +59,7 @@
file in addition to
<code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
when signing a zone, for use by older versions of
- <span><strong class="command">dnssec-signzone</strong></span>.
+ <span class="command"><strong>dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
@@ -70,11 +69,11 @@
<dt><span class="term">-D</span></dt>
<dd><p>
Output only those record types automatically managed by
- <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
+ <span class="command"><strong>dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
NSEC3 and NSEC3PARAM records. If smart signing
(<code class="option">-S</code>) is used, DNSKEY records are also
included. The resulting file can be included in the original
- zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
+ zone file with <span class="command"><strong>$INCLUDE</strong></span>. This option
cannot be combined with <code class="option">-O raw</code> or serial
number updating.
</p></dd>
@@ -163,7 +162,7 @@
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
- <span><strong class="command">dnssec-signzone</strong></span>.
+ <span class="command"><strong>dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
@@ -183,7 +182,7 @@
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<code class="option">end-time</code> or <code class="option">start-time</code>
- are specified, <span><strong class="command">dnssec-signzone</strong></span>
+ are specified, <span class="command"><strong>dnssec-signzone</strong></span>
generates
signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing RRSIG records
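Review bot: the unchanged context here reads "if neither end-time or start-time are specified", which should be "neither ... nor ... is specified"; since this file is generated, the fix belongs in the DocBook source (`dnssec-signzone.docbook`) rather than in this HTML.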
@@ -194,8 +193,8 @@
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
The format of the input zone file.
- Possible formats are <span><strong class="command">"text"</strong></span> (default)
- and <span><strong class="command">"raw"</strong></span>.
+ Possible formats are <span class="command"><strong>"text"</strong></span> (default)
+ and <span class="command"><strong>"raw"</strong></span>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be signed directly.
@@ -225,7 +224,7 @@
</dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd><p>
- When writing a signed zone to 'raw' format, set the "source serial"
+ When writing a signed zone to 'raw' format, set the "source serial"
value in the header to the specified serial number. (This is
expected to be used primarily for testing purposes.)
</p></dd>
@@ -238,17 +237,17 @@
<dd>
<p>
The SOA serial number format of the signed zone.
- Possible formats are <span><strong class="command">"keep"</strong></span> (default),
- <span><strong class="command">"increment"</strong></span> and
- <span><strong class="command">"unixtime"</strong></span>.
+ Possible formats are <span class="command"><strong>"keep"</strong></span> (default),
+ <span class="command"><strong>"increment"</strong></span> and
+ <span class="command"><strong>"unixtime"</strong></span>.
</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="command"><strong>"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
-<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
arithmetics.</p></dd>
-<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
+<dt><span class="term"><span class="command"><strong>"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
since epoch.</p></dd>
</dl></div>
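Review bot: the `"increment"` entry still reads "RFC 1982 arithmetics"; the standard term is "RFC 1982 arithmetic" (serial number arithmetic). A source-level fix, as the HTML is regenerated.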
@@ -261,15 +260,15 @@
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>
The format of the output file containing the signed zone.
- Possible formats are <span><strong class="command">"text"</strong></span> (default)
- <span><strong class="command">"full"</strong></span>, which is text output in a
+ Possible formats are <span class="command"><strong>"text"</strong></span> (default)
+ <span class="command"><strong>"full"</strong></span>, which is text output in a
format suitable for processing by external scripts,
- and <span><strong class="command">"raw"</strong></span> or <span><strong class="command">"raw=N"</strong></span>,
+ and <span class="command"><strong>"raw"</strong></span> or <span class="command"><strong>"raw=N"</strong></span>,
which store the zone in a binary format for rapid loading
- by <span><strong class="command">named</strong></span>. <span><strong class="command">"raw=N"</strong></span>
+ by <span class="command"><strong>named</strong></span>. <span class="command"><strong>"raw=N"</strong></span>
specifies the format version of the raw zone file: if N
is 0, the raw file can be read by any version of
- <span><strong class="command">named</strong></span>; if N is 1, the file can be
+ <span class="command"><strong>named</strong></span>; if N is 1, the file can be
read by release 9.9.0 or higher. The default is 1.
</p></dd>
<dt><span class="term">-p</span></dt>
@@ -300,11 +299,11 @@
<p>
Normally, when a previously-signed zone is passed as input
to the signer, and a DNSKEY record has been removed and
- replaced with a new one, signatures from the old key
+ replaced with a new one, signatures from the old key
that are still within their validity period are retained.
This allows the zone to continue to validate with cached
copies of the old DNSKEY RRset. The <code class="option">-Q</code>
- forces <span><strong class="command">dnssec-signzone</strong></span> to remove
+ forces <span class="command"><strong>dnssec-signzone</strong></span> to remove
signatures from keys that are no longer active. This
enables ZSK rollover using the procedure described in
RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
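Review bot: the sentence spanning the context line `The <code class="option">-Q</code>` and the changed line `forces dnssec-signzone to remove` is missing the noun: it should read "The -Q option forces dnssec-signzone to remove signatures ...". Markup-only change otherwise.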
@@ -317,7 +316,7 @@
</p>
<p>
This option is similar to <code class="option">-Q</code>, except it
- forces <span><strong class="command">dnssec-signzone</strong></span> to signatures from
+ forces <span class="command"><strong>dnssec-signzone</strong></span> to signatures from
keys that are no longer published. This enables ZSK rollover
using the procedure described in RFC 4641, section 4.2.1.2
("Double Signature Zone Signing Key Rollover").
@@ -338,7 +337,7 @@
<dt><span class="term">-S</span></dt>
<dd>
<p>
- Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
+ Smart signing: Instructs <span class="command"><strong>dnssec-signzone</strong></span> to
search the key repository for keys that match the zone being
signed, and to include them in the zone if appropriate.
</p>
@@ -348,7 +347,7 @@
rules. Each successive rule takes priority over the prior
ones:
</p>
-<div class="variablelist"><dl>
+<div class="variablelist"><dl class="variablelist">
<dt></dt>
<dd><p>
If no timing metadata has been set for the key, the key is
@@ -363,7 +362,7 @@
<dd><p>
If the key's activation date is set and in the past, the
key is published (regardless of publication date) and
- used to sign the zone.
+ used to sign the zone.
</p></dd>
<dt></dt>
<dd><p>
@@ -403,7 +402,7 @@
zone. With this option, a zone signed with NSEC can be
switched to NSEC3, or a zone signed with NSEC3 can
be switch to NSEC or to NSEC3 with different parameters.
- Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
+ Without this option, <span class="command"><strong>dnssec-signzone</strong></span> will
retain the existing chain when re-signing.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
@@ -414,16 +413,16 @@
<dd><p>
Only sign the DNSKEY RRset with key-signing keys, and omit
signatures from zone-signing keys. (This is similar to the
- <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
- <span><strong class="command">named</strong></span>.)
+ <span class="command"><strong>dnssec-dnskey-kskonly yes;</strong></span> zone option in
+ <span class="command"><strong>named</strong></span>.)
</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
Ignore KSK flag on key when determining what to sign. This
causes KSK-flagged keys to sign all records, not just the
DNSKEY RRset. (This is similar to the
- <span><strong class="command">update-check-ksk no;</strong></span> zone option in
- <span><strong class="command">named</strong></span>.)
+ <span class="command"><strong>update-check-ksk no;</strong></span> zone option in
+ <span class="command"><strong>named</strong></span>.)
</p></dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd><p>
@@ -464,23 +463,23 @@
</p></dd>
</dl></div>
</div>
-<div class="refsect1" lang="en">
-<a name="id2545181"></a><h2>EXAMPLE</h2>
+<div class="refsection">
+<a name="id-1.9"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
- zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
- (Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option
+ zone with the DSA key generated by <span class="command"><strong>dnssec-keygen</strong></span>
+ (Kexample.com.+003+17247). Because the <span class="command"><strong>-S</strong></span> option
is not being used, the zone's keys must be in the master file
(<code class="filename">db.example.com</code>). This invocation looks
for <code class="filename">dsset</code> files, in the current directory,
- so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
+ so that DS records can be imported from them (<span class="command"><strong>-g</strong></span>).
</p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</pre>
<p>
- In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
+ In the above example, <span class="command"><strong>dnssec-signzone</strong></span> creates
the file <code class="filename">db.example.com.signed</code>. This
file should be referenced in a zone statement in a
<code class="filename">named.conf</code> file.
@@ -494,17 +493,12 @@ db.example.com.signed
db.example.com.signed
%</pre>
</div>
-<div class="refsect1" lang="en">
-<a name="id2545237"></a><h2>SEE ALSO</h2>
+<div class="refsection">
+<a name="id-1.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
</p>
</div>
-<div class="refsect1" lang="en">
-<a name="id2545265"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
- </p>
-</div>
</div></body>
</html>
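Review bot: this hunk deletes the entire AUTHOR section (`<h2>AUTHOR</h2>` with the `corpauthor` "Internet Systems Consortium") with no replacement elsewhere in the diff; please confirm the section was dropped deliberately in the DocBook source and is not a side effect of the stylesheet upgrade, since the rendered page loses its attribution.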