diff options
Diffstat (limited to 'contrib/bind9/bin/dnssec/dnssec-signzone.docbook')
| -rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-signzone.docbook | 378 |
1 files changed, 0 insertions, 378 deletions
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook deleted file mode 100644 index 35f35cc7339dc..0000000000000 --- a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook +++ /dev/null @@ -1,378 +0,0 @@ -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN" - "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" - [<!ENTITY mdash "—">]> -<!-- - - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000-2003 Internet Software Consortium. - - - - Permission to use, copy, modify, and distribute this software for any - - purpose with or without fee is hereby granted, provided that the above - - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - - PERFORMANCE OF THIS SOFTWARE. ---> - -<!-- $Id: dnssec-signzone.docbook,v 1.2.2.2.4.11 2005/06/24 00:18:15 marka Exp $ --> - -<refentry> - <refentryinfo> - <date>June 30, 2000</date> - </refentryinfo> - - <refmeta> - <refentrytitle><application>dnssec-signzone</application></refentrytitle> - <manvolnum>8</manvolnum> - <refmiscinfo>BIND9</refmiscinfo> - </refmeta> - - <docinfo> - <copyright> - <year>2004</year> - <year>2005</year> - <holder>Internet Systems Consortium, Inc. ("ISC")</holder> - </copyright> - <copyright> - <year>2000</year> - <year>2001</year> - <year>2002</year> - <year>2003</year> - <holder>Internet Software Consortium.</holder> - </copyright> - </docinfo> - - <refnamediv> - <refname><application>dnssec-signzone</application></refname> - <refpurpose>DNSSEC zone signing tool</refpurpose> - </refnamediv> - - <refsynopsisdiv> - <cmdsynopsis> - <command>dnssec-signzone</command> - <arg><option>-a</option></arg> - <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> - <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg> - <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg> - <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg> - <arg><option>-g</option></arg> - <arg><option>-h</option></arg> - <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg> - <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg> - <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg> - <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg> - <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg> - <arg><option>-p</option></arg> - <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg> - <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg> - <arg><option>-t</option></arg> - <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg> - <arg><option>-z</option></arg> - <arg choice="req">zonefile</arg> - <arg rep="repeat">key</arg> - </cmdsynopsis> - </refsynopsisdiv> - - <refsect1> - <title>DESCRIPTION</title> - <para> - <command>dnssec-signzone</command> signs a zone. It generates - NSEC and RRSIG records and produces a signed version of the - zone. The security status of delegations from the signed zone - (that is, whether the child zones are secure or not) is - determined by the presence or absence of a - <filename>keyset</filename> file for each child zone. - </para> - </refsect1> - - <refsect1> - <title>OPTIONS</title> - - <variablelist> - <varlistentry> - <term>-a</term> - <listitem> - <para> - Verify all generated signatures. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-c <replaceable class="parameter">class</replaceable></term> - <listitem> - <para> - Specifies the DNS class of the zone. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-k <replaceable class="parameter">key</replaceable></term> - <listitem> - <para> - Treat specified key as a key signing key ignoring any - key flags. This option may be specified multiple times. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-l <replaceable class="parameter">domain</replaceable></term> - <listitem> - <para> - Generate a DLV set in addition to the key (DNSKEY) and DS sets. - The domain is appended to the name of the records. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-d <replaceable class="parameter">directory</replaceable></term> - <listitem> - <para> - Look for <filename>keyset</filename> files in - <option>directory</option> as the directory - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-g</term> - <listitem> - <para> - Generate DS records for child zones from keyset files. - Existing DS records will be removed. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-s <replaceable class="parameter">start-time</replaceable></term> - <listitem> - <para> - Specify the date and time when the generated RRSIG records - become valid. This can be either an absolute or relative - time. An absolute start time is indicated by a number - in YYYYMMDDHHMMSS notation; 20000530144500 denotes - 14:45:00 UTC on May 30th, 2000. A relative start time is - indicated by +N, which is N seconds from the current time. - If no <option>start-time</option> is specified, the current - time minus 1 hour (to allow for clock skew) is used. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-e <replaceable class="parameter">end-time</replaceable></term> - <listitem> - <para> - Specify the date and time when the generated RRSIG records - expire. As with <option>start-time</option>, an absolute - time is indicated in YYYYMMDDHHMMSS notation. A time relative - to the start time is indicated with +N, which is N seconds from - the start time. A time relative to the current time is - indicated with now+N. If no <option>end-time</option> is - specified, 30 days from the start time is used as a default. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-f <replaceable class="parameter">output-file</replaceable></term> - <listitem> - <para> - The name of the output file containing the signed zone. The - default is to append <filename>.signed</filename> to the - input file. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-h</term> - <listitem> - <para> - Prints a short summary of the options and arguments to - <command>dnssec-signzone</command>. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-i <replaceable class="parameter">interval</replaceable></term> - <listitem> - <para> - When a previously signed zone is passed as input, records - may be resigned. The <option>interval</option> option - specifies the cycle interval as an offset from the current - time (in seconds). If a RRSIG record expires after the - cycle interval, it is retained. Otherwise, it is considered - to be expiring soon, and it will be replaced. - </para> - <para> - The default cycle interval is one quarter of the difference - between the signature end and start times. So if neither - <option>end-time</option> or <option>start-time</option> - are specified, <command>dnssec-signzone</command> generates - signatures that are valid for 30 days, with a cycle - interval of 7.5 days. Therefore, if any existing RRSIG records - are due to expire in less than 7.5 days, they would be - replaced. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-n <replaceable class="parameter">ncpus</replaceable></term> - <listitem> - <para> - Specifies the number of threads to use. By default, one - thread is started for each detected CPU. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-o <replaceable class="parameter">origin</replaceable></term> - <listitem> - <para> - The zone origin. If not specified, the name of the zone file - is assumed to be the origin. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-p</term> - <listitem> - <para> - Use pseudo-random data when signing the zone. This is faster, - but less secure, than using real random data. This option - may be useful when signing large zones or when the entropy - source is limited. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-r <replaceable class="parameter">randomdev</replaceable></term> - <listitem> - <para> - Specifies the source of randomness. If the operating - system does not provide a <filename>/dev/random</filename> - or equivalent device, the default source of randomness - is keyboard input. <filename>randomdev</filename> specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <filename>keyboard</filename> indicates that keyboard - input should be used. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-t</term> - <listitem> - <para> - Print statistics at completion. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-v <replaceable class="parameter">level</replaceable></term> - <listitem> - <para> - Sets the debugging level. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-z</term> - <listitem> - <para> - Ignore KSK flag on key when determining what to sign. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>zonefile</term> - <listitem> - <para> - The file containing the zone to be signed. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>key</term> - <listitem> - <para> - The keys used to sign the zone. If no keys are specified, the - default all zone keys that have private key files in the - current directory. - </para> - </listitem> - </varlistentry> - - </variablelist> - </refsect1> - - <refsect1> - <title>EXAMPLE</title> - <para> - The following command signs the <userinput>example.com</userinput> - zone with the DSA key generated in the <command>dnssec-keygen</command> - man page. The zone's keys must be in the zone. If there are - <filename>keyset</filename> files associated with child zones, - they must be in the current directory. - <userinput>example.com</userinput>, the following command would be - issued: - </para> - <para> - <userinput>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</userinput> - </para> - <para> - The command would print a string of the form: - </para> - <para> - In this example, <command>dnssec-signzone</command> creates - the file <filename>db.example.com.signed</filename>. This file - should be referenced in a zone statement in a - <filename>named.conf</filename> file. - </para> - </refsect1> - - <refsect1> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>dnssec-keygen</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry>, - <citetitle>BIND 9 Administrator Reference Manual</citetitle>, - <citetitle>RFC 2535</citetitle>. - </para> - </refsect1> - - <refsect1> - <title>AUTHOR</title> - <para> - <corpauthor>Internet Systems Consortium</corpauthor> - </para> - </refsect1> - -</refentry> - -<!-- - - Local variables: - - mode: sgml - - End: ---> |