From 473038528ab5bd55332138ebf791ab91a25f747b Mon Sep 17 00:00:00 2001 From: Doug Barton Date: Sat, 16 Jul 2011 10:49:33 +0000 Subject: Vendor import of BIND 9.8.0-P4 --- bin/dnssec/dnssec-signzone.html | 200 ++++++++++++++++++++++++++++------------ 1 file changed, 141 insertions(+), 59 deletions(-) (limited to 'bin/dnssec/dnssec-signzone.html') diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html index 1d4ecffc85b4d..28e7158e6e7c3 100644 --- a/bin/dnssec/dnssec-signzone.html +++ b/bin/dnssec/dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -29,21 +29,21 @@

Synopsis

-

dnssec-signzone [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-s start-time] [-t] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

+

dnssec-signzone [-a] [-c class] [-d directory] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the - zone. It also generates a keyset- file containing - the key-signing keys for the zone, and if signing a zone which - contains delegations, it can optionally generate DS records for - the child zones from their keyset- files. + zone. The security status of delegations from the signed zone + (that is, whether the child zones are secure or not) is + determined by the presence or absence of a + keyset file for each child zone.

-

OPTIONS

+

OPTIONS

-a

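Review bot: the new synopsis line (the + line under Synopsis) omits -C, which the OPTIONS hunk in this same patch documents as a new compatibility-mode flag; add [-C] to the synopsis, between [-c class] and [-d directory], so the two stay in sync. In the same hunk, the rewritten DESCRIPTION paragraph says the security status of each delegation is "determined by the presence or absence of a keyset file", while the new -d and -g entries name dsset- files first; say "dsset- or keyset- file" here as well so a reader does not conclude that only keyset- files are consulted.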
@@ -53,6 +53,38 @@

Specifies the DNS class of the zone.

+
-C
+

+ Compatibility mode: Generate a + keyset-zonename + file in addition to + dsset-zonename + when signing a zone, for use by older versions of + dnssec-signzone. +

+
-d directory
+

+ Look for dsset- or + keyset- files in directory. +

+
-E engine
+

+ Uses a crypto hardware (OpenSSL engine) for the crypto operations + it supports, for instance signing with private keys from + a secure key store. When compiled with PKCS#11 support + it defaults to pkcs11; the empty name resets it to no engine. +

+
-g
+

+ Generate DS records for child zones from + dsset- or keyset- + file. Existing DS records will be removed. +

+
-K directory
+

+ Key repository: Specify a directory to search for DNSSEC keys. + If not specified, defaults to the current directory. +

-k key

Treat specified key as a key signing key ignoring any @@ -63,18 +95,6 @@ Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.

-
-d directory
-

- Look for keyset files in - directory as the directory -

-
-g
-

- If the zone contains any delegations, and there are - keyset- files for any of the child zones, - then DS records for the child zones will be generated from the - keys in those files. Existing DS records will be removed. -

-s start-time

Specify the date and time when the generated RRSIG records @@ -95,6 +115,8 @@ the start time. A time relative to the current time is indicated with now+N. If no end-time is specified, 30 days from the start time is used as a default. + end-time must be later than + start-time.

-f output-file

@@ -229,35 +251,119 @@ keyboard indicates that keyboard input should be used.

+
-S
+
+

+ Smart signing: Instructs dnssec-signzone to + search the key repository for keys that match the zone being + signed, and to include them in the zone if appropriate. +

+

+ When a key is found, its timing metadata is examined to + determine how it should be used, according to the following + rules. Each successive rule takes priority over the prior + ones: +

+
+
+

+ If no timing metadata has been set for the key, the key is + published in the zone and used to sign the zone. +

+
+

+ If the key's publication date is set and is in the past, the + key is published in the zone. +

+
+

+ If the key's activation date is set and in the past, the + key is published (regardless of publication date) and + used to sign the zone. +

+
+

+ If the key's revocation date is set and in the past, and the + key is published, then the key is revoked, and the revoked key + is used to sign the zone. +

+
+

+ If either of the key's unpublication or deletion dates are set + and in the past, the key is NOT published or used to sign the + zone, regardless of any other metadata. +

+
+
+
-T ttl
+

+ Specifies the TTL to be used for new DNSKEY records imported + into the zone from the key repository. If not specified, + the default is the minimum TTL value from the zone's SOA + record. This option is ignored when signing without + -S, since DNSKEY records are not imported + from the key repository in that case. It is also ignored if + there are any pre-existing DNSKEY records at the zone apex, + in which case new records' TTL values will be set to match + them. +

-t

Print statistics at completion.

+
-u
+

+ Update NSEC/NSEC3 chain when re-signing a previously signed + zone. With this option, a zone signed with NSEC can be + switched to NSEC3, or a zone signed with NSEC3 can + be switch to NSEC or to NSEC3 with different parameters. + Without this option, dnssec-signzone will + retain the existing chain when re-signing. +

-v level

Sets the debugging level.

+
-x
+

+ Only sign the DNSKEY RRset with key-signing keys, and omit + signatures from zone-signing keys. (This is similar to the + dnssec-dnskey-kskonly yes; zone option in + named.) +

-z

- Ignore KSK flag on key when determining what to sign. + Ignore KSK flag on key when determining what to sign. This + causes KSK-flagged keys to sign all records, not just the + DNSKEY RRset. (This is similar to the + update-check-ksk no; zone option in + named.)

-3 salt

- Generate a NSEC3 chain with the given hex encoded salt. + Generate an NSEC3 chain with the given hex encoded salt. A dash (salt) can be used to indicate that no salt is to be used when generating the NSEC3 chain.

-H iterations

- When generating a NSEC3 chain use this many interations. The - default is 100. + When generating an NSEC3 chain, use this many interations. The + default is 10.

-A
-

- When generating a NSEC3 chain set the OPTOUT flag on all +

+

+ When generating an NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations. -

+

+

+ Using this option twice (i.e., -AA) + turns the OPTOUT flag off for all records. This is useful + when using the -u option to modify an NSEC3 + chain which previously had OPTOUT set. +

+
zonefile

The file containing the zone to be signed. @@ -273,14 +379,15 @@

-

EXAMPLE

+

EXAMPLE

The following command signs the example.com zone with the DSA key generated by dnssec-keygen - (Kexample.com.+003+17247). The zone's keys must be in the master - file (db.example.com). This invocation looks - for keyset files, in the current directory, - so that DS records can be generated from them (-g). + (Kexample.com.+003+17247). Because the -S option + is not being used, the zone's keys must be in the master file + (db.example.com). This invocation looks + for dsset files, in the current directory, + so that DS records can be imported from them (-g).

% dnssec-signzone -g -o example.com db.example.com \
 Kexample.com.+003+17247
@@ -302,39 +409,14 @@ db.example.com.signed
 %
-

KNOWN BUGS

-

- dnssec-signzone was designed so that it could - sign a zone partially, using only a subset of the DNSSEC keys - needed to produce a fully-signed zone. This permits a zone - administrator, for example, to sign a zone with one key on one - machine, move the resulting partially-signed zone to a second - machine, and sign it again with a second key. -

-

- An unfortunate side-effect of this flexibility is that - dnssec-signzone does not check to make sure - it's signing a zone with any valid keys at all. An attempt to - sign a zone without any keys will appear to succeed, producing - a "signed" zone with no signatures. There is no warning issued - when a zone is not fully signed. -

-

- This will be corrected in a future release. In the meantime, ISC - recommends examining the output of dnssec-signzone - to confirm that the zone is properly signed by all keys before - using it. -

-
-
-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

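Review bot: in the @@ -53,6 +53,38 @@ hunk, the -g entry states "Existing DS records will be removed" but does not say what happens to a child zone whose dsset- or keyset- file is absent from the -d directory, nor whether a warning is issued; read together with the DESCRIPTION text, the effect is that a missing file turns that delegation into an insecure one on the next -g run, so add a sentence telling operators to verify that every secure child's file is present before re-signing with -g and to compare the DS set of the output against the previous signed zone. Minor wording in the same hunk: "Uses a crypto hardware (OpenSSL engine)" should read "Uses crypto hardware (an OpenSSL engine)", and "from dsset- or keyset- file" should be "files", matching the -d entry.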
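Review bot: in the @@ -229,35 +251,119 @@ hunk, the -H entry changes the documented default from 100 to 10 with no corresponding code in this patch and no mention in the commit message; since the NSEC3 iteration count is an operational setting that affects hashing cost for both signer and validators, please confirm the new value is what dnssec-signzone in 9.8.0-P4 actually uses and note the change. The same + line carries the typo "interations" over from the removed line ("iterations"), and the -u entry has "can be switch to NSEC", which should be "can be switched to NSEC".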
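Review bot: the @@ -302,39 +409,14 @@ hunk deletes the entire KNOWN BUGS section, which warned that dnssec-signzone would appear to succeed when run with no valid keys and emit a "signed" zone containing no signatures, yet nothing in the patch or in the commit message ("Vendor import of BIND 9.8.0-P4") states that this behaviour was fixed. Either reference the release note or change that corrects it, or keep the paragraph recommending that operators inspect the output to confirm every RRset carries RRSIGs from the expected keys; removing the warning without a documented fix leaves a silent-failure mode undocumented.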
-- cgit v1.2.3