Diffstat (limited to 'bin/dnssec/dnssec-signzone.html')
-rw-r--r-- | bin/dnssec/dnssec-signzone.html | 41 |
1 files changed, 28 insertions, 13 deletions
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html index 37994539b605..65abf80eb53d 100644 --- a/bin/dnssec/dnssec-signzone.html +++ b/bin/dnssec/dnssec-signzone.html @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2009, 2011, 2013 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and/or distribute this software for any 
@@ -32,7 +32,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em 
class="replaceable"><code>level</code></em></code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543626"></a><h2>DESCRIPTION</h2> +<a name="id2543629"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-signzone</strong></span> signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -43,7 +43,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543641"></a><h2>OPTIONS</h2> +<a name="id2543644"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a</span></dt> <dd><p> @@ -288,10 +288,10 @@ This option skips these tests. </p> </dd> -<dt><span class="term">-R</span></dt> +<dt><span class="term">-Q</span></dt> <dd> <p> - Remove signatures from keys that no longer exist. + Remove signatures from keys that are no longer active. </p> <p> Normally, when a previously-signed zone is passed as input 
@@ -299,9 +299,24 @@ replaced with a new one, signatures from the old key that are still within their validity period are retained. This allows the zone to continue to validate with cached - copies of the old DNSKEY RRset. The <code class="option">-R</code> forces - <span><strong class="command">dnssec-signzone</strong></span> to remove all orphaned - signatures. + copies of the old DNSKEY RRset. The <code class="option">-Q</code> + forces <span><strong class="command">dnssec-signzone</strong></span> to remove + signatures from keys that are no longer active. This + enables ZSK rollover using the procedure described in + RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover"). + </p> +</dd> +<dt><span class="term">-R</span></dt> +<dd> +<p> + Remove signatures from keys that are no longer published. + </p> +<p> + This option is similar to <code class="option">-Q</code>, except it + forces <span><strong class="command">dnssec-signzone</strong></span> to signatures from + keys that are no longer published. This enables ZSK rollover + using the procedure described in RFC 4641, section 4.2.1.2 + ("Double Signature Zone Signing Key Rollover"). </p> </dd> <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt> @@ -414,7 +429,7 @@ </p></dd> <dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt> <dd><p> - When generating an NSEC3 chain, use this many interations. The + When generating an NSEC3 chain, use this many iterations. The default is 10. </p></dd> <dt><span class="term">-A</span></dt> @@ -446,7 +461,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2545127"></a><h2>EXAMPLE</h2> +<a name="id2545153"></a><h2>EXAMPLE</h2> <p> The following command signs the <strong class="userinput"><code>example.com</code></strong> zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span> 
@@ -476,14 +491,14 @@ db.example.com.signed %</pre> </div> <div class="refsect1" lang="en"> -<a name="id2545182"></a><h2>SEE ALSO</h2> +<a name="id2545208"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, - <em class="citetitle">RFC 4033</em>. + <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2545207"></a><h2>AUTHOR</h2> +<a name="id2545236"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> |
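Review bot: The cmdsynopsis hunk (@@ -32,7 +32,7 @@) only bumps the anchor id; the synopsis still reads `[-P] [-p] [-R] [-r randomdev]` and never gains the new `-Q` flag that the OPTIONS hunks below introduce. Add `[<code class="option">-Q</code>]` before the `-R` entry so the synopsis lists every documented option.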
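Review bot: In the hunk at @@ -288,10 +288,10 @@ the one-line summary "Remove signatures from keys that are no longer active." leaves "active" undefined, and the sibling `-R` entry added just below uses "no longer published" with no explanation of the difference either. Since the `-R` term is replaced here by `-Q`, the existing paragraph that follows ("Normally, when a previously-signed zone is passed as input ... signatures from the old key that are still within their validity period are retained") now documents `-Q`; a sentence stating what each condition means for the key's presence in the zone (presumably still in the DNSKEY RRset but no longer signing for `-Q`, versus absent from the DNSKEY RRset for `-R`) would let readers choose between the two flags without reading RFC 4641.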
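Review bot: The new `-R` description in the hunk at @@ -299,9 +299,24 @@ is missing its verb: "forces dnssec-signzone to signatures from keys that are no longer published" should read "forces <span><strong class="command">dnssec-signzone</strong></span> to remove signatures from keys that are no longer published". In the same hunk, "The <code class="option">-Q</code> forces" reads better as "The <code class="option">-Q</code> option forces", matching the original sentence it replaces ("The <code class="option">-R</code> forces" had the same problem, so this is a chance to fix both). The RFC 4641 section citations (4.2.1.1 "Pre-Publish Key Rollover" for `-Q`, 4.2.1.2 "Double Signature Zone Signing Key Rollover" for `-R`) are consistent with the new SEE ALSO entry for RFC 4641.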