Unix/Linux Go Back    

RedHat 9 (Linux i386) - man page for dnssec-signzone (redhat section 8)

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:   man
Select Man Page Set:       apropos Keyword Search (sections above)


       dnssec-signzone - DNSSEC zone signing tool

       dnssec-signzone [ -a ]  [ -c class ]  [ -d directory ]  [ -s start-time ]  [ -e end-time ]
       [ -f output-file ]  [ -h ]  [ -i interval ]  [ -n nthreads ]  [ -o origin ]  [ -p ]  [  -r
       randomdev ]  [ -t ]  [ -v level ]  zonefile [ key... ]

       dnssec-signzone	signs a zone. It generates NXT and SIG records and produces a signed ver-
       sion of the zone. If there is a signedkey file from the zone's parent, the parent's signa-
       tures  will  be	incorporated  into the generated signed zone file. The security status of
       delegations from the the signed zone (that is, whether the child zones are secure or  not)
       is determined by the presence or absence of a signedkey file for each child zone.

       -a     Verify all generated signatures.

       -c class
	      Specifies the DNS class of the zone.

       -d directory
	      Look for signedkey files in directory as the directory

       -s start-time
	      Specify  the date and time when the generated SIG records become valid. This can be
	      either an absolute or relative time. An absolute start time is indicated by a  num-
	      ber  in  YYYYMMDDHHMMSS  notation; 20000530144500 denotes 14:45:00 UTC on May 30th,
	      2000. A relative start time is indicated by +N, which is N seconds from the current
	      time.  If no start-time is specified, the current time is used.

       -e end-time
	      Specify  the  date  and  time when the generated SIG records expire. As with start-
	      time, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative  to
	      the start time is indicated with +N, which is N seconds from the start time. A time
	      realtive to the current time is indicated with now+N. If no end-time is  specified,
	      30 days from the start time is used as a default.

       -f output-file
	      The  name  of  the output file containing the signed zone. The default is to append
	      .signed to the input file.

       -h     Prints a short summary of the options and arguments to dnssec-signzone.

       -i interval
	      When a previously signed zone is passed as input,  records  may  be  resigned.  The
	      interval option specifies the cycle interval as an offset from the current time (in
	      seconds). If a SIG record expires after the cycle interval, it is retained.  Other-
	      wise, it is considered to be expiring soon, and it will be replaced.

	      The  default  cycle interval is one quarter of the difference between the signature
	      end and start times. So if neither end-time or start-time  are  specified,  dnssec-
	      signzone	generates signatures that are valid for 30 days, with a cycle interval of
	      7.5 days. Therefore, if any existing SIG records are due to expire in less than 7.5
	      days, they would be replaced.

       -n ncpus
	      Specifies  the number of threads to use. By default, one thread is started for each
	      detected CPU.

       -o origin
	      The zone origin. If not specified, the name of the zone file is assumed to  be  the

       -p     Use pseudo-random data when signing the zone. This is faster, but less secure, than
	      using real random data. This option may be useful when signing large zones or  when
	      the entropy source is limited.

       -r randomdev
	      Specifies  the  source  of  randomness.  If the operating system does not provide a
	      /dev/random or equivalent device, the default  source  of  randomness  is  keyboard
	      input. randomdev specifies the name of a character device or file containing random
	      data to be used instead of the default. The special value keyboard  indicates  that
	      keyboard input should be used.

       -t     Print statistics at completion.

       -v level
	      Sets the debugging level.

	      The file containing the zone to be signed.  Sets the debugging level.

       key    The keys used to sign the zone. If no keys are specified, the default all zone keys
	      that have private key files in the current directory.

       The following command signs the example.com zone with the DSA key generated in the dnssec-
       keygen man page. The zone's keys must be in the zone. If there are signedkey files associ-
       ated with this zone or any child zones, they must be  in  the  current  directory.   exam-
       ple.com, the following command would be issued:

       dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160

       The command would print a string of the form:

       In  this example, dnssec-signzone creates the file db.example.com.signed. This file should
       be referenced in a zone statement in a named.conf file.

       dnssec-keygen(8), dnssec-signkey(8), BIND 9 Administrator Reference Manual, RFC 2535.

       Internet Software Consortium

BIND9					  June 30, 2000 		       DNSSEC-SIGNZONE(8)
Unix & Linux Commands & Man Pages : ©2000 - 2018 Unix and Linux Forums

All times are GMT -4. The time now is 04:43 PM.