hpux man page for dnssec-signzone

dnssec-signzone(1)					      General Commands Manual						dnssec-signzone(1)

NAME
dnssec-signzone - DNSSEC zone signing tool
SYNOPSIS
class] directory] end-time] output-file] key]... domain] interval] nthreads] origin] randomdev] start-time] level] zonefile key...
DESCRIPTION
dnssec-signzone is used to sign a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a file for each child zone. If the zone to be signed has any secure subzones, the files for those subzones need to be available in the current working directory used by dnssec-signzone.

Options
dnssec-signzone has the following options:

Force verification of the signatures generated by dnssec-signzone. By default, the signature files are not verified.

Specify the DNS class of the zone.

Look for files in directory. The default is the current directory.

Set the expiration time for the RRSIG records. As with the start-time, end-time can represent an absolute or relative date. Use the YYYYMMDDhhmmss notation to indicate an absolute date and time, and the relative notation for a relative time. When end-time is given as a relative value of N seconds, it indicates that the RRSIG records will expire N seconds after their start time. A time relative to the current time can also be given. If end-time is omitted, the default is 30 days from the start time. See also the start-time option.

Override the use of the default signed zone file name.

Generate DS records for child zones from the files for those child zones. Existing DS records will be removed.

Print a short summary of the options and operands.

When a previously signed zone is passed as input, records may be re-signed. The interval option specifies the cycle interval as an offset from the current time (in seconds). If an RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced. The default cycle interval is one quarter of the difference between the signature end and start times. So if neither end-time nor start-time is specified, dnssec-signzone generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, any existing RRSIG records due to expire in less than 7.5 days are replaced.

Treat key as a key-signing key, ignoring any key flags. This option may be specified multiple times.

Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.

Specify the number of CPUs to create threads for. By default, one thread is started for each detected CPU.

Specify the zone origin. If not specified, the zone origin defaults to the name of the zone file.

Use pseudo-random data when signing the keys. This is faster, but less secure, than using genuinely random data for signing. This option may be useful when there are many child zone key sets to sign or if the entropy source is limited. It could also be used for short-lived keys and signatures that don't require as much protection against cryptanalysis, such as when the key will be discarded long before it could be compromised.

Override the default behavior of dnssec-signzone when obtaining random numbers to seed the process of signing the zone. If the system does not have a device to generate random numbers, dnssec-signzone will prompt for keyboard input and use the time intervals between keystrokes to provide randomness. With this option, it will use randomdev as a source of random data.

Specify the date and time when the generated RRSIG records become valid. start-time can be either an absolute or a relative date. An absolute start time is indicated by a number in YYYYMMDDhhmmss notation; for example, 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is supplied when start-time is given as an offset of N seconds from the current time. If start-time is omitted, the default value is the current time minus 1 hour (to allow for clock skew). See also the end-time option.

Print the statistics at the time of completion.

Set the verbosity level. As the debugging/tracing level increases, dnssec-signzone generates increasingly detailed reports about what it is doing. The default is the lowest level.

Ignore the KSK flag on the key when determining what to sign.

Operands
dnssec-signzone has the following operands:

key       A key used to sign the zone. If no keys are specified, the default is all zone keys that have private key files in the current directory.

zonefile  The name of the unsigned zone file.
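The re-signing rule above (signature validity defaults, the cycle interval as one quarter of the validity period, and the "expiring soon" test) is easy to get wrong when auditing a signed zone by hand. The following Python is an added illustration, not code from this man page or from BIND: it models the documented rule over a constructed list of RRSIG expiration times so an operator can check which signatures a re-signing run would replace. Absolute times use the page's YYYYMMDDhhmmss notation; the integer offsets, the function names and the sample records are assumptions made for the example.

```python
"""Model of the dnssec-signzone re-signing decision (added example, not BIND code).

Rule from the man page: an RRSIG that expires after the cycle interval is kept;
one that expires within it is "expiring soon" and is replaced. Defaults:
start-time = now - 1 hour, end-time = start + 30 days, interval = (end - start) / 4.
"""
from datetime import datetime, timedelta, timezone

FMT = "%Y%m%d%H%M%S"  # YYYYMMDDhhmmss notation for absolute times (UTC)


def parse_time(value, now):
    """Absolute YYYYMMDDhhmmss string, or an int offset in seconds from `now`
    (the int form is an assumed representation of a relative time)."""
    if isinstance(value, int):
        return now + timedelta(seconds=value)
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)


def signing_window(now, start_time=None, end_time=None, interval=None):
    """Resolve start, end and cycle interval with the documented defaults.
    A relative end_time (int) is counted from the start time, as the page states."""
    start = now - timedelta(hours=1) if start_time is None else parse_time(start_time, now)
    if end_time is None:
        end = start + timedelta(days=30)
    elif isinstance(end_time, int):
        end = start + timedelta(seconds=end_time)
    else:
        end = parse_time(end_time, now)
    cycle = (end - start) / 4 if interval is None else timedelta(seconds=interval)
    return start, end, cycle


def needs_resign(rrsig_expiration, now, cycle):
    """True when the RRSIG expires within the cycle interval from now."""
    return rrsig_expiration <= now + cycle


def plan_resign(rrsigs, now, **window_opts):
    """Map each (owner, expiration) pair to 'keep' or 're-sign'."""
    _start, _end, cycle = signing_window(now, **window_opts)
    plan = {}
    for owner, expiration in rrsigs:
        exp = parse_time(expiration, now)
        plan[owner] = "re-sign" if needs_resign(exp, now, cycle) else "keep"
    return plan


def demo():
    """Constructed sample: 'now' is the page's example timestamp, three RRSIGs
    chosen to fall inside, exactly on, and outside the 7.5-day default cycle."""
    now = parse_time("20000530144500", None)  # 14:45:00 UTC, 30 May 2000
    rrsigs = [
        ("www", "20000603000000"),   # ~3.4 days out -> expiring soon
        ("ns", "20000607024500"),    # exactly now + 7.5 days -> boundary, replaced
        ("mail", "20000620000000"),  # ~20 days out -> kept
    ]
    _start, _end, cycle = signing_window(now)
    return {"cycle_days": cycle.total_seconds() / 86400, "plan": plan_resign(rrsigs, now)}


if __name__ == "__main__":
    print(demo())
```

Passing an explicit validity period shortens the cycle accordingly: with an end-time of 8 days after the start, the interval becomes 2 days and the "www" record above is kept rather than replaced.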
EXAMPLES
This example shows how dnssec-signzone can be used to sign a zone with the DSA key that was generated in the example given in the manpage for dnssec-keygen (see dnssec-keygen(1)). The zone's keys must be in the zone. If there are files associated with child zones, they must be in the current directory. dnssec-signzone creates a file containing the signed version of the zone. This file can then be referenced in a statement in the name server's configuration so that it can be loaded by the name server.
AUTHOR
dnssec-signzone was developed by the Internet Systems Consortium (ISC).
FILES
SEE ALSO
dnssec-keygen(1).

Requests for Comments (RFC): 2535, available online. Further documentation is available from the Internet Systems Consortium.

BIND 9.3											dnssec-signzone(1)