413 lines
16 KiB
Plaintext
413 lines
16 KiB
Plaintext
.\" Man page generated from reStructuredText.
|
|
.
|
|
.TH "DNSSEC-SIGNZONE" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
|
|
.SH NAME
|
|
dnssec-signzone \- DNSSEC zone signing tool
|
|
.
|
|
.nr rst2man-indent-level 0
|
|
.
|
|
.de1 rstReportMargin
|
|
\\$1 \\n[an-margin]
|
|
level \\n[rst2man-indent-level]
|
|
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
-
|
|
\\n[rst2man-indent0]
|
|
\\n[rst2man-indent1]
|
|
\\n[rst2man-indent2]
|
|
..
|
|
.de1 INDENT
|
|
.\" .rstReportMargin pre:
|
|
. RS \\$1
|
|
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
|
. nr rst2man-indent-level +1
|
|
.\" .rstReportMargin post:
|
|
..
|
|
.de UNINDENT
|
|
. RE
|
|
.\" indent \\n[an-margin]
|
|
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.nr rst2man-indent-level -1
|
|
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
|
..
|
|
.SH SYNOPSIS
|
|
.sp
|
|
\fBdnssec\-signzone\fP [\fB\-a\fP] [\fB\-c\fP class] [\fB\-d\fP directory] [\fB\-D\fP] [\fB\-E\fP engine] [\fB\-e\fP end\-time] [\fB\-f\fP output\-file] [\fB\-g\fP] [\fB\-h\fP] [\fB\-i\fP interval] [\fB\-I\fP input\-format] [\fB\-j\fP jitter] [\fB\-K\fP directory] [\fB\-k\fP key] [\fB\-L\fP serial] [\fB\-M\fP maxttl] [\fB\-N\fP soa\-serial\-format] [\fB\-o\fP origin] [\fB\-O\fP output\-format] [\fB\-P\fP] [\fB\-Q\fP] [\fB\-q\fP] [\fB\-R\fP] [\fB\-S\fP] [\fB\-s\fP start\-time] [\fB\-T\fP ttl] [\fB\-t\fP] [\fB\-u\fP] [\fB\-v\fP level] [\fB\-V\fP] [\fB\-X\fP extended end\-time] [\fB\-x\fP] [\fB\-z\fP] [\fB\-3\fP salt] [\fB\-H\fP iterations] [\fB\-A\fP] {zonefile} [key...]
|
|
.SH DESCRIPTION
|
|
.sp
|
|
\fBdnssec\-signzone\fP signs a zone. It generates NSEC and RRSIG records
|
|
and produces a signed version of the zone. The security status of
|
|
delegations from the signed zone (that is, whether the child zones are
|
|
secure or not) is determined by the presence or absence of a \fBkeyset\fP
|
|
file for each child zone.
|
|
.SH OPTIONS
|
|
.INDENT 0.0
|
|
.TP
|
|
\fB\-a\fP
|
|
Verify all generated signatures.
|
|
.TP
|
|
\fB\-c\fP class
|
|
Specifies the DNS class of the zone.
|
|
.TP
|
|
\fB\-C\fP
|
|
Compatibility mode: Generate a \fBkeyset\-zonename\fP file in addition
|
|
to \fBdsset\-zonename\fP when signing a zone, for use by older versions
|
|
of \fBdnssec\-signzone\fP\&.
|
|
.TP
|
|
\fB\-d\fP directory
|
|
Look for \fBdsset\-\fP or \fBkeyset\-\fP files in \fBdirectory\fP\&.
|
|
.TP
|
|
\fB\-D\fP
|
|
Output only those record types automatically managed by
|
|
\fBdnssec\-signzone\fP, i.e. RRSIG, NSEC, NSEC3 and NSEC3PARAM records.
|
|
If smart signing (\fB\-S\fP) is used, DNSKEY records are also included.
|
|
The resulting file can be included in the original zone file with
|
|
\fB$INCLUDE\fP\&. This option cannot be combined with \fB\-O raw\fP,
|
|
\fB\-O map\fP, or serial number updating.
|
|
.TP
|
|
\fB\-E\fP engine
|
|
When applicable, specifies the hardware to use for cryptographic
|
|
operations, such as a secure key store used for signing.
|
|
.sp
|
|
When BIND is built with OpenSSL PKCS#11 support, this defaults to the
|
|
string "pkcs11", which identifies an OpenSSL engine that can drive a
|
|
cryptographic accelerator or hardware service module. When BIND is
|
|
built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it
|
|
defaults to the path of the PKCS#11 provider library specified via
|
|
"\-\-with\-pkcs11".
|
|
.TP
|
|
\fB\-g\fP
|
|
Generate DS records for child zones from \fBdsset\-\fP or \fBkeyset\-\fP
|
|
file. Existing DS records will be removed.
|
|
.TP
|
|
\fB\-K\fP directory
|
|
Key repository: Specify a directory to search for DNSSEC keys. If not
|
|
specified, defaults to the current directory.
|
|
.TP
|
|
\fB\-k\fP key
|
|
Treat specified key as a key signing key ignoring any key flags. This
|
|
option may be specified multiple times.
|
|
.TP
|
|
\fB\-M\fP maxttl
|
|
Sets the maximum TTL for the signed zone. Any TTL higher than maxttl
|
|
in the input zone will be reduced to maxttl in the output. This
|
|
provides certainty as to the largest possible TTL in the signed zone,
|
|
which is useful to know when rolling keys because it is the longest
|
|
possible time before signatures that have been retrieved by resolvers
|
|
will expire from resolver caches. Zones that are signed with this
|
|
option should be configured to use a matching \fBmax\-zone\-ttl\fP in
|
|
\fBnamed.conf\fP\&. (Note: This option is incompatible with \fB\-D\fP,
|
|
because it modifies non\-DNSSEC data in the output zone.)
|
|
.TP
|
|
\fB\-s\fP start\-time
|
|
Specify the date and time when the generated RRSIG records become
|
|
valid. This can be either an absolute or relative time. An absolute
|
|
start time is indicated by a number in YYYYMMDDHHMMSS notation;
|
|
20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative
|
|
start time is indicated by +N, which is N seconds from the current
|
|
time. If no \fBstart\-time\fP is specified, the current time minus 1
|
|
hour (to allow for clock skew) is used.
|
|
.TP
|
|
\fB\-e\fP end\-time
|
|
Specify the date and time when the generated RRSIG records expire. As
|
|
with \fBstart\-time\fP, an absolute time is indicated in YYYYMMDDHHMMSS
|
|
notation. A time relative to the start time is indicated with +N,
|
|
which is N seconds from the start time. A time relative to the
|
|
current time is indicated with now+N. If no \fBend\-time\fP is
|
|
specified, 30 days from the start time is used as a default.
|
|
\fBend\-time\fP must be later than \fBstart\-time\fP\&.
|
|
.TP
|
|
\fB\-X\fP extended end\-time
|
|
Specify the date and time when the generated RRSIG records for the
|
|
DNSKEY RRset will expire. This is to be used in cases when the DNSKEY
|
|
signatures need to persist longer than signatures on other records;
|
|
e.g., when the private component of the KSK is kept offline and the
|
|
KSK signature is to be refreshed manually.
|
|
.sp
|
|
As with \fBstart\-time\fP, an absolute time is indicated in
|
|
YYYYMMDDHHMMSS notation. A time relative to the start time is
|
|
indicated with +N, which is N seconds from the start time. A time
|
|
relative to the current time is indicated with now+N. If no
|
|
\fBextended end\-time\fP is specified, the value of \fBend\-time\fP is used
|
|
as the default. (\fBend\-time\fP, in turn, defaults to 30 days from the
|
|
start time.) \fBextended end\-time\fP must be later than \fBstart\-time\fP\&.
|
|
.TP
|
|
\fB\-f\fP output\-file
|
|
The name of the output file containing the signed zone. The default
|
|
is to append \fB\&.signed\fP to the input filename. If \fBoutput\-file\fP is
|
|
set to \fB"\-"\fP, then the signed zone is written to the standard
|
|
output, with a default output format of "full".
|
|
.TP
|
|
\fB\-h\fP
|
|
Prints a short summary of the options and arguments to
|
|
\fBdnssec\-signzone\fP\&.
|
|
.TP
|
|
\fB\-V\fP
|
|
Prints version information.
|
|
.TP
|
|
\fB\-i\fP interval
|
|
When a previously\-signed zone is passed as input, records may be
|
|
resigned. The \fBinterval\fP option specifies the cycle interval as an
|
|
offset from the current time (in seconds). If a RRSIG record expires
|
|
after the cycle interval, it is retained. Otherwise, it is considered
|
|
to be expiring soon, and it will be replaced.
|
|
.sp
|
|
The default cycle interval is one quarter of the difference between
|
|
the signature end and start times. So if neither \fBend\-time\fP or
|
|
\fBstart\-time\fP are specified, \fBdnssec\-signzone\fP generates
|
|
signatures that are valid for 30 days, with a cycle interval of 7.5
|
|
days. Therefore, if any existing RRSIG records are due to expire in
|
|
less than 7.5 days, they would be replaced.
|
|
.TP
|
|
\fB\-I\fP input\-format
|
|
The format of the input zone file. Possible formats are \fB"text"\fP
|
|
(default), \fB"raw"\fP, and \fB"map"\fP\&. This option is primarily
|
|
intended to be used for dynamic signed zones so that the dumped zone
|
|
file in a non\-text format containing updates can be signed directly.
|
|
The use of this option does not make much sense for non\-dynamic
|
|
zones.
|
|
.TP
|
|
\fB\-j\fP jitter
|
|
When signing a zone with a fixed signature lifetime, all RRSIG
|
|
records issued at the time of signing expires simultaneously. If the
|
|
zone is incrementally signed, i.e. a previously\-signed zone is passed
|
|
as input to the signer, all expired signatures have to be regenerated
|
|
at about the same time. The \fBjitter\fP option specifies a jitter
|
|
window that will be used to randomize the signature expire time, thus
|
|
spreading incremental signature regeneration over time.
|
|
.sp
|
|
Signature lifetime jitter also to some extent benefits validators and
|
|
servers by spreading out cache expiration, i.e. if large numbers of
|
|
RRSIGs don\(aqt expire at the same time from all caches there will be
|
|
less congestion than if all validators need to refetch at mostly the
|
|
same time.
|
|
.TP
|
|
\fB\-L\fP serial
|
|
When writing a signed zone to "raw" or "map" format, set the "source
|
|
serial" value in the header to the specified serial number. (This is
|
|
expected to be used primarily for testing purposes.)
|
|
.TP
|
|
\fB\-n\fP ncpus
|
|
Specifies the number of threads to use. By default, one thread is
|
|
started for each detected CPU.
|
|
.TP
|
|
\fB\-N\fP soa\-serial\-format
|
|
The SOA serial number format of the signed zone. Possible formats are
|
|
\fB"keep"\fP (default), \fB"increment"\fP, \fB"unixtime"\fP, and
|
|
\fB"date"\fP\&.
|
|
.INDENT 7.0
|
|
.TP
|
|
.B \fB"keep"\fP
|
|
Do not modify the SOA serial number.
|
|
.TP
|
|
.B \fB"increment"\fP
|
|
Increment the SOA serial number using \fI\%RFC 1982\fP arithmetic.
|
|
.TP
|
|
.B \fB"unixtime"\fP
|
|
Set the SOA serial number to the number of seconds since epoch.
|
|
.TP
|
|
.B \fB"date"\fP
|
|
Set the SOA serial number to today\(aqs date in YYYYMMDDNN format.
|
|
.UNINDENT
|
|
.TP
|
|
\fB\-o\fP origin
|
|
The zone origin. If not specified, the name of the zone file is
|
|
assumed to be the origin.
|
|
.TP
|
|
\fB\-O\fP output\-format
|
|
The format of the output file containing the signed zone. Possible
|
|
formats are \fB"text"\fP (default), which is the standard textual
|
|
representation of the zone; \fB"full"\fP, which is text output in a
|
|
format suitable for processing by external scripts; and \fB"map"\fP,
|
|
\fB"raw"\fP, and \fB"raw=N"\fP, which store the zone in binary formats
|
|
for rapid loading by \fBnamed\fP\&. \fB"raw=N"\fP specifies the format
|
|
version of the raw zone file: if N is 0, the raw file can be read by
|
|
any version of \fBnamed\fP; if N is 1, the file can be read by release
|
|
9.9.0 or higher; the default is 1.
|
|
.TP
|
|
\fB\-P\fP
|
|
Disable post sign verification tests.
|
|
.sp
|
|
The post sign verification test ensures that for each algorithm in
|
|
use there is at least one non revoked self signed KSK key, that all
|
|
revoked KSK keys are self signed, and that all records in the zone
|
|
are signed by the algorithm. This option skips these tests.
|
|
.TP
|
|
\fB\-Q\fP
|
|
Remove signatures from keys that are no longer active.
|
|
.sp
|
|
Normally, when a previously\-signed zone is passed as input to the
|
|
signer, and a DNSKEY record has been removed and replaced with a new
|
|
one, signatures from the old key that are still within their validity
|
|
period are retained. This allows the zone to continue to validate
|
|
with cached copies of the old DNSKEY RRset. The \fB\-Q\fP forces
|
|
\fBdnssec\-signzone\fP to remove signatures from keys that are no longer
|
|
active. This enables ZSK rollover using the procedure described in
|
|
\fI\%RFC 4641#4.2.1.1\fP ("Pre\-Publish Key Rollover").
|
|
.TP
|
|
.B \fB\-q\fP
|
|
Quiet mode: Suppresses unnecessary output. Without this option, when
|
|
\fBdnssec\-signzone\fP is run it will print to standard output the number of
|
|
keys in use, the algorithms used to verify the zone was signed correctly and
|
|
other status information, and finally the filename containing the signed
|
|
zone. With it, that output is suppressed, leaving only the filename.
|
|
.TP
|
|
\fB\-R\fP
|
|
Remove signatures from keys that are no longer published.
|
|
.sp
|
|
This option is similar to \fB\-Q\fP, except it forces
|
|
\fBdnssec\-signzone\fP to signatures from keys that are no longer
|
|
published. This enables ZSK rollover using the procedure described in
|
|
\fI\%RFC 4641#4.2.1.2\fP ("Double Signature Zone Signing Key
|
|
Rollover").
|
|
.TP
|
|
\fB\-S\fP
|
|
Smart signing: Instructs \fBdnssec\-signzone\fP to search the key
|
|
repository for keys that match the zone being signed, and to include
|
|
them in the zone if appropriate.
|
|
.sp
|
|
When a key is found, its timing metadata is examined to determine how
|
|
it should be used, according to the following rules. Each successive
|
|
rule takes priority over the prior ones:
|
|
.INDENT 7.0
|
|
.INDENT 3.5
|
|
If no timing metadata has been set for the key, the key is
|
|
published in the zone and used to sign the zone.
|
|
.sp
|
|
If the key\(aqs publication date is set and is in the past, the key
|
|
is published in the zone.
|
|
.sp
|
|
If the key\(aqs activation date is set and in the past, the key is
|
|
published (regardless of publication date) and used to sign the
|
|
zone.
|
|
.sp
|
|
If the key\(aqs revocation date is set and in the past, and the key
|
|
is published, then the key is revoked, and the revoked key is used
|
|
to sign the zone.
|
|
.sp
|
|
If either of the key\(aqs unpublication or deletion dates are set and
|
|
in the past, the key is NOT published or used to sign the zone,
|
|
regardless of any other metadata.
|
|
.sp
|
|
If key\(aqs sync publication date is set and in the past,
|
|
synchronization records (type CDS and/or CDNSKEY) are created.
|
|
.sp
|
|
If key\(aqs sync deletion date is set and in the past,
|
|
synchronization records (type CDS and/or CDNSKEY) are removed.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.TP
|
|
\fB\-T\fP ttl
|
|
Specifies a TTL to be used for new DNSKEY records imported into the
|
|
zone from the key repository. If not specified, the default is the
|
|
TTL value from the zone\(aqs SOA record. This option is ignored when
|
|
signing without \fB\-S\fP, since DNSKEY records are not imported from
|
|
the key repository in that case. It is also ignored if there are any
|
|
pre\-existing DNSKEY records at the zone apex, in which case new
|
|
records\(aq TTL values will be set to match them, or if any of the
|
|
imported DNSKEY records had a default TTL value. In the event of a a
|
|
conflict between TTL values in imported keys, the shortest one is
|
|
used.
|
|
.TP
|
|
\fB\-t\fP
|
|
Print statistics at completion.
|
|
.TP
|
|
\fB\-u\fP
|
|
Update NSEC/NSEC3 chain when re\-signing a previously signed zone.
|
|
With this option, a zone signed with NSEC can be switched to NSEC3,
|
|
or a zone signed with NSEC3 can be switch to NSEC or to NSEC3 with
|
|
different parameters. Without this option, \fBdnssec\-signzone\fP will
|
|
retain the existing chain when re\-signing.
|
|
.TP
|
|
\fB\-v\fP level
|
|
Sets the debugging level.
|
|
.TP
|
|
\fB\-x\fP
|
|
Only sign the DNSKEY, CDNSKEY, and CDS RRsets with key\-signing keys,
|
|
and omit signatures from zone\-signing keys. (This is similar to the
|
|
\fBdnssec\-dnskey\-kskonly yes;\fP zone option in \fBnamed\fP\&.)
|
|
.TP
|
|
\fB\-z\fP
|
|
Ignore KSK flag on key when determining what to sign. This causes
|
|
KSK\-flagged keys to sign all records, not just the DNSKEY RRset.
|
|
(This is similar to the \fBupdate\-check\-ksk no;\fP zone option in
|
|
\fBnamed\fP\&.)
|
|
.TP
|
|
\fB\-3\fP salt
|
|
Generate an NSEC3 chain with the given hex encoded salt. A dash
|
|
(salt) can be used to indicate that no salt is to be used when
|
|
generating the NSEC3 chain.
|
|
.TP
|
|
\fB\-H\fP iterations
|
|
When generating an NSEC3 chain, use this many iterations. The default
|
|
is 10.
|
|
.TP
|
|
\fB\-A\fP
|
|
When generating an NSEC3 chain set the OPTOUT flag on all NSEC3
|
|
records and do not generate NSEC3 records for insecure delegations.
|
|
.sp
|
|
Using this option twice (i.e., \fB\-AA\fP) turns the OPTOUT flag off for
|
|
all records. This is useful when using the \fB\-u\fP option to modify an
|
|
NSEC3 chain which previously had OPTOUT set.
|
|
.TP
|
|
\fBzonefile\fP
|
|
The file containing the zone to be signed.
|
|
.TP
|
|
\fBkey\fP
|
|
Specify which keys should be used to sign the zone. If no keys are
|
|
specified, then the zone will be examined for DNSKEY records at the
|
|
zone apex. If these are found and there are matching private keys, in
|
|
the current directory, then these will be used for signing.
|
|
.UNINDENT
|
|
.SH EXAMPLE
|
|
.sp
|
|
The following command signs the \fBexample.com\fP zone with the
|
|
ECDSAP256SHA256 key generated by key generated by \fBdnssec\-keygen\fP
|
|
(Kexample.com.+013+17247). Because the \fB\-S\fP option is not being used,
|
|
the zone\(aqs keys must be in the master file (\fBdb.example.com\fP). This
|
|
invocation looks for \fBdsset\fP files, in the current directory, so that
|
|
DS records can be imported from them (\fB\-g\fP).
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
.sp
|
|
.nf
|
|
.ft C
|
|
% dnssec\-signzone \-g \-o example.com db.example.com \e
|
|
Kexample.com.+013+17247
|
|
db.example.com.signed
|
|
%
|
|
.ft P
|
|
.fi
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
In the above example, \fBdnssec\-signzone\fP creates the file
|
|
\fBdb.example.com.signed\fP\&. This file should be referenced in a zone
|
|
statement in a \fBnamed.conf\fP file.
|
|
.sp
|
|
This example re\-signs a previously signed zone with default parameters.
|
|
The private keys are assumed to be in the current directory.
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
.sp
|
|
.nf
|
|
.ft C
|
|
% cp db.example.com.signed db.example.com
|
|
% dnssec\-signzone \-o example.com db.example.com
|
|
db.example.com.signed
|
|
%
|
|
.ft P
|
|
.fi
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.SH SEE ALSO
|
|
.sp
|
|
\fBdnssec\-keygen(8)\fP, BIND 9 Administrator Reference Manual, \fI\%RFC 4033\fP,
|
|
\fI\%RFC 4641\fP\&.
|
|
.SH AUTHOR
|
|
Internet Systems Consortium
|
|
.SH COPYRIGHT
|
|
2020, Internet Systems Consortium
|
|
.\" Generated by docutils manpage writer.
|
|
.
|