Man Linux: Main Page and Category List

NAME

       ldns-signzone - sign a zonefile with DNSSEC data

SYNOPSIS

       ldns-signzone [ OPTIONS ] ZONEFILE KEY [KEY [KEY] ...  ]

DESCRIPTION

       ldns-signzone  is  used  to  generate a DNSSEC signed zone. When run it
       will create a new  zonefile  that  contains  RRSIG  and  NSEC  resource
       records, as specified in RFC 4033, RFC 4034 and RFC 4035.

       Keys  must  be specified by their base name (i.e. without .private). If
       the DNSKEY that belongs to the key in the .private file is not  present
       in  the  zone,  it  will be read from the file <base name>.key. If that
       file does not exist, the  DNSKEY  value  will  be  generated  from  the
       private key.

       Multiple  keys can be specified, Key Signing Keys are used as such when
       they are either already present in the zone, or  specified  in  a  .key
       file, and have the KSK bit set.

OPTIONS

       -d     Normally,  if  the  DNSKEY RR for a key that is used to sign the
              zone is not found in the zone file, it will be read  from  .key,
              or  derived  from  the  private key (in that order). This option
              turns that feature off, so that only the signatures are added to
              the zone.

       -e date
              Set  expiration  date of the signatures to this date, the format
              can be YYYYMMDD[hhmmss], or a timestamp.

       -f file
              Use  this  file  to  store   the   signed   zone   in   (default
              <originalfile>.signed)

       -i date
              Set  inception  date  of the signatures to this date, the format
              can be YYYYMMDD[hhmmss], or a timestamp.

       -l     Leave old DNSSEC RRSIGS and NSEC  records  intact  (by  default,
              they are removed from the zone)

       -o origin
              Use this as the origin of the zone

       -v     Print the version and exit

       -A     Sign  the  DNSKEY record with all keys.  By default it is signed
              with a minimal number of keys, to keep the response size for the
              DNSKEY  query  small,  and only the SEP keys that are passed are
              used.  If there are no SEP keys, the DNSKEY RRset is signed with
              the  non-SEP  keys.   This  option turns off the default and all
              keys are used to sign the DNSKEY RRset.

       -E name
              Use the  EVP  cryptographic  engine  with  the  given  name  for
              signing.  This  can  have some extra options; see ENGINE OPTIONS
              for more information.

       -k id,int
              Use the key with the given id as the signing key  for  algorithm
              int  as  a Zone signing key. This option is used when you use an
              OpenSSL engine, see ENGINE OPTIONS for more information.

       -K id,int

              Use the key with the given id as the signing key  for  algorithm
              int  as  a  Key signing key. This options is used when you ue an
              OpenSSL engine, see ENGINE OPTIONS for more information.

       -n     Use NSEC3 instead of NSEC.

       If you use NSEC3, you can specify the following extra options:

       -a algorithm
              Algorithm used to create the hashed NSEC3 owner names

       -p     Opt-out. All NSEC3 records in the zone  will  have  the  Opt-out
              flag set. After signing, you can add insecure delegations to the
              signed zone.

       -s string
              Salt

       -t number
              Number of hash iterations

ENGINE OPTIONS

       You can modify the  possible  engines,  if  supported,  by  setting  an
       OpenSSL  configuration  file.  This  is  done  through  the environment
       variable OPENSSL_CONF. If you use -E with a non-existent  engine  name,
       ldns-signzone   will   print  a  list  of  engines  supported  by  your
       configuration.

       The key options (-k and -K) work as follows; you specify a key id,  and
       a DNSSEC algorithm number (for instance, 5 for RSASHA1). The key id can
       be any of the following:

           <id>
           <slot>:<id>
           id_<id>
           slot_<slot>-id_<id>
           label_<label>
           slot_<slot>-label_<label>

       Where ’<id>’ is the PKCS #11 key identifier  in  hexadecimal  notation,
       ’<label>’  is  the  PKCS  #11 human-readable label, and ’<slot>’ is the
       slot number where the token is present.

       If not already present, a DNSKEY RR is generated from the key data, and
       added to the zone.

EXAMPLES

       ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+005+12273
              Sign  the  zone  in  the file ’nlnetlabs.nl’ with the key in the
              files ’Knlnetlabs.nl.+005+12273.private’. If the DNSKEY  is  not
              present    in    the   zone,   use   the   key   in   the   file
              ’Knlnetlabs.nl.+005+12273.key’. If that is not present, generate
              one with default values from ’Knlnetlabs.nl.+005+12273.private’.

AUTHOR

       Written by the ldns team as an example for ldns usage.

REPORTING BUGS

       Report bugs to <ldns-team@nlnetlabs.nl>.

COPYRIGHT

       Copyright (C) 2005-2008 NLnet Labs. This is free software. There is  NO
       warranty;  not  even  for  MERCHANTABILITY  or FITNESS FOR A PARTICULAR
       PURPOSE.

                                  30 May 2005                 ldns-signzone(1)