diff options
| author | peter <peter@FreeBSD.org> | 2008-07-12 05:00:28 +0000 |
|---|---|---|
| committer | peter <peter@FreeBSD.org> | 2008-07-12 05:00:28 +0000 |
| commit | ba8f85b49c38af7bc2a9acdef5dcde2de008d25e (patch) | |
| tree | ceac31a567976fd5866cb5791b059781f6e045de /contrib/bind9/doc/arm/man.dnssec-signzone.html | |
| parent | 0f328cea2580ffb8f9e363be671a517787111472 (diff) | |
| download | FreeBSD-src-ba8f85b49c38af7bc2a9acdef5dcde2de008d25e.zip FreeBSD-src-ba8f85b49c38af7bc2a9acdef5dcde2de008d25e.tar.gz | |
Flatten bind9 vendor work area
Diffstat (limited to 'contrib/bind9/doc/arm/man.dnssec-signzone.html')
| -rw-r--r-- | contrib/bind9/doc/arm/man.dnssec-signzone.html | 323 |
1 files changed, 0 insertions, 323 deletions
diff --git a/contrib/bind9/doc/arm/man.dnssec-signzone.html b/contrib/bind9/doc/arm/man.dnssec-signzone.html deleted file mode 100644 index 2d0ce06..0000000 --- a/contrib/bind9/doc/arm/man.dnssec-signzone.html +++ /dev/null @@ -1,323 +0,0 @@ -<!-- - - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000-2003 Internet Software Consortium. - - - - Permission to use, copy, modify, and distribute this software for any - - purpose with or without fee is hereby granted, provided that the above - - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - - PERFORMANCE OF THIS SOFTWARE. ---> -<!-- $Id: man.dnssec-signzone.html,v 1.2.2.46 2007/10/31 01:35:59 marka Exp $ --> -<html> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> -<title>dnssec-signzone</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> -<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages"> -<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen"> -<link rel="next" href="man.named-checkconf.html" title="named-checkconf"> -</head> -<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> -<div class="navheader"> -<table width="100%" summary="Navigation header"> -<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr> -<tr> -<td width="20%" align="left"> -<a accesskey="p" href="man.dnssec-keygen.html">Prev</a> </td> -<th width="60%" align="center">Manual pages</th> -<td width="20%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a> -</td> -</tr> -</table> -<hr> -</div> -<div class="refentry" lang="en"> -<a name="man.dnssec-signzone"></a><div class="titlepage"></div> -<div class="refnamediv"> -<h2>Name</h2> -<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p> -</div> -<div class="refsynopsisdiv"> -<h2>Synopsis</h2> -<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div> -</div> -<div class="refsect1" lang="en"> -<a name="id2598823"></a><h2>DESCRIPTION</h2> -<p><span><strong class="command">dnssec-signzone</strong></span> - signs a zone. It generates - NSEC and RRSIG records and produces a signed version of the - zone. The security status of delegations from the signed zone - (that is, whether the child zones are secure or not) is - determined by the presence or absence of a - <code class="filename">keyset</code> file for each child zone. - </p> -</div> -<div class="refsect1" lang="en"> -<a name="id2598842"></a><h2>OPTIONS</h2> -<div class="variablelist"><dl> -<dt><span class="term">-a</span></dt> -<dd><p> - Verify all generated signatures. - </p></dd> -<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt> -<dd><p> - Specifies the DNS class of the zone. - </p></dd> -<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt> -<dd><p> - Treat specified key as a key signing key ignoring any - key flags. This option may be specified multiple times. - </p></dd> -<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt> -<dd><p> - Generate a DLV set in addition to the key (DNSKEY) and DS sets. - The domain is appended to the name of the records. - </p></dd> -<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt> -<dd><p> - Look for <code class="filename">keyset</code> files in - <code class="option">directory</code> as the directory - </p></dd> -<dt><span class="term">-g</span></dt> -<dd><p> - Generate DS records for child zones from keyset files. - Existing DS records will be removed. - </p></dd> -<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt> -<dd><p> - Specify the date and time when the generated RRSIG records - become valid. This can be either an absolute or relative - time. An absolute start time is indicated by a number - in YYYYMMDDHHMMSS notation; 20000530144500 denotes - 14:45:00 UTC on May 30th, 2000. A relative start time is - indicated by +N, which is N seconds from the current time. - If no <code class="option">start-time</code> is specified, the current - time minus 1 hour (to allow for clock skew) is used. - </p></dd> -<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt> -<dd><p> - Specify the date and time when the generated RRSIG records - expire. As with <code class="option">start-time</code>, an absolute - time is indicated in YYYYMMDDHHMMSS notation. A time relative - to the start time is indicated with +N, which is N seconds from - the start time. A time relative to the current time is - indicated with now+N. If no <code class="option">end-time</code> is - specified, 30 days from the start time is used as a default. - </p></dd> -<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt> -<dd><p> - The name of the output file containing the signed zone. The - default is to append <code class="filename">.signed</code> to - the - input filename. - </p></dd> -<dt><span class="term">-h</span></dt> -<dd><p> - Prints a short summary of the options and arguments to - <span><strong class="command">dnssec-signzone</strong></span>. - </p></dd> -<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt> -<dd> -<p> - When a previously-signed zone is passed as input, records - may be resigned. The <code class="option">interval</code> option - specifies the cycle interval as an offset from the current - time (in seconds). If a RRSIG record expires after the - cycle interval, it is retained. Otherwise, it is considered - to be expiring soon, and it will be replaced. - </p> -<p> - The default cycle interval is one quarter of the difference - between the signature end and start times. So if neither - <code class="option">end-time</code> or <code class="option">start-time</code> - are specified, <span><strong class="command">dnssec-signzone</strong></span> - generates - signatures that are valid for 30 days, with a cycle - interval of 7.5 days. Therefore, if any existing RRSIG records - are due to expire in less than 7.5 days, they would be - replaced. - </p> -</dd> -<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt> -<dd><p> - The format of the input zone file. - Possible formats are <span><strong class="command">"text"</strong></span> (default) - and <span><strong class="command">"raw"</strong></span>. - This option is primarily intended to be used for dynamic - signed zones so that the dumped zone file in a non-text - format containing updates can be signed directly. - The use of this option does not make much sense for - non-dynamic zones. - </p></dd> -<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt> -<dd> -<p> - When signing a zone with a fixed signature lifetime, all - RRSIG records issued at the time of signing expires - simultaneously. If the zone is incrementally signed, i.e. - a previously-signed zone is passed as input to the signer, - all expired signatures have to be regenerated at about the - same time. The <code class="option">jitter</code> option specifies a - jitter window that will be used to randomize the signature - expire time, thus spreading incremental signature - regeneration over time. - </p> -<p> - Signature lifetime jitter also to some extent benefits - validators and servers by spreading out cache expiration, - i.e. if large numbers of RRSIGs don't expire at the same time - from all caches there will be less congestion than if all - validators need to refetch at mostly the same time. - </p> -</dd> -<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt> -<dd><p> - Specifies the number of threads to use. By default, one - thread is started for each detected CPU. - </p></dd> -<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt> -<dd> -<p> - The SOA serial number format of the signed zone. - Possible formats are <span><strong class="command">"keep"</strong></span> (default), - <span><strong class="command">"increment"</strong></span> and - <span><strong class="command">"unixtime"</strong></span>. - </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt> -<dd><p>Do not modify the SOA serial number.</p></dd> -<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt> -<dd><p>Increment the SOA serial number using RFC 1982 - arithmetics.</p></dd> -<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt> -<dd><p>Set the SOA serial number to the number of seconds - since epoch.</p></dd> -</dl></div> -</dd> -<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt> -<dd><p> - The zone origin. If not specified, the name of the zone file - is assumed to be the origin. - </p></dd> -<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt> -<dd><p> - The format of the output file containing the signed zone. - Possible formats are <span><strong class="command">"text"</strong></span> (default) - and <span><strong class="command">"raw"</strong></span>. - </p></dd> -<dt><span class="term">-p</span></dt> -<dd><p> - Use pseudo-random data when signing the zone. This is faster, - but less secure, than using real random data. This option - may be useful when signing large zones or when the entropy - source is limited. - </p></dd> -<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt> -<dd><p> - Specifies the source of randomness. If the operating - system does not provide a <code class="filename">/dev/random</code> - or equivalent device, the default source of randomness - is keyboard input. <code class="filename">randomdev</code> - specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - <code class="filename">keyboard</code> indicates that keyboard - input should be used. - </p></dd> -<dt><span class="term">-t</span></dt> -<dd><p> - Print statistics at completion. - </p></dd> -<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt> -<dd><p> - Sets the debugging level. - </p></dd> -<dt><span class="term">-z</span></dt> -<dd><p> - Ignore KSK flag on key when determining what to sign. - </p></dd> -<dt><span class="term">zonefile</span></dt> -<dd><p> - The file containing the zone to be signed. - </p></dd> -<dt><span class="term">key</span></dt> -<dd><p> - Specify which keys should be used to sign the zone. If - no keys are specified, then the zone will be examined - for DNSKEY records at the zone apex. If these are found and - there are matching private keys, in the current directory, - then these will be used for signing. - </p></dd> -</dl></div> -</div> -<div class="refsect1" lang="en"> -<a name="id2641307"></a><h2>EXAMPLE</h2> -<p> - The following command signs the <strong class="userinput"><code>example.com</code></strong> - zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span> - (Kexample.com.+003+17247). The zone's keys must be in the master - file (<code class="filename">db.example.com</code>). This invocation looks - for <code class="filename">keyset</code> files, in the current directory, - so that DS records can be generated from them (<span><strong class="command">-g</strong></span>). - </p> -<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \ -Kexample.com.+003+17247 -db.example.com.signed -%</pre> -<p> - In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates - the file <code class="filename">db.example.com.signed</code>. This - file should be referenced in a zone statement in a - <code class="filename">named.conf</code> file. - </p> -<p> - This example re-signs a previously signed zone with default parameters. - The private keys are assumed to be in the current directory. - </p> -<pre class="programlisting">% cp db.example.com.signed db.example.com -% dnssec-signzone -o example.com db.example.com -db.example.com.signed -%</pre> -</div> -<div class="refsect1" lang="en"> -<a name="id2641380"></a><h2>SEE ALSO</h2> -<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, - <em class="citetitle">BIND 9 Administrator Reference Manual</em>, - <em class="citetitle">RFC 2535</em>. - </p> -</div> -<div class="refsect1" lang="en"> -<a name="id2641404"></a><h2>AUTHOR</h2> -<p><span class="corpauthor">Internet Systems Consortium</span> - </p> -</div> -</div> -<div class="navfooter"> -<hr> -<table width="100%" summary="Navigation footer"> -<tr> -<td width="40%" align="left"> -<a accesskey="p" href="man.dnssec-keygen.html">Prev</a> </td> -<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td> -<td width="40%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a> -</td> -</tr> -<tr> -<td width="40%" align="left" valign="top"> -<span class="application">dnssec-keygen</span> </td> -<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> -<td width="40%" align="right" valign="top"> <span class="application">named-checkconf</span> -</td> -</tr> -</table> -</div> -</body> -</html> |
