1 files changed, 97 insertions, 10 deletions

diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
index 128ebe9..e427fc1 100644
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009, 2011  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-signzone.docbook,v 1.44 2009/12/03 23:18:16 each Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.52 2011/12/22 07:32:40 each Exp $ -->
 <refentry id="man.dnssec-signzone">
   <refentryinfo>
     <date>June 05, 2009</date>
@@ -43,6 +43,7 @@
       <year>2007</year>
       <year>2008</year>
       <year>2009</year>
+      <year>2011</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -60,6 +61,7 @@
       <arg><option>-a</option></arg>
       <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
       <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg><option>-D</option></arg>
       <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
       <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
       <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
@@ -67,6 +69,7 @@
       <arg><option>-h</option></arg>
       <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
       <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
+      <arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
       <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
       <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
       <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
@@ -74,8 +77,9 @@
       <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
       <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
       <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
-      <arg><option>-p</option></arg>
       <arg><option>-P</option></arg>
+      <arg><option>-p</option></arg>
+      <arg><option>-R</option></arg>
       <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
       <arg><option>-S</option></arg>
       <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
@@ -83,6 +87,7 @@
       <arg><option>-t</option></arg>
       <arg><option>-u</option></arg>
       <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
       <arg><option>-x</option></arg>
       <arg><option>-z</option></arg>
       <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
@@ -152,6 +157,22 @@
       </varlistentry>
 
       <varlistentry>
+        <term>-D</term>
+        <listitem>
+          <para>
+	    Output only those record types automatically managed by
+	    <command>dnssec-signzone</command>, i.e. RRSIG, NSEC,
+	    NSEC3 and NSEC3PARAM records. If smart signing
+	    (<option>-S</option>) is used, DNSKEY records are also
+	    included. The resulting file can be included in the original
+	    zone file with <command>$INCLUDE</command>. This option
+	    cannot be combined with <option>-O raw</option> or serial
+	    number updating.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-E <replaceable class="parameter">engine</replaceable></term>
         <listitem>
           <para>
@@ -238,13 +259,40 @@
       </varlistentry>
 
       <varlistentry>
+        <term>-X <replaceable class="parameter">extended end-time</replaceable></term>
+        <listitem>
+          <para>
+            Specify the date and time when the generated RRSIG records
+            for the DNSKEY RRset will expire.  This is to be used in cases
+            when the DNSKEY signatures need to persist longer than
+            signatures on other records; e.g., when the private component
+            of the KSK is kept offline and the KSK signature is to be
+            refreshed manually.
+          </para>
+          <para>
+            As with <option>start-time</option>, an absolute
+            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
+            to the start time is indicated with +N, which is N seconds from
+            the start time.  A time relative to the current time is
+            indicated with now+N.  If no <option>extended end-time</option> is
+            specified, the value of <option>end-time</option> is used as
+            the default.  (<option>end-time</option>, in turn, defaults to
+            30 days from the start time.) <option>extended end-time</option>
+            must be later than <option>start-time</option>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-f <replaceable class="parameter">output-file</replaceable></term>
         <listitem>
           <para>
             The name of the output file containing the signed zone.  The
             default is to append <filename>.signed</filename> to
-            the
-            input filename.
+            the input filename.  If <option>output-file</option> is
+            set to <literal>"-"</literal>, then the signed zone is
+            written to the standard output, with a default output
+            format of "full".
           </para>
         </listitem>
       </varlistentry>
@@ -325,6 +373,17 @@
       </varlistentry>
 
       <varlistentry>
+        <term>-L <replaceable class="parameter">serial</replaceable></term>
+        <listitem>
+          <para>
+            When writing a signed zone to 'raw' format, set the "source serial" 
+            value in the header to the specified serial number.  (This is
+            expected to be used primarily for testing purposes.)
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-n <replaceable class="parameter">ncpus</replaceable></term>
         <listitem>
           <para>
@@ -388,7 +447,15 @@
           <para>
             The format of the output file containing the signed zone.
 	    Possible formats are <command>"text"</command> (default)
-	    and <command>"raw"</command>.
+	    <command>"full"</command>, which is text output in a
+            format suitable for processing by external scripts,
+            and <command>"raw"</command> or <command>"raw=N"</command>,
+            which store the zone in a binary format for rapid loading
+            by <command>named</command>.  <command>"raw=N"</command>
+            specifies the format version of the raw zone file: if N
+            is 0, the raw file can be read by any version of
+            <command>named</command>; if N is 1, the file can be
+            read by release 9.9.0 or higher.  The default is 1.
           </para>
         </listitem>
       </varlistentry>
@@ -422,6 +489,24 @@
       </varlistentry>
 
       <varlistentry>
+        <term>-R</term>
+        <listitem>
+          <para>
+	    Remove signatures from keys that no longer exist.
+          </para>
+          <para>
+            Normally, when a previously-signed zone is passed as input
+            to the signer, and a DNSKEY record has been removed and
+            replaced with a new one, signatures from the old key 
+            that are still within their validity period are retained.
+	    This allows the zone to continue to validate with cached
+	    copies of the old DNSKEY RRset.  The <option>-R</option> forces
+            <command>dnssec-signzone</command> to remove all orphaned
+            signatures.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
         <term>-r <replaceable class="parameter">randomdev</replaceable></term>
         <listitem>
           <para>
@@ -508,15 +593,17 @@
         <term>-T <replaceable class="parameter">ttl</replaceable></term>
         <listitem>
           <para>
-            Specifies the TTL to be used for new DNSKEY records imported
-            into the zone from the key repository.  If not specified,
-            the default is the minimum TTL value from the zone's SOA
+            Specifies a TTL to be used for new DNSKEY records imported
+            into the zone from the key repository.  If not
+            specified, the default is the TTL value from the zone's SOA
             record.  This option is ignored when signing without
             <option>-S</option>, since DNSKEY records are not imported
             from the key repository in that case.  It is also ignored if
             there are any pre-existing DNSKEY records at the zone apex,
             in which case new records' TTL values will be set to match
-            them.
+            them, or if any of the imported DNSKEY records had a default
+            TTL value.  In the event of a a conflict between TTL values in
+            imported keys, the shortest one is used.
           </para>
         </listitem>
       </varlistentry>