Diffstat (limited to 'contrib/bind9/bin/dnssec/dnssec-signzone.docbook')
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-signzone.docbook | 107 |
1 files changed, 97 insertions, 10 deletions
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook index 128ebe9..e427fc1 100644 --- a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook +++ b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and/or distribute this software for any @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-signzone.docbook,v 1.44 2009/12/03 23:18:16 each Exp $ --> +<!-- $Id: dnssec-signzone.docbook,v 1.52 2011/12/22 07:32:40 each Exp $ --> <refentry id="man.dnssec-signzone"> <refentryinfo> <date>June 05, 2009</date> @@ -43,6 +43,7 @@ <year>2007</year> <year>2008</year> <year>2009</year> + <year>2011</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -60,6 +61,7 @@ <arg><option>-a</option></arg> <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg> + <arg><option>-D</option></arg> <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg> <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg> <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg> 
@@ -67,6 +69,7 @@
 <arg><option>-h</option></arg>
 <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
 <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
+ <arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
 <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
 <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
 <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
@@ -74,8 +77,9 @@
 <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
 <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
 <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
- <arg><option>-p</option></arg>
 <arg><option>-P</option></arg>
+ <arg><option>-p</option></arg>
+ <arg><option>-R</option></arg>
 <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
 <arg><option>-S</option></arg>
 <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
@@ -83,6 +87,7 @@
 <arg><option>-t</option></arg>
 <arg><option>-u</option></arg>
 <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
 <arg><option>-x</option></arg>
 <arg><option>-z</option></arg>
 <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
@@ -152,6 +157,22 @@ </varlistentry> <varlistentry> + <term>-D</term> + <listitem> + <para> + Output only those record types automatically managed by + <command>dnssec-signzone</command>, i.e. RRSIG, NSEC, + NSEC3 and NSEC3PARAM records. If smart signing + (<option>-S</option>) is used, DNSKEY records are also + included. The resulting file can be included in the original + zone file with <command>$INCLUDE</command>. This option + cannot be combined with <option>-O raw</option> or serial + number updating. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>-E <replaceable class="parameter">engine</replaceable></term> <listitem> <para> 
@@ -238,13 +259,40 @@ </varlistentry> <varlistentry> + <term>-X <replaceable class="parameter">extended end-time</replaceable></term> + <listitem> + <para> + Specify the date and time when the generated RRSIG records + for the DNSKEY RRset will expire. This is to be used in cases + when the DNSKEY signatures need to persist longer than + signatures on other records; e.g., when the private component + of the KSK is kept offline and the KSK signature is to be + refreshed manually. + </para> + <para> + As with <option>start-time</option>, an absolute + time is indicated in YYYYMMDDHHMMSS notation. A time relative + to the start time is indicated with +N, which is N seconds from + the start time. A time relative to the current time is + indicated with now+N. If no <option>extended end-time</option> is + specified, the value of <option>end-time</option> is used as + the default. (<option>end-time</option>, in turn, defaults to + 30 days from the start time.) <option>extended end-time</option> + must be later than <option>start-time</option>. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>-f <replaceable class="parameter">output-file</replaceable></term> <listitem> <para> The name of the output file containing the signed zone. The default is to append <filename>.signed</filename> to - the - input filename. + the input filename. If <option>output-file</option> is + set to <literal>"-"</literal>, then the signed zone is + written to the standard output, with a default output + format of "full". </para> </listitem> </varlistentry> 
@@ -325,6 +373,17 @@ </varlistentry> <varlistentry> + <term>-L <replaceable class="parameter">serial</replaceable></term> + <listitem> + <para> + When writing a signed zone to 'raw' format, set the "source serial" + value in the header to the specified serial number. (This is + expected to be used primarily for testing purposes.) + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>-n <replaceable class="parameter">ncpus</replaceable></term> <listitem> <para> @@ -388,7 +447,15 @@ <para> The format of the output file containing the signed zone. Possible formats are <command>"text"</command> (default) - and <command>"raw"</command>. + <command>"full"</command>, which is text output in a + format suitable for processing by external scripts, + and <command>"raw"</command> or <command>"raw=N"</command>, + which store the zone in a binary format for rapid loading + by <command>named</command>. <command>"raw=N"</command> + specifies the format version of the raw zone file: if N + is 0, the raw file can be read by any version of + <command>named</command>; if N is 1, the file can be + read by release 9.9.0 or higher. The default is 1. </para> </listitem> </varlistentry> @@ -422,6 +489,24 @@ </varlistentry> <varlistentry> + <term>-R</term> + <listitem> + <para> + Remove signatures from keys that no longer exist. + </para> + <para> + Normally, when a previously-signed zone is passed as input + to the signer, and a DNSKEY record has been removed and + replaced with a new one, signatures from the old key + that are still within their validity period are retained. + This allows the zone to continue to validate with cached + copies of the old DNSKEY RRset. The <option>-R</option> forces + <command>dnssec-signzone</command> to remove all orphaned + signatures. + </para> + </listitem> + </varlistentry> + <varlistentry> <term>-r <replaceable class="parameter">randomdev</replaceable></term> <listitem> <para> 
@@ -508,15 +593,17 @@ <term>-T <replaceable class="parameter">ttl</replaceable></term> <listitem> <para> - Specifies the TTL to be used for new DNSKEY records imported - into the zone from the key repository. If not specified, - the default is the minimum TTL value from the zone's SOA + Specifies a TTL to be used for new DNSKEY records imported + into the zone from the key repository. If not + specified, the default is the TTL value from the zone's SOA record. This option is ignored when signing without <option>-S</option>, since DNSKEY records are not imported from the key repository in that case. It is also ignored if there are any pre-existing DNSKEY records at the zone apex, in which case new records' TTL values will be set to match - them. + them, or if any of the imported DNSKEY records had a default + TTL value. In the event of a a conflict between TTL values in + imported keys, the shortest one is used. </para> </listitem> </varlistentry> |