diff options
Diffstat (limited to 'doc/arm/man.dnssec-signzone.html')
| -rw-r--r-- | doc/arm/man.dnssec-signzone.html | 101 |
1 files changed, 84 insertions, 17 deletions
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 4f73bf4..290e770 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -23,7 +23,7 @@ <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.ch10.html" title="Manual pages"> <link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime"> -<link rel="next" href="man.named-checkconf.html" title="named-checkconf"> +<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> <div class="navheader"> @@ -33,7 +33,7 @@ <td width="20%" align="left"> <a accesskey="p" href="man.dnssec-settime.html">Prev</a> </td> <th width="60%" align="center">Manual pages</th> -<td width="20%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a> +<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-verify.html">Next</a> </td> </tr> </table> @@ -47,10 +47,10 @@ </div> <div class="refsynopsisdiv"> <h2>Synopsis</h2> -<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div> +<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2618290"></a><h2>DESCRIPTION</h2> +<a name="id2620935"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-signzone</strong></span> signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2618309"></a><h2>OPTIONS</h2> +<a name="id2620954"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a</span></dt> <dd><p> @@ -85,6 +85,17 @@ Look for <code class="filename">dsset-</code> or <code class="filename">keyset-</code> files in <code class="option">directory</code>. </p></dd> +<dt><span class="term">-D</span></dt> +<dd><p> + Output only those record types automatically managed by + <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC, + NSEC3 and NSEC3PARAM records. If smart signing + (<code class="option">-S</code>) is used, DNSKEY records are also + included. The resulting file can be included in the original + zone file with <span><strong class="command">$INCLUDE</strong></span>. This option + cannot be combined with <code class="option">-O raw</code> or serial + number updating. + </p></dd> <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt> <dd><p> Uses a crypto hardware (OpenSSL engine) for the crypto operations @@ -136,12 +147,36 @@ <code class="option">end-time</code> must be later than <code class="option">start-time</code>. </p></dd> +<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt> +<dd> +<p> + Specify the date and time when the generated RRSIG records + for the DNSKEY RRset will expire. This is to be used in cases + when the DNSKEY signatures need to persist longer than + signatures on other records; e.g., when the private component + of the KSK is kept offline and the KSK signature is to be + refreshed manually. + </p> +<p> + As with <code class="option">start-time</code>, an absolute + time is indicated in YYYYMMDDHHMMSS notation. A time relative + to the start time is indicated with +N, which is N seconds from + the start time. A time relative to the current time is + indicated with now+N. If no <code class="option">extended end-time</code> is + specified, the value of <code class="option">end-time</code> is used as + the default. (<code class="option">end-time</code>, in turn, defaults to + 30 days from the start time.) <code class="option">extended end-time</code> + must be later than <code class="option">start-time</code>. + </p> +</dd> <dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt> <dd><p> The name of the output file containing the signed zone. The default is to append <code class="filename">.signed</code> to - the - input filename. + the input filename. If <code class="option">output-file</code> is + set to <code class="literal">"-"</code>, then the signed zone is + written to the standard output, with a default output + format of "full". </p></dd> <dt><span class="term">-h</span></dt> <dd><p> @@ -202,6 +237,12 @@ validators need to refetch at mostly the same time. </p> </dd> +<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt> +<dd><p> + When writing a signed zone to 'raw' format, set the "source serial" + value in the header to the specified serial number. (This is + expected to be used primarily for testing purposes.) + </p></dd> <dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt> <dd><p> Specifies the number of threads to use. By default, one @@ -235,7 +276,15 @@ <dd><p> The format of the output file containing the signed zone. Possible formats are <span><strong class="command">"text"</strong></span> (default) - and <span><strong class="command">"raw"</strong></span>. + <span><strong class="command">"full"</strong></span>, which is text output in a + format suitable for processing by external scripts, + and <span><strong class="command">"raw"</strong></span> or <span><strong class="command">"raw=N"</strong></span>, + which store the zone in a binary format for rapid loading + by <span><strong class="command">named</strong></span>. <span><strong class="command">"raw=N"</strong></span> + specifies the format version of the raw zone file: if N + is 0, the raw file can be read by any version of + <span><strong class="command">named</strong></span>; if N is 1, the file can be + read by release 9.9.0 or higher. The default is 1. </p></dd> <dt><span class="term">-p</span></dt> <dd><p> @@ -257,6 +306,22 @@ This option skips these tests. </p> </dd> +<dt><span class="term">-R</span></dt> +<dd> +<p> + Remove signatures from keys that no longer exist. + </p> +<p> + Normally, when a previously-signed zone is passed as input + to the signer, and a DNSKEY record has been removed and + replaced with a new one, signatures from the old key + that are still within their validity period are retained. + This allows the zone to continue to validate with cached + copies of the old DNSKEY RRset. The <code class="option">-R</code> forces + <span><strong class="command">dnssec-signzone</strong></span> to remove all orphaned + signatures. + </p> +</dd> <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt> <dd><p> Specifies the source of randomness. If the operating @@ -315,15 +380,17 @@ </dd> <dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt> <dd><p> - Specifies the TTL to be used for new DNSKEY records imported - into the zone from the key repository. If not specified, - the default is the minimum TTL value from the zone's SOA + Specifies a TTL to be used for new DNSKEY records imported + into the zone from the key repository. If not + specified, the default is the TTL value from the zone's SOA record. This option is ignored when signing without <code class="option">-S</code>, since DNSKEY records are not imported from the key repository in that case. It is also ignored if there are any pre-existing DNSKEY records at the zone apex, in which case new records' TTL values will be set to match - them. + them, or if any of the imported DNSKEY records had a default + TTL value. In the event of a a conflict between TTL values in + imported keys, the shortest one is used. </p></dd> <dt><span class="term">-t</span></dt> <dd><p> @@ -397,7 +464,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2672630"></a><h2>EXAMPLE</h2> +<a name="id2675701"></a><h2>EXAMPLE</h2> <p> The following command signs the <strong class="userinput"><code>example.com</code></strong> zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span> @@ -427,14 +494,14 @@ db.example.com.signed %</pre> </div> <div class="refsect1" lang="en"> -<a name="id2672709"></a><h2>SEE ALSO</h2> +<a name="id2675848"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 4033</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2672733"></a><h2>AUTHOR</h2> +<a name="id2675873"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> @@ -446,14 +513,14 @@ db.example.com.signed <td width="40%" align="left"> <a accesskey="p" href="man.dnssec-settime.html">Prev</a> </td> <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td> -<td width="40%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a> +<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-verify.html">Next</a> </td> </tr> <tr> <td width="40%" align="left" valign="top"> <span class="application">dnssec-settime</span> </td> <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> -<td width="40%" align="right" valign="top"> <span class="application">named-checkconf</span> +<td width="40%" align="right" valign="top"> <span class="application">dnssec-verify</span> </td> </tr> </table> |
