path: root/contrib/bind/doc/man/dnssigner.1
.\" Copyright (c) 1996 by Internet Software Consortium
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
.\" ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
.\" CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
.\" DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
.\" PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
.\" ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
.\" SOFTWARE.
.\"
.\" $Id: dnssigner.1,v 8.2 1997/03/14 02:29:42 vixie Exp $
.\"
.Dd October 25, 1996
.Dt DNSSIGNER @CMD_EXT_U@
.Os BSD 4
.Sh NAME
.Nm dnssigner 
.Nd add signatures to DNS zone files
.Sh SYNOPSIS
.Nm dnssigner
.Op Cm signer-name Ar default_signer
.Op Cm boot-file Ar file
.Op Cm debug-file Ar file
.Op Cm out-dir Ar directory
.Op Cm seq-no Ar number
.Oo
.Cm expiration-time 
.Oo Po Cm + 
.Ns \&| 
.Ns Cm = 
.Pc Oc
.Ns Ar time
.Oc
.Op Cm hide 
.Op Cm noaxfr 
.Op Cm nosign 
.Op Cm verify 
.Op Cm update-zonekey 
.Op Fl d Ns Ar level
.Sh DESCRIPTION
.Ic Dnssigner
(Sign DNS zone database) is a tool to generate signatures
for DNS (Domain Name System) resource records.  It also generates
NXT records for each zone.
.Pp
.Bl -tag -width Fl
.It Cm signer-name Ar default_signer
Specifies the name of the key to use if no signer is defined using the
.Em Li $SIGNER  
directive in the boot files.
.It Cm boot-file Ar file
Specifies the control file for 
.Ic dnssigner , 
which is in the same format as the BIND-4 
.Pa named.boot 
file.
.It Cm debug-file Ar file
Redirect debug output to the specified 
.Ar file ; 
default is
.Pa signer_out 
in the current directory.
.It Cm out-dir Ar directory
Write signed files to the specified
.Ar directory ; 
default is to use
.Pa /tmp .
.Pp
.Sy NOTE :  
Specify the full path to this directory; relative paths may not work.
.It Xo Cm expiration-time 
.Oo Po Cm + 
.Ns \&| 
.Ns Cm = 
.Pc Oc
.Ns Ar time
.Xc
Time when the signature records are to
expire.  Using either
.Dq Cm =
or 
.Em no 
sign before the 
.Ar time
argument
.Po i.e., 
.Do Op Cm = 
.Ns Ar time
.Dc 
.Pc , 
the 
.Ar time 
is interpreted as an absolute time in seconds when the records will expire.  
.Po Sy NOTE :
All such times are interpreted as Universal Times.
.Pc
With
.Dq Cm +
specified
.Pq i.e., Dq Cm + Ns Ar time ,
the
.Ar time
is interpreted as an offset into the future.
.Pp
If not specified on the command line, the default 
.Cm expiration-time
is 3600*24*30 sec (30 days).
.It Cm seq-no Ar number
Force the serial number in the SOA records to the specified value. 
If this parameter is not set, the serial number will be set to a value
based on the current time.
.It Cm hide 
This flag will cause NXT records in zones with wildcard
records to point to 
.Li *.<zone> 
as the next host. The purpose of this
flag is to hide all information about valid names in a zone.
.It Cm noaxfr
Turn off generation of zone transfer signature records,
which validate the transfer of an entire zone.
.It Cm nosign
When this flag is specified, the boot files are read, NXT
records are generated and the zone file is written to the output
directory. No SIG records are generated. This flag is useful for
quickly checking the format of the data in the boot files, and to 
have boot files sorted into DNSSEC order.  
.It Cm verify
When this flag is present,
.Ic dnssigner
will verify all
signed records and print out a confirmation message for each SIG
verified. The main use of this flag is to see how long it takes to
generate each signature. 
.It Cm update-zonekey 
If this flag is specified, then the zonekeys used
to sign files will be updated with new records.  Specify this flag if
one or more of the keys have been updated.  If there are no zonekeys
specified in the boot files, this flag will insert them. Omitting
zonekeys will cause primary nameservers to reject the zone. 
.It Fl d Ns Ar level
Debug level to use for running 
.Ic dnssigner ;
these levels are the same as those used by 
.Xr @INDOT_U@NAMED @SYS_OPS_EXT_U@ .
.El
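The NXT chain and the behaviour of the hide flag described above, as an added example (not code from dnssigner or BIND; the zone and its names are constructed): owner names are sorted into DNSSEC canonical order, each name gets an NXT pointing at the next name, and with hide set in a zone that has wildcard records every NXT points at *.<zone> instead.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample zone (hypothetical names): owner name -> RR types present.
SAMPLE_ZONE: Dict[str, Set[str]] = {
    "example.test.": {"SOA", "NS", "KEY"},
    "www.example.test.": {"A"},
    "a.example.test.": {"MX"},
    "b.a.example.test.": {"A"},
    "*.example.test.": {"A"},
}


def canonical_key(name: str) -> List[bytes]:
    """DNSSEC canonical ordering: labels compared from the root end,
    as lowercase octet strings; a name sorts before its own subdomains."""
    labels = name.rstrip(".").lower().split(".")
    return [lbl.encode("ascii") for lbl in reversed(labels)]


def build_nxt_chain(zone: str, rrsets: Dict[str, Set[str]],
                    hide: bool = False) -> List[Tuple[str, str, List[str]]]:
    """Return (owner, next_name, types) for every owner in canonical order.
    The chain is closed: the last name's NXT points back to the apex.
    With hide=True and a wildcard present, every NXT names *.<zone> as the
    next host, so walking the chain reveals nothing about real names."""
    names = sorted(rrsets, key=canonical_key)
    has_wildcard = any(n.startswith("*.") for n in names)
    hidden_next = "*." + zone
    chain = []
    for i, owner in enumerate(names):
        real_next = names[(i + 1) % len(names)]
        nxt = hidden_next if (hide and has_wildcard) else real_next
        # Every signed owner also carries its NXT and the SIG covering it.
        types = sorted(rrsets[owner] | {"NXT", "SIG"})
        chain.append((owner, nxt, types))
    return chain


def format_nxt(owner: str, nxt: str, types: List[str]) -> str:
    """Render one record in zone-file style: owner NXT next type-list."""
    return f"{owner} NXT {nxt} {' '.join(types)}"


if __name__ == "__main__":
    for hide in (False, True):
        print(f"--- hide={hide}")
        for rec in build_nxt_chain("example.test.", SAMPLE_ZONE, hide=hide):
            print(format_nxt(*rec))
```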
.Ss DETAILS
.Ic Dnssigner
reads BIND-4 
.Pa named.boot 
and zone files, adds SIG and NXT
records and writes out the records (to one file per zone, regardless of
how many include files the original zone was in).  The files generated by
.Ic dnssigner
are ordinary textual zone files and are then normally
loaded by 
.Xr @INDOT_U@NAMED @SYS_OPS_EXT_U@ 
to serve the zone.
.Ic Dnssigner
.Sy requires that the PRIVATE key(s) reside in the input directory .
.Pp
Making manual changes to the output files is hazardous, because most
changes will invalidate one or more signatures contained therein.  This
will cause the zone to fail to load into 
.Xr @INDOT_U@NAMED @SYS_OPS_EXT_U@ , 
or will cause subsequent
failures in retrieving records from the zone.  It is far better to make
changes in 
.Ic dnssigner's
input files, and rerun 
.Ic dnssigner .
.Pp
When 
.Ic dnssigner
detects a delegation point, it creates a special file
.Pa <zone_name>.PARENT 
which contains the RRs the parent zone signs for the
child zone (NS, KEY, NXT). The intent is that the child will include this
file when loading primary nameservers.  Similarly, each zone file ends
with the 
.Dq Li #include <zone_name>.PARENT 
command.  The records 
in the
.Pa .PARENT 
files are omitted from the SIG(AXFR) calculations as these
records usually are on a different signing cycle.
.Pp
The 
.Em Li Dq $SIGNER Op Ar keyname
directive can be used to change signers in a
zone.  If 
.Ar keyname 
is omitted, signing is turned off.  Keys are loaded the
first time the keys are accessed.  Only records that are signed by the
zone signer (the key that signs the SOA) are included in the SIG(AXFR)
calculation.  It is not generally recommended that multiple keys sign
records in the same zone, unless this is useful for dynamic updates.
.Sh ENVIRONMENT
No environment variables are used.
.Sh SEE ALSO
.Xr @INDOT_U@NAMED @SYS_OPS_EXT_U@ ,
RSAREF documentation,
Internet-Draft 
.Em draft-ietf-dnssec-secext-10.txt
on Secure DNS, or its successor.
.Sh AUTHOR
Olafur Gudmundsson (ogud@tis.com)
.Sh ACKNOWLEDGMENTS
The underlying crypto math is done by the RSAREF or BSAFE libraries.