.\" [ipreg/bind9.git] / bin / dnssec / dnssec-signzone.8
.\" Copyright (C) 2000-2009, 2011-2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-signzone
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-02-18
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-SIGNZONE" "8" "2014\-02\-18" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-signzone \- DNSSEC zone signing tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-signzone\fR\ 'u
\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-M\ \fR\fB\fImaxttl\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-P\fR] [\fB\-Q\fR] [\fB\-R\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-X\ \fR\fB\fIextended\ end\-time\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
.SH "DESCRIPTION"
.PP
\fBdnssec\-signzone\fR
signs a zone\&. It generates NSEC and RRSIG records and produces a signed version of the zone\&. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a
keyset
file for each child zone\&.
.SH "OPTIONS"
.PP
\-a
.RS 4
Verify all generated signatures\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class of the zone\&.
.RE
.PP
\-C
.RS 4
Compatibility mode: Generate a
keyset\-\fIzonename\fR
file in addition to
dsset\-\fIzonename\fR
when signing a zone, for use by older versions of
\fBdnssec\-signzone\fR\&.
.RE
.PP
\-d \fIdirectory\fR
.RS 4
Look for
dsset\-
or
keyset\-
files in
\fBdirectory\fR\&.
.RE
.PP
\-D
.RS 4
Output only those record types automatically managed by
\fBdnssec\-signzone\fR, i\&.e\&. RRSIG, NSEC, NSEC3 and NSEC3PARAM records\&. If smart signing (\fB\-S\fR) is used, DNSKEY records are also included\&. The resulting file can be included in the original zone file with
\fB$INCLUDE\fR\&. This option cannot be combined with
\fB\-O raw\fR,
\fB\-O map\fR, or serial number updating\&.
.RE
.PP
\-E \fIengine\fR
.RS 4
When applicable, specifies the hardware to use for cryptographic operations, such as a secure key store used for signing\&.
.sp
When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware security module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
.RE
.PP
\-g
.RS 4
Generate DS records for child zones from
dsset\-
or
keyset\-
file\&. Existing DS records will be removed\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Key repository: Specify a directory to search for DNSSEC keys\&. If not specified, defaults to the current directory\&.
.RE
.PP
\-k \fIkey\fR
.RS 4
Treat the specified key as a key signing key, ignoring any key flags\&. This option may be specified multiple times\&.
.RE
.PP
\-l \fIdomain\fR
.RS 4
Generate a DLV set in addition to the key (DNSKEY) and DS sets\&. The domain is appended to the name of the records\&.
.RE
.PP
\-M \fImaxttl\fR
.RS 4
Sets the maximum TTL for the signed zone\&. Any TTL higher than
\fImaxttl\fR
in the input zone will be reduced to
\fImaxttl\fR
in the output\&. This provides certainty as to the largest possible TTL in the signed zone, which is useful to know when rolling keys because it is the longest possible time before signatures that have been retrieved by resolvers will expire from resolver caches\&. Zones that are signed with this option should be configured to use a matching
\fBmax\-zone\-ttl\fR
in
named\&.conf\&. (Note: This option is incompatible with
\fB\-D\fR, because it modifies non\-DNSSEC data in the output zone\&.)
.RE
.PP
\-s \fIstart\-time\fR
.RS 4
Specify the date and time when the generated RRSIG records become valid\&. This can be either an absolute or relative time\&. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000\&. A relative start time is indicated by +N, which is N seconds from the current time\&. If no
\fBstart\-time\fR
is specified, the current time minus 1 hour (to allow for clock skew) is used\&.
.RE
.PP
\-e \fIend\-time\fR
.RS 4
Specify the date and time when the generated RRSIG records expire\&. As with
\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation\&. A time relative to the start time is indicated with +N, which is N seconds from the start time\&. A time relative to the current time is indicated with now+N\&. If no
\fBend\-time\fR
is specified, 30 days from the start time is used as a default\&.
\fBend\-time\fR
must be later than
\fBstart\-time\fR\&.
.RE
.PP
\-X \fIextended end\-time\fR
.RS 4
Specify the date and time when the generated RRSIG records for the DNSKEY RRset will expire\&. This is to be used in cases when the DNSKEY signatures need to persist longer than signatures on other records; e\&.g\&., when the private component of the KSK is kept offline and the KSK signature is to be refreshed manually\&.
.sp
As with
\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation\&. A time relative to the start time is indicated with +N, which is N seconds from the start time\&. A time relative to the current time is indicated with now+N\&. If no
\fBextended end\-time\fR
is specified, the value of
\fBend\-time\fR
is used as the default\&. (\fBend\-time\fR, in turn, defaults to 30 days from the start time\&.)
\fBextended end\-time\fR
must be later than
\fBstart\-time\fR\&.
.RE
.PP
\-f \fIoutput\-file\fR
.RS 4
The name of the output file containing the signed zone\&. The default is to append
\&.signed
to the input filename\&. If
\fBoutput\-file\fR
is set to
"\-", then the signed zone is written to the standard output, with a default output format of "full"\&.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
\fBdnssec\-signzone\fR\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.PP
\-i \fIinterval\fR
.RS 4
When a previously\-signed zone is passed as input, records may be resigned\&. The
\fBinterval\fR
option specifies the cycle interval as an offset from the current time (in seconds)\&. If an RRSIG record expires after the cycle interval, it is retained\&. Otherwise, it is considered to be expiring soon, and it will be replaced\&.
.sp
The default cycle interval is one quarter of the difference between the signature end and start times\&. So if neither
\fBend\-time\fR
nor
\fBstart\-time\fR
is specified,
\fBdnssec\-signzone\fR
generates signatures that are valid for 30 days, with a cycle interval of 7\&.5 days\&. Therefore, if any existing RRSIG records are due to expire in less than 7\&.5 days, they will be replaced\&.
.RE
.PP
\-I \fIinput\-format\fR
.RS 4
The format of the input zone file\&. Possible formats are
\fB"text"\fR
(default),
\fB"raw"\fR, and
\fB"map"\fR\&. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly\&. The use of this option does not make much sense for non\-dynamic zones\&.
.RE
.PP
\-j \fIjitter\fR
.RS 4
When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expire simultaneously\&. If the zone is incrementally signed, i\&.e\&. a previously\-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time\&. The
\fBjitter\fR
option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time\&.
.sp
Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i\&.e\&. if large numbers of RRSIGs don\*(Aqt expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time\&.
.RE
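.PP
The following Python snippet is an added worked example, not code from BIND or from this manual\&. It re\-implements the time notation and defaults described for \fB\-s\fR, \fB\-e\fR, \fB\-X\fR and \fB\-i\fR (absolute YYYYMMDDHHMMSS, +N, now+N, start = now minus 1 hour, end = start plus 30 days, cycle interval = a quarter of the lifetime) and the retention decision for an existing RRSIG; the exact form of the \fB\-j\fR jitter (subtracting a random 0\&.\&.jitter seconds from the expiry) is an assumption\&.

```python
import random
from datetime import datetime, timedelta, timezone

def parse_time(spec, now, start=None):
    """Parse a -s/-e/-X style time. A bare "+N" is relative to 'start' when
    one is given (end-time semantics), otherwise to 'now' (start-time)."""
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        base = start if start is not None else now
        return base + timedelta(seconds=int(spec[1:]))
    # Absolute time in YYYYMMDDHHMMSS notation, interpreted as UTC.
    return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def signing_window(now, start_time=None, end_time=None,
                   extended_end_time=None, interval=None):
    """Resolve start, end, DNSKEY-RRset end and cycle interval using the
    documented defaults: start = now - 1h, end = start + 30d,
    extended end = end, interval = (end - start) / 4."""
    start = parse_time(start_time, now) if start_time else now - timedelta(hours=1)
    end = parse_time(end_time, now, start) if end_time else start + timedelta(days=30)
    dnskey_end = parse_time(extended_end_time, now, start) if extended_end_time else end
    if end <= start or dnskey_end <= start:
        raise ValueError("end-time and extended end-time must be later than start-time")
    cycle = timedelta(seconds=interval) if interval is not None else (end - start) / 4
    return start, end, dnskey_end, cycle

def rrsig_retained(expiry, now, cycle):
    """-i rule: an existing RRSIG is kept only if it expires after
    now + cycle interval; otherwise it is 'expiring soon' and re-signed."""
    return expiry > now + cycle

def jittered_expiry(end, jitter, rng=None):
    """-j rule (assumed form): subtract a random 0..jitter seconds from the
    expiry so that re-signing of a large zone is spread over time."""
    if not jitter:
        return end
    rng = rng or random.Random()
    return end - timedelta(seconds=rng.randrange(jitter + 1))
```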
.PP
\-L \fIserial\fR
.RS 4
When writing a signed zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number\&. (This is expected to be used primarily for testing purposes\&.)
.RE
.PP
\-n \fIncpus\fR
.RS 4
Specifies the number of threads to use\&. By default, one thread is started for each detected CPU\&.
.RE
.PP
\-N \fIsoa\-serial\-format\fR
.RS 4
The SOA serial number format of the signed zone\&. Possible formats are
\fB"keep"\fR
(default),
\fB"increment"\fR,
\fB"unixtime"\fR, and
\fB"date"\fR\&.
.PP
\fB"keep"\fR
.RS 4
Do not modify the SOA serial number\&.
.RE
.PP
\fB"increment"\fR
.RS 4
Increment the SOA serial number using RFC 1982 arithmetic\&.
.RE
.PP
\fB"unixtime"\fR
.RS 4
Set the SOA serial number to the number of seconds since the epoch\&.
.RE
.PP
\fB"date"\fR
.RS 4
Set the SOA serial number to today\*(Aqs date in YYYYMMDDNN format\&.
.RE
.RE
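.PP
The following Python snippet is an added worked example, not BIND\*(Aqs own code, showing what each \fB\-N\fR format does to the SOA serial and how to check, with RFC 1982 ordering, that secondaries will see the new serial as newer than the old one (a switch from "date" to "unixtime" serials is the classic way to fail that check)\&. The YYYYMMDDNN rollover rule (keep today\*(Aqs date and bump NN when the old serial already carries it) is an assumption\&.

```python
from datetime import datetime, timezone

SERIAL_MOD = 2 ** 32

def serial_add(serial, n):
    """RFC 1982 addition: wrap modulo 2^32; n must be less than 2^31."""
    if not 0 <= n < 2 ** 31:
        raise ValueError("RFC 1982 addition is only defined for n < 2^31")
    return (serial + n) % SERIAL_MOD

def serial_gt(a, b):
    """RFC 1982 comparison: True if serial a is 'greater than' serial b.
    Serials exactly 2^31 apart are incomparable and yield False."""
    if a == b:
        return False
    return (a < b and b - a > 2 ** 31) or (a > b and a - b < 2 ** 31)

def new_soa_serial(old, fmt, now):
    """Serial the signed zone gets under -N <fmt>; 'now' is a UNIX time."""
    if fmt == "keep":
        return old
    if fmt == "increment":
        return serial_add(old, 1)
    if fmt == "unixtime":
        return now % SERIAL_MOD
    if fmt == "date":
        day = datetime.fromtimestamp(now, timezone.utc).strftime("%Y%m%d")
        today = int(day) * 100                      # YYYYMMDD00
        # Assumed rollover: an old serial already carrying today's date keeps
        # the date and bumps NN, so several signings per day still advance.
        return old + 1 if today <= old < today + 100 else today
    raise ValueError("unknown soa-serial-format: %s" % fmt)

def serial_advances(old, new):
    """Would secondaries treat 'new' as newer than 'old' (RFC 1982 order)?
    Worth checking before changing formats, e.g. from date to unixtime."""
    return serial_gt(new, old)
```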
.PP
\-o \fIorigin\fR
.RS 4
The zone origin\&. If not specified, the name of the zone file is assumed to be the origin\&.
.RE
.PP
\-O \fIoutput\-format\fR
.RS 4
The format of the output file containing the signed zone\&. Possible formats are
\fB"text"\fR
(default), which is the standard textual representation of the zone;
\fB"full"\fR, which is text output in a format suitable for processing by external scripts; and
\fB"map"\fR,
\fB"raw"\fR, and
\fB"raw=N"\fR, which store the zone in binary formats for rapid loading by
\fBnamed\fR\&.
\fB"raw=N"\fR
specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of
\fBnamed\fR; if N is 1, the file can be read by release 9\&.9\&.0 or higher; the default is 1\&.
.RE
.PP
\-P
.RS 4
Disable post sign verification tests\&.
.sp
The post sign verification test ensures that for each algorithm in use there is at least one non\-revoked self\-signed KSK, that all revoked KSKs are self\-signed, and that all records in the zone are signed by the algorithm\&. This option skips these tests\&.
.RE
.PP
\-Q
.RS 4
Remove signatures from keys that are no longer active\&.
.sp
Normally, when a previously\-signed zone is passed as input to the signer, and a DNSKEY record has been removed and replaced with a new one, signatures from the old key that are still within their validity period are retained\&. This allows the zone to continue to validate with cached copies of the old DNSKEY RRset\&. The
\fB\-Q\fR
option forces
\fBdnssec\-signzone\fR
to remove signatures from keys that are no longer active\&. This enables ZSK rollover using the procedure described in RFC 4641, section 4\&.2\&.1\&.1 ("Pre\-Publish Key Rollover")\&.
.RE
.PP
\-R
.RS 4
Remove signatures from keys that are no longer published\&.
.sp
This option is similar to
\fB\-Q\fR, except it forces
\fBdnssec\-signzone\fR
to remove signatures from keys that are no longer published\&. This enables ZSK rollover using the procedure described in RFC 4641, section 4\&.2\&.1\&.2 ("Double Signature Zone Signing Key Rollover")\&.
.RE
.PP
\-S
.RS 4
Smart signing: Instructs
\fBdnssec\-signzone\fR
to search the key repository for keys that match the zone being signed, and to include them in the zone if appropriate\&.
.sp
When a key is found, its timing metadata is examined to determine how it should be used, according to the following rules\&. Each successive rule takes priority over the prior ones:
.PP
.RS 4
If no timing metadata has been set for the key, the key is published in the zone and used to sign the zone\&.
.RE
.PP
.RS 4
If the key\*(Aqs publication date is set and is in the past, the key is published in the zone\&.
.RE
.PP
.RS 4
If the key\*(Aqs activation date is set and in the past, the key is published (regardless of publication date) and used to sign the zone\&.
.RE
.PP
.RS 4
If the key\*(Aqs revocation date is set and in the past, and the key is published, then the key is revoked, and the revoked key is used to sign the zone\&.
.RE
.PP
.RS 4
If either of the key\*(Aqs unpublication or deletion dates are set and in the past, the key is NOT published or used to sign the zone, regardless of any other metadata\&.
.RE
.PP
.RS 4
If the key\*(Aqs sync publication date is set and in the past, synchronization records (type CDS and/or CDNSKEY) are created\&.
.RE
.PP
.RS 4
If the key\*(Aqs sync deletion date is set and in the past, synchronization records (type CDS and/or CDNSKEY) are removed\&.
.RE
.RE
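.PP
The following Python snippet is an added worked example, not BIND\*(Aqs own code, that applies the \fB\-S\fR rule list above to the timing metadata of each key in a repository and reports which keys would be published, which would sign, and which get CDS/CDNSKEY records\&. The metadata field names, the UNIX\-time values and the sample key names are constructed for the example\&.

```python
# Field names are constructed for this example; they mirror the dates a key
# can carry but are not BIND identifiers.
TIMING_FIELDS = ("publish", "activate", "revoke", "unpublish", "delete")

def smart_sign_decision(meta, now):
    """Apply the -S rule list to one key's metadata (dict of field -> UNIX
    time; missing or None means unset). Later rules override earlier ones."""
    def past(field):
        return meta.get(field) is not None and meta[field] <= now

    state = {"publish": False, "sign": False, "revoke": False, "sync": None}
    # 1. No timing metadata at all: publish and sign.
    if all(meta.get(f) is None for f in TIMING_FIELDS):
        state["publish"] = state["sign"] = True
    # 2. Publication date in the past: publish.
    if past("publish"):
        state["publish"] = True
    # 3. Activation date in the past: publish (regardless of publication
    #    date) and sign.
    if past("activate"):
        state["publish"] = state["sign"] = True
    # 4. Revocation date in the past and key published: revoke, and the
    #    revoked key still signs.
    if past("revoke") and state["publish"]:
        state["revoke"] = state["sign"] = True
    # 5. Unpublication or deletion date in the past: neither published nor
    #    used, regardless of any other metadata.
    if past("unpublish") or past("delete"):
        state["publish"] = state["sign"] = state["revoke"] = False
    # Sync dates drive CDS/CDNSKEY creation and removal.
    if past("syncpublish"):
        state["sync"] = "create"
    if past("syncdelete"):
        state["sync"] = "remove"
    return state

def select_keys(repository, now):
    """Run the rules over a repository ({key name: metadata}) and return the
    sets of keys to publish, keys to sign with, and keys needing CDS/CDNSKEY."""
    publish, sign, sync = set(), set(), set()
    for name, meta in repository.items():
        st = smart_sign_decision(meta, now)
        if st["publish"]:
            publish.add(name)
        if st["sign"]:
            sign.add(name)
        if st["sync"] == "create":
            sync.add(name)
    return publish, sign, sync

# Constructed sample repository: a ZSK about to retire, its pre-published
# successor, and a KSK whose CDS/CDNSKEY publication has been enabled.
SAMPLE_REPO = {
    "Kexample.com.+013+11111": {"activate": 1000, "unpublish": 5000, "delete": 6000},
    "Kexample.com.+013+22222": {"publish": 4000, "activate": 7000},
    "Kexample.com.+013+33333": {"activate": 1000, "syncpublish": 4500},
}
```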
.PP
\-T \fIttl\fR
.RS 4
Specifies a TTL to be used for new DNSKEY records imported into the zone from the key repository\&. If not specified, the default is the TTL value from the zone\*(Aqs SOA record\&. This option is ignored when signing without
\fB\-S\fR, since DNSKEY records are not imported from the key repository in that case\&. It is also ignored if there are any pre\-existing DNSKEY records at the zone apex, in which case new records\*(Aq TTL values will be set to match them, or if any of the imported DNSKEY records had a default TTL value\&. In the event of a conflict between TTL values in imported keys, the shortest one is used\&.
.RE
.PP
\-t
.RS 4
Print statistics at completion\&.
.RE
.PP
\-u
.RS 4
Update NSEC/NSEC3 chain when re\-signing a previously signed zone\&. With this option, a zone signed with NSEC can be switched to NSEC3, or a zone signed with NSEC3 can be switched to NSEC or to NSEC3 with different parameters\&. Without this option,
\fBdnssec\-signzone\fR
will retain the existing chain when re\-signing\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-x
.RS 4
Only sign the DNSKEY, CDNSKEY, and CDS RRsets with key\-signing keys, and omit signatures from zone\-signing keys\&. (This is similar to the
\fBdnssec\-dnskey\-kskonly yes;\fR
zone option in
\fBnamed\fR\&.)
.RE
.PP
\-z
.RS 4
Ignore the KSK flag on keys when determining what to sign\&. This causes KSK\-flagged keys to sign all records, not just the DNSKEY RRset\&. (This is similar to the
\fBupdate\-check\-ksk no;\fR
zone option in
\fBnamed\fR\&.)
.RE
.PP
\-3 \fIsalt\fR
.RS 4
Generate an NSEC3 chain with the given hex encoded salt\&. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain\&.
.RE
.PP
\-H \fIiterations\fR
.RS 4
When generating an NSEC3 chain, use this many iterations\&. The default is 10\&.
.RE
.PP
\-A
.RS 4
When generating an NSEC3 chain, set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations\&.
.sp
Using this option twice (i\&.e\&.,
\fB\-AA\fR) turns the OPTOUT flag off for all records\&. This is useful when using the
\fB\-u\fR
option to modify an NSEC3 chain which previously had OPTOUT set\&.
.RE
.PP
zonefile
.RS 4
The file containing the zone to be signed\&.
.RE
.PP
key
.RS 4
Specify which keys should be used to sign the zone\&. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex\&. If these are found and there are matching private keys in the current directory, then these will be used for signing\&.
.RE
.SH "EXAMPLE"
.PP
The following command signs the
\fBexample\&.com\fR
zone with the ECDSAP256SHA256 key generated by
\fBdnssec\-keygen\fR
(Kexample\&.com\&.+013+17247)\&. Because the
\fB\-S\fR
option is not being used, the zone\*(Aqs keys must be in the master file (db\&.example\&.com)\&. This invocation looks for
dsset
files in the current directory, so that DS records can be imported from them (\fB\-g\fR)\&.
.sp
.if n \{\
.RS 4
.\}
.nf
% dnssec\-signzone \-g \-o example\&.com db\&.example\&.com \e
Kexample\&.com\&.+013+17247
db\&.example\&.com\&.signed
%
.fi
.if n \{\
.RE
.\}
.PP
In the above example,
\fBdnssec\-signzone\fR
creates the file
db\&.example\&.com\&.signed\&. This file should be referenced in a zone statement in a
named\&.conf
file\&.
.PP
This example re\-signs a previously signed zone with default parameters\&. The private keys are assumed to be in the current directory\&.
.sp
.if n \{\
.RS 4
.\}
.nf
% cp db\&.example\&.com\&.signed db\&.example\&.com
% dnssec\-signzone \-o example\&.com db\&.example\&.com
db\&.example\&.com\&.signed
%
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP
\fBdnssec-keygen\fR(8),
BIND 9 Administrator Reference Manual,
RFC 4033,
RFC 4641\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2009, 2011-2019 Internet Systems Consortium, Inc. ("ISC")
.br