/* Void Main's man pages */

{ phpMan } else { main(); }

Command: man perldoc info search(apropos)  

ldns-signzone(1)                                                                                                ldns-signzone(1)



NAME
       ldns-signzone - sign a zonefile with DNSSEC data

SYNOPSIS
       ldns-signzone [ OPTIONS ] ZONEFILE KEY [KEY [KEY] ...  ]


DESCRIPTION
       ldns-signzone  is  used  to generate a DNSSEC signed zone. When run it will create a new zonefile that contains RRSIG and
       NSEC resource records, as specified in RFC 4033, RFC 4034 and RFC 4035.

       Keys must be specified by their base name (i.e. without .private). If the DNSKEY that belongs to the key in the  .private
       file  is  not present in the zone, it will be read from the file <base name>.key. If that file does not exist, the DNSKEY
       value will be generated from the private key.

       Multiple keys can be specified, Key Signing Keys are used as such when they are either already present in  the  zone,  or
       specified in a .key file, and have the KSK bit set.


OPTIONS
       -b     Augments  the  zone  and the RR's with extra comment texts for a more readable layout, easier to debug. DS records
              will have a bubblebabble version of the data in the comment text, NSEC3 records will have the  original  NSEC3  in
              the comment text.

              Without this option, only DNSKEY RR's will have their Key Tag annotated in the comment text.


       -d     Normally,  if the DNSKEY RR for a key that is used to sign the zone is not found in the zone file, it will be read
              from .key, or derived from the private key (in that order). This option turns that feature off, so that  only  the
              signatures are added to the zone.


       -e date
              Set expiration date of the signatures to this date, the format can be YYYYMMDD[hhmmss], or a timestamp.


       -f file
              Use this file to store the signed zone in (default <originalfile>.signed)


       -i date
              Set inception date of the signatures to this date, the format can be YYYYMMDD[hhmmss], or a timestamp.


       -l     Leave old DNSSEC RRSIGS and NSEC records intact (by default, they are removed from the zone)


       -o origin
              Use this as the origin of the zone


       -v     Print the version and exit


       -A     Sign the DNSKEY record with all keys.  By default it is signed with a minimal number of keys, to keep the response
              size for the DNSKEY query small, and only the SEP keys that are passed are used.  If there are no  SEP  keys,  the
              DNSKEY RRset is signed with the non-SEP keys.  This option turns off the default and all keys are used to sign the
              DNSKEY RRset.


       -E name
              Use the EVP cryptographic engine with the given name for signing. This can have some  extra  options;  see  ENGINE
              OPTIONS for more information.


       -k id,int
              Use the key with the given id as the signing key for algorithm int as a Zone signing key. This option is used when
              you use an OpenSSL engine, see ENGINE OPTIONS for more information.


       -K id,int

              Use the key with the given id as the signing key for algorithm int as a Key signing key. This options is used when
              you use an OpenSSL engine, see ENGINE OPTIONS for more information.


       -n     Use NSEC3 instead of NSEC.


       If you use NSEC3, you can specify the following extra options:


       -a algorithm
              Algorithm used to create the hashed NSEC3 owner names


       -p     Opt-out. All NSEC3 records in the zone will have the Opt-out flag set. After signing, you can add insecure delega-
              tions to the signed zone.


       -s string
              Salt


       -t number
              Number of hash iterations


ENGINE OPTIONS
       You can modify the possible engines, if supported, by setting an OpenSSL configuration file. This  is  done  through  the
       environment  variable  OPENSSL_CONF.  If  you  use -E with a non-existent engine name, ldns-signzone will print a list of
       engines supported by your configuration.

       The key options (-k and -K) work as follows; you specify a key id, and a DNSSEC algorithm number  (for  instance,  5  for
       RSASHA1). The key id can be any of the following:

           <id>
           <slot>:<id>
           id_<id>
           slot_<slot>-id_<id>
           label_<label>
           slot_<slot>-label_<label>

       Where  '<id>' is the PKCS #11 key identifier in hexadecimal notation, '<label>' is the PKCS #11 human-readable label, and
       '<slot>' is the slot number where the token is present.

       If not already present, a DNSKEY RR is generated from the key data, and added to the zone.


EXAMPLES
       ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+005+12273
              Sign the zone in the file 'nlnetlabs.nl' with the key in  the  files  'Knlnetlabs.nl.+005+12273.private'.  If  the
              DNSKEY is not present in the zone, use the key in the file 'Knlnetlabs.nl.+005+12273.key'. If that is not present,
              generate one with default values from 'Knlnetlabs.nl.+005+12273.private'.



AUTHOR
       Written by the ldns team as an example for ldns usage.


REPORTING BUGS
       Report bugs to <ldns-teamATnlnetlabs.nl>.


COPYRIGHT
       Copyright (C) 2005-2008 NLnet Labs. This is free software. There is NO warranty; not even for MERCHANTABILITY or  FITNESS
       FOR A PARTICULAR PURPOSE.



                                                           30 May 2005                                          ldns-signzone(1)
Valid XHTML 1.0!Valid CSS!