diff --git a/doc/man/dnssec/dnssec-keygen.8 b/doc/man/dnssec/dnssec-keygen.8 deleted file mode 100644 index f87f3261b1..0000000000 --- a/doc/man/dnssec/dnssec-keygen.8 +++ /dev/null 
@@ -1,309 +0,0 @@ -.\" Copyright (C) 2000, 2001 Internet Software Consortium. -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -.\" $Id: dnssec-keygen.8,v 1.12 2001/01/09 21:47:21 bwelling Exp $ - -.Dd Jun 30, 2000 -.Dt DNSSEC-KEYGEN 8 -.Os BIND9 9 -.ds vT BIND9 Programmer's Manual -.Sh NAME -.Nm dnssec-keygen -.Nd key generation tool for DNSSEC -.Sh SYNOPSIS -.Nm dnssec-keygen -.Fl a Ar algorithm -.Fl b Ar keysize -.Op Fl c Ar class -.Op Fl e -.Op Fl g Ar generator -.Op Fl h -.Fl n Ar nametype -.Op Fl p Ar protocol-value -.Op Fl r Ar randomdev -.Op Fl s Ar strength-value -.Op Fl t Ar type -.Op Fl v Ar level -.Ar name -.Sh DESCRIPTION -.Nm dnssec-keygen -generates keys for DNSSEC, Secure DNS, as defined in RFC2535. -It also generates keys for use in Transaction Signatures, TSIG, which -is defined in RFC2845. -.Pp -A short summary of the options and arguments to -.Nm dnssec-keygen -is printed by the -.Fl h -(help) option. -.Pp -The -.Fl a , -.Fl b , -and -.Fl n -options and their arguments must be supplied when generating keys. -The domain name that the key has to be generated for is given by -.Ar name . -.Pp -The choice of encryption algorithm is selected by the -.Fl a -option to -.Nm dnssec-keygen . 
-.Ar algorithm -must be one of -.Dv RSAMD5 , -.Dv DH , -.Dv DSA -or -.Dv HMAC-MD5 -to indicate that an RSA, Diffie-Hellman, Digital Signature -Algorithm or HMAC-MD5 key is required. -An argument of -.Dv RSA -can also be given, which is equivalent to -.Dv RSAMD5 . -The argument identifying the encryption algorithm is case-insensitive. -DNSSEC specifies DSA as a mandatory algorithm and RSA as a recommended one. -Implementations of TSIG must support HMAC-MD5. -.Pp -The number of bits in the key is determined by the -.Ar keysize -argument following the -.Fl b -option. -The choice of key size depends on the algorithm that is used. -RSA keys must be between 512 and 2048 bits. -Diffie-Hellman keys must be between 128 and 4096 bits. -For DSA, the key size must be between 512 and 1024 bits and a multiple -of 64. -The length of an HMAC-MD5 key can be between 1 and 512 bits. -.Pp -The -.Fl n -option specifies how the generated key will be used. -.Ar nametype -can be either -.Dv ZONE , -.Dv HOST , -.Dv ENTITY , -or -.Dv USER -to indicate that the key will be used for signing a zone, host, -entity or user respectively. -In this context -.Dv HOST -and -.Dv ENTITY -are identical. -.Ar nametype -is case-insensitive. -.Pp -The -.Fl c -option specifies that the when creating a KEY record, the specified class -should be used instead of IN. -.Pp -The -.Fl e -option can only be used when generating RSA keys. -It tells -.Nm dnssec-keygen -to use a large exponent. -When creating Diffie-Hellman keys, the -.Fl g -option selects the Diffie-Hellman generator -.Ar generator -that is to be used. -The only supported values value of -.Ar generator -are 2 and 5. -If no Diffie-Hellman generator is supplied, a known prime -from RFC2539 will be used if possible; otherwise 2 will be used as the -generator. -.Pp -The -.Fl p -option sets the protocol value for the generated key to -.Ar protocol-value . -The default is 2 (email) for keys of type -.Dv USER -and 3 (DNSSEC) for all other key types. 
-Other possible values for this argument are listed in RFC2535 and its -successors. -.Pp -.Nm dnssec-keygen -uses random numbers to seed the process -of generating keys. -If the system does not have a -.Pa /dev/random -device that can be used for generating random numbers, -.Nm dnssec-keygen -will prompt for keyboard input and use the time intervals between -keystrokes to provide randomness. -The -.Fl r -option overrides this behaviour, making -.Nm dnssec-keygen -use -.Ar randomdev -as a source of random data. -.Pp -The key's strength value can be set with the -.Fl s -option. -The generated key will sign DNS resource records -with a strength value of -.Ar strength-value . -It should be a number between 0 and 15. -The default strength is zero. -The key strength field currently has no defined purpose in DNSSEC. -.Pp -The -.Fl t -option indicates if the key is to be used for authentication or -confidentiality. -.Ar type -can be one of -.Dv AUTHCONF , -.Dv NOAUTHCONF , -.Dv NOAUTH -or -.Dv NOCONF . -The default is -.Dv AUTHCONF . -If type is -.Dv AUTHCONF -the key can be used for authentication and confidentialty. -Setting -.Ar type -to -.Dv NOAUTHCONF -indicates that the key cannot be used for authentication or confidentialty. -A value of -.Dv NOAUTH -means the key can be used for confidentiality but not for -authentication. -Similarly, -.Dv NOCONF -defines that the key cannot be used for confidentiality though it can -be used for authentication. -.Pp -The -.Fl v -option can be used to make -.Nm dnssec-keygen -more verbose. -As the debugging/tracing level -.Ar level -increases, -.Nm dnssec-keygen -generates increasingly detailed reports about what it is doing. -The default level is zero. -.Sh GENERATED KEYS -When -.Nm dnssec-keygen -completes it prints a string of the form -.Ar Knnnn.+aaa+iiiii -on the standard output. -This is an identification string for the key it has generated. -These strings can be supplied as arguments to -.Xr dnssec-makekeyset 8 . 
-.Pp -The -.Ar nnnn. -part is the dot-terminated domain name given by -.Ar name . -The DNSSEC algorithm identifier is indicated by -.Ar aaa - -001 for RSA, 002 for Diffie-Hellman, 003 for DSA or 157 for HMAC-MD5. -.Ar iiiii -is a five-digit number identifying the key. -.Pp -.Nm dnssec-keygen -creates two files. -The file names are adapted from the key identification string above. -They have names of the form: -.Ar Knnnn.+aaa+iiiii.key -and -.Ar Knnnn.+aaa+iiiii.private . -These contain the public and private parts of the key respectively. -The files generated by -.Nm dnssec-keygen -obey this naming convention to -make it easy for the signing tool -.Xr dnssec-signzone 8 -to identify which file(s) have to be read to find the necessary -key(s) for generating or validating signatures. -.Pp -The -.Ar .key -file contains a KEY resource record that can be inserted into a zone file -with a -.Dv $INCLUDE -statement. -The private part of the key is in the -.Ar .private -file. -It contains details of the encryption algorithm that was used and any -relevant parameters: prime number, exponent, modulus, subprime, etc. -For obvious security reasons, this file does not have general read -permission. -The private part of the key is used by -.Xr dnssec-signzone 8 -to generate signatures and the public part is used to verify the -signatures. -Both -.Ar .key -and -.Ar .private -key files are generated for symmetric encryption algorithm such as -HMAC-MD5, even though the public and private key are equivalent. -.Sh EXAMPLE -To generate a 768-bit DSA key for the domain -.Dv example.com , -the following command would be issued: -.Pp -.Dl # dnssec-keygen -a DSA -b 768 -n ZONE example.com -.Dl Kexample.com.+003+26160 -.Pp -.Nm dnssec-keygen -has printed the key identification string -.Dv Kexample.com.+003+26160 , -indicating a DSA key with identifier 26160. 
-It will also have created the files -.Pa Kexample.com.+003+26160.key -and -.Pa Kexample.com.+003+26160.private -containing respectively the public and private keys for the generated -DSA key. -.Sh FILES -.Pa /dev/random -.Sh SEE ALSO -.Xr RFC2535, -.Xr RFC2845, -.Xr RFC2539, -.Xr dnssec-makekeyset 8 , -.Xr dnssec-signkey 8 , -.Xr dnssec-signzone 8 . -.Sh BUGS -The naming convention for the public and private key files is a little -clumsy. -It won't work for domain names that are longer than 236 characters -because of the -.Ar .+aaa+iiiii.private -suffix results in filenames that are too long for most -.Ux -systems. diff --git a/doc/man/dnssec/dnssec-makekeyset.8 b/doc/man/dnssec/dnssec-makekeyset.8 deleted file mode 100644 index 8999e2c8de..0000000000 --- a/doc/man/dnssec/dnssec-makekeyset.8 +++ /dev/null 
@@ -1,210 +0,0 @@ -.\" Copyright (C) 2000, 2001 Internet Software Consortium. -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -.\" $Id: dnssec-makekeyset.8,v 1.10 2001/01/09 21:47:23 bwelling Exp $ - -.Dd Jun 30, 2000 -.Dt DNSSEC-MAKEKEYSET 8 -.Os BIND9 9 -.ds vT BIND9 Programmer's Manual -.Sh NAME -.Nm dnssec-makekeyset -.Nd produce a set of DNSSEC keys -.Sh SYNOPSIS -.Nm dnssec-makekeyset -.Op Fl h -.Op Fl s Ar start-time -.Op Fl e Ar end-time -.Op Fl t Ar TTL -.Op Fl r Ar randomdev -.Op Fl p -.Op Fl v Ar level -.Ar keyfile .... -.Sh DESCRIPTION -.Nm dnssec-makekeyset -generates a key set from one or more keys created by -.Xr dnssec-keygen 8 . -It creates a file containing KEY and SIG records for some zone which -can then be signed by the zone's parent if the parent zone is -DNSSEC-aware. -.Ar keyfile -should be a key identification string as reported by -.Xr dnssec-keygen 8 : -i.e. -.Ar Knnnn.+aaa+iiiii -where -.Ar nnnn -is the name of the key, -.Ar aaa -is the encryption algorithm and -.Ar iiiii -is the key identifier. -Multiple -.Ar keyfile -arguments can be supplied when there are several keys to be combined -by -.Nm dnssec-makekeyset -into a key set. 
-.Pp -For any SIG records that are in the key set, the start time when the -SIG records become valid is specified with the -.Fl s -option. -.Ar start-time -can either be an absolute or relative date. -An absolute start time is indicated by a number in YYYYMMDDHHMMSS -notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. -A relative start time is supplied when -.Ar start-time -is given as +N: N seconds from the current time. -If no -.Fl s -option is supplied, the current date and time is used for the start -time of the SIG records. -.Pp -The expiry date for the SIG records can be set by the -.Fl e -option. -Note that in this context, the expiry date specifies when the SIG -records are no longer valid, not when they are deleted from caches on name -servers. -.Ar end-date -also represents an absolute or relative date. -YYYYMMDDHHMMSS notation is used as before to indicate an absolute date -and time. -When -.Ar end-date -is +N, -it indicates that the SIG records will expire in N seconds after their -start date. -If -.Ar end-date -is written as now+N, -the SIG records will expire in N seconds after the current time. -When no expiry date is set for the SIG records, -.Nm dnssec-makekeyset -defaults to an expire time of 30 days from the start time of the SIG -records. -.Pp -An alternate source of random data can be specified with the -.Fl r -option. -.Ar randomdev -is the name of the file to use to obtain random data. -By default -.Pa /dev/random -is used if this device is available. -If it is not provided by the operating system and no -.Fl r -option is used, -.Nm dnssec-makekeyset -will prompt the user for input from the keyboard and use the time -between keystrokes to derive some random data. -.Pp -The -.Fl p -option instructs -.Nm dnssec-makekeyset -to use pseudo-random data when self-signing the keyset. This is faster, but -less secure, than using genuinely random data for signing. -This option may be useful when the entropy source is limited. 
-.Pp -The -.Fl t -option is followed by a time-to-live argument -.Ar TTL -which indicates the TTL value that will be assigned to the assembled KEY -and SIG records in the output file. -.Ar TTL -is expressed in seconds. -If no -.Fl t -option is provided, -.Nm dnssec-makekeyset -prints a warning and uses a default TTL of 3600 seconds. -.Pp -The -.Fl v -option can be used to make -.Nm dnssec-makekeyset -more verbose. -As the debugging/tracing level -.Ar level -increases, -.Nm dnssec-makekeyset -generates increasingly detailed reports about what it is doing. -The default level is zero. -.Pp -The -.Fl h -option makes -.Nm dnssec-makekeyset -to print a short summary of its options and arguments. -.Pp -If -.Nm dnssec-makekeyset -is successful, it creates a file name of the form -.Ar keyset-nnnn. . -This file contains the KEY and SIG records for domain -.Dv nnnn , -the domain name part from the key file identifier produced when -.Nm dnssec-keygen -created the domain's public and private keys. -The -.Ar keyset -file can then be transferred to the DNS administrator of the parent -zone for them to sign the contents with -.Xr dnssec-signkey 8 . -.Sh EXAMPLE -The following command generates a key set for the DSA key for -.Dv example.com -that was shown in the -.Xr dnssec-keygen 8 -man page. -The backslash is for typographic reasons and would not be provided on -the command line when running -.Nm dnssec-makekeyset . -.nf -.Dl # dnssec-makekeyset -t 86400 -s 20000701120000 \e\p -.Dl -e +2592000 Kexample.com.+003+26160 -.fi -.Pp -.Nm dnssec-makekeyset -will create a file called -.Pa keyset-example.com. -containing a SIG and KEY record for -.Dv example.com. -These records will have a TTL of 86400 seconds (1 day). -The SIG record becomes valid at noon UTC on July 1st 2000 and expires -30 days (2592000 seconds) later. -.Pp -The DNS administrator for -.Dv example.com -could then send -.Pa keyset-example.com. 
-to the DNS administrator for -.Dv .com -so that they could sign the resource records in the file. -This assumes that the -.Dv .com -zone is DNSSEC-aware and the administrators of the two zones have some -mechanism for authenticating each other and exchanging the keys and -signatures securely. -.Sh FILES -.Pa /dev/random . -.Sh SEE ALSO -.Xr RFC2535 , -.Xr dnssec-keygen 8 , -.Xr dnssec-signkey 8 . diff --git a/doc/man/dnssec/dnssec-signkey.8 b/doc/man/dnssec/dnssec-signkey.8 deleted file mode 100644 index 07b1296bf8..0000000000 --- a/doc/man/dnssec/dnssec-signkey.8 +++ /dev/null 
@@ -1,209 +0,0 @@ -.\" Copyright (C) 2000, 2001 Internet Software Consortium. -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -.\" $Id: dnssec-signkey.8,v 1.12 2001/01/09 21:47:24 bwelling Exp $ - -.Dd Jun 30, 2000 -.Dt DNSSEC-SIGNKEY 8 -.Os BIND9 9 -.ds vT BIND9 Programmer's Manual -.Sh NAME -.Nm dnssec-signkey -.Nd DNSSEC keyset signing tool -.Sh SYNOPSIS -.Nm dnssec-signkey -.Op Fl h -.Op Fl s Ar start-time -.Op Fl e Ar end-time -.Op Fl c Ar class -.Op Fl p -.Op Fl r Ar randomdev -.Op Fl v Ar level -.Ar keyset -.Ar keyfile ... -.Sh DESCRIPTION -.Nm dnssec-signkey -is used to sign a key set for a child zone. -Typically this would be provided by a -.Ar keyset -file generated by -.Xr dnssec-makekeyset 8 . -This provides a mechanism for a DNSSEC-aware zone to sign the keys of -any DNSSEC-aware child zones. -The child zone's key set gets signed with the zone keys for its parent -zone. -.Ar keyset -will be the pathname of the child zone's -.Ar keyset -file. -Each -.Ar keyfile -argument will be a key identification string as reported by -.Xr dnssec-keygen 8 -for the parent zone. -This allows the child's keys to be signed by more than one -parent zone key. 
-.Pp -The -.Fl h -option makes -.Nm dnssec-signkey -print a short summary of its command line options -and arguments. -.Pp -By default, the validity period of the generated SIG records is copied -from that of the signatures in the input key set. This may be overriden -with the -.Fl s -and -.Fl e -options, both of which must be present if either is. -The start of the validity period is specified with the -.Fl s -option. -.Ar start-time -can either be an absolute or relative date. -An absolute start time is indicated by a number in YYYYMMDDHHMMSS -notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. -A relative start time is supplied when -.Ar start-time -is given as +N: N seconds from the current time. -If no -.Fl s -option is supplied, the current date and time is used for the start -time of the SIG records. -.Pp -The expiry date for the SIG records can be set by the -.Fl e -option. -Note that in this context, the expiry date specifies when the SIG -records are no longer valid, not when they are deleted from caches on name -servers. -.Ar end-date -also represents an absolute or relative date. -YYYYMMDDHHMMSS notation is used as before to indicate an absolute date -and time. -When -.Ar end-date -is +N, -it indicates that the SIG records will expire in N seconds after their -start date. -If -.Ar end-date -is written as now+N, -the SIG records will expire in N seconds after the current time. -.Pp -The -.Fl c -option specifies that the KEY records in the input and output key sets should -have the specified class instead of IN. -.Pp -.Nm dnssec-signkey -may need random numbers in the process of generating keys. -If the system does not have a -.Pa /dev/random -device that can be used for generating random numbers, -.Nm dnssec-signkey -will prompt for keyboard input and use the time intervals between -keystrokes to provide randomness. -The -.Fl r -option overrides this behaviour, making -.Nm dnssec-signkey -use -.Ar randomdev -as a source of random data. 
-.Pp -The -.Fl p -option instructs -.Nm dnssec-signkey -to use pseudo-random data when signing the keys. This is faster, but -less secure, than using genuinely random data for signing. -This option may be useful when there are many child zone keysets to -sign or if the entropy source is limited. -It could also be used for short-lived keys and signatures that don't -require as much protection against cryptanalysis, such as when the key -will be discarded long before it could be compromised. -.Pp -The -.Fl v -option can be used to make -.Nm dnssec-signkey -more verbose. -As the debugging/tracing level -.Ar level -increases, -.Nm dnssec-signkey -generates increasingly detailed reports about what it is doing. -The default level is zero. -.Pp -When -.Nm dnssec-signkey -completes successfully, it generates a file called -.Ar signedkey-nnnn. -containing the signed keys for child zone -.Ar nnnn . -The keys from the -.Ar keyset -file will have been signed by the parent zone's key or keys which were -supplied as -.Ar keyfile -arguments. -This file should be sent to the DNS administrator of the child zone. -They arrange for its contents to be incorporated into the zone file -when it next gets signed with -.Xr dnssec-signzone 8 . -A copy of the generated -.Ar signedkey -file should be kept by the parent zone's DNS administrator, since -it will be needed when signing the parent zone. -.Sh EXAMPLE -The DNS administrator for a DNSSEC-aware -.Dv .com -zone would use the following command to make -.Nm dnssec-signkey -sign the -.Ar keyset -file for -.Dv example.com -created in the example shown in the man page for -.Xr dnssec-makekeyset 8 : -.Pp -.Dl # dnssec-signkey keyset-example.com. Kcom.+003+51944 -.Pp -where -.Dv Kcom.+003+51944 -was a key file identifier that was produced when -.Xr dnssec-keygen 8 -generated a key for the -.Dv .com -zone. -.Pp -.Nm dnssec-signkey -will produce a file called -.Dv signedkey-example.com. 
-which has the keys for -.Dv example.com -signed by the -.Dv com -zone's zone key. -.Sh FILES -.Pa /dev/random -.Sh SEE ALSO -.Xr RFC2535, -.Xr dnssec-keygen 8 , -.Xr dnssec-makekeyset 8 , -.Xr dnssec-signzone 8 . diff --git a/doc/man/dnssec/dnssec-signzone.8 b/doc/man/dnssec/dnssec-signzone.8 deleted file mode 100644 index 0fe3b1cb47..0000000000 --- a/doc/man/dnssec/dnssec-signzone.8 +++ /dev/null 
@@ -1,285 +0,0 @@ -.\" Copyright (C) 2000, 2001 Internet Software Consortium. -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -.\" $Id: dnssec-signzone.8,v 1.17 2001/01/09 21:47:25 bwelling Exp $ - -.Dd Jun 30, 2000 -.Dt DNSSEC-SIGNZONE 8 -.Os BIND9 9 -.ds vT BIND9 Programmer's Manual -.Sh NAME -.Nm dnssec-signzone -.Nd DNSSEC zone signing tool -.Sh SYNOPSIS -.Nm dnssec-signzone -.Op Fl a -.Op Fl c Ar class -.Op Fl d Ar directory -.Op Fl s Ar start-time -.Op Fl e Ar end-time -.Op Fl i Ar interval -.Op Fl o Ar origin -.Op Fl f Ar output-file -.Op Fl p -.Op Fl r Ar randomdev -.Op Fl t -.Op Fl v Ar level -.Op Fl n Ar nthreads -.Ar zonefile -.Op keyfile .... -.Sh DESCRIPTION -.Pp -.Nm dnssec-signzone -is used to sign a zone. -Any -.Ar signedkey -files for the zone to be signed should be present in the current -directory, along with the keys that will be used to sign the zone. -If no -.Ar keyfile -arguments are supplied, the default behaviour is to use all of the zone's -keys that are present in the current directory. -Providing specific -.Ar keyfile -arguments constrains -.Nm dnssec-signzone -to only use those keys for signing the zone. 
-Each -.Ar keyfile -argument would be an identification string for a key created with -.Xr dnssec-keygen 8 . -If the zone to be signed has any secure subzones, the -.Ar signedkey -files for those subzones need to be available in the -current working directory used by -.Nm dnssec-signzone . -.Pp -.Ar zonefile -is the name of the unsigned zone file. -Unless the file name is the same as the name of the zone, the -.Fl o -option should be given. -.Ar origin -will be the fully qualified domain origin for the zone. -.Pp -.Nm dnssec-signzone -will generate NXT and SIG records for the zone and produce a signed -version of the zone. -If there is a -.Ar signedkey -file from the zone's parent, the parent's signatures will be -incorporated into the generated signed zone file. -The security status of delegations from the the signed zone -- i.e. whether the child zones are DNSSEC-aware or not - is -set according to the presence or absence of a -.Ar signedkey -file for the child in case. -.Pp -By default, -.Nm dnssec-signzone -generates a file called -.Ar zonefile.signed -containing the signed zone file. -The output file name can be overridden usign the -.Fl f -option. -.\" Don't hyphenate YYYYMMDDHHMMSS -.nh YYYYMMDDHHMMSS -.Pp -.Nm dnssec-signzone -does not verify the signatures by default. -The -.Fl a -option makes it verify the signatures it generated. -.Pp -The date and time when the generated -SIG records become valid can be specified with the -.Fl s -option. -.Ar start-time -can either be an absolute or relative date. -An absolute start time is indicated by a number in YYYYMMDDHHMMSS -notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. -A relative start time is supplied when -.Ar start-time -is given as +N: N seconds from the current time. -If no -.Fl s -option is supplied, the current date and time is used for the start -time of the SIG records. -.Pp -The expiry date for the SIG records can be set by the -.Fl e -option. 
-Note that in this context, the expiry date specifies when the SIG -records are no longer valid, not when they are deleted from caches on name -servers. -.Ar end-date -also represents an absolute or relative date. -YYYYMMDDHHMMSS notation is used as before to indicate an absolute date -and time. -When -.Ar end-date -is +N, -it indicates that the SIG records will expire in N seconds after their -start date. -If -.Ar end-date -is supplied as now+N, -the SIG records will expire in N seconds after the current time. -When no expiry date is set for the SIG records, -.Nm dnssec-signzone -defaults to an expire time of 30 days from the start time of the SIG -records. -.Pp -When a previously signed zone is passed as input to -.Nm dnssec-signzone , -records may be resigned. Whether or not to resign records is configurable -by using the -.Fl i -option, which specifies the cycle interval as an offset from the current time -(in seconds). If a SIG record expires after the cycle interval, it is -retained. Otherwise, it is considered to be expiring soon, and -.Nm dnssec-signzone -will remove it and generate a new SIG record to replace it. -.Pp -The default cycle interval is one quarter of the difference between the -specified signature end and start dates. So if the -.Fl e -and -.Fl s -options are not specified, -.Nm dnssec-signzone -generates signatures that are valid for 30 days from the current date -by default, with a cycle interval of 7.5 days. Therefore, if any SIG records -are due to expire in less than 7.5 days, they would be replaced -with new ones. -.Pp -.Nm dnssec-signzone -may need random numbers in the process of signing the zone. -If the system does not have a -.Pa /dev/random -device that can be used for generating random numbers, -.Nm dnssec-signzone -will prompt for keyboard input and use the time intervals between -keystrokes to provide randomness. 
-The -.Fl r -option overrides this behaviour, making -.Nm dnssec-signzone -use -.Ar randomdev -as a source of random data. -.Pp -The -.Fl p -option instructs -.Nm dnssec-signzone -to use pseudo-random data when signing the keys. This is faster, but -less secure, than using genuinely random data for signing. -This option may be useful when signing large zones or when the -entropy source is limited. -.Pp -The -.Fl t -option causes -.Nm dnssec-signzone -to print various statistics after signing the zone. -.Pp -The -.Fl c -option specifies that the KEY records in the input and output key sets should -have the specified class instead of IN. -.Pp -The -.Fl d -option specifies that -.Nm dnssec-signzone -should look in a directory other than the current directory for signedkey -files. -.Pp -An option of -.Fl h -makes -.Nm dnssec-signzone -print a short summary of its command line options -and arguments. -.Pp -The -.Fl v -option can be used to make -.Nm dnssec-signzone -more verbose. -As the debugging/tracing level -.Ar level -increases, -.Nm dnssec-signzone -generates increasingly detailed reports about what it is doing. -The default level is zero. -.Pp -The -.Fl n -option can be used to change the threading behavior. By default, -.Nm dnssec-signzone -attempts to determine the number of CPUs present, and create one thread -per CPU. The -.Fl n -option causes a different number of threads to be created. -.Sh EXAMPLE -The example below shows how -.Nm dnssec-signzone -could be used to sign the -.Dv example.com -zone with the key that was generated in the example given in the -man page for -.Xr dnssec-keygen 8 . -The zone file for this zone is -.Dv example.com , -which is the same as the origin, so there is no need to use the -.Fl o -option to set the origin. -The zone's keys were either appended to the zone file or -incorporated using a -.Dv $INCLUDE -statement. -If there was a -.Ar signedkey -file from the parent zone - i.e. -.Dv signedkey-example.com. 
-- it should be present in the current directory. -This allows the parent zone's signature to be included in the signed -version of the -.Dv example.com -zone. -.Pp -.Dl # dnssec-signzone example.com Kexample.com.+003+26160 -.Pp -.Nm dnssec-signzone -will create a file called -.Dv example.com.signed , -the signed version of the -.Dv example.com -zone. -This file can then be referenced in a -.Dv zone{} -statement in -.Pa /etc/named.conf -so that it can be loaded by the name server. -.Sh FILES -.Pa /dev/random -.Sh SEE ALSO -.Xr RFC2535, -.Xr dnssec-keygen 8 , -.Xr dnssec-signkey 8 .
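Review bot: for the dnssec-keygen.8 hunk, the file is removed with no replacement anywhere in this diff, and the commit gives no pointer to where the content now lives; that should be stated, because several security-relevant facts exist only in this page: the fallback to keystroke timing when no /dev/random device exists, the statement that the .private file "does not have general read permission", and the BUGS entry that the ".+aaa+iiiii.private" suffix breaks for domain names longer than 236 characters. If the text is being migrated to another format, do not copy the defects along with it: "The only supported values value of", "confidentialty" (twice), "the when creating a KEY record", and the unspaced ".Xr RFC2535," in SEE ALSO, which the makekeyset page writes correctly as ".Xr RFC2535 ,".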
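Review bot: for the dnssec-makekeyset.8 hunk, the same concern applies, nothing in the diff adds a replacement for the deleted page, so the commit should say where the documentation went. The caveat on the -p option, "use pseudo-random data when self-signing the keyset. This is faster, but less secure, than using genuinely random data for signing", is the one sentence in this file that warns an operator away from a weak entropy source on a signing path and must survive the move. Smaller items worth fixing in the replacement rather than carrying over: the SYNOPSIS ".Ar keyfile ...." has four dots, and "The -h option makes dnssec-makekeyset to print a short summary" should read "print".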
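Review bot: for the dnssec-signkey.8 hunk, the -p paragraph is the one place where the deleted text goes beyond "faster, but less secure" and adds that pseudo-random signing "could also be used for short-lived keys and signatures that don't require as much protection against cryptanalysis"; the makekeyset and signzone pages justify -p only by volume of work or a limited entropy source. Whoever writes the replacement documentation should reconsider that sentence before reproducing it, since it invites weaker randomness on the parent-zone signing path. As with the other files, the diff shows no destination for this content. Also "overriden" should be "overridden", and ".Xr RFC2535," needs the space before the comma.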
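Review bot: for the dnssec-signzone.8 hunk, two inconsistencies in the deleted text should not be migrated as-is. First, the DESCRIPTION documents "An option of -h makes dnssec-signzone print a short summary", but the SYNOPSIS has no ".Op Fl h", unlike the other three pages. Second, the pair ".\" Don't hyphenate YYYYMMDDHHMMSS" followed by ".nh YYYYMMDDHHMMSS" does not do what the comment says: ".nh" is the troff request that turns hyphenation off for the text that follows and takes no argument, so that word never reaches the output. The replacement should add -h to the synopsis and drop the bogus request line, and should fix "usign", "the the signed zone" and the dangling "file for the child in case". Like the other three deletions, this one has no corresponding addition in the diff, so the commit should record where the documentation now lives.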