ldns-signzone(1)                 General Commands Manual                 ldns-signzone(1)

NAME
ldns-signzone - sign a zonefile with DNSSEC data

SYNOPSIS
ldns-signzone [ OPTIONS ] ZONEFILE KEY [KEY [KEY] ... ]

DESCRIPTION
ldns-signzone is used to generate a DNSSEC signed zone. When run it will create a new zonefile that contains RRSIG and NSEC (or, with -n, NSEC3) resource records, as specified in RFC 4033, RFC 4034 and RFC 4035.

OPTIONS
- -b
- Augments the zone and the RRs with extra comment text for
a more readable layout that is easier to debug. DS records will have a
bubblebabble version of the data in the comment text, NSEC3 records will
have the original NSEC3 in the comment text.
- -d
- Normally, if the DNSKEY RR for a key that is used to sign
the zone is not found in the zone file, it will be read from .key, or
derived from the private key (in that order). This option turns that
feature off, so that only the signatures are added to the zone.
- -e date
- Set expiration date of the signatures to this date, the
format can be YYYYMMDD[hhmmss], or a timestamp.
- -f file
- Use this file to store the signed zone in (default
<originalfile>.signed)
- -i date
- Set inception date of the signatures to this date, the
format can be YYYYMMDD[hhmmss], or a timestamp.
- -o origin
- Use this as the origin of the zone
- -v
- Print the version and exit
- -A
- Sign the DNSKEY record with all keys. By default it is
signed with a minimal number of keys, to keep the response size for the
DNSKEY query small, and only the SEP keys that are passed are used. If
there are no SEP keys, the DNSKEY RRset is signed with the non-SEP keys.
This option turns off the default and all keys are used to sign the DNSKEY
RRset.
- -E name
- Use the EVP cryptographic engine with the given name for
signing. This can have some extra options; see ENGINE OPTIONS for more
information.
- -k id,int
- Use the key with the given id as the signing key for
algorithm int as a Zone signing key. This option is used when you use an
OpenSSL engine, see ENGINE OPTIONS for more information.
- -K id,int
- Use the key with the given id as the signing key for
algorithm int as a Key signing key. This option is used when you use an
OpenSSL engine, see ENGINE OPTIONS for more information.
- -n
- Use NSEC3 instead of NSEC. If you use NSEC3, you can specify the
following extra options:
- -a algorithm
- Algorithm used to create the hashed NSEC3 owner names
- -p
- Opt-out. All NSEC3 records in the zone will have the
Opt-out flag set. After signing, you can add insecure delegations to the
signed zone.
- -s string
- Salt
- -t number
- Number of hash iterations
ENGINE OPTIONS
You can modify the possible engines, if supported, by setting an OpenSSL configuration file. This is done through the environment variable OPENSSL_CONF. If you use -E with a non-existent engine name, ldns-signzone will print a list of engines supported by your configuration.

The key id given to -k and -K can take one of the following forms:
- <id>
- <slot>:<id>
- id_<id>
- slot_<slot>-id_<id>
- label_<label>
- slot_<slot>-label_<label>
EXAMPLES
- ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+005+12273
- Sign the zone in the file 'nlnetlabs.nl' with the key in
the file 'Knlnetlabs.nl.+005+12273.private'. If the DNSKEY is not present
in the zone, use the key in the file 'Knlnetlabs.nl.+005+12273.key'. If
that is not present, generate one with default values from
'Knlnetlabs.nl.+005+12273.private'.
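As an added example that is not part of this man page or of ldns itself: a small Python helper that interprets -i/-e date arguments and assembles an ldns-signzone command line for an NSEC3 signing run, refusing a validity window whose expiration is not after its inception. The zone and key file names in the test are constructed sample values; the rule that 8- and 14-digit values are read as dates before being tried as Unix timestamps is an assumption about how ldns-signzone parses these arguments.

```python
import datetime as dt
import re

def parse_signzone_date(arg):
    """Interpret an -i/-e argument: YYYYMMDD or YYYYMMDDhhmmss (read as UTC),
    otherwise a Unix timestamp. Assumption: 8/14-digit values are dates first."""
    if re.fullmatch(r"\d{8}", arg):
        fmt = "%Y%m%d"
    elif re.fullmatch(r"\d{14}", arg):
        fmt = "%Y%m%d%H%M%S"
    elif re.fullmatch(r"\d+", arg):
        return int(arg)
    else:
        raise ValueError("not a YYYYMMDD[hhmmss] date or a timestamp: %r" % arg)
    when = dt.datetime.strptime(arg, fmt).replace(tzinfo=dt.timezone.utc)
    return int(when.timestamp())

def build_signzone_cmd(zonefile, keys, inception, expiration, origin=None,
                       outfile=None, nsec3=None, sign_dnskey_all=False):
    """Assemble argv for one signing run. nsec3 is None for NSEC, or a dict
    with optional keys algorithm, opt_out, salt, iterations (the -a/-p/-s/-t
    options). A window whose expiration is not after its inception is rejected
    before anything is signed: such RRSIGs have no usable validity period."""
    if not keys:
        raise ValueError("at least one key file is required")
    if parse_signzone_date(expiration) <= parse_signzone_date(inception):
        raise ValueError("expiration %s is not after inception %s" % (expiration, inception))
    argv = ["ldns-signzone", "-i", inception, "-e", expiration]
    if origin:
        argv += ["-o", origin]
    if outfile:
        argv += ["-f", outfile]
    if sign_dnskey_all:
        argv.append("-A")
    if nsec3 is not None:
        argv.append("-n")
        if "algorithm" in nsec3:
            argv += ["-a", str(nsec3["algorithm"])]
        if nsec3.get("opt_out"):
            argv.append("-p")
        if "salt" in nsec3:
            argv += ["-s", nsec3["salt"]]
        if "iterations" in nsec3:
            argv += ["-t", str(nsec3["iterations"])]
    return argv + [zonefile] + list(keys)
```

The returned list can be handed to subprocess.run() unchanged; keeping the check in front of the signing step means a mistyped date fails loudly instead of producing a zone full of already-expired signatures.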
AUTHOR
Written by the ldns team as an example for ldns usage.

REPORTING BUGS
Report bugs to <ldns-team@nlnetlabs.nl>.

COPYRIGHT
Copyright (C) 2005-2008 NLnet Labs. This is free software. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

30 May 2005