160 lines
4.5 KiB
Groff
160 lines
4.5 KiB
Groff
|
.TH ldns-signzone 1 "30 May 2005"
|
||
|
|
.SH NAME
|
||
|
|
ldns-signzone \- sign a zonefile with DNSSEC data
|
||
|
|
.SH SYNOPSIS
|
||
|
|
.B ldns-signzone
|
||
|
|
[
|
||
|
|
.IR OPTIONS
|
||
|
|
]
|
||
|
|
.IR ZONEFILE
|
||
|
|
.IR
|
||
|
|
KEY
|
||
|
|
[KEY
|
||
|
|
[KEY] ...
|
||
|
|
]
|
||
|
|
|
||
|
|
.SH DESCRIPTION
|
||
|
|
|
||
|
|
\fBldns-signzone\fR is used to generate a DNSSEC signed zone. When run it
|
||
|
|
will create a new zonefile that contains RRSIG and NSEC resource records, as
|
||
|
|
specified in RFC 4033, RFC 4034 and RFC 4035.
|
||
|
|
|
||
|
|
Keys must be specified by their base name (i.e. without .private). If
|
||
|
|
the DNSKEY that belongs to the key in the .private file is not present
|
||
|
|
in the zone, it will be read from the file <base name>.key. If that
|
||
|
|
file does not exist, the DNSKEY value will be generated from the
|
||
|
|
private key.
|
||
|
|
|
||
|
|
Multiple keys can be specified, Key Signing Keys are used as such when
|
||
|
|
they are either already present in the zone, or specified in a .key
|
||
|
|
file, and have the KSK bit set.
|
||
|
|
|
||
|
|
.SH OPTIONS
|
||
|
|
.TP
|
||
|
|
\fB-d\fR
|
||
|
|
Normally, if the DNSKEY RR for a key that is used to sign the zone is
|
||
|
|
not found in the zone file, it will be read from .key, or derived from
|
||
|
|
the private key (in that order). This option turns that feature off,
|
||
|
|
so that only the signatures are added to the zone.
|
||
|
|
|
||
|
|
.TP
|
||
|
|
\fB-e\fR \fIdate\fR
|
||
|
|
Set expiration date of the signatures to this date, the format can be
|
||
|
|
YYYYMMDD[hhmmss], or a timestamp.
|
||
|
|
|
||
|
|
.TP
|
||
|
|
\fB-f\fR \fIfile\fR
|
||
|
|
Use this file to store the signed zone in (default <originalfile>.signed)
|
||
|
|
|
||
|
|
.TP
|
||
|
|
\fB-i\fR \fIdate\fR
|
||
|
|
Set inception date of the signatures to this date, the format can be
|
||
|
|
YYYYMMDD[hhmmss], or a timestamp.
|
||
|
|
|
||
|
|
.TP
|
||
|
|
\fB-l\fR
|
||
|
|
Leave old DNSSEC RRSIGS and NSEC records intact (by default, they are
|
||
|
|
removed from the zone)
|
||
|
|
|
||
|
|
.TP
|
||
|
|
\fB-o\fR \fIorigin\fR
|
||
|
|
Use this as the origin of the zone
|
||
|
|
|
||
|
|
.TP
|
||
|
|
\fB-v\fR
|
||
|
|
Print the version and exit
|
||
|
|
|
||
|
|
.TP
|
||
|
|
\fB-A\fR
|
||
|
|
Sign the DNSKEY record with all keys. By default it is signed with a
|
||
|
|
minimal number of keys, to keep the response size for the DNSKEY query
|
||
|
|
small, and only the SEP keys that are passed are used. If there are no
|
||
|
|
SEP keys, the DNSKEY RRset is signed with the non\-SEP keys. This option
|
||
|
|
turns off the default and all keys are used to sign the DNSKEY RRset.
|
||
|
|
|
||
|
|
.TP
|
||
|
|
\fB-E\fR \fIname\fR
|
||
|
|
Use the EVP cryptographic engine with the given name for signing. This
|
||
|
|
can have some extra options; see ENGINE OPTIONS for more information.
|
||
|
|
|
||
|
|
.TP
|
||
|
|
\fB-k\fR \fIid,int\fR
|
||
|
|
Use the key with the given id as the signing key for algorithm int as
|
||
|
|
a Zone signing key. This option is used when you use an OpenSSL
|
||
|
|
engine, see ENGINE OPTIONS for more information.
|
||
|
|
|
||
|
|
.TP
|
||
|
|
\fB-K\fR \fIid,int\fR
|
||
|
|
|
||
|
|
Use the key with the given id as the signing key for algorithm int as
|
||
|
|
a Key signing key. This options is used when you use an OpenSSL engine,
|
||
|
|
see ENGINE OPTIONS for more information.
|
||
|
|
|
||
|
|
.TP
|
||
|
|
\fB-n\fR
|
||
|
|
Use NSEC3 instead of NSEC.
|
||
|
|
|
||
|
|
.TP
|
||
|
|
If you use NSEC3, you can specify the following extra options:
|
||
|
|
|
||
|
|
.TP
|
||
|
|
\fB-a\fR \fIalgorithm\fR
|
||
|
|
Algorithm used to create the hashed NSEC3 owner names
|
||
|
|
|
||
|
|
.TP
|
||
|
|
\fB-p\fR
|
||
|
|
Opt-out. All NSEC3 records in the zone will have the Opt-out flag set. After signing, you can add insecure delegations to the signed zone.
|
||
|
|
|
||
|
|
.TP
|
||
|
|
\fB-s\fR \fIstring\fR
|
||
|
|
Salt
|
||
|
|
|
||
|
|
.TP
|
||
|
|
\fB-t\fR \fInumber\fR
|
||
|
|
Number of hash iterations
|
||
|
|
|
||
|
|
.SH ENGINE OPTIONS
|
||
|
|
You can modify the possible engines, if supported, by setting an
|
||
|
|
OpenSSL configuration file. This is done through the environment
|
||
|
|
variable OPENSSL_CONF. If you use -E with a non-existent engine name,
|
||
|
|
ldns-signzone will print a list of engines supported by your
|
||
|
|
configuration.
|
||
|
|
|
||
|
|
The key options (-k and -K) work as follows; you specify a key id, and a DNSSEC algorithm number (for instance, 5 for RSASHA1). The key id can be any of the following:
|
||
|
|
|
||
|
|
<id>
|
||
|
|
<slot>:<id>
|
||
|
|
id_<id>
|
||
|
|
slot_<slot>-id_<id>
|
||
|
|
label_<label>
|
||
|
|
slot_<slot>-label_<label>
|
||
|
|
|
||
|
|
Where '<id>' is the PKCS #11 key identifier in hexadecimal
|
||
|
|
notation, '<label>' is the PKCS #11 human-readable label, and '<slot>'
|
||
|
|
is the slot number where the token is present.
|
||
|
|
|
||
|
|
If not already present, a DNSKEY RR is generated from the key
|
||
|
|
data, and added to the zone.
|
||
|
|
|
||
|
|
.SH EXAMPLES
|
||
|
|
|
||
|
|
.TP
|
||
|
|
ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+005+12273
|
||
|
|
Sign the zone in the file 'nlnetlabs.nl' with the key in the
|
||
|
|
files 'Knlnetlabs.nl.+005+12273.private'. If the DNSKEY is not present
|
||
|
|
in the zone, use the key in the
|
||
|
|
file 'Knlnetlabs.nl.+005+12273.key'. If that is not present, generate
|
||
|
|
one with default values from 'Knlnetlabs.nl.+005+12273.private'.
|
||
|
|
|
||
|
|
|
||
|
|
.SH AUTHOR
|
||
|
|
Written by the ldns team as an example for ldns usage.
|
||
|
|
|
||
|
|
.SH REPORTING BUGS
|
||
|
|
Report bugs to <ldns-team@nlnetlabs.nl>.
|
||
|
|
|
||
|
|
.SH COPYRIGHT
|
||
|
|
Copyright (C) 2005-2008 NLnet Labs. This is free software. There is NO
|
||
|
|
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||
|
|
PURPOSE.
|