GNU.WIKI: The GNU/Linux Knowledge Base

  [HOME] [PHP Manual] [HowTo] [ABS] [MAN1] [MAN2] [MAN3] [MAN4] [MAN5] [MAN6] [MAN7] [MAN8] [MAN9]

  [0-9] [Aa] [Bb] [Cc] [Dd] [Ee] [Ff] [Gg] [Hh] [Ii] [Jj] [Kk] [Ll] [Mm] [Nn] [Oo] [Pp] [Qq] [Rr] [Ss] [Tt] [Uu] [Vv] [Ww] [Xx] [Yy] [Zz]


NAME

       zonesigner - Generates encryption keys and signs a DNS zone

SYNOPSIS

         zonesigner [options] <zone-file> <signed-zone-file>

         # get started immediately examples:

         # first run on a zone for example.com:
         zonesigner -genkeys -endtime +2678400 example.com

         # future runs before expiration time (reuses the same keys):
         zonesigner -endtime +2678400 example.com

DESCRIPTION

       This script combines into a single command many actions that are
       required to sign a DNS zone.  It generates the required KSK and ZSK
       keys, adds the key data to a zone record file, signs the zone file, and
       runs checks to ensure that everything worked properly.  It also keeps
       records about the keys and how the zone was signed in order to
       facilitate re-signing of the zone in the future.

       The zonesigner-specific zone-signing records are kept in keyrec files.
       Using keyrec files, defined and maintained by DNSSEC-Tools, zonesigner
       can automatically gather many of the options used to previously sign
       and generate a zone and its keys.  This allows the zone to be
       maintained using the same key lengths and expiration times, for
       example, without an administrator needing to manually track these
       fields.

QUICK START

       The following are examples that will allow a quick start on using
       zonesigner:

       first run on example.com
           The following command will generate keys and sign the zone file for
           example.com, giving an expiration date 31 days in the future.  The
           zone file is named example.com and the signed zone file will be
           named example.com.signed.

               zonesigner -genkeys -endtime +2678400 example.com

       subsequent runs on example.com
           The following command will re-sign example.com's zone file, but
           will not generate new keys.  The files and all key-generation and
           zone-signing arguments will remain the same.

               zonesigner example.com

USING ZONESIGNER

       zonesigner is used in this way:

           zonesigner [options] <zone-file> <signed-zone-file>

       The zone-file argument is required.

       zone-file is the name of the zone file from which a signed zone file
       will be created.  If the -zone option is not given, then zone-file will
       be used as the name of the zone that will be signed.  Generated keys
       are given this name as their base.

       Once zonesigner has created a set of keys for a zone and signed the
       zone, it may be used to re-sign the as the zonefile changes.  When run
       without any options, zonesigner will consult the zone's keyrec to find
       the appropriate set of keys and will then sign the specified zone with
       them.

       The zone file is modified to have include commands, which will include
       the KSK and ZSK keys.  These lines are placed at the end of the file
       and should not be modified by the user.  If the zone file already
       includes any key files, those inclusions will be deleted.  These lines
       are distinguished by starting with "$INCLUDE" and end with ".key".
       Only the actual include lines are deleted; any related comment lines
       are left untouched.

       An intermediate file is used in signing the zone.  zone-file is copied
       to the intermediate file and is modified in preparation of signing the
       zone file.  Several $INCLUDE lines will be added at the end of the file
       and the SOA serial number will be incremented.

       signed-zone is the name of the signed zone file.  If it is not given on
       the command line, the default signed zone filename is the zone-file
       appended with ".signed".  Thus, executing zonesigner example.com will
       result in the signed zone being stored in example.com.signed.

       Unless the -genkeys, -genksk, -genzsk, or -newpubksk options are
       specified, the last keys generated for a particular zone will be used
       in subsequent zonesigner executions.  DS records will be included in
       signing operations unless the -nogends option is used.

       zonesigner can be used with a rollover manager, such as rollerd, to
       provide automated management of a zone, its keys, and the signing of
       the zone.  If a rollerd-managed zonefile changes while rollerd is
       waiting for a zone rollover to begin or a rollover phase to complete,
       zonesigner may be used to sign the zone with the proper set of keys;
       rollerd will not be disrupted by this.

KEYREC FILES

       keyrec files retain information about previous key-generation and zone-
       signing operations.  If a keyrec file is not specified (by way of the
       -krfile option), then a default keyrec file is used.  If this default
       is not specified in the system's DNSSEC-Tools configuration file, the
       filename will be the zone name appended with .krf.  If the -nokrfile
       option is given, then no keyrec file will be consulted or saved.

       Each keyrec contains a set of "key/value" entries, one per line.
       Example 4 below contains the contents of a sample keyrec file.

       keyrec files contain three types of entries:  zone keyrecs, set
       keyrecs, and key keyrecs.  Zone keyrecs contain information
       specifically about the zone, such as the number of ZSKs used to sign
       the zone, the end-time for the zone, and the key signing set names
       (names of set keyrecs.)  Set keyrecs contain lists of key keyrec names
       used for a specific purpose, such as the current ZSK keys or the
       published ZSK keys.  Key keyrecs contain information about the
       generated keys themselves, such as encryption algorithm, key length,
       and key lifetime.

       As a zone proceeds through key rollover, new cryptographic keys will be
       generated for the zone.  The various key parameters (e.g., key length
       and crypto algorithm) will be the same as the parameters previously
       used to generate keys for that zone.  The keymod command allows these
       key parameters to be modified as needs change.  If a particular
       parameter is changed, such as the KSK length changing from 1024 to
       2048, then future keys will reflect that change; current and past keys
       will not be modified.

   Keyrec Files and RFC5011 KSK Revocation
       If RFC5011 processing is enabled, there is special handling of the
       zone's set keyrec of revoked KSK keys.  The "kskrev" field in the
       zone's keyrec points to a set keyrec, marked as being of type "kskrev".
       This set keyrec, in turn, points to a number of other set keyrecs, all
       of which are also marked as being of type "kskrev".  The group of all
       revoked KSK keys is found by consulting that subsidiary set of "kskrev"
       set keyrecs.  When the ages of these revoked keys exceeds their
       revocation periods, they are marked as being obsolete ("kskobs").  If
       this happens as part of normal rollover, these revoked key and set
       keyrecs are all removed from the chain of active, revoked keyrecs.  If
       this happens to a key that's part of a larger set of keys, it is
       removed from that signing set and put in its own new signing set.

ENTROPY

       On some systems, the implementation of the pseudo-random number
       generator requires keyboard activity.  This keyboard activity is used
       to fill a buffer in the system's random number generator.  If
       zonesigner appears hung, you may have to add entropy to the random
       number generator by randomly striking keys until the program completes.
       Display of this message is controlled by the entropy_msg configuration
       file parameter.

DETERMINING OPTION VALUES

       zonesigner checks four places in order to determine option values.  In
       descending order of precedence, these places are:

           command line options

           keyrec file

           DNSSEC-Tools configuration file

           zonesigner defaults

       Each is checked until a value is found.  That value is then used for
       that zonesigner execution and the value is stored in the keyrec file.

   Example
       For example, the KSK length has the following values:

           -ksklength command line option:     8192

           keyrec file:                        1024

           DNSSEC-Tools configuration file:     512

           zonesigner defaults:                2048

       If all are present, then the KSK length will be 8192.

       If the -ksklength command line option wasn't given, the KSK length will
       be 1024.

       If the KSK length wasn't given in the configuration file, it will be
       8192.

       If the KSK length wasn't in the keyrec file or the configuration file,
       the KSK length will be 8192.

       If the -ksklength command line option wasn't given and the KSK length
       wasn't in the configuration file, it'll be 1024.

       If the command line option wasn't given, the KSK length wasn't in the
       keyrec file, and it wasn't in the configuration file, then the KSK
       length will be 512.

OPTIONS

       Three types of options may be given, based on the command for which
       they are intended.  These commands are  dnssec-keygen, dnssec-signzone,
       and zonesigner.

   zonesigner-specific Options
       -archivedir
           The key archive directory.  If a key archive directory hasn't been
           specified (on the command line or in the DNSSEC-Tools configuration
           file) and the -nosave option was not given, then zonesigner will
           leave the keys in the current directory.

           When the files are saved into the archive directory, the existing
           file names are prepended with a timestamp.  The timestamp indicates
           when the files are archived.

           This directory may not be the root directory.

       -droprevoked
           Explicitly obsolete currently revoked KSKs and remove them from the
           signing set before resigning.  This is mutually exclusive from
           -nodroprevoked.  If neither -droprevoked nor -nodroprevoked are
           given, then -droprevoked functionality is assumed..

       -dsdir
           Specify a directory for storing dssets.  This directory will be
           created if it does not exist.

           The directory must be writable and may not be the root directory.

       -genkeys
           Generate new KSKs and ZSKs for the zone.

       -genksk
           Generate new Current KSKs for the zone.  Any existing Current KSKs
           will be marked as obsolete.  If this option is not given, the last
           KSKs generated for this zone will be used.

       -genzsk
           Generate new ZSKs for the zone.  By default, the last ZSKs
           generated for this zone will be used.

       -help
           Display a usage message.

       -intermediate
           Filename to use for the temporary zone file.  The zone file will be
           copied to this file and then the key names appended.

       -keydirectory
           The directory in which KSK and ZSK keys will be stored.  The
           default is to store the keys in the directory in which zonesigner
           is executed.

           This directory may not be the root directory.

       -krfile
           keyrec file to use in processing options.  See the man page for
           Net::DNS::SEC::Tools::tooloptions.pm for more details about this
           file.

       -ksignset
           The name of the KSK signing set to use.  If the signing set does
           not exist, then this must be used in conjunction with either
           -genkeys or -genksk.  The name may contain alphanumerics,
           underscores, hyphens, periods, and commas.

           The name may contain alphanumerics, underscores, hyphens, periods,
           and commas.  The default signing set name is "zone-signset-N",
           where zone is the zone being signed and N is a number.

           If -ksignset is not specified, then zonesigner will use the default
           and increment the number for subsequent signing sets.

       -kskcount
           The number of KSK keys to generate and with which to sign the zone.
           The default is to use a single KSK key.

       -kskdirectory
           The directory in which KSK keys will be stored.  The default is to
           store the keys in the directory in which zonesigner is executed.

           This directory may not be the root directory.

       -ksklife
           The time between KSK rollovers.  This is measured in seconds.

       -newpubksk
           Generate new Published KSKs for the zone.  Any existing Published
           KSKs will be marked as obsolete.

       -nodroprevoked
           Explicitly turn off obsoleting currently revoked KSKs and remove
           them from the signing set before resigning.  This is mutually
           exclusive from -droprevoked.  If neither -droprevoked nor
           -nodroprevoked are given, then -droprevoked functionality is
           assumed..

       -nokrfile
           No keyrec file will be consulted or created.

       -norfc5011
           Disable RFC5011 KSK revocation when rolling or replacing existing
           KSK key sets.  By default, zonesigner performs RFC5011 KSK
           revocation and this option supersedes this behavior and any option
           setting within the keyrec file.

       -nosave
           Do not save obsolete keys to the key archive directory.  The
           default behavior is to save obsolete keys.

       -phase
           Specify an rollover option based on the rollover phase, as opposed
           to using the option naming the specific action to be performed.
           The purpose of this option is to bring clarity and greater
           understanding to how zonesigner is used in the rollover process.

           The following are the mappings between the -phase options and the
           action options.

               Phase Option             Action-based Option
               -phase ksk2              -newpubksk
               -phase ksk4              -rollksk
               -phase zsk2              -usezskpub
               -phase zsk4b             -rollzsk
               -phase zsk4b             (no option)

           Warning:  The -phase option should only be used if you know what
           you're doing.

       -rollksk
           Force a rollover of the KSK keys.  The Current KSK keys are marked
           as Obsolete and the Published KSK keys are marked as Current.  The
           zone is then signed with the new set of Current KSK keys.  If the
           zone's keyrec does not list a Current or Published KSK, an error
           message is printed and zonesigner stops execution.

           The zone's keyrec file is updated to show the new key state.

           The keyrecs of the KSK keys are adjusted as follows:

               The Current KSK keys are marked as Obsolete.
               The Published KSK keys are marked as Current.
               The Obsolete KSK keys are moved to the archive directory.

           If RFC5011 processing is enabled, then the KSK rollover sequence is
           modified as follows:

               The Current KSK keys are marked as Revoked.
               The Published KSK keys are marked as Current.
               The Revoked KSK keys are checked to see if they are still
               within their revocation period.  If not, they are marked
               as Obsolete.
               The Obsolete KSK keys are moved to the archive directory.

           Warning:  The timing of key-rolling is critical.  Great care must
           be taken when using this option.  In the future, rollerd will
           automate the KSK rollover process and may be used to safely take
           care of this aspect of DNSSEC management.

           Warning:  Using the -rollksk option should only be used if you know
           what you're doing.

           Warning:  This is may be a temporary method of KSK rollover.  It
           may be changed in the future.

       -rollmgr
           The zone's rollover manager.  This indicates that the zone is under
           control of a rollover manager.  If a user wishes to sign a zone in
           the middle of a rollover wait phase, this field helps zonesigner
           and the rollover manager to determine how best to handle the zone-
           signing operation.

       -rollzsk
           Force a rollover of the ZSK keys using the Pre-Publish Key Rollover
           method.  The rollover process adjusts the keys used to sign the
           specified zone, generates new keys, signs the zone with the
           appropriate keys, and updates the keyrec file.  The Pre-Publish Key
           Rollover process is described in the DNSSEC Operational Practices
           document.

           Three sets of ZSK keys are used in the rollover process:  Current,
           Published, and New.  Current ZSKs are those which are used to sign
           the zone.  Published ZSKs are available in the zone data, and
           therefore in cached zone data, but are not yet used to sign the
           zone.  New ZSKs are not available in zone data nor yet used to sign
           the zone, but are waiting in the wings for future use.

           The keyrecs of the ZSK keys are adjusted as follows:

               The Current ZSK keys are marked as obsolete.
               The Published ZSK keys are marked as Current.
               The New ZSK keys, if they exist, are marked as Published.
               Another set of ZSK keys are generated, which will be
                   marked as the New ZSK keys.
               The Published ZSK keys' zsklife field is copied to the
                   new ZSK keys' keyrecs.
               The obsolete ZSK keys are moved to the archive directory.

           The quick summary of proper ZSK rolling (which rollerd does for you
           if you use it):

               - wait 2 * max(TTL in zone)
               - run zonesigner using -usezskpub
               - wait 2 * max(TTL in zone)
               - run zonesigner using -rollzsk
               - wait 2 * max(TTL in zone)

           Warning:  The timing of key-rolling is critical.  Great care must
           be taken when using this option.  rollerd automates the rollover
           process and may be used to safely take care of this aspect of
           DNSSEC management.  Using the -rollzsk option should only be used
           if you know what you're doing.

       -showkeycmd
           Display the actual key-generation command (with options and
           arguments) that is executed.  This is a small subset of verbose
           level 3 output.

       -showsigncmd
           Display the actual zone-signing command (with options and
           arguments) that is executed.  This is a small subset of verbose
           level 3 output.

       -signonly
           Sign the zone without performing any key generation or key rollover
           operations.  The keys used in the most recent zonesigner signing of
           this zone will be the keys used for this signing.

       -signset
           The name of the ZSK signing set to use as the Current ZSK signing
           set.  The zone is signed and the given signing set becomes the
           zone's new Current ZSK signing set.  If the signing set does not
           exist, then this must be used in conjunction with either -genkeys
           or -genzsk.

           The name may contain alphanumerics, underscores, hyphens, periods,
           and commas.  The default signing set name is "zonesignset-N", where
           zone is the zone being signed and N is a number.

           If -signset is not specified, then zonesigner will use the default
           and increment the number for subsequent signing sets.

       -threshold
           Sign the zone if a threshold condition is met.  Depending on how
           the threshold is specified, it may be relative to the last time the
           zone was signed or to the zone's expiration date.

           threshold-time is the threshold value, given as a numeric value,
           with an optional unit specifier.  The unit may be 's', 'm', 'h', or
           'd', for seconds, minutes, hours, or days.  If the unit is not
           given, then the value is in seconds.  The threshold value must have
           either the '-' prefix or the '+' prefix to indicate which threshold
           to measure.  The threshold value +10d refers to ten days prior to a
           zone's expiration date.

           If the '-' prefix is used, then the zone will be re-signed if
           zonesigner is executed no more than threshold-time after the last
           time the zone was signed.  threshold-time is determined by
           subtracting the threshold value from the upcoming midnight.  If
           this would put the threshold time in the future, then it is
           calculated from the current time.

           If the '+' prefix is used, then the zone will be re-signed if
           zonesigner is executed no more than threshold-time before the
           zone's expiration date.  threshold-time is determined by
           subtracting the threshold value from the previous midnight.  If
           this would put threshold-time in the past, then it is calculated
           from the current time.

       -useboth
           Use the existing Current and Published ZSKs to sign the zone.

       -usezskpub
           Use the existing Published ZSKs to sign the zone.

       -Version
           Display the version information for zonesigner and the DNSSEC-Tools
           package.

       -verbose
           Verbose output will be given.  As more instances of -verbose are
           given on the command line, additional levels of verbosity are
           achieved.

               level       output
               -----       ------
                 1         operations being performed
                             (e.g., generating key files, signing zone)
                 2         details on operations and some operation results
                             (e.g., new key names, zone serial number)
                 3         operations' parameters and additional details
                             (e.g., key lengths, encryption algorithm,
                             executed commands)

           Higher levels of verbosity are cumulative.  Specifying two
           instances of -verbose will get the output from the first and second
           levels of output.

       -xc Display a message associated with a zonesigner exit value.  This
           option is intended for use by those programs who wish for
           zonesigner to run silently, but need a description for why
           zonesigner has exited with an error.

           The following are the exit codes and their associated messages.

           0 - successful execution
           1 - -rfc5011 and -norfc5011 may not be specified together
           2 - -droprevoked and -nodroprevoked may not be specified together
           3 - -keydirectory and -kskdirectory may not be specified together
           4 - -keydirectory and -zskdirectory may not be specified together
           5 - KSK count must be positive
           6 - ZSK count must be positive
           7 - no key archive directory was specified
           8 - key archive directory is not a directory
           9 - key archive directory must not be /
           10 - -savekeys and -nosave may not be specified together
           11 - either a KSK or a ZSK directory was incorrectly specified
           12 - either a specified KSK or a specified ZSK directory is not a
           directory
           13 - neither the KSK nor the ZSK directory may be the root
           directory
           14 - zone file, output file, and intermediate file must all have
           distinct names
           15 - zone file does not exist
           16 - zone file is empty
           17 - zone file already signed
           18 - specified signing set does not exist
           19 - specified Current ZSK signing set does not exist
           20 - specified Published ZSK signing set does not exist
           21 - specified new signing-set name already exists
           22 - specified KSK signing set already exists
           23 - no KSK signing set was specified
           24 - specified Current KSK signing set does not exist
           25 - specified Published KSK signing set does not exist
           26 - unable to generate KSK key file
           27 - ZSK keyrec does not exist in keyrec file
           28 - unable to generate ZSK key file
           29 - unable to archive keys because key archive directory is not a
           directory
           30 - KSK repository is not a directory
           31 - ZSK repository is not a directory
           32 - unable to update serial number in zonefile
           33 - zone file's modified contents are empty
           34 - unable to sign zone
           35 - no Published KSKs have been created
           36 - zone has no Published ZSKs to rollover to Current ZSKs
           37 - no keys defined for a particular signing set for zone
           38 - no keyrec exists for required signing set
           39 - error in keyrec file -- a particular signing set keyrec is not
           a set keyrec
           40 - specified signing set does not contain any keys
           41 - no key keyrec exists for a particular key
           42 - keyrec of specified key has an unexpected type
           43 - usage message printed
           44 - invalid exit code given to -xc
           45 - named-checkzone returned an error
           46 - unable to create dsset archive directory
           47 - dsset archive directory is not a directory
           48 - dsset archive directory is not writable
           49 - dsset archive directory must not be /
           50 - invalid threshold
           51 - invalid format end-date

           An error message will be printed if an invalid exit code is given.

       -Cthulhu
           This option is for internal use only and should never be used by a
           user.  If this warning is ignored, then undefined, unnameable
           eldritch horrors may be visited upon your zone files.  Do not use.

       -zone
           Name of the zone that will be signed.  This zone name may be given
           with this option or as the first non-option command line argument.
           In the second case, if the argument contains directory separators,
           then final element of the path will be used for the zone name.

       -zskcount
           The number of ZSK keys to generate and with which to sign the zone.
           The default is to use a single ZSK key.

       -zskdirectory
           The directory in which ZSK keys will be stored.  The default is to
           store the keys in the directory in which zonesigner is executed.

           This directory may not be the root directory.

       -zsklife
           The time between ZSK rollovers.  This is measured in seconds.

   dnssec-keygen-specific Options
       -algorithm
           Cryptographic algorithm used to generate the zone's keys.  The
           default value is RSASHA1.  The option value is passed to dnssec-
           keygen as the -a flag.  Consult dnssec-keygen's manual page to
           determine legal values.

       -kgopts
           Additional options for dnssec-keygen may be specified using this
           option.  The additional options are passed as a single string value
           as an argument to the -kgopts option.

       -ksklength
           Bit length of the zone's KSK key.  The default is 2048.

       -nsec3optout
           When this flag and the -usensec3 flag are set, the zone will be
           signed using the Opt-Out support described in RFC5155.  A quick
           summary is that only sub-domains with valid DS or public keys
           available will be signed and the rest will not be.  This greatly
           reduces the computational and memory requirements of extremely
           large zones with lots of unsigned children.

       -random
           Source of randomness used to generate the zone's keys. This is
           assumed to be a file, for example /dev/urandom.

       -usensec3
           Signs the zone using NSEC3 (see RFC5155) proof-of-non-existence
           records rather than NSEC records.  The keys used to sign the zone
           must support the use of NSEC3 or else zone-signing will fail.
           Zonesigner will automatically generate new keys of the correct type
           if one of the -genkeys or similar options is used.

       -zsklength
           Bit length of the zone's ZSK key.  The default is 1024.

   dnssec-signzone-specific Options
       -endtime
           Time that the zone expires, as measured from the current time.  If
           given as a number, it is a count of seconds.  If it is given as a
           number followed by 's', 'm', 'h', or 'd', then it is the number of
           seconds, minutes, hours, or days.  The default value is 2764800
           seconds (32 days.)

       -gends
           Force dnssec-signzone to generate DS records for the zone.  This
           option is translated into -g when passed to dnssec-signzone.

           This option is obsolete.  DS records are generated by default.  Use
           the -nogends option if DS records should not be generated.

       -ksdir
           Specify a directory for storing keysets.  This is passed to dnssec-
           signzone as the -d option.

       -nogends
           Prevent dnssec-signzone from generating DS records for the zone.

       -szopts
           Additional options for dnssec-signzone may be specified using this
           option.  The additional options are passed as a single string value
           as an argument to the -szopts option.

           The default value for this option is "-i local", set in
           defaults.pm.  This value has been found to greatly improve the
           amount of time it takes named-checkzone to run.

   Other Options
       -zcopts
           Additional options for named-checkzone may be specified using this
           option.  The additional options are passed as a single string value
           as an argument to the -zcopts option.

EXAMPLES

       Example 1.

       In the first example, an existing keyrec file is used to assist in
       signing the example.com domain.  Zone data are stored in example.com,
       and the keyrec is in example.krf.  The final signed zone file will be
       db.example.com.signed.  Using this execution:

           # zonesigner -krfile example.krf example.com db.example.com.signed

       the following files are created:

           Kexample.com.+005+45842.private
           Kexample.com.+005+45842.key
           Kexample.com.+005+50186.private
           Kexample.com.+005+50186.key
           Kexample.com.+005+59143.private
           Kexample.com.+005+59143.key

           dsset-example.com.
           keyset-example.com.

           db.example.com.signed

       The first six files are the KSK and ZSK keys required for the zone.
       The next two files are created by the zone-signing process.  The last
       file is the final signed zone file.

       Example 2.

       In the second example, an existing keyrec file is used to assist in
       signing the example.com domain.  Zone data are stored in example.com,
       and the keyrec is in example.krf.  The generated keys, an intermediate
       zone file, and final signed zone file will use example.com as a base.
       Using this execution:

           # zonesigner -krfile example.krf -intermediate example.zs example.com

       the following files are created:

           Kdb.example.com.+005+12354.key
           Kdb.example.com.+005+12354.private
           Kdb.example.com.+005+82197.key
           Kdb.example.com.+005+82197.private
           Kdb.example.com.+005+55888.key
           Kdb.example.com.+005+55888.private

           dsset-db.example.com.
           keyset-db.example.com.

           example.zs
           example.com.signed

       The first six files are the KSK and ZSK keys required for the zone.
       The next two files are created by the zone-signing process.  The second
       last file is an intermediate file that will be signed.  The last file
       is file is the final signed zone.

       Example 3.

       In the third example, no keyrec file is specified for the signing of
       the example.com domain.  In addition to files created as shown in
       previous examples, a new keyrec file is created.  The new keyrec file
       uses the domain name as its base.  Using this execution:

           # zonesigner example.com db.example.com

       the following keyrec file is created:

           example.com.krf

       The signed zone file is created in:

           db.example.com

       Example 4.

       This example shows a keyrec file generated by zonesigner.

       The command executed is:

           # zonesigner example.com db.example.com

       The generated keyrec file contains six keyrecs:  a zone keyrec, two set
       keyrecs, one KSK keyrec, and two ZSK keyrecs.

           zone        "example.com"
               zonefile        "example.com"
               signedzone      "db.example.com"
               endtime         "+2764800"
               kskcur          "example.com.signset-24"
               kskdirectory    "."
               zskcur          "example.com.signset-42"
               zskpub          "example.com.signset-43"
               zskdirectory    "."
               keyrec_type     "zone"
               keyrec_signsecs "1115166642"
               keyrec_signdate "Wed May  4 00:30:42 2005"

           set         "example.com.signset-24"
               zonename        "example.com"
               keys            "Kexample.com.+005+24082"
               keyrec_setsecs  "1110000042"
               keyrec_setdate  "Sat Mar  5 05:20:42 2005"

           set         "example.com.signset-42"
               zonename        "example.com"
               keys            "Kexample.com.+005+53135"
               keyrec_setsecs  "1115166640"
               keyrec_setdate  "Wed May  4 00:30:40 2005"

           set         "example.com.signset-43"
               zonename        "example.com"
               keys            "Kexample.com.+005+13531"
               keyrec_setsecs  "1115166641"
               keyrec_setdate  "Wed May  4 00:30:41 2005"

           key         "Kexample.com.+005+24082"
               zonename        "example.com"
               keyrec_type     "kskcur"
               algorithm       "rsasha1"
               random          "/dev/urandom"
               keypath         "./Kexample.com.+005+24082.key"
               ksklength       "2048"
               ksklife         "15768000"
               keyrec_gensecs  "1110000042"
               keyrec_gendate  "Sat Mar  5 05:20:42 2005"

           key         "Kexample.com.+005+53135"
               zonename        "example.com"
               keyrec_type     "zskcur"
               algorithm       "rsasha1"
               random          "/dev/urandom"
               keypath         "./Kexample.com.+005+53135.key"
               zsklength       "1024"
               zsklife         "604800"
               keyrec_gensecs  "1115166638"
               keyrec_gendate  "Wed May  4 00:30:38 2005"

           key         "Kexample.com.+005+13531"
               zonename        "example.com"
               keyrec_type     "zskpub"
               algorithm       "rsasha1"
               random          "/dev/urandom"
               keypath         "./Kexample.com.+005+13531.key"
               zsklength       "1024"
               zsklife         "604800"
               keyrec_gensecs  "1115166638"
               keyrec_gendate  "Wed May  4 00:30:38 2005"

NOTES

       1.  One Zone in a keyrec File
           There is a bug in the signing-set code that necessitates only
           storing one zone in a keyrec file.

       2.  SOA Serial Numbers
           Serial numbers in SOA records are merely incremented in this
           version.  Future plans are to allow for more flexible serial number
           manipulation.

COPYRIGHT

       Copyright 2004-2013 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@tislabs.com

SEE ALSO

       keymod(8), lskrf(1), rollerd(1)

       dnssec-keygen(8), dnssec-signzone(8)

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3),
       Net::DNS::SEC::Tools::keyrec.pm(3),
       Net::DNS::SEC::Tools::tooloptions.pm(3)

       keyrec(5)



  All copyrights belong to their respective owners. Other content (c) 2014-2018, GNU.WIKI. Please report site errors to webmaster@gnu.wiki.
Page load time: 0.107 seconds. Last modified: November 04 2018 12:49:43.