summaryrefslogtreecommitdiff
path: root/examples/ldns-signzone.1
blob: c33e15210f35860273de8f25545d1e2cc7f78501 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
.TH ldns-signzone 1 "30 May 2005"
.SH NAME
ldns-signzone \- sign a zonefile with DNSSEC data
.SH SYNOPSIS
.B ldns-signzone 
[
.IR OPTIONS
]
.IR ZONEFILE 
.IR
KEY 
[KEY 
[KEY] ...
]

.SH DESCRIPTION

\fBldns-signzone\fR is used to generate a DNSSEC signed zone. When run it
will create a new zonefile that contains RRSIG and NSEC resource records, as
specified in RFC 4033, RFC 4034 and RFC 4035.

Keys must be specified by their base name (i.e. without .private). If
the DNSKEY that belongs to the key in the .private file is not present
in the zone, it will be read from the file <base name>.key. If that
file does not exist, the DNSKEY value will be generated from the
private key.

Multiple keys can be specified, Key Signing Keys are used as such when
they are either already present in the zone, or specified in a .key
file, and have the KSK bit set.

.SH OPTIONS
.TP
\fB-b\fR
Augments the zone and the RR's with extra comment texts for a more readable
layout, easier to debug. DS records will have a bubblebabble version of
the data in the comment text, NSEC3 records will have the original NSEC3
in the comment text.

Without this option, only DNSKEY RR's will have their Key Tag annotated in
the comment text.

.TP
\fB-d\fR
Normally, if the DNSKEY RR for a key that is used to sign the zone is
not found in the zone file, it will be read from .key, or derived from
the private key (in that order). This option turns that feature off,
so that only the signatures are added to the zone.

.TP
\fB-e\fR \fIdate\fR
Set expiration date of the signatures to this date, the format can be
YYYYMMDD[hhmmss], or a timestamp.

.TP
\fB-f\fR \fIfile\fR
Use this file to store the signed zone in (default <originalfile>.signed)

.TP
\fB-i\fR \fIdate\fR
Set inception date of the signatures to this date, the format can be
YYYYMMDD[hhmmss], or a timestamp.

.TP
\fB-o\fR \fIorigin\fR
Use this as the origin of the zone

.TP
\fB-v\fR
Print the version and exit

.TP
\fB-A\fR
Sign the DNSKEY record with all keys.  By default it is signed with a
minimal number of keys, to keep the response size for the DNSKEY query
small, and only the SEP keys that are passed are used.  If there are no
SEP keys, the DNSKEY RRset is signed with the non\-SEP keys.  This option
turns off the default and all keys are used to sign the DNSKEY RRset.

.TP
\fB-E\fR \fIname\fR
Use the EVP cryptographic engine with the given name for signing. This
can have some extra options; see ENGINE OPTIONS for more information.

.TP
\fB-k\fR \fIid,int\fR
Use the key with the given id as the signing key for algorithm int as
a Zone signing key. This option is used when you use an OpenSSL
engine, see ENGINE OPTIONS for more information.

.TP
\fB-K\fR \fIid,int\fR

Use the key with the given id as the signing key for algorithm int as
a Key signing key. This options is used when you use an OpenSSL engine,
see ENGINE OPTIONS for more information.

.TP
\fB-n\fR
Use NSEC3 instead of NSEC.

.TP
If you use NSEC3, you can specify the following extra options:

.TP
\fB-a\fR \fIalgorithm\fR
Algorithm used to create the hashed NSEC3 owner names

.TP
\fB-p\fR
Opt-out. All NSEC3 records in the zone will have the Opt-out flag set. After signing, you can add insecure delegations to the signed zone.

.TP
\fB-s\fR \fIstring\fR
Salt

.TP
\fB-t\fR \fInumber\fR
Number of hash iterations

.SH ENGINE OPTIONS
You can modify the possible engines, if supported, by setting an
OpenSSL configuration file. This is done through the environment
variable OPENSSL_CONF. If you use \-E with a non-existent engine name,
ldns-signzone will print a list of engines supported by your
configuration.

The key options (\-k and \-K) work as follows; you specify a key id, and a DNSSEC algorithm number (for instance, 5 for RSASHA1). The key id can be any of the following:

    <id>
    <slot>:<id>
    id_<id>
    slot_<slot>-id_<id>
    label_<label>
    slot_<slot>-label_<label>

Where '<id>' is the PKCS #11 key identifier in hexadecimal
notation, '<label>' is the PKCS #11 human-readable label, and '<slot>'
is the slot number where the token is present.

If not already present, a DNSKEY RR is generated from the key
data, and added to the zone.

.SH EXAMPLES

.TP
ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+005+12273
Sign the zone in the file 'nlnetlabs.nl' with the key in the
files 'Knlnetlabs.nl.+005+12273.private'. If the DNSKEY is not present
in the zone, use the key in the
file 'Knlnetlabs.nl.+005+12273.key'. If that is not present, generate
one with default values from 'Knlnetlabs.nl.+005+12273.private'.


.SH AUTHOR
Written by the ldns team as an example for ldns usage.

.SH REPORTING BUGS
Report bugs to <ldns-team@nlnetlabs.nl>. 

.SH COPYRIGHT
Copyright (C) 2005-2008 NLnet Labs. This is free software. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.