Provided by: ldnsutils_1.7.0-4.1ubuntu1_amd64 bug

NAME
       ldns-signzone - sign a zonefile with DNSSEC data


SYNOPSIS
       ldns-signzone [ OPTIONS ] ZONEFILE KEY [KEY [KEY] ...  ]


DESCRIPTION
       ldns-signzone  is  used  to  generate  a  DNSSEC signed zone. When run it will create a new zonefile that
       contains RRSIG and NSEC resource records, as specified in RFC 4033, RFC 4034 and RFC 4035.

       Keys must be specified by their base name (i.e. without .private). If the DNSKEY that belongs to the  key
       in  the  .private file is not present in the zone, it will be read from the file <base name>.key. If that
       file does not exist, the DNSKEY value will be generated from the private key.

       Multiple keys can be specified, Key Signing Keys are used as such when they are either already present in
       the zone, or specified in a .key file, and have the KSK bit set.


OPTIONS
       -b     Augments  the  zone  and  the  RR's with extra comment texts for a more readable layout, easier to
              debug. DS records will have a bubblebabble version of the data in the comment text, NSEC3  records
              will have the original NSEC3 in the comment text.

              Without this option, only DNSKEY RR's will have their Key Tag annotated in the comment text.

       -d     Normally,  if the DNSKEY RR for a key that is used to sign the zone is not found in the zone file,
              it will be read from .key, or derived from the private key (in that order). This option turns that
              feature off, so that only the signatures are added to the zone.

       -e date
              Set  expiration  date  of  the  signatures  to this date, the format can be YYYYMMDD[hhmmss], or a
              timestamp.

       -f file
              Use this file to store the signed zone in (default <originalfile>.signed)

       -i date
              Set inception date of the signatures to this date,  the  format  can  be  YYYYMMDD[hhmmss],  or  a
              timestamp.

       -o origin
              Use this as the origin of the zone

       -v     Print the version and exit

       -A     Sign  the  DNSKEY record with all keys.  By default it is signed with a minimal number of keys, to
              keep the response size for the DNSKEY query small, and only the SEP keys that are passed are used.
              If there are no SEP keys, the DNSKEY RRset is signed with the non-SEP keys.  This option turns off
              the default and all keys are used to sign the DNSKEY RRset.

       -E name
              Use the EVP cryptographic engine with the given  name  for  signing.  This  can  have  some  extra
              options; see ENGINE OPTIONS for more information.

       -k id,int
              Use  the  key  with  the given id as the signing key for algorithm int as a Zone signing key. This
              option is used when you use an OpenSSL engine, see ENGINE OPTIONS for more information.

       -K id,int

              Use the key with the given id as the signing key for algorithm int as  a  Key  signing  key.  This
              options is used when you use an OpenSSL engine, see ENGINE OPTIONS for more information.

       -n     Use NSEC3 instead of NSEC.

       If you use NSEC3, you can specify the following extra options:

       -a algorithm
              Algorithm used to create the hashed NSEC3 owner names

       -p     Opt-out.  All NSEC3 records in the zone will have the Opt-out flag set. After signing, you can add
              insecure delegations to the signed zone.

       -s string
              Salt

       -t number
              Number of hash iterations


ENGINE OPTIONS
       You can modify the possible engines, if supported, by setting an OpenSSL configuration file. This is done
       through  the  environment  variable  OPENSSL_CONF.  If  you use -E with a non-existent engine name, ldns-
       signzone will print a list of engines supported by your configuration.

       The key options (-k and -K) work as follows; you specify a key id, and a  DNSSEC  algorithm  number  (for
       instance, 5 for RSASHA1). The key id can be any of the following:

           <id>
           <slot>:<id>
           id_<id>
           slot_<slot>-id_<id>
           label_<label>
           slot_<slot>-label_<label>

       Where  '<id>'  is  the  PKCS #11 key identifier in hexadecimal notation, '<label>' is the PKCS #11 human-
       readable label, and '<slot>' is the slot number where the token is present.

       If not already present, a DNSKEY RR is generated from the key data, and added to the zone.


EXAMPLES
       ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+005+12273
              Sign   the   zone   in   the    file    'nlnetlabs.nl'    with    the    key    in    the    files
              'Knlnetlabs.nl.+005+12273.private'.  If  the DNSKEY is not present in the zone, use the key in the
              file 'Knlnetlabs.nl.+005+12273.key'. If that is not present, generate one with default values from
              'Knlnetlabs.nl.+005+12273.private'.


AUTHOR
       Written by the ldns team as an example for ldns usage.


REPORTING BUGS
       Report bugs to <ldns-team@nlnetlabs.nl>.


COPYRIGHT
       Copyright  (C)  2005-2008  NLnet  Labs.  This  is  free  software.  There  is  NO  warranty; not even for
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

                                                   30 May 2005                                  ldns-signzone(1)