<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-signzone.html,v 1.5 2015/09/03 07:33:34 christos Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-settime.html">Prev</a>&#160;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&#160;<a accesskey="n" href="man.dnssec-verify.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry"
lang="en">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-signzone</span> — DNSSEC zone signing tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-M <em class="replaceable"><code>maxttl</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2642845"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
    signs a zone. It generates
    NSEC and RRSIG records and produces a signed version of the
    zone. The security status of delegations from the signed zone
    (that is, whether the child zones are secure or not) is
    determined by the presence or absence of a
    <code class="filename">keyset</code> file for each child zone.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2642865"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
    Verify all generated signatures.
    </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
    Specifies the DNS class of the zone.
    </p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
    Compatibility mode: Generate a
    <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
    file in addition to
    <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
    when signing a zone, for use by older versions of
    <span><strong class="command">dnssec-signzone</strong></span>.
    </p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
    Look for <code class="filename">dsset-</code> or
    <code class="filename">keyset-</code> files in <code class="option">directory</code>.
    </p></dd>
<dt><span class="term">-D</span></dt>
<dd><p>
    Output only those record types automatically managed by
    <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
    NSEC3 and NSEC3PARAM records. If smart signing
    (<code class="option">-S</code>) is used, DNSKEY records are also
    included. The resulting file can be included in the original
    zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
    cannot be combined with <code class="option">-O raw</code>,
    <code class="option">-O map</code>, or serial number updating.
    </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
    When applicable, specifies the hardware to use for
    cryptographic operations, such as a secure key store used
    for signing.
    </p>
<p>
    When BIND is built with OpenSSL PKCS#11 support, this defaults
    to the string "pkcs11", which identifies an OpenSSL engine
    that can drive a cryptographic accelerator or hardware security
    module.
    When BIND is built with native PKCS#11 cryptography
    (--enable-native-pkcs11), it defaults to the path of the PKCS#11
    provider library specified via "--with-pkcs11".
    </p>
</dd>
<dt><span class="term">-g</span></dt>
<dd><p>
    Generate DS records for child zones from
    <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
    file. Existing DS records will be removed.
    </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
    Key repository: Specify a directory to search for DNSSEC keys.
    If not specified, defaults to the current directory.
    </p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
    Treat specified key as a key signing key, ignoring any
    key flags. This option may be specified multiple times.
    </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
    Generate a DLV set in addition to the key (DNSKEY) and DS sets.
    The domain is appended to the name of the records.
    </p></dd>
<dt><span class="term">-M <em class="replaceable"><code>maxttl</code></em></span></dt>
<dd><p>
    Sets the maximum TTL for the signed zone.
    Any TTL higher than <em class="replaceable"><code>maxttl</code></em> in the
    input zone will be reduced to <em class="replaceable"><code>maxttl</code></em>
    in the output. This provides certainty as to the largest
    possible TTL in the signed zone, which is useful to know when
    rolling keys because it is the longest possible time before
    signatures that have been retrieved by resolvers will expire
    from resolver caches. Zones that are signed with this
    option should be configured to use a matching
    <code class="option">max-zone-ttl</code> in <code class="filename">named.conf</code>.
    (Note: This option is incompatible with <code class="option">-D</code>,
    because it modifies non-DNSSEC data in the output zone.)
    </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
    Specify the date and time when the generated RRSIG records
    become valid. This can be either an absolute or relative
    time.
    An absolute start time is indicated by a number
    in YYYYMMDDHHMMSS notation; 20000530144500 denotes
    14:45:00 UTC on May 30th, 2000. A relative start time is
    indicated by +N, which is N seconds from the current time.
    If no <code class="option">start-time</code> is specified, the current
    time minus 1 hour (to allow for clock skew) is used.
    </p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>
    Specify the date and time when the generated RRSIG records
    expire. As with <code class="option">start-time</code>, an absolute
    time is indicated in YYYYMMDDHHMMSS notation. A time relative
    to the start time is indicated with +N, which is N seconds from
    the start time. A time relative to the current time is
    indicated with now+N. If no <code class="option">end-time</code> is
    specified, 30 days from the start time is used as a default.
    <code class="option">end-time</code> must be later than
    <code class="option">start-time</code>.
    </p></dd>
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
<dd>
<p>
    Specify the date and time when the generated RRSIG records
    for the DNSKEY RRset will expire.
    This is to be used in cases
    when the DNSKEY signatures need to persist longer than
    signatures on other records; e.g., when the private component
    of the KSK is kept offline and the KSK signature is to be
    refreshed manually.
    </p>
<p>
    As with <code class="option">start-time</code>, an absolute
    time is indicated in YYYYMMDDHHMMSS notation. A time relative
    to the start time is indicated with +N, which is N seconds from
    the start time. A time relative to the current time is
    indicated with now+N. If no <code class="option">extended end-time</code> is
    specified, the value of <code class="option">end-time</code> is used as
    the default. (<code class="option">end-time</code>, in turn, defaults to
    30 days from the start time.) <code class="option">extended end-time</code>
    must be later than <code class="option">start-time</code>.
    </p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
    The name of the output file containing the signed zone. The
    default is to append <code class="filename">.signed</code> to
    the input filename.
    If <code class="option">output-file</code> is
    set to <code class="literal">"-"</code>, then the signed zone is
    written to the standard output, with a default output
    format of "full".
    </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
    Prints a short summary of the options and arguments to
    <span><strong class="command">dnssec-signzone</strong></span>.
    </p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
    Prints version information.
    </p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
    When a previously-signed zone is passed as input, records
    may be resigned. The <code class="option">interval</code> option
    specifies the cycle interval as an offset from the current
    time (in seconds). If an RRSIG record expires after the
    cycle interval, it is retained. Otherwise, it is considered
    to be expiring soon, and it will be replaced.
    </p>
<p>
    The default cycle interval is one quarter of the difference
    between the signature end and start times.
    So if neither
    <code class="option">end-time</code> nor <code class="option">start-time</code>
    is specified, <span><strong class="command">dnssec-signzone</strong></span>
    generates
    signatures that are valid for 30 days, with a cycle
    interval of 7.5 days. Therefore, if any existing RRSIG records
    are due to expire in less than 7.5 days, they would be
    replaced.
    </p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
    The format of the input zone file.
    Possible formats are <span><strong class="command">"text"</strong></span> (default),
    <span><strong class="command">"raw"</strong></span>, and <span><strong class="command">"map"</strong></span>.
    This option is primarily intended to be used for dynamic
    signed zones so that the dumped zone file in a non-text
    format containing updates can be signed directly.
    The use of this option does not make much sense for
    non-dynamic zones.
    </p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd>
<p>
    When signing a zone with a fixed signature lifetime, all
    RRSIG records issued at the time of signing expire
    simultaneously. If the zone is incrementally signed, i.e.
    a previously-signed zone is passed as input to the signer,
    all expired signatures have to be regenerated at about the
    same time. The <code class="option">jitter</code> option specifies a
    jitter window that will be used to randomize the signature
    expire time, thus spreading incremental signature
    regeneration over time.
    </p>
<p>
    Signature lifetime jitter also to some extent benefits
    validators and servers by spreading out cache expiration,
    i.e. if large numbers of RRSIGs don't expire at the same time
    from all caches there will be less congestion than if all
    validators need to refetch at mostly the same time.
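
The validity-window and re-signing arithmetic described for -s, -e, -i and -j above, as an added Python example that is not part of the BIND manual or source. The function names and sample signatures are constructed, and the direction of the jitter (expiry pulled earlier within the window) is an assumption; the page only says the window randomizes the expire time.

```python
import random
from datetime import datetime, timedelta, timezone

STAMP = "%Y%m%d%H%M%S"  # the YYYYMMDDHHMMSS notation, always UTC


def resolve(spec, base, now):
    """Resolve one time value: absolute stamp, +N (seconds after base), or now+N."""
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        return base + timedelta(seconds=int(spec[1:]))
    return datetime.strptime(spec, STAMP).replace(tzinfo=timezone.utc)


def signing_window(now, start=None, end=None, interval=None):
    """Return (start, end, cycle) the way the -s, -e and -i defaults combine."""
    # -s: +N counts from the current time; default is now minus 1 hour (clock skew).
    t_start = resolve(start, now, now) if start else now - timedelta(hours=1)
    # -e: +N counts from the START time, now+N from the current time; default 30 days.
    t_end = resolve(end, t_start, now) if end else t_start + timedelta(days=30)
    if t_start >= t_end:
        raise ValueError("end-time must be later than start-time")
    # -i: the default cycle interval is one quarter of the validity period.
    if interval is not None:
        cycle = timedelta(seconds=interval)
    else:
        cycle = (t_end - t_start) / 4
    return t_start, t_end, cycle


def is_retained(rrsig_expiry, now, cycle):
    """An existing RRSIG is kept only if it expires after now + cycle interval."""
    return rrsig_expiry > now + cycle


def resign_plan(existing, now, cycle):
    """Split a {name: expiry} map into (retained, replaced) sorted name lists."""
    keep = sorted(n for n, exp in existing.items() if is_retained(exp, now, cycle))
    redo = sorted(n for n, exp in existing.items() if not is_retained(exp, now, cycle))
    return keep, redo


def jittered_expiry(t_end, jitter, rng):
    """Assumption: expiry moves EARLIER by a uniform random 0..jitter seconds."""
    return t_end - timedelta(seconds=rng.randrange(jitter + 1))


if __name__ == "__main__":
    now = resolve("20000530144500", None, None)  # the page's example timestamp
    start, end, cycle = signing_window(now)
    print("valid", start, "to", end, "cycle", cycle)

    # Constructed sample: expiry times of signatures in a previously signed zone.
    existing = {
        "example.com/SOA": now + timedelta(days=2),
        "www.example.com/A": now + timedelta(days=7),
        "mail.example.com/MX": now + timedelta(days=20),
    }
    print("retained, replaced:", resign_plan(existing, now, cycle))

    # With a one-day jitter window the new signatures no longer expire together.
    rng = random.Random(0)
    spread = {jittered_expiry(end, 86400, rng) for _ in range(50)}
    print("distinct expiry times with jitter:", len(spread))
```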
    </p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd><p>
    When writing a signed zone to "raw" or "map" format, set the
    "source serial" value in the header to the specified serial
    number. (This is expected to be used primarily for testing
    purposes.)
    </p></dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>
    Specifies the number of threads to use. By default, one
    thread is started for each detected CPU.
    </p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd>
<p>
    The SOA serial number format of the signed zone.
    Possible formats are <span><strong class="command">"keep"</strong></span> (default),
    <span><strong class="command">"increment"</strong></span> and
    <span><strong class="command">"unixtime"</strong></span>.
    </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
    arithmetic.</p></dd>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
    since epoch.</p></dd>
</dl></div>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
    The zone origin. If not specified, the name of the zone file
    is assumed to be the origin.
    </p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>
    The format of the output file containing the signed zone.
    Possible formats are <span><strong class="command">"text"</strong></span> (default),
    which is the standard textual representation of the zone;
    <span><strong class="command">"full"</strong></span>, which is text output in a
    format suitable for processing by external scripts;
    and <span><strong class="command">"map"</strong></span>, <span><strong class="command">"raw"</strong></span>,
    and <span><strong class="command">"raw=N"</strong></span>, which store the zone in
    binary formats for rapid loading by <span><strong class="command">named</strong></span>.
    <span><strong class="command">"raw=N"</strong></span> specifies the format version of
    the raw zone file: if N is 0, the raw file can be read by
    any version of <span><strong class="command">named</strong></span>; if N is 1, the file
    can be read by release 9.9.0 or higher; the default is 1.
    </p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
    Use pseudo-random data when signing the zone. This is faster,
    but less secure, than using real random data. This option
    may be useful when signing large zones or when the entropy
    source is limited.
    </p></dd>
<dt><span class="term">-P</span></dt>
<dd>
<p>
    Disable post sign verification tests.
    </p>
<p>
    The post sign verification test ensures that for each algorithm
    in use there is at least one non-revoked self-signed KSK key,
    that all revoked KSK keys are self-signed, and that all records
    in the zone are signed by the algorithm.
    This option skips these tests.
    </p>
</dd>
<dt><span class="term">-Q</span></dt>
<dd>
<p>
    Remove signatures from keys that are no longer active.
    </p>
<p>
    Normally, when a previously-signed zone is passed as input
    to the signer, and a DNSKEY record has been removed and
    replaced with a new one, signatures from the old key
    that are still within their validity period are retained.
    This allows the zone to continue to validate with cached
    copies of the old DNSKEY RRset. The <code class="option">-Q</code>
    option forces <span><strong class="command">dnssec-signzone</strong></span> to remove
    signatures from keys that are no longer active. This
    enables ZSK rollover using the procedure described in
    RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
    </p>
</dd>
<dt><span class="term">-R</span></dt>
<dd>
<p>
    Remove signatures from keys that are no longer published.
    </p>
<p>
    This option is similar to <code class="option">-Q</code>, except it
    forces <span><strong class="command">dnssec-signzone</strong></span> to remove signatures from
    keys that are no longer published. This enables ZSK rollover
    using the procedure described in RFC 4641, section 4.2.1.2
    ("Double Signature Zone Signing Key Rollover").
    </p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
    Specifies the source of randomness. If the operating
    system does not provide a <code class="filename">/dev/random</code>
    or equivalent device, the default source of randomness
    is keyboard input. <code class="filename">randomdev</code>
    specifies
    the name of a character device or file containing random
    data to be used instead of the default. The special value
    <code class="filename">keyboard</code> indicates that keyboard
    input should be used.
</p></dd>
<dt><span class="term">-S</span></dt>
<dd>
<p>
    Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
    search the key repository for keys that match the zone being
    signed, and to include them in the zone if appropriate.
</p>
<p>
    When a key is found, its timing metadata is examined to
    determine how it should be used, according to the following
    rules. Each successive rule takes priority over the prior
    ones:
</p>
<div class="variablelist"><dl>
<dt></dt>
<dd><p>
    If no timing metadata has been set for the key, the key is
    published in the zone and used to sign the zone.
</p></dd>
<dt></dt>
<dd><p>
    If the key's publication date is set and is in the past, the
    key is published in the zone.
</p></dd>
<dt></dt>
<dd><p>
    If the key's activation date is set and in the past, the
    key is published (regardless of publication date) and
    used to sign the zone.
</p></dd>
<dt></dt>
<dd><p>
    If the key's revocation date is set and in the past, and the
    key is published, then the key is revoked, and the revoked key
    is used to sign the zone.
</p></dd>
<dt></dt>
<dd><p>
    If either of the key's unpublication or deletion dates are set
    and in the past, the key is NOT published or used to sign the
    zone, regardless of any other metadata.
</p></dd>
</dl></div>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
    Specifies a TTL to be used for new DNSKEY records imported
    into the zone from the key repository. If not
    specified, the default is the TTL value from the zone's SOA
    record. This option is ignored when signing without
    <code class="option">-S</code>, since DNSKEY records are not imported
    from the key repository in that case. It is also ignored if
    there are any pre-existing DNSKEY records at the zone apex,
    in which case new records' TTL values will be set to match
    them, or if any of the imported DNSKEY records had a default
    TTL value.
    In the event of a conflict between TTL values in
    imported keys, the shortest one is used.
</p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>
    Print statistics at completion.
</p></dd>
<dt><span class="term">-u</span></dt>
<dd><p>
    Update NSEC/NSEC3 chain when re-signing a previously signed
    zone. With this option, a zone signed with NSEC can be
    switched to NSEC3, or a zone signed with NSEC3 can
    be switched to NSEC or to NSEC3 with different parameters.
    Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
    retain the existing chain when re-signing.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
    Sets the debugging level.
</p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>
    Only sign the DNSKEY RRset with key-signing keys, and omit
    signatures from zone-signing keys. (This is similar to the
    <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
    <span><strong class="command">named</strong></span>.)
</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
    Ignore KSK flag on key when determining what to sign. This
    causes KSK-flagged keys to sign all records, not just the
    DNSKEY RRset. (This is similar to the
    <span><strong class="command">update-check-ksk no;</strong></span> zone option in
    <span><strong class="command">named</strong></span>.)
</p></dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd><p>
    Generate an NSEC3 chain with the given hex encoded salt.
    A dash (<code class="option">-</code>) can
    be used to indicate that no salt is to be used when generating the NSEC3 chain.
</p></dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd><p>
    When generating an NSEC3 chain, use this many iterations. The
    default is 10.
</p></dd>
<dt><span class="term">-A</span></dt>
<dd>
<p>
    When generating an NSEC3 chain, set the OPTOUT flag on all
    NSEC3 records and do not generate NSEC3 records for insecure
    delegations.
</p>
<p>
    Using this option twice (i.e., <code class="option">-AA</code>)
    turns the OPTOUT flag off for all records. This is useful
    when using the <code class="option">-u</code> option to modify an NSEC3
    chain which previously had OPTOUT set.
</p>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
    The file containing the zone to be signed.
</p></dd>
<dt><span class="term">key</span></dt>
<dd><p>
    Specify which keys should be used to sign the zone. If
    no keys are specified, then the zone will be examined
    for DNSKEY records at the zone apex. If these are found and
    there are matching private keys in the current directory,
    then these will be used for signing.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2675108"></a><h2>EXAMPLE</h2>
<p>
    The following command signs the <strong class="userinput"><code>example.com</code></strong>
    zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
    (Kexample.com.+003+17247).
    Because the <span><strong class="command">-S</strong></span> option
    is not being used, the zone's keys must be in the master file
    (<code class="filename">db.example.com</code>). This invocation looks
    for <code class="filename">dsset</code> files in the current directory,
    so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
</p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</pre>
<p>
    In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
    the file <code class="filename">db.example.com.signed</code>. This
    file should be referenced in a zone statement in a
    <code class="filename">named.conf</code> file.
</p>
<p>
    This example re-signs a previously signed zone with default parameters.
    The private keys are assumed to be in the current directory.
</p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
<a name="id2675187"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
    <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
    <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2675214"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
<p style="text-align: center;">BIND 9.10.2-P4</p>
</body>
</html>
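The five timing-metadata rules listed under -S, applied in order to a constructed pre-publish ZSK rollover, so an operator can check what a key set will do on a given date before signing. This is an added example, not code from BIND or ISC; the field names (publish, activate, revoke, unpublish, delete), the key names and the dates are assumptions made for illustration, and a key whose dates are all still in the future is treated as neither published nor signing because none of the rules fires.

```python
from datetime import datetime, timezone

# Field names are this example's own labels for the dates the rules mention.
FIELDS = ("publish", "activate", "revoke", "unpublish", "delete")
EXCLUDED = {"published": False, "signing": False, "revoked": False}


def smart_sign_role(meta, now):
    """Apply the five -S rules in order; each later rule overrides earlier ones.

    meta maps a field name to a datetime (missing or None means "not set").
    Returns a dict of booleans: published, signing, revoked.
    """
    def past(field):
        when = meta.get(field)
        return when is not None and when <= now

    role = dict(EXCLUDED)
    # Rule 1: no timing metadata at all -> publish and sign.
    if all(meta.get(f) is None for f in FIELDS):
        role.update(published=True, signing=True)
        return role
    # Rule 2: publication date in the past -> published.
    if past("publish"):
        role["published"] = True
    # Rule 3: activation date in the past -> published and signing.
    if past("activate"):
        role.update(published=True, signing=True)
    # Rule 4: revocation date in the past and key published -> revoked key signs.
    if past("revoke") and role["published"]:
        role.update(revoked=True, signing=True)
    # Rule 5: unpublication or deletion in the past -> excluded, whatever else is set.
    if past("unpublish") or past("delete"):
        role = dict(EXCLUDED)
    return role


def day(d):
    return datetime(2015, 1, d, tzinfo=timezone.utc)


# Constructed key set: outgoing ZSK, pre-published successor, key without metadata.
KEYS = {
    "zsk-old": {"publish": day(1), "activate": day(1), "delete": day(20)},
    "zsk-new": {"publish": day(10), "activate": day(15)},
    "legacy": {},
}


def plan(now):
    """Role of every constructed key at the given moment."""
    return {name: smart_sign_role(meta, now) for name, meta in KEYS.items()}


if __name__ == "__main__":
    for d in (5, 12, 16, 21):
        print(day(d).date(), plan(day(d)))
```

Between the successor's publication and activation dates it appears in the DNSKEY RRset without signing, which is the pre-publish window that the -Q description refers to.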