Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX Reference > D


BIND 9.3
HP-UX 11i Version 3: February 2007

Technical documentation

» Feedback
Content starts here

 » Table of Contents

 » Index


dnssec-signzone — DNSSEC zone signing tool


dnssec-signzone [-aghptz] [-c class] [-d directory] [-e end-time] [-f output-file] [-k key]... [-l domain] [-i interval] [-n nthreads] [-o origin] [-r randomdev] [-s start-time] [-v level] zonefile key...


dnssec-signzone is used to sign a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a keyset file for each child zone.

If the zone to be signed has any secure subzones, the .signedkey files for those subzones need to be available in the current working directory used by dnssec-signzone.


dnssec-signzone has the following options:


Force verification of the signatures generated by dnssec-signzone. By default, the signature files are not verified.

-c class

Specify the DNS class of the zone.

-d directory

Look for keyset files in directory . The default is the current directory.

-e end-time

Set the expiration time for the RRSIG records. As with the start-time, end-time can represent an absolute or relative date.

Use the YYYYMMDDhhmmss notation to indicate absolute date and time and the +N notation for relative time.

When end-time is +N, it indicates that the RRSIG records will expire in N seconds after their start time. A time relative to the current time is indicated with now+N. If -e is omitted, the default is 30 days from the start time.

See also the -s option.

-f output-file

Override the use of the default signed zone file, zonefile.signed.


Generate DS records for child zones from keyset files. Existing DS records will be removed.


Print a short summary of the dnssec-signzone options and operands.

-i interval

When a previously signed zone is passed as input, records may be re-signed. The -i option specifies the cycle interval as an offset from the current time (in seconds). If an RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.

The default cycle interval is one quarter of the difference between the signature end and start times. So if neither -s nor -e is specified, dnssec-signzone generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced.

-k key

Treat key as a key-signing key, ignoring any key flags. This option may be specified multiple times.

-l domain

Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.

-n ncpus

Specify the number of CPUs to create threads for. By default, one thread is started for each detected CPU.

-o origin

Specify the zone origin. If not specified, the zone origin defaults to the name of the zone file.


Use pseudo-random data when signing the keys. This is faster, but less secure, than using genuinely random data for signing. This option may be useful when there are many child zone key sets to sign or if the entropy source is limited. It could also be used for short-lived keys and signatures that don't require as much protection against cryptanalysis, such as when the key will be discarded long before it could be compromised.

-r randomdev

Override the behavior of dnssec-signzone to use random numbers to seed the process of signing the zone. If the system does not have a /dev/random device to generate random numbers, dnssec-signzone will prompt for keyboard input and use the time intervals between keystrokes to provide randomness. With this option, it will use randomdev as a source of random data.

-s start-time

Specify the date and time when the generated RRSIG records become valid. start-time can either be an absolute or relative date.

An absolute start time is indicated by a number in YYYYMMDDhhmmss notation; for example, 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.

A relative start time is supplied when start-time is given as +N, specifying N seconds from the current time.

If -s is omitted, the default value is the current time minus 1 hour (to allow for clock skew).

See also the -e option.


Print the statistics at the time of completion.

-v level

Set the verbosity level. As the debugging/tracing level level increases, dnssec-signzone generates increasingly detailed reports about what it is doing. The default level is 0.


Ignore the KSK flag on the key when determining what to sign.


dnssec-signzone has the following operands:


A key used to sign the zone. If no keys are specified, the default is all zone keys that have private key files in the current directory.


The name of the unsigned zone file.


This example shows how dnssec-signzone can be used to sign the example.com zone with the DSA key that was generated in the example given in the manpage for dnssec-keygen (see dnssec-keygen(1)). The zone's keys must be in the zone. If there are keyset files associated with child zones, they must be in the current directory.

$ dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160

dnssec-signzone creates a file called example.com.signed, the signed version of the example.com zone. This file can then be referenced in a zone{} statement in /etc/named.conf so that it can be loaded by the name server.


dnssec-signzone was developed by the Internet Systems Consortium (ISC).





Requests for Comments (RFC): 2535, available online at http://www.rfc-editor.org/.

HP-UX IP Address and Client Management Administrator's Guide, available online at http://docs.hp.com.

BIND 9 Administrator Reference Manual, available from the Internet Systems Consortium at http://www.isc.org/sw/bind/arm93.

Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 1983-2007 Hewlett-Packard Development Company, L.P.