- -a
Force verification of the signatures generated by dnssec-signzone. By default, the generated signatures are not verified.
- -c class
Specify the DNS class of the zone.
- -d directory
Look for keyset files in directory. The default is the current directory.
- -e end-time
Set the expiration time for the RRSIG records. As with the start-time, end-time can represent an absolute or relative date. Use the YYYYMMDDhhmmss notation to indicate an absolute date and time (UTC) and the +N notation for relative time. When end-time is +N, the RRSIG records expire N seconds after their start time. A time relative to the current time is indicated with now+N. If -e is omitted, the default is 30 days from the start time. See also the -s option.
- -f output-file
Override the use of the default signed zone file, zonefile.signed.
- -g
Generate DS records for child zones from keyset files. Existing DS records will be removed.
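The DS records that -g derives from the DNSKEY RRs in keyset files are a hash over the child's owner name and the DNSKEY RDATA, plus a key tag. The following is an added example, not BIND's code: it carries out that RFC 4034 construction explicitly so the output of -g can be checked by hand. The key bytes used in the demo are constructed and not a real key.

```python
"""Derive a DS record from a DNSKEY RR as RFC 4034 defines it.

Added example, not BIND code: dnssec-signzone -g performs this computation
from the DNSKEY RRs in keyset files; this shows the construction explicitly.
The key bytes in the demo are constructed, not a real key.
"""
import hashlib
import struct

# DS digest types from the IANA DS RR digest algorithm registry.
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
_HASHES = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root as 0x00."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            if not label or len(label) > 63:
                raise ValueError(f"bad label in {name!r}")
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = DIGEST_SHA256) -> str:
    """DS digest = hash(canonical owner name wire form || DNSKEY RDATA), hex-encoded."""
    h = _HASHES[digest_type]()
    h.update(name_to_wire(owner))
    h.update(rdata)
    return h.hexdigest().upper()


def ds_record(owner: str, flags: int, algorithm: int, public_key: bytes,
              digest_type: int = DIGEST_SHA256) -> str:
    """Render the DS RR a parent zone would publish for this child DNSKEY."""
    rdata = dnskey_rdata(flags, 3, algorithm, public_key)
    return (f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} "
            f"{digest_type} {ds_digest(owner, rdata, digest_type)}")


if __name__ == "__main__":
    # Constructed sample: a KSK-flagged (257) RSASHA256 (algorithm 8) key with made-up key bytes.
    fake_key = bytes(range(1, 33))
    print(ds_record("child.example.", 257, 8, fake_key))
    print(ds_record("child.example.", 257, 8, fake_key, DIGEST_SHA1))
```

Because the digest covers the canonical (lowercased) owner name, a DS computed for CHILD.EXAMPLE matches one computed for child.example; any change to the flags, algorithm or key bytes changes both the key tag and the digest, which is why a DS must be regenerated after every KSK rollover.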
- -h
Print a short summary of the dnssec-signzone options and operands.
- -i interval
When a previously signed zone is passed as input, records may be re-signed. The -i option specifies the cycle interval as an offset from the current time (in seconds). If an RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon and is replaced. The default cycle interval is one quarter of the difference between the signature end and start times. So if neither -s nor -e is specified, dnssec-signzone generates signatures that are valid for 30 days, with a cycle interval of 7.5 days; any existing RRSIG records due to expire in less than 7.5 days are therefore replaced.
- -k key
Treat key as a key-signing key, ignoring any key flags. This option may be specified multiple times.
- -l domain
Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
- -n ncpus
Specify the number of CPUs to create threads for. By default, one thread is started for each detected CPU.
- -o origin
Specify the zone origin. If not specified, the zone origin defaults to the name of the zone file.
- -p
Use pseudo-random data when signing the zone. This is faster, but less secure, than using genuinely random data. This option may be useful when there are many child zone key sets to sign or when the entropy source is limited. It could also be used for short-lived keys and signatures that do not require as much protection against cryptanalysis, such as when the key will be discarded long before it could be compromised. How much this weakens the result depends on the algorithm: RSA signing is deterministic and does not consume random data, whereas DSA signing needs an unpredictable per-signature value, and a predictable one can reveal the private key.
- -r randomdev
Specify the source of random data used when signing the zone. By default dnssec-signzone reads the system's /dev/random device; if the system has no such device, it prompts for keyboard input and uses the time intervals between keystrokes as its source of randomness. With this option, randomdev (a device or file containing random data) is used instead.
- -s start-time
Specify the date and time when the generated RRSIG records become valid. start-time can be either an absolute or a relative date. An absolute start time is given in YYYYMMDDhhmmss notation; for example, 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is supplied when start-time is given as +N, meaning N seconds from the current time. If -s is omitted, the default is the current time minus 1 hour (to allow for clock skew). See also the -e option.
- -t
Print the statistics at the time of completion.
- -v level
Set the verbosity level. As the debugging/tracing level increases, dnssec-signzone generates increasingly detailed reports about what it is doing. The default level is 0.
- -z
Ignore the KSK flag on the key when determining what to sign.
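The -s, -e and -i options interact: +N for -e is relative to the start time, +N for -s is relative to the current time, and the default cycle interval is derived from the resolved start and end. The following is an added example, not BIND's code: it resolves those three options with the documented defaults, checks that the window is sane, decides which existing RRSIGs would be re-signed, and renders the resulting command line. The fixed current time and the RRSIG expirations at the bottom are constructed sample data; the zone name, file name and key names in the rendered command are placeholders.

```python
"""Model the RRSIG validity arithmetic behind -s, -e and -i.

Added example, not BIND code. It parses the time notations the options
accept (absolute YYYYMMDDhhmmss in UTC, +N relative to a base time, now+N
relative to the current time), applies the documented defaults (start =
now - 1 hour, end = start + 30 days, cycle interval = a quarter of the
validity period) and lists the RRSIGs that would be replaced.
"""
from datetime import datetime, timedelta, timezone

ABS_FMT = "%Y%m%d%H%M%S"
# Constructed "current time" so the demo is reproducible: 14:45:00 UTC, 30 May 2000.
SAMPLE_NOW = datetime(2000, 5, 30, 14, 45, 0, tzinfo=timezone.utc)


def to_absolute(dt):
    """Render a UTC datetime in the YYYYMMDDhhmmss notation the options accept."""
    return dt.astimezone(timezone.utc).strftime(ABS_FMT)


def parse_time(spec, base, now):
    """Return a UTC datetime for an -s/-e style spec.

    spec is "YYYYMMDDhhmmss" (absolute UTC), "+N" (N seconds after base) or
    "now+N" (N seconds after now). base is the current time for -s and the
    start time for -e, which is the asymmetry the man page describes.
    """
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        return base + timedelta(seconds=int(spec[1:]))
    if len(spec) == 14 and spec.isdigit():
        return datetime.strptime(spec, ABS_FMT).replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised time spec {spec!r}")


def signing_window(start=None, end=None, interval=None, now=None):
    """Resolve -s/-e/-i to (start, end, cycle_interval) using the documented defaults."""
    now = now or datetime.now(timezone.utc)
    start_t = parse_time(start, now, now) if start else now - timedelta(hours=1)
    end_t = parse_time(end, start_t, now) if end else start_t + timedelta(days=30)
    if end_t <= start_t:
        raise ValueError("end-time must be after start-time")
    cycle = timedelta(seconds=interval) if interval is not None else (end_t - start_t) / 4
    return start_t, end_t, cycle


def rrsigs_to_replace(expirations, cycle, now):
    """Return the expirations (absolute notation) that fall within the cycle interval.

    An RRSIG that expires after now + cycle is retained; any other is
    considered to be expiring soon and is re-signed.
    """
    threshold = now + cycle
    return [exp for exp in expirations if parse_time(exp, now, now) <= threshold]


def command_line(origin, zonefile, start, end, cycle, keys=()):
    """Render an explicit dnssec-signzone invocation for a resolved window."""
    parts = ["dnssec-signzone", "-o", origin, "-s", to_absolute(start),
             "-e", to_absolute(end), "-i", str(int(cycle.total_seconds()))]
    for key in keys:
        parts += ["-k", key]  # assumed placeholder key names
    return " ".join(parts + [zonefile])


if __name__ == "__main__":
    start, end, cycle = signing_window(now=SAMPLE_NOW)
    print("default window:", to_absolute(start), "->", to_absolute(end),
          "cycle", cycle.total_seconds() / 86400, "days")
    # Constructed RRSIG expirations from a previously signed zone.
    existing = ["20000605000000", "20000607024500", "20000607024501", "20000701000000"]
    print("would re-sign:", rrsigs_to_replace(existing, cycle, SAMPLE_NOW))
    print(command_line("example.com", "example.com.zone", start, end, cycle,
                       keys=["Kexample.com.+005+12345"]))
```

Pinning the window with explicit -s and -e and recording the rendered command line makes a re-signing run reproducible, which matters when comparing a zone signed on two hosts whose clocks disagree by more than the one-hour default skew allowance.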