dnssec-signzone(1)dnssec-signzone(1)NAMEdnssec-signzone - DNSSEC zone signing tool
class] directory] end-time] output-file] key]... domain] interval]
nthreads] origin] randomdev] start-time] level] zonefile key...
is used to sign a zone. It generates NSEC and RRSIG records and pro‐
duces a signed version of the zone. The security status of delegations
from the signed zone (that is, whether the child zones are secure or
not) is determined by the presence or absence of a file for each child
If the zone to be signed has any secure subzones, the files for those
subzones need to be available in the current working directory used by
has the following options:
Force verification of the signatures generated by
By default, the signature files are not verified.
Specify the DNS class of the zone.
Look for files in directory . The default is the current directory.
Set the expiration time for the RRSIG records.
As with the start-time, end-time can represent an absolute or
Use the YYYYMMDDhhmmss notation to indicate absolute date and
time and the notation for relative time.
When end-time is it indicates that the RRSIG records will
expire in N seconds after their start time. A time relative
to the current time is indicated with If is omitted, the
default is 30 days from the start time.
See also the option.
Override the use of the default signed zone file,
Generate DS records for child zones from
files. Existing DS records will be removed.
Print a short summary of the
options and operands.
When a previously signed zone is passed as input,
records may be re-signed. The option specifies the cycle
interval as an offset from the current time (in seconds). If
an RRSIG record expires after the cycle interval, it is
retained. Otherwise, it is considered to be expiring soon,
and it will be replaced.
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither nor
is specified, generates signatures that are valid for 30
days, with a cycle interval of 7.5 days. Therefore, if any
existing RRSIG records are due to expire in less than 7.5
days, they would be replaced.
Treat key as a key-signing key, ignoring any key flags. This
option may be specified multiple times.
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
Specify the number of CPUs to create threads for.
By default, one thread is started for each detected CPU.
Specify the zone origin.
If not specified, the zone origin defaults to the name of the
Use pseudo-random data when signing the keys.
This is faster, but less secure, than using genuinely random
data for signing. This option may be useful when there are
many child zone key sets to sign or if the entropy source is
limited. It could also be used for short-lived keys and sig‐
natures that don't require as much protection against crypt‐
analysis, such as when the key will be discarded long before
it could be compromised.
Override the behavior of
to use random numbers to seed the process of signing the
zone. If the system does not have a device to generate ran‐
dom numbers, will prompt for keyboard input and use the time
intervals between keystrokes to provide randomness. With
this option, it will use randomdev as a source of random
Specify the date and time when the generated
RRSIG records become valid. start-time can either be an
absolute or relative date.
An absolute start time is indicated by a number in YYYYMMD‐
Dhhmmss notation; for example, denotes 14:45:00 UTC on May
A relative start time is supplied when start-time is given as
specifying N seconds from the current time.
If is omitted, the default value is the current time minus 1
hour (to allow for clock skew).
See also the option.
Print the statistics at the time of completion.
Set the verbosity level.
As the debugging/tracing level level increases, generates
increasingly detailed reports about what it is doing. The
default level is
Ignore the KSK flag on the key when determining what to sign.
has the following operands:
key A key used to sign the zone. If no keys are specified, the
default is all zone keys that have private key files in the
zonefile The name of the unsigned zone file.
This example shows how can be used to sign the zone with the DSA key
that was generated in the example given in the manpage for (see dnssec-
keygen(1)). The zone's keys must be in the zone. If there are files
associated with child zones, they must be in the current directory.
creates a file called the signed version of the zone. This file can
then be referenced in a statement in so that it can be loaded by the
was developed by the Internet Systems Consortium (ISC).
Requests for Comments (RFC): 2535, available online at
available online at
available from the Internet Systems Consortium at
BIND 9.3 dnssec-signzone(1)