dnssec-signzone man page on HP-UX

dnssec-signzone(1)					    dnssec-signzone(1)

       dnssec-signzone - DNSSEC zone signing tool

       class]  directory]  end-time]  output-file]  key]...  domain] interval]
	      nthreads] origin] randomdev] start-time] level] zonefile key...

       dnssec-signzone is used to sign a zone.  It generates NSEC and RRSIG
       records and produces a signed version of the zone.  The security status of delegations
       from the signed zone (that is, whether the child zones  are  secure  or
       not)  is determined by the presence or absence of a file for each child

       If the zone to be signed has any secure subzones, the files  for	 those
       subzones need to be available in the current working directory used by

       dnssec-signzone has the following options:

       Force verification of the signatures generated by
		 By default, the signature files are not verified.

       Specify the DNS class of the zone.

       Look for files in directory.  The default is the current directory.

       Set the expiration time for the RRSIG records.
		 As with the start-time, end-time can represent an absolute or
		 relative date.

		 Use the YYYYMMDDhhmmss notation to indicate absolute date and
		 time and the notation for relative time.

		 When  end-time	 is  it	 indicates that the RRSIG records will
		 expire in N seconds after their start time.  A time  relative
		 to  the  current  time	 is  indicated with If is omitted, the
		 default is 30 days from the start time.

		 See also the option.

       Override the use of the default signed zone file,

       Generate DS records for child zones from
		 files.	 Existing DS records will be removed.

       Print a short summary of the
		 options and operands.

       When a previously signed zone is passed as input,
		 records may be re-signed.  The	 option	 specifies  the	 cycle
		 interval as an offset from the current time (in seconds).  If
		 an RRSIG record expires  after	 the  cycle  interval,	it  is
		 retained.   Otherwise,	 it is considered to be expiring soon,
		 and it will be replaced.

		 The default cycle interval is one quarter of  the  difference
		 between the signature end and start times.  So if neither nor
		 is specified, generates signatures  that  are	valid  for  30
		 days,	with  a cycle interval of 7.5 days.  Therefore, if any
		 existing RRSIG records are due to expire  in  less  than  7.5
		 days, they would be replaced.

       Treat	 key  as  a  key-signing  key,	ignoring  any key flags.  This
		 option may be specified multiple times.

       Generate a DLV set in addition to the key (DNSKEY) and DS sets.
		 The domain is appended to the name of the records.

       Specify the number of CPUs to create threads for.
		 By default, one thread is started for each detected CPU.

       Specify the zone origin.
		 If not specified, the zone origin defaults to the name of the
		 zone file.

       Use pseudo-random data when signing the keys.
		 This  is faster, but less secure, than using genuinely random
		 data for signing.  This option may be useful when  there  are
		 many  child zone key sets to sign or if the entropy source is
		 limited.  It could also be used for short-lived keys and
		 signatures that don't require as much protection against
		 cryptanalysis, such as when the key will be discarded long
		 before it could be compromised.

       Override the behavior of
		 to  use  random  numbers  to  seed the process of signing the
		 zone.  If the system does not have a device to generate random
		 numbers, will prompt for keyboard input and use the time
		 intervals between keystrokes  to  provide  randomness.	  With
		 this  option,	it  will  use  randomdev as a source of random

       Specify the date and time when the generated
		 RRSIG records become valid.   start-time  can	either	be  an
		 absolute or relative date.

		 An absolute start time is indicated by a number in
		 YYYYMMDDhhmmss notation; for example, denotes 14:45:00 UTC on May
		 30th, 2000.

		 A relative start time is supplied when start-time is given as
		 specifying N seconds from the current time.

		 If is omitted, the default value is the current time minus  1
		 hour (to allow for clock skew).

		 See also the option.

       Print the statistics at the time of completion.

       Set the verbosity level.
		 As  the  debugging/tracing  level  level increases, generates
		 increasingly detailed reports about what it  is  doing.   The
		 default level is

       Ignore the KSK flag on the key when determining what to sign.

       dnssec-signzone has the following operands:

       key	 A  key	 used to sign the zone.	 If no keys are specified, the
		 default is all zone keys that have private key files  in  the
		 current directory.

       zonefile	 The name of the unsigned zone file.

       This example shows how can be used to sign the zone with the DSA key
       that was generated in the example given in the manpage for
       (see dnssec-keygen(1)).  The zone's keys must be in the zone.  If there
       are files associated with child zones, they must be in the current directory.

       creates a file called the signed version of the zone.   This  file  can
       then  be	 referenced  in a statement in so that it can be loaded by the
       name server.
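
       The cycle-interval rule and the default start and end times described
       under the options above, worked through as an added example (not part
       of the original man page or of BIND).  It reads RRSIG expiration times
       in YYYYMMDDhhmmss notation from a constructed zone fragment and reports
       which signatures a re-signing run would retain or replace; the function
       names, sample records and one-record-per-line layout are assumptions.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y%m%d%H%M%S"  # YYYYMMDDhhmmss, interpreted as UTC

# Constructed sample: one record per line, owner name always present.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. admin.example.com. 1 7200 900 1209600 3600
example.com. 3600 IN RRSIG SOA 3 2 3600 20240131120000 20240101110000 12345 example.com. c2FtcGxl
www.example.com. 3600 IN RRSIG A 3 3 3600 20240105120000 20231206110000 12345 example.com. c2FtcGxl
example.com. 3600 IN RRSIG NS 3 2 3600 20240109000000 20231210000000 12345 example.com. c2FtcGxl
"""
NOW = datetime(2024, 1, 2, 12, 0, 0, tzinfo=timezone.utc)  # constructed "current time"

def default_window(now):
    """Default start is now minus 1 hour; default end is 30 days after start."""
    start = now - timedelta(hours=1)
    return start, start + timedelta(days=30)

def cycle_interval(start, end):
    """Default cycle interval: one quarter of (end - start)."""
    return (end - start) / 4

def rrsig_expirations(zone_text):
    """Yield (owner, type_covered, expiration) for each RRSIG line."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "RRSIG" not in fields[:4]:
            continue
        i = fields.index("RRSIG")
        # RDATA order: covered alg labels orig-ttl expiration inception ...
        expires = datetime.strptime(fields[i + 5], FMT).replace(tzinfo=timezone.utc)
        yield fields[0], fields[i + 1], expires

def plan_resign(zone_text, now, interval=None):
    """Retain signatures expiring after now + interval; replace the rest."""
    if interval is None:
        interval = cycle_interval(*default_window(now))
    cutoff = now + interval
    return [(owner, covered, "retain" if expires > cutoff else "replace")
            for owner, covered, expires in rrsig_expirations(zone_text)]

if __name__ == "__main__":
    for row in plan_resign(SAMPLE_ZONE, NOW):
        print(*row)
```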

       dnssec-signzone was developed by the Internet Systems Consortium (ISC).


       Requests for Comments (RFC): 2535, available online at

       available online at

       available from the Internet Systems Consortium at

				   BIND 9.3		    dnssec-signzone(1)
