An unfortunate side-effect of this flexibility is that dnssec-signzone
does not check to make sure it's signing a zone with any valid keys at
-all; an attempt to sign a zone with no keys may appear to have succeeded.
+all. An attempt to sign a zone without any keys will appear to succeed,
+producing a "signed" zone with no signatures. There is no warning issued
+when a zone is not signed.
-This will be corrected in the next release. In the meantime, ISC
+This will be corrected in a future release. In the meantime, ISC
recommends examining the output of dnssec-signzone to confirm that
-the zone is properly signed by all keys.
+the zone is properly signed by all keys before using it.
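Review bot: the added sentence "There is no warning issued when a zone is not signed" (the `+` line closing this hunk's second paragraph) does not match the same sentence as added to the .8, .docbook and .html copies in this change, which all read "when a zone is not fully signed"; pick one wording and use it in all four places, otherwise a reader comparing the copies will wonder whether the two statements are meant to differ.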
-.\" Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-signzone.8,v 1.47.44.3 2009/06/08 22:23:06 each Exp $
+.\" $Id: dnssec-signzone.8,v 1.47.44.4 2009/06/09 01:47:19 each Exp $
.\"
.hy 0
.ad l
.el .ne 3
.IP "\\$1" \\$2
..
-.TH "DNSSEC-SIGNZONE" 8 "June 05, 2009" "" ""
+.TH "DNSSEC-SIGNZONE" 8 "June 08, 2009" "" ""
.SH NAME
dnssec-signzone \- DNSSEC zone signing tool
.SH "SYNOPSIS"
db\&.example\&.com\&.signed
%
.fi
+.SH "KNOWN BUGS"
+.PP
+ \fBdnssec\-signzone\fR was designed so that it could sign a zone partially, using only a subset of the DNSSEC keys needed to produce a fully\-signed zone\&. This permits a zone administrator, for example, to sign a zone with one key on one machine, move the resulting partially\-signed zone to a second machine, and sign it again with a second key\&.
+.PP
+An unfortunate side\-effect of this flexibility is that \fBdnssec\-signzone\fR does not check to make sure it's signing a zone with any valid keys at all\&. An attempt to sign a zone without any keys will appear to succeed, producing a "signed" zone with no signatures\&. There is no warning issued when a zone is not fully signed\&.
+.PP
+This will be corrected in a future release\&. In the meantime, ISC recommends examining the output of \fBdnssec\-signzone\fR to confirm that the zone is properly signed by all keys before using it\&.
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8), BIND 9 Administrator Reference Manual, RFC 4033\&.
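Review bot: the first added line of the KNOWN BUGS section (`+ \fBdnssec\-signzone\fR was designed ...`) begins with a space after the `+`; in nroff input a line that starts with whitespace forces a break and the whitespace is printed, so this paragraph will render with a stray leading space. Drop it so the line starts with `\fB`, as the other two added paragraphs (`+An unfortunate ...`, `+This will be ...`) already do.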
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signzone.docbook,v 1.31.44.5 2009/06/08 23:47:00 tbox Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.31.44.6 2009/06/09 01:47:19 each Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
- <date>June 05, 2009</date>
+ <date>June 08, 2009</date>
</refentryinfo>
<refmeta>
%</programlisting>
</refsect1>
+ <refsect1>
+ <title>KNOWN BUGS</title>
+ <para>
+ <command>dnssec-signzone</command> was designed so that it could
+ sign a zone partially, using only a subset of the DNSSEC keys
+ needed to produce a fully-signed zone. This permits a zone
+ administrator, for example, to sign a zone with one key on one
+ machine, move the resulting partially-signed zone to a second
+ machine, and sign it again with a second key.
+ </para>
+ <para>
+ An unfortunate side-effect of this flexibility is that
+ <command>dnssec-signzone</command> does not check to make sure
+ it's signing a zone with any valid keys at all. An attempt to
+ sign a zone without any keys will appear to succeed, producing
+ a "signed" zone with no signatures. There is no warning issued
+ when a zone is not fully signed.
+ </para>
+
+ <para>
+ This will be corrected in a future release. In the meantime, ISC
+ recommends examining the output of <command>dnssec-signzone</command>
+ to confirm that the zone is properly signed by all keys before
+ using it.
+ </para>
+ </refsect1>
+
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
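Review bot: the second added paragraph describes the problem as signing a zone "without any keys" but closes with "There is no warning issued when a zone is not fully signed", which also covers the subset-of-keys case that the first paragraph presents as a supported feature; say which is meant (no warning for zero keys, or no warning in either case), since as written a reader may take the deliberate partial-signing behaviour itself to be the bug. The closing recommendation to examine the output would also be more useful if it named what to look for, for example that the output file contains RRSIG records over the zone's RRsets for each key the zone was expected to be signed with, given that the DESCRIPTION says the tool generates NSEC and RRSIG records. As this paragraph is repeated verbatim in the .8 and .html copies, fix it here and regenerate rather than editing the three copies by hand.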
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signzone.html,v 1.33.44.3 2009/06/08 22:23:07 each Exp $ -->
+<!-- $Id: dnssec-signzone.html,v 1.33.44.4 2009/06/09 01:47:19 each Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id215233"></a><h2>DESCRIPTION</h2>
+<a name="id215236"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id215250"></a><h2>OPTIONS</h2>
+<a name="id215253"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id216041"></a><h2>EXAMPLE</h2>
+<a name="id216044"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
%</pre>
</div>
<div class="refsect1" lang="en">
-<a name="id216094"></a><h2>SEE ALSO</h2>
+<a name="id216098"></a><h2>KNOWN BUGS</h2>
+<p>
+ <span><strong class="command">dnssec-signzone</strong></span> was designed so that it could
+ sign a zone partially, using only a subset of the DNSSEC keys
+ needed to produce a fully-signed zone. This permits a zone
+ administrator, for example, to sign a zone with one key on one
+ machine, move the resulting partially-signed zone to a second
+ machine, and sign it again with a second key.
+ </p>
+<p>
+ An unfortunate side-effect of this flexibility is that
+ <span><strong class="command">dnssec-signzone</strong></span> does not check to make sure
+ it's signing a zone with any valid keys at all. An attempt to
+ sign a zone without any keys will appear to succeed, producing
+ a "signed" zone with no signatures. There is no warning issued
+ when a zone is not fully signed.
+ </p>
+<p>
+ This will be corrected in a future release. In the meantime, ISC
+ recommends examining the output of <span><strong class="command">dnssec-signzone</strong></span>
+ to confirm that the zone is properly signed by all keys before
+ using it.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id216132"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id216118"></a><h2>AUTHOR</h2>
+<a name="id216155"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>