\fBldns-signzone\fR is used to generate a DNSSEC signed zone. When run it
will create a new zonefile that contains RRSIG and NSEC resource records, as
-specified in RFC 4033, RFC 4034 and RFC 4035. It will add the DNSKEY(s)
-that is/are used to sign the zone.
+specified in RFC 4033, RFC 4034 and RFC 4035.
-Keys must be specified by their base name (i.e. without .key and .private)
-and both the public and private key must be present in the specified
-location. Multiple keys can be specified.
+Keys must be specified by their base name (i.e. without .private). If
+the DNSKEY that belongs to the key in the .private file is not present
+in the zone, it will be read from the file <base name>.key. If that
+file does not exist, the DNSKEY value will be generated from the
+private key.
+
+Multiple keys can be specified, Key Signing Keys are used as such when
+they are either already present in the zone, or specified in a .key
+file, and have the KSK bit set.
.SH OPTIONS
.TP
.TP
\fB-l\fR
-Leave old DNSSEC RRSIGS and NSEC records intact (by default, they are removed from the zone)
+Leave old DNSSEC RRSIGS and NSEC records intact (by default, they are
+removed from the zone)
.TP
\fB-o\fR \fIorigin\fR
-Use this as the origin of the zone, if it cannot be read from the zonefile
+Use this as the origin of the zone
.TP
\fB-v\fR
.TP
\fB-E\fR \fIname\fR
-Use the EVP cryptographic engine with the given name for signing. This can have some extra options; see ENGINE OPTIONS for more information.
-
+Use the EVP cryptographic engine with the given name for signing. This
+can have some extra options; see ENGINE OPTIONS for more information.
.TP
\fB-k\fR \fIid,int\fR
-Use the key with the given id as the signing key for algorithm int as a Zone signing key.
+Use the key with the given id as the signing key for algorithm int as
+a Zone signing key. This option is used when you use an OpenSSL
+engine, see ENGINE OPTIONS for more information.
.TP
\fB-K\fR \fIid,int\fR
-Use the key with the given id as the signing key for algorithm int as a Key signing key.
+
+Use the key with the given id as the signing key for algorithm int as
+a Key signing key. This options is used when you ue an OpenSSL engine,
+see ENGINE OPTIONS for more information.
+
+.TP
+\fB-n\fR
+Use NSEC3 instead of NSEC.
+
+.TP
+If you use NSEC3, you can specify the following extra options:
+
+.TP
+\fB-a\fR \fIalgorithm\fR
+Algorithm used to create the hashed NSEC3 owner names
+
+.TP
+\fB-t\fR \fInumber\fR
+Number of hash iterations
+
+.TP
+\fB-s\fR \fIstring\fR
+Salt
+
+.SH ENGINE OPTIONS
+You can modify the possible engines, if supported, by setting an
+OpenSSL configuration file. This is done through the environment
+variable OPENSSL_CONF. If you use -E with a non-existent engine name,
+ldns-signzone will print a list of engines supported by your
+configuration.
+
+The key options (-k and -K) work as follows; you specify a key id, and a DNSSEC algorithm number (for instance, 5 for RSASHA1). The key id can be any of the following:
+
+ <id>
+ <slot>:<id>
+ id_<id>
+ slot_<slot>-id_<id>
+ label_<label>
+ slot_<slot>-label_<label>
+
+Where '<id>' is the PKCS #11 key identifier in hexadecimal
+notation, '<label>' is the PKCS #11 human-readable label, and '<slot>'
+is the slot number where the token is present.
+
+If not already present, a DNSKEY RR is generated from the key
+data, and added to the zone.
+
+.SH EXAMPLES
+
+.TP
+ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+005+12273
+Sign the zone in the file 'nlnetlabs.nl' with the key in the
+files 'Knlnetlabs.nl.+005+12273.private'. If the DNSKEY is not present
+in the zone, use the key in the
+file 'Knlnetlabs.nl.+005+12273.key'. If that is not present, generate
+one with default values from 'Knlnetlabs.nl.+005+12273.private'.
.SH AUTHOR
Report bugs to <ldns-team@nlnetlabs.nl>.
.SH COPYRIGHT
-Copyright (C) 2005 NLnet Labs. This is free software. There is NO
+Copyright (C) 2005-2008 NLnet Labs. This is free software. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
projects / thirdparty / ldns.git / commitdiff
