Provided by: ldnsutils_1.7.1-2ubuntu4_amd64

NAME

       ldns-signzone - sign a zonefile with DNSSEC data

SYNOPSIS

       ldns-signzone [ OPTIONS ] ZONEFILE KEY [KEY [KEY] ...  ]

DESCRIPTION

       ldns-signzone is used to generate a DNSSEC signed zone. When run it will create a new zonefile that
       contains RRSIG and NSEC resource records, as specified in RFC 4033, RFC 4034 and RFC 4035.

       Keys must be specified by their base name (i.e. without .private). If the DNSKEY that belongs to the key
       in the .private file is not present in the zone, it will be read from the file <base name>.key. If that
       file does not exist, the DNSKEY value will be generated from the private key.

       Multiple keys can be specified. A key is used as a Key Signing Key when it is either already present in
       the zone or specified in a .key file, and has the KSK bit set.

OPTIONS

       -b     Augments the zone and the RRs with extra comment text for a more readable layout that is easier to
              debug. DS records will have a bubblebabble version of the data in the comment text; NSEC3 records
              will have the original NSEC3 in the comment text.

              Without this option, only DNSKEY RRs will have their Key Tag annotated in the comment text.

       -d     Normally, if the DNSKEY RR for a key that is used to sign the zone is not found in the zone file,
              it will be read from .key, or derived from the private key (in that order). This option turns that
              feature off, so that only the signatures are added to the zone.

       -e date
              Set the expiration date of the signatures to this date; the format can be YYYYMMDD[hhmmss] or a
              timestamp.

       -f file
              Use this file to store the signed zone in (default <originalfile>.signed)

       -i date
              Set the inception date of the signatures to this date; the format can be YYYYMMDD[hhmmss] or a
              timestamp.

       -o origin
              Use this as the origin of the zone

       -v     Print the version and exit

       -A     Sign the DNSKEY record with all keys. By default it is signed with a minimal number of keys, to
              keep the response size for the DNSKEY query small, and only the SEP keys that are passed are used.
              If there are no SEP keys, the DNSKEY RRset is signed with the non-SEP keys. This option turns off
              the default and all keys are used to sign the DNSKEY RRset.

       -E name
              Use the EVP cryptographic engine with the given name for signing. This can have some extra
              options; see ENGINE OPTIONS for more information.

       -K algorithm-id,key-id
              Use the key `key-id' as the signing key for algorithm `algorithm-id' as a Key Signing Key (KSK).
              This option is used when you use an OpenSSL engine, see ENGINE OPTIONS for more information.

       -k algorithm-id,key-id
              Use the key `key-id' as the signing key for algorithm `algorithm-id' as a Zone Signing Key (ZSK).
              This option is used when you use an OpenSSL engine, see ENGINE OPTIONS for more information.

       -n     Use NSEC3 instead of NSEC.

       If you use NSEC3, you can specify the following extra options:

       -a algorithm
              Algorithm used to create the hashed NSEC3 owner names

       -p     Opt-out.  All NSEC3 records in the zone will have the Opt-out flag set. After signing, you can add
              insecure delegations to the signed zone.

       -s string
              Salt

       -t number
              Number of hash iterations

ENGINE OPTIONS

       You can modify the possible engines, if supported, by setting an OpenSSL configuration file. This is done
       through the environment variable OPENSSL_CONF.

       The key options (-k and -K) work as follows: you specify a DNSSEC algorithm (using its symbolic name, for
       instance, RSASHA256 or its numeric identifier, for instance, 8), followed by a comma and a key identifier
       (white space is not allowed between the algorithm and the comma and between the comma and the key
       identifier).

       The key identifier can be any of the following:

           <id>
           <slot>:<id>
           id_<id>
           slot_<slot>-id_<id>
           label_<label>
           slot_<slot>-label_<label>

       Where '<id>' is the PKCS #11 key identifier in hexadecimal notation, '<label>' is the PKCS #11 human-
       readable label, and '<slot>' is the slot number where the token is present.

       More recent versions of OpenSSL engines may support the PKCS #11 URI scheme (RFC 7512); please consult
       your engine's documentation.

       If not already present, a DNSKEY RR is generated from the key data, and added to the zone.
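
       As an added example (not ldns code), the following validates a -k/-K argument against the grammar above
       before it is handed to ldns-signzone, so that a malformed key reference is rejected up front rather than
       at signing time. The algorithm table is the IANA DNSSEC algorithm registry; the sample arguments are
       constructed.

```python
import re

# Added example (not ldns code): parse/validate "algorithm-id,key-id" for -k/-K.
# Symbolic names and numbers follow the IANA DNSSEC algorithm registry.
ALGORITHMS = {
    "RSASHA1": 5, "RSASHA1-NSEC3-SHA1": 7, "RSASHA256": 8, "RSASHA512": 10,
    "ECDSAP256SHA256": 13, "ECDSAP384SHA384": 14, "ED25519": 15, "ED448": 16,
}

# The six key-identifier forms documented under ENGINE OPTIONS.
_HEX = r"[0-9A-Fa-f]+"
_KEY_FORMS = [
    re.compile(r"^(?P<id>" + _HEX + r")$"),                       # <id>
    re.compile(r"^(?P<slot>\d+):(?P<id>" + _HEX + r")$"),         # <slot>:<id>
    re.compile(r"^id_(?P<id>" + _HEX + r")$"),                    # id_<id>
    re.compile(r"^slot_(?P<slot>\d+)-id_(?P<id>" + _HEX + r")$"), # slot_<slot>-id_<id>
    re.compile(r"^label_(?P<label>\S+)$"),                        # label_<label>
    re.compile(r"^slot_(?P<slot>\d+)-label_(?P<label>\S+)$"),     # slot_<slot>-label_<label>
]

def parse_engine_key(arg: str) -> dict:
    """Return {'algorithm': int, 'slot': int|None, 'id': str|None, 'label': str|None}."""
    if any(c.isspace() for c in arg):   # the manual forbids white space anywhere
        raise ValueError("white space is not allowed in %r" % arg)
    algo, sep, key = arg.partition(",")
    if not sep or not algo or not key:
        raise ValueError("expected algorithm-id,key-id, got %r" % arg)
    if algo.isdigit():                  # numeric form, e.g. 8
        number = int(algo)
        if number not in ALGORITHMS.values():
            raise ValueError("unknown DNSSEC algorithm number %d" % number)
    else:                               # symbolic form, e.g. RSASHA256
        try:
            number = ALGORITHMS[algo.upper()]
        except KeyError:
            raise ValueError("unknown DNSSEC algorithm name %r" % algo) from None
    for form in _KEY_FORMS:
        m = form.match(key)
        if m:
            d = m.groupdict()
            return {"algorithm": number,
                    "slot": int(d["slot"]) if d.get("slot") else None,
                    "id": d.get("id"), "label": d.get("label")}
    raise ValueError("key identifier %r matches none of the documented forms" % key)

def is_valid_engine_key(arg: str) -> bool:
    """Convenience wrapper for scripts that only need accept/reject."""
    try:
        parse_engine_key(arg)
        return True
    except ValueError:
        return False
```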

EXAMPLES

       ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+005+12273
              Sign the zone in the file 'nlnetlabs.nl' with the key in the file
              'Knlnetlabs.nl.+005+12273.private'. If the DNSKEY is not present in the zone, use the key in the
              file 'Knlnetlabs.nl.+005+12273.key'. If that is not present, generate one with default values from
              'Knlnetlabs.nl.+005+12273.private'.

AUTHORS

       Written by the ldns team as an example for ldns usage.
       Portions of engine support by Vadim Penzin <vadim@penzin.net>.

REPORTING BUGS

       Report bugs to <ldns-team@nlnetlabs.nl>.

COPYRIGHT

       Copyright (C) 2005-2008 NLnet Labs. This is free software. There is NO warranty; not even for
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

                                                  13 March 2018                                 ldns-signzone(1)