ldns-signzone(1) | General Commands Manual | ldns-signzone(1)
ldns-signzone - sign a zonefile with DNSSEC data
ldns-signzone [ OPTIONS ] ZONEFILE KEY [KEY [KEY] ... ]
ldns-signzone is used to generate a DNSSEC signed zone. When run it will create a new zonefile that contains RRSIG and NSEC resource records, as specified in RFC 4033, RFC 4034 and RFC 4035.
Keys must be specified by their base name (i.e. without .private). If the DNSKEY that belongs to the key in the .private file is not present in the zone, it will be read from the file <base name>.key. If that file does not exist, the DNSKEY value will be generated from the private key.
Multiple keys can be specified. Key Signing Keys are used as such when they are either already present in the zone or specified in a .key file, and have the KSK bit set.
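As an added illustration (not part of ldns or this manual page) of the key handling just described, the following Python reproduces the documented lookup order for one key base name: the DNSKEY is taken from the zone if present, otherwise from <base name>.key, otherwise it must be generated from the private key. It also shows what "KSK bit set" means on the wire: the SEP flag (bit 15, value 1) of the DNSKEY flags field, which together with the Zone Key flag (value 256) gives the familiar flags value 257. Assumptions: the zone text and the "files" mapping are constructed in-memory stand-ins for real files, the DNSKEY records are single-line, and matching a base name of the form Kname+alg+keytag against the zone is done by algorithm and key tag (RFC 4034 Appendix B), which is this example's simplification rather than ldns's own matching logic.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

SEP_FLAG = 0x0001       # RFC 4034 2.1.1, bit 15: Secure Entry Point, the "KSK bit"
ZONE_KEY_FLAG = 0x0100  # bit 7: Zone Key; set on every DNSKEY used for signing


def key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF          # fold the carry back in
    return ac & 0xFFFF


@dataclass
class DnsKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey_b64: str

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & SEP_FLAG)

    @property
    def key_tag(self) -> int:
        return key_tag(self.flags, self.protocol, self.algorithm, self.pubkey_b64)


def parse_dnskeys(text: str) -> list:
    """Collect single-line DNSKEY RRs from zone or .key file text (comments dropped)."""
    keys = []
    for line in text.splitlines():
        toks = line.split(";", 1)[0].split()
        if "DNSKEY" not in toks:
            continue
        i = toks.index("DNSKEY")
        if len(toks) < i + 5:          # flags, protocol, algorithm and key material are mandatory
            continue
        keys.append(DnsKey(owner=toks[0].lower(), flags=int(toks[i + 1]),
                           protocol=int(toks[i + 2]), algorithm=int(toks[i + 3]),
                           pubkey_b64="".join(toks[i + 4:])))
    return keys


# Base name layout as written by ldns-keygen: K<owner>+<alg:3 digits>+<keytag:5 digits>
BASE_NAME_RE = re.compile(r"^K(?P<owner>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")


def resolve_dnskey(base_name: str, zone_text: str, files: dict) -> tuple:
    """Return ("zone"|"keyfile"|"generate", DnsKey or None) following the documented order.
    `files` maps filename -> contents and stands in for the working directory."""
    m = BASE_NAME_RE.match(base_name)
    if not m:
        raise ValueError(f"unexpected key base name: {base_name!r}")
    if base_name + ".private" not in files:
        raise FileNotFoundError(base_name + ".private")   # the private key is always required
    owner, alg, tag = m["owner"].lower(), int(m["alg"]), int(m["tag"])
    for k in parse_dnskeys(zone_text):                      # 1. already in the zone?
        if k.owner == owner and k.algorithm == alg and k.key_tag == tag:
            return "zone", k
    keyfile = files.get(base_name + ".key")                 # 2. <base name>.key present?
    if keyfile is not None and (ks := parse_dnskeys(keyfile)):
        return "keyfile", ks[0]
    return "generate", None                                 # 3. derive from the private key


# Constructed sample data: "AQAB" is placeholder key material, not a real public key.
ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com. 3600 IN DNSKEY 257 3 8 AQAB ; constructed KSK
"""
FILES = {
    "Kexample.com.+008+01545.private": "(constructed placeholder)",
    "Kexample.com.+013+01549.private": "(constructed placeholder)",
    "Kexample.com.+013+01549.key": "example.com. IN DNSKEY 256 3 13 AQAB\n",
    "Kexample.com.+008+00042.private": "(constructed placeholder)",
}

if __name__ == "__main__":
    for base in ("Kexample.com.+008+01545", "Kexample.com.+013+01549", "Kexample.com.+008+00042"):
        source, key = resolve_dnskey(base, ZONE, FILES)
        role = "KSK" if key and key.is_ksk else ("ZSK" if key else "n/a")
        print(f"{base}: DNSKEY from {source}, role {role}")
```

The key tags in the constructed base names (01545 and 01549) are the values `key_tag` yields for the sample records, so the first key is found in the zone, the second in its .key file, and the third falls through to generation.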
Without this option, only DNSKEY RRs will have their Key Tag annotated in the comment text.
Use the key `key-id' as the signing key for algorithm `algorithm-id' as a Key Signing Key (KSK). This option is used when you use an OpenSSL engine; see ENGINE OPTIONS for more information.
You can modify the possible engines, if supported, by setting an OpenSSL configuration file. This is done through the environment variable OPENSSL_CONF.
The key options (-k and -K) work as follows: you specify a DNSSEC algorithm (using its symbolic name, for instance RSASHA256, or its numeric identifier, for instance 8), followed by a comma and a key identifier (white space is not allowed between the algorithm and the comma, or between the comma and the key identifier).
The key identifier can be any of the following:
<id>
<slot>:<id>
id_<id>
slot_<slot>-id_<id>
label_<label>
slot_<slot>-label_<label>
Where '<id>' is the PKCS #11 key identifier in hexadecimal notation, '<label>' is the PKCS #11 human-readable label, and '<slot>' is the slot number where the token is present.
More recent versions of OpenSSL engines may support the PKCS #11 URI scheme (RFC 7512); please consult your engine's documentation.
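As an added example (not part of ldns), the following Python parses the -k/-K argument syntax described above into its algorithm and PKCS #11 parts, rejecting white space around the comma and accepting each of the six key identifier forms; it also passes through an RFC 7512 "pkcs11:" URI unchanged for engines that support it. Assumptions: the algorithm mnemonics are the IANA DNSSEC algorithm numbers (the page does not list them), the `<id>` part is validated as hexadecimal and `<slot>` as decimal, and the EngineKey structure and option values are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# IANA DNSSEC algorithm numbers for the mnemonics the option accepts by name.
ALGORITHMS = {
    "RSASHA1": 5, "RSASHA1-NSEC3-SHA1": 7, "RSASHA256": 8, "RSASHA512": 10,
    "ECDSAP256SHA256": 13, "ECDSAP384SHA384": 14, "ED25519": 15, "ED448": 16,
}

HEX = r"[0-9A-Fa-f]+"
# The six documented identifier forms, tried in order; group names carry the parts.
ID_FORMS = [
    re.compile(rf"^(?P<id>{HEX})$"),                                  # <id>
    re.compile(rf"^(?P<slot>\d+):(?P<id>{HEX})$"),                    # <slot>:<id>
    re.compile(rf"^id_(?P<id>{HEX})$"),                               # id_<id>
    re.compile(rf"^slot_(?P<slot>\d+)-id_(?P<id>{HEX})$"),            # slot_<slot>-id_<id>
    re.compile(r"^label_(?P<label>\S+)$"),                            # label_<label>
    re.compile(r"^slot_(?P<slot>\d+)-label_(?P<label>\S+)$"),         # slot_<slot>-label_<label>
]


@dataclass
class EngineKey:
    algorithm: int
    ksk: bool                     # True for -k (Key Signing Key), False for -K
    key_id: Optional[str] = None  # PKCS #11 key id, hexadecimal
    label: Optional[str] = None   # PKCS #11 human-readable label
    slot: Optional[int] = None    # slot number where the token is present
    uri: Optional[str] = None     # RFC 7512 URI, when the engine supports it


def parse_key_option(flag: str, value: str) -> EngineKey:
    """Parse the value given to -k or -K: <algorithm>,<key-id>."""
    if flag not in ("-k", "-K"):
        raise ValueError(f"not a key option: {flag!r}")
    if "," not in value:
        raise ValueError("expected <algorithm>,<key-id>")
    alg_s, key_s = value.split(",", 1)
    if alg_s != alg_s.strip() or key_s != key_s.strip():
        raise ValueError("white space is not allowed around the comma")
    if alg_s.isdigit():
        algorithm = int(alg_s)
    else:
        algorithm = ALGORITHMS.get(alg_s.upper())
        if algorithm is None:
            raise ValueError(f"unknown DNSSEC algorithm {alg_s!r}")
    ksk = flag == "-k"
    if key_s.startswith("pkcs11:"):          # RFC 7512 URI: hand it to the engine as-is
        return EngineKey(algorithm, ksk, uri=key_s)
    for form in ID_FORMS:
        m = form.match(key_s)
        if m:
            g = m.groupdict()
            return EngineKey(algorithm, ksk, key_id=g.get("id"), label=g.get("label"),
                             slot=int(g["slot"]) if g.get("slot") else None)
    raise ValueError(f"unrecognised key identifier {key_s!r}")


if __name__ == "__main__":
    # Constructed option values covering the documented forms.
    for flag, value in (("-k", "RSASHA256,slot_1-id_0a1b"), ("-K", "13,label_zsk-2024"),
                        ("-K", "8,1:2a"), ("-k", "ED25519,pkcs11:token=hsm;object=ksk")):
        print(flag, value, "->", parse_key_option(flag, value))
```

A rejected value fails before any engine is loaded, which is the right place to catch a typo such as a stray space after the comma rather than letting the engine report a confusing "key not found".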
If not already present, a DNSKEY RR is generated from the key data, and added to the zone.
Written by the ldns team as an example for ldns usage.
Portions of engine support by Vadim Penzin <vadim@penzin.net>.
Report bugs to <ldns-team@nlnetlabs.nl>.
Copyright (C) 2005-2008 NLnet Labs. This is free software. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
13 March 2018