kzonesign - DNSSEC signing utility
kzonesign [config_option config_argument]
[options] zone_name
This utility reads the zone's zone file, signs the zone according
to given configuration, and writes the signed zone file back. An alternative
mode is DNSSEC validation of the given zone. The signing or validation can
run in parallel if enabled in the configuration (see policy.signing-threads
and zone.adjust-threads).
- -c, --config
file
- Use a textual configuration file (default is
/etc/knot/knot.conf).
- -C, --confdb
directory
- Use a binary configuration database directory (default is
/var/lib/knot/confdb). The default configuration database, if
exists, has a preference to the default configuration file.
- -o, --outdir
dir_name
- Write the output zone file to the specified directory instead of the
configured one.
- -r,
--rollover
- Allow key roll-overs and NSEC3 re-salt. In order to finish possible KSK
submission, set the KSK's active timestamp to now (+0) using
keymgr.
- -v, --verify
- Instead of (re-)signing the zone, just verify that the zone is correctly
signed.
- -t, --time
timestamp
- Sign/verify the zone (and roll the keys if necessary) as if it was at the
time specified by timestamp.
- -h, --help
- Print the program help.
- -V, --version
- Print the program version.
Exit status of 0 means successful operation. Any other exit status
indicates an error.
CZ.NIC Labs <https://www.knot-dns.cz>
Copyright 2010–2023, CZ.NIC, z.s.p.o.