Open System Services Shell and Utilities Reference Manual (G06.29+, H06.08+, J06.03+)

ManualsBrandsHP ManualsServerHP NonStop G-Series

891

892

893

894

895

896

897

898

899

900

dnssec-signzone(8) OSS Shell and Utilities Reference Manual

-f output-file The name of the output ﬁle containing the signed zone. The default is to append

.signed to the input ﬁle.

-h Prints a short help summary of the ﬂags and values to dnssec-signzone.

-i interval When a previously signed zone is passed as input, records may be re-signed.

The interval option speciﬁes the cycle interval as an offset from the current time

(in seconds). If an RRSIG record expires after the cycle interval, it is retained.

Otherwise, it is considered to be expiring soon, and it is replaced.

The default cycle interval is one quarter of the difference between the signature

end and start times. If neither end_time nor start_time are speciﬁed, dnssec-

signzone generates signatures that are valid for 30 days, with a cycle interval of

7.5 days. Therefore, if any existing RRSIG records are due to expire in less than

7.5 days, they would be replaced.

-n nthreads Speciﬁes the number of threads to use. By default, one thread is started for each

detected processor.

-o origin Speciﬁes the zone origin. If not speciﬁed, the name of the zone ﬁle is assumed to

be the origin.

-p Use pseudo-random data when signing the zone. This is faster, but less secure,

than using real random data. This option may be useful when signing large

zones or when the entropy source is limited.

-r randomdev Speciﬁes the source of randomness. If the operating system does not provide a

/dev/random or equivalent device, the default source of randomness is keyboard

input. (The OSS environment does not have a /dev/random device.)

randomdev speciﬁes the name of a character device or ﬁle containing random

data to be used instead of the default. The special value keyboard indicates that

keyboard input should be used.

-t Print statistics at completion.

-v level Sets the debugging level.

-z Ignore a KSK ﬂag on a key when determining what to sign.

Operands

zonefile The name of the ﬁle containing the zone to be signed.

key ... The keys used to sign the zone. These keys are expressed in the form

Knnnn.+aaa+iiiii as generated by dnssec-keygen.

If no keys are speciﬁed, the default values used are all zone keys that have

private key ﬁles in the current directory.

DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed

version of the zone ﬁle. The security status of delegations from the signed zone (that is, whether

the child zones are secure or not) is determined by the presence or absence of a keyset ﬁle for

each child zone.

12−18 Hewlett-Packard Company 527188-021