NAME
dnssec-signzone — DNSSEC zone signing tool
SYNOPSIS
dnssec-signzone [-a] [-c cycle-time] [-e end-time] [-f output-file] [-o origin] [-p] [-r randomdev] [-s start-time] [-v level] zonefile [keyfile ...]
DESCRIPTION
dnssec-signzone is used to sign a zone. Any .signedkey files for the zone to be signed should be present in the current directory, along with the keys that will be used to sign the zone.
Arguments
- zonefile
This is the name of the unsigned zone file.
- keyfile
If no keyfile arguments are supplied, the default behaviour is to use all of the zone's keys that are present in the current directory. Providing specific keyfile arguments constrains dnssec-signzone to only use those keys for signing the zone. Each keyfile argument is the identification string of a key created with dnssec-keygen (Kexample.com.+003+26160 in the EXAMPLE section below). If the zone to be signed has any secure subzones, the .signedkey files for those subzones need to be available in the current working directory used by dnssec-signzone.
Options
- -a
This option forces verification of the signatures generated by dnssec-signzone. By default the generated signatures are not verified.
- -c cycle-time
This option sets the cycle period used for resigning records when a previously signed zone is passed as input to dnssec-signzone. The cycle period is an offset from the current time (in seconds). If a SIG record expires after the cycle period, it is retained. Otherwise it is considered to be expiring soon, and dnssec-signzone removes it and generates a new SIG record to replace it.
- -e end-time
This option sets the expiration time for the SIG records. The expiration time specifies when the SIG records are no longer valid, not when they are deleted from caches on name servers. end-time can be an absolute or a relative date. The YYYYMMDDHHMMSS notation indicates an absolute date and time. When end-time is +N, the SIG records expire N seconds after their start time.
- -f output-file
This option overrides the default signed zone file name, zonefile.signed, used by dnssec-signzone.
- -o origin
This option specifies the fully qualified domain origin for the zone. It is needed only when the name of the zone file differs from the name of the zone (see EXAMPLE).
- -p
This option instructs dnssec-signzone to use pseudo-random data when signing. This is faster, but less secure, than using genuinely random data. It may be useful when there are many child zone key sets to sign or when the entropy source is limited. It could also be used for short-lived keys and signatures that do not require as much protection against cryptanalysis, such as when the key will be discarded long before it could be compromised.
- -r randomdev
By default dnssec-signzone seeds the signing process with random numbers from /dev/random. If the system has no /dev/random device, dnssec-signzone prompts for keyboard input and uses the time intervals between keystrokes to provide randomness. With this option, it uses randomdev as the source of random data instead.
- -s start-time
This option specifies the date and time when the generated SIG records become valid. start-time can be either an absolute or a relative date. An absolute start time is a number in YYYYMMDDHHMMSS notation; for example, 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is given as +N, meaning N seconds from the current time. If no -s option is supplied, the current date and time is used as the start time of the SIG records.
- -v level
This option makes dnssec-signzone more verbose. As the debugging/tracing level level increases, dnssec-signzone generates increasingly detailed reports about what it is doing. The default level is zero.
EXAMPLE
The example below shows how dnssec-signzone could be used to sign the example.com zone with the key that was generated in the example given in the man page for dnssec-keygen. The zone file for this zone is example.com, which is the same as the origin, so there is no need to use the -o option to set the origin. This zone file contains the key set for example.com that was created by dnssec-makekeyset. The zone's keys are either appended to the zone file or incorporated using a $INCLUDE statement. If there is a .signedkey file from the parent zone, i.e., example.com.signedkey, it should be present in the current directory. This allows the parent zone's signature to be included in the signed version of the example.com zone.

dnssec-signzone example.com Kexample.com.+003+26160

dnssec-signzone will create a file called example.com.signed, the signed version of the example.com zone. This file can then be referenced in a zone{} statement in /etc/named.conf so that it can be loaded by the name server.
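As an added example, not part of this man page or of BIND itself, the POSIX shell functions below tie the timing options (-s, -e, -c) together and complete the EXAMPLE above: dnssec_time converts an epoch value to the YYYYMMDDHHMMSS form that -s and -e accept, signzone_args derives -s, -e and a -c cycle from a desired validity window and adds -o only when the zone file name differs from the zone name, sign_zone runs dnssec-signzone -a with those options and any keyfile arguments, and zone_stanza prints the named.conf zone{} statement that loads the signed file. The function names, the 30-day validity and the quarter-of-validity cycle are choices made for this example; dnssec-signzone is assumed to be on PATH only when sign_zone is called, the other functions run without it.

```shell
#!/bin/sh
# Added example, not from the dnssec-signzone man page or from BIND.

# Epoch seconds -> YYYYMMDDHHMMSS in UTC, the absolute form -s and -e accept.
# Handles GNU date (-d @epoch) and BSD/macOS date (-r epoch).
dnssec_time() {
    if date -u -d @0 +%s >/dev/null 2>&1; then
        date -u -d "@$1" +%Y%m%d%H%M%S
    else
        date -u -r "$1" +%Y%m%d%H%M%S
    fi
}

# signzone_args ZONE ZONEFILE VALIDITY_DAYS [START_EPOCH]
# Prints the option string for dnssec-signzone: verify the result (-a),
# explicit start and end times, and a cycle of one quarter of the validity
# so SIGs are regenerated well before they expire (example policy, not a
# BIND default). -o is added only when the zone file name differs from the
# zone name, as in the EXAMPLE section. START_EPOCH defaults to now.
signzone_args() {
    zone=$1; zonefile=$2; days=$3; start=${4:-$(date -u +%s)}
    validity=$((days * 86400))
    end=$((start + validity))
    cycle=$((validity / 4))
    args="-a -s $(dnssec_time "$start") -e $(dnssec_time "$end") -c $cycle"
    [ "$zone" = "$zonefile" ] || args="$args -o $zone"
    printf '%s %s\n' "$args" "$zonefile"
}

# sign_zone ZONE ZONEFILE VALIDITY_DAYS [KEYFILE...]
# Runs dnssec-signzone with the derived options, restricted to the named
# keys; with no KEYFILE all of the zone's keys in the current directory are
# used. The option string is intentionally word-split.
sign_zone() {
    zone=$1; zonefile=$2; days=$3; shift 3
    dnssec-signzone $(signzone_args "$zone" "$zonefile" "$days") "$@"
}

# zone_stanza ZONE SIGNEDFILE
# Prints the named.conf zone{} statement that loads the signed file in place
# of the unsigned one.
zone_stanza() {
    cat <<EOF
zone "$1" {
    type master;
    file "$2";
};
EOF
}

# Usage, mirroring the man page example (runs only where the tool and the
# unsigned zone file are present):
if command -v dnssec-signzone >/dev/null 2>&1 && [ -f example.com ]; then
    sign_zone example.com example.com 30 Kexample.com.+003+26160 &&
        zone_stanza example.com example.com.signed
fi
```

Because the expiration is absolute, re-running sign_zone with a fresh start time is what extends the validity of the zone; the -c cycle only decides which existing SIG records the tool keeps when the previously signed file is fed back in.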