David Blacka edited this page Jan 17, 2017 · 1 revision

jdnssec-signzone

This is the main zone signing tool. It will take an unsigned or previously-signed zone and sign it.

usage: jdnssec-signzone [..options..] zone_file [key_file ...]
 -3,--use-nsec3                             use NSEC3 instead of NSEC
 -A,--alg-alias <alias:original:mnemonic>   Define an alias for an
                                            algorithm
 -a,--verify                                verify generated signatures>
 -d,--keyset-directory <dir>                directory to find keyset files
                                            (default '.').
 -D,--key-directory <dir>                   directory to find key files
                                            (default '.').
    --ds-digest <id>                        Digest algorithm to use for
                                            generated DSs
 -e,--expire-time <time/offset>             signature expiration time
                                            (default is start-time + 30
                                            days).
 -F,--fully-sign-keyset                     sign the zone apex keyset with
                                            all available keys.
 -f <outfile>                               file the signed zone is written
                                            to (default is
                                            <origin>.signed).
 -h,--help                                  Print this message.
 -I,--include-file <file>                   include names in this file in
                                            the NSEC/NSEC3 chain.
    --iterations <value>                    use this value for the
                                            iterations in NSEC3.
 -k,--ksk-file <KSK file>                   this key is a key signing key
                                            (may repeat).
 -m,--multiline                             Output DNS records using
                                            'multiline' format
    --nsec3paramttl <ttl>                   use this value for the
                                            NSEC3PARAM RR ttl
 -O,--use-opt-out                           generate a fully Opt-Out zone
                                            (only valid with NSEC3).
 -R,--random-salt <length>                  generate a random salt.
 -s,--start-time <time/offset>              signature starting time
                                            (default is now - 1 hour)
 -S,--salt <hex value>                      supply a salt value.
 -v,--verbose <level>                       verbosity level -- 0 is
                                            silence, 3 is info, 5 is debug
                                            information, 6 is trace
                                            information. default is level 2
                                            (warning)
 -V,--verbose-signing                       Display verbose signing
                                            activity.
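
To make concrete what `-3`, `-S,--salt` and `--iterations` control, here is an added example (not part of jdnssec-tools or of the original page) that computes the NSEC3 owner-name hash defined in RFC 5155. It goes slightly beyond the option list above by showing the general algorithm; the function names `name_to_wire` and `nsec3_hash` are made up for this example, and the sample inputs are the RFC 5155 Appendix A test values.

```python
import base64
import hashlib

# Maps the standard base32 alphabet onto lowercase base32hex (RFC 4648, section 7),
# which is the encoding used for NSEC3 owner names.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789abcdefghijklmnopqrstuv",
)


def name_to_wire(name: str) -> bytes:
    """Return the canonical (lowercased, uncompressed) wire form of a domain name."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if not label:          # the root name has no labels
            continue
        raw = label.lower().encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 hash (algorithm 1, SHA-1) of `name`.

    salt_hex   -- the hex string that would be passed to -S/--salt ("" = no salt)
    iterations -- number of *additional* hash rounds, as in --iterations
    """
    if iterations < 0:
        raise ValueError("iterations must be >= 0")
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii")


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: salt aabbccdd, 12 iterations.
    for owner in ("example", "a.example"):
        print(owner, "->", nsec3_hash(owner, "aabbccdd", 12))
```

Every name in the zone is hashed this way, so the salt and iteration count apply to the whole NSEC3 chain and are published in the NSEC3PARAM record. RFC 9276 recommends an iterations value of 0 and an empty salt for new deployments.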