dnssigner - add signatures to DNS zone files
dnssigner [signer-name default_signer] [boot-file file] [debug-file file] [out-dir directory] [seq-no number] [expiration-time [(+ | =)]time] [hide] [noaxfr] [nosign] [verify] [update-zonekey] [-dlevel]
Dnssigner (Sign DNS zone database) is a tool to generate signatures for DNS (Domain Name System) resource records. It also generates NXT records for each zone.
signer-name default_signer
Specifies a name of the key to use if no signer is defined
using the $SIGNER directive in the boot files.
boot-file file
Specifies the control file for dnssigner, which is in the
same format as the BIND-4 named.boot file.
debug-file file
Redirect debug output to the specified file; default is
signer_out in the current directory.
out-dir directory
Write signed files to the specified directory; default is to
use /tmp.
NOTE: Specify the full path to this directory; relative paths may not work.
expiration-time [(+ | =)] time
Time when the signature records are to expire. Using either
``='' or no sign before the time argument (i.e., ``[=]
time''), the time is interpreted as an absolute time in seconds
when the records will expire. (NOTE: All such times
are interpreted as Universal Times.) With ``+'' specified
(i.e., ``+time''), the time is interpreted as an offset
into the future.
If not specified on the command line, the default expiration time is 3600*24*30 sec (30 days).
seq-no number
Force the serial number in the SOA records to the specified
value. If this parameter is not set, the serial number will
be set to a value based on the current time.
files, and to have boot files sorted into DNSSEC order.
update-zonekey
If this flag is specified, then the zonekeys used to sign
files will be updated with new records. Specify this flag if
one or more of the keys have been updated. If there are no
zonekeys specified in the boot files, this flag will insert
them. Omitting zonekeys will cause primary nameservers to reject
the zone.
Dnssigner reads BIND-4 named.boot and zone files, adds SIG and NXT records and writes out the records (to one file per zone, regardless of how many include files the original zone was in). The files generated by dnssigner are ordinary textual zone files and are then normally loaded by NAMED(8) to serve the zone. Dnssigner requires that the PRIVATE key(s) reside in the input directory.
Making manual changes to the output files is hazardous, because most changes will invalidate one or more signatures contained therein. This will cause the zone to fail to load into NAMED(8), or will cause subsequent failures in retrieving records from the zone. It is far better to make changes in dnssigner's input files, and rerun dnssigner.
When dnssigner detects a delegation point, it creates a special file <zone_name>.PARENT which contains the RRs the parent zone signs for the child zone (NS, KEY, NXT). The intent is that the child will include this file when loading primary nameservers. Similarly, each zone file ends with the ``#include <zone_name>.PARENT'' command. The records in the .PARENT files are omitted from the SIG(AXFR) calculations as these records usually are on a different signing cycle.
The ``$SIGNER [keyname]'' directive can be used to change signers in a zone. If keyname is omitted, signing is turned off. Keys are loaded the first time the keys are accessed. Only records that are signed by the zone signer (the key that signs the SOA) are included in the SIG(AXFR) calculation. It is not generally recommended that multiple keys sign records in the same zone, unless this is useful for dynamic updates.
No environmental variables are used.
NAMED(8), RSAREF documentation, Internet-Draft draft-ietf-dnssec-secext-10.txt on Secure DNS, or its successor.
Olafur Gudmundsson (ogud@tis.com)
The underlying crypto math is done by the RSAREF or BSAFE libraries.