<!-- Creator : groff version 1.20.1 -->
<!-- CreationDate: Sat Nov 27 20:13:08 2010 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta name="generator" content="groff -Thtml, see www.gnu.org">
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<meta name="Content-Style" content="text/css">
<style type="text/css">
       p     { margin-top: 0; margin-bottom: 0; vertical-align: top }
       pre   { margin-top: 0; margin-bottom: 0; vertical-align: top }
       table { margin-top: 0; margin-bottom: 0; vertical-align: top }
       h1    { text-align: center }
</style>
<title>zkt-signer</title>

</head>
<body>

<h1 align="center">zkt-signer</h1>

<a href="#NAME">NAME</a><br>
<a href="#SYNOPSYS">SYNOPSIS</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#OPTIONS">OPTIONS</a><br>
<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
<a href="#Zone setup and initial preparation">Zone setup and initial preparation</a><br>

<hr>


<h2>NAME
<a name="NAME"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">zkt-signer
— Secure DNS zone signing tool</p>

<h2>SYNOPSIS
<a name="SYNOPSYS"></a>
</h2>



<p style="margin-left:11%; margin-top: 1em"><b>zkt-signer</b>
[<b>−L</b> <i>file</i>] [<b>−V</b> <i>view</i>]
[<b>−c</b> <i>file</i>] [<b>−O</b> <i>optstr</i>]
[<b>−fhnr</b>] [<b>−v</b> [<b>−v</b>]]
<b>−N</b> <i>named.conf</i> [<i>zone ...</i>]<br>
<b>zkt-signer</b> [<b>−L</b> <i>file</i>]
[<b>−V</b> <i>view</i>] [<b>−c</b> <i>file</i>]
[<b>−O</b> <i>optstr</i>] [<b>−fhnr</b>]
[<b>−v</b> [<b>−v</b>]] [<b>−D</b> <i>directory</i>]
[<i>zone ...</i>]<br>
<b>zkt-signer</b> [<b>−L</b> <i>file</i>]
[<b>−V</b> <i>view</i>] [<b>−c</b> <i>file</i>]
[<b>−O</b> <i>optstr</i>] [<b>−fhnr</b>]
[<b>−v</b> [<b>−v</b>]] <b>−o</b> <i>origin</i>
[<i>zonefile</i>]</p>

<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">The
<i>zkt-signer</i> command is a wrapper around
<i>dnssec-signzone(8)</i> and <i>dnssec-keygen(8)</i> that
signs a zone and manages the necessary zone keys. It is able
to increment the serial number before signing the zone and
can trigger <i>named(8)</i> to reload the signed zone file.
The command can manage several secure zones and, if started at
regular intervals via <i>cron(8)</i>, does all of this
automatically.</p>

<p style="margin-left:11%; margin-top: 1em">In the most
useful usage scenario the command is called with option
<b>−N</b> to read the secure zones out of the given
<i>named.conf</i> file. If you have a configuration file
with views, you have to use option <b>−V</b> <i>viewname</i>
or <b>−−view</b> <i>viewname</i> to specify the name of the
view. Alternatively you can link the executable file to a
second name like <i>zkt-signer-viewname</i> and use that
command to specify the name of the view. <br>
All master zone statements are scanned for file names
ending with ".signed". For these zones the command checks
whether the necessary zone signing and key signing keys exist
and are fresh enough to be used in the signing process. If one
or more outdated keys are found, new keying material is
generated via the <i>dnssec-keygen(8)</i> command and the
old keys are marked as deprecated. So the command does
everything needed for a zone key rollover as defined in
[2].</p>

<p style="margin-left:11%; margin-top: 1em">If the
resigning interval is reached or any new key must be
announced, the serial number of the zone is incremented
and the <i>dnssec-signzone(8)</i> command is invoked to
sign the zone.
After that, if the option <b>−r</b> is
given, the <i>rndc(8)</i> command is called to reload
the zone on the name server.</p>

<p style="margin-left:11%; margin-top: 1em">In the second
form of the command it is possible to specify a directory
tree with the option <b>−D</b> <i>dir</i>. Every
secure zone found in a subdirectory below <i>dir</i> is
signed. However, it is also possible to restrict the signing
to those zones given as arguments. <br>
If <b>−D</b> is omitted (and neither <b>−N</b>
nor <b>−o</b> <i>origin</i> is specified) the default
directory specified in the <i>dnssec.conf</i> file by the
parameter <i>zonedir</i> is used as the top level
directory.</p>

<h2>OPTIONS
<a name="OPTIONS"></a>
</h2>



<p style="margin-left:11%; margin-top: 1em"><b>−L</b>
<i>file|dir</i>, <b>−−logfile=</b><i>file|dir</i></p>

<p style="margin-left:22%;">Specify the name of a log file
or a directory where log files are created with a name like
zkt-<i>YYYY-MM-DD</i>T<i>hhmmss</i>Z.log. If the
argument is not an absolute path name and a zone directory
is specified in the config file, that directory is prepended to
the given name. This option can also be set in the
dnssec.conf file via the parameter <b>LogFile</b>.
<br>
The default is no file logging, but error logging to syslog
with facility <b>USER</b> at level <b>ERROR</b> is enabled
by default.
These parameters can be set via the config
file parameters <b>SyslogFacility</b>,
<b>SyslogLevel</b>, <b>LogFile</b> and
<b>Loglevel</b>. <br>
The additional parameter <b>VerboseLog</b> specifies the
verbosity (0|1|2) of messages that are logged with level
<b>DEBUG</b> to file and syslog.</p>

<p style="margin-left:11%;"><b>−V</b> <i>view</i>,
<b>−−view=</b><i>view</i></p>

<p style="margin-left:22%;">Try to read the default
configuration out of a file named
<i>dnssec-&lt;view&gt;.conf</i>. Instead of specifying the
<b>−V</b> or <b>−−view</b> option every time, it is also
possible to create a hard or soft link to the executable file
with an additional name like <i>zkt-signer-&lt;view&gt;</i>.</p>

<p style="margin-left:11%;"><b>−c</b> <i>file</i>,
<b>−−config=</b><i>file</i></p>

<p style="margin-left:22%;">Read configuration values out
of the specified file. Otherwise the default config file is
read or built-in defaults are used.</p>

<p style="margin-left:11%;"><b>−O</b>
<i>optstr</i>, <b>−−config-option=</b><i>optstr</i></p>

<p style="margin-left:22%;">Set any config file option via
the command line. Several config file options can be
specified in the argument string but have to be delimited
by semicolons (or newlines).</p>

<p style="margin-left:11%;"><b>−f</b>,
<b>−−force</b></p>

<p style="margin-left:22%;">Force a resigning of the zone,
regardless of whether the resigning interval is reached or new
keys must be announced.</p>

<p style="margin-left:11%;"><b>−n</b>,
<b>−−noexec</b></p>

<p style="margin-left:22%;">Don’t execute the
<i>dnssec-signzone(8)</i> command. Currently this option is
of very limited use.</p>

<p style="margin-left:11%;"><b>−r</b>,
<b>−−reload</b></p>

<p style="margin-left:22%;">Reload the zone via
<i>rndc(8)</i> after successful signing.
In a production
environment it is recommended to use this option to be sure
that a freshly signed zone is immediately propagated.
However, that’s only feasible if named runs on the
signing machine, which is not recommended.</p>

<p style="margin-left:11%;"><b>−v</b>,
<b>−−verbose</b></p>

<p style="margin-left:22%;">Verbose mode (recommended). A
second <b>−v</b> is a little more verbose.</p>

<p style="margin-left:11%;"><b>−h</b>,
<b>−−help</b></p>

<p style="margin-left:22%;">Print out the online help.</p>

<h2>SAMPLE USAGE
<a name="SAMPLE USAGE"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em"><b>zkt-signer
−N /var/named/named.conf −r −v −v</b></p>

<p style="margin-left:22%;">Sign all secure zones found in
the named.conf file and, if necessary, trigger a reload of
the zone. Print some explanatory remarks on stdout.</p>

<p style="margin-left:11%;"><b>zkt-signer −D
zonedir/example.net. −f −v −v</b></p>

<p style="margin-left:22%;">Force the signing of the zone
found in the directory <i>zonedir/example.net.</i> and do not
reload the zone.</p>

<p style="margin-left:11%;"><b>zkt-signer −D zonedir
−f −v −v example.net.</b></p>

<p style="margin-left:22%;">Same as above.</p>

<p style="margin-left:11%;"><b>zkt-signer −f −v
−v example.net.</b></p>

<p style="margin-left:22%;">Same as above if the
<i>dnssec.conf</i> file contains the path of the parent
directory of the <i>example.net</i> zone.</p>

<p style="margin-left:11%;"><b>zkt-signer −f −v
−v −o example.net. zone.db</b></p>

<p style="margin-left:22%;">Same as above if we are in the
directory containing the <i>example.net</i> files.</p>

<p style="margin-left:11%;"><b>zkt-signer
−−config-option=’ResignInterval 1d;
Sigvalidity 28h; \</b></p>

<p style="margin-left:22%;"><b>ZSKlifetime 2d;’
−v −v −o example.net.
zone.db</b> <br>
Sign the example.net zone but override some config file
values with parameters given on the command line.</p>

<h2>Zone setup and initial preparation
<a name="Zone setup and initial preparation"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">Create a
separate directory for every secure zone.</p>

<p style="margin-left:22%;">This is useful because
many additional files are needed to secure a zone. Besides
the zone file (<i>zone.db</i>), there is a signed zone file
(<i>zone.db.signed</i>), a minimum of four files containing
the key material, a file called <i>dnskey.db</i> with the
currently used keys, and the <i>dsset-</i> and
<i>keyset-</i> files created by the <i>dnssec-signzone(8)</i>
command. So in summary there is a minimum of nine files used
per secure zone. For every additional key there are two
extra files, and every delegated subzone also creates two or
three files.</p>

<p style="margin-left:11%;">Name the directory just like
the zone.</p>

<p style="margin-left:22%;">That’s only needed if you
want to use the zkt-signer command in directory mode
(<b>−D</b>). Then the name of the zone is parsed
out of the directory name.</p>

<p style="margin-left:11%;">Change the name of the zone
file to <i>zone.db</i></p>

<p style="margin-left:22%;">Otherwise you have to set the
name via the <i>dnssec.conf</i> parameter <i>zonefile</i>,
or you have to use the option <b>−o</b> to name the
zone and specify the zone file as argument.</p>

<p style="margin-left:11%;">Add the name of the signed
zone file to the <i>named.conf</i> file</p>

<p style="margin-left:22%;">The filename is the name of the
zone file with the extension <i>.signed</i>.
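</p>

<p style="margin-left:22%; margin-top: 1em">The following shell script is an added example and is not part of ZKT or of this man page. It emulates the named.conf scan that <b>−N</b> performs (master zone statements whose file name ends in ".signed") and pre-checks, for each zone found, the layout this section describes: a directory named like the zone that holds <i>zone.db</i> and a <i>zone.db.signed</i> file, with the keyfile included in <i>zone.db</i>. The zone names, paths and the named.conf contents are constructed for the demo; the <i>$INCLUDE</i> form of the keyfile include is the BIND zone file directive and is an assumption here, not text from this page.</p>

```shell
#!/bin/sh
# Added example (not part of ZKT): emulate the named.conf scan that
# "zkt-signer -N" performs, i.e. pick out master zone statements whose file
# name ends in ".signed", and pre-check the per-zone directory layout the
# man page asks for. Zone names, paths and the keyfile name are constructed
# for the demo; the ".signed" rule and the file names come from the man page.
set -eu

# signed_master_zones NAMED_CONF
# Print "zone<TAB>file" for every master zone whose file name ends in ".signed".
# Zone statements are assumed to be written one directive per line.
signed_master_zones() {
    awk '
        /^[ \t]*zone[ \t]+"/ {
            z = $0
            sub(/^[ \t]*zone[ \t]+"/, "", z); sub(/".*$/, "", z)
            zone = z; type = ""; file = ""
        }
        /^[ \t]*type[ \t]+/ { t = $2; sub(/;.*$/, "", t); type = t }
        /^[ \t]*file[ \t]+"/ {
            f = $0
            sub(/^[ \t]*file[ \t]+"/, "", f); sub(/".*$/, "", f)
            file = f
        }
        /^[ \t]*};/ {
            if (zone != "" && type == "master" && file ~ /\.signed$/)
                printf "%s\t%s\n", zone, file
            zone = ""
        }
    ' "$1"
}

# check_zone_layout ROOT ZONE SIGNEDFILE [KEYFILE]
# ROOT is the directory that file names in named.conf are relative to.
# Returns 0 when the layout matches the preparation steps:
#   - the zone directory is named like the zone,
#   - it holds zone.db and a (possibly empty) zone.db.signed,
#   - zone.db includes the keyfile (default dnskey.db, assumed $INCLUDE syntax).
check_zone_layout() {
    root=$1; zone=$2; signed=$3; keyfile=${4:-dnskey.db}
    dir=$root/$(dirname "$signed")
    if [ "$(basename "$dir")" != "$zone" ]; then
        echo "$zone: directory $(basename "$dir") is not named like the zone" >&2; return 1
    fi
    if [ ! -f "$dir/zone.db" ]; then
        echo "$zone: missing $dir/zone.db" >&2; return 1
    fi
    if [ "$(basename "$signed")" != "zone.db.signed" ] || [ ! -f "$dir/zone.db.signed" ]; then
        echo "$zone: missing $dir/zone.db.signed" >&2; return 1
    fi
    if ! grep -q "^[\$]INCLUDE[[:space:]][[:space:]]*$keyfile" "$dir/zone.db"; then
        echo "$zone: zone.db does not include $keyfile" >&2; return 1
    fi
    echo "$zone: ok"
}

# demo: build a constructed zone tree and named.conf in a temp dir, then run the checks.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/example.net." "$root/example.org."
    printf '$TTL 3600\n@ IN SOA ns1 hostmaster 1 3600 900 1209600 3600\n$INCLUDE dnskey.db\n' \
        > "$root/example.net./zone.db"
    : > "$root/example.net./zone.db.signed"
    cat > "$root/named.conf" <<'EOF'
options { directory "/var/named"; };
zone "example.net." {
    type master;
    file "example.net./zone.db.signed";
};
zone "example.org." {
    type master;
    file "example.org./zone.db";
};
zone "example.com." {
    type slave;
    file "example.com./zone.db.signed";
    masters { 192.0.2.1; };
};
EOF
    # Only example.net. is a master zone with a ".signed" file, so only it is checked.
    signed_master_zones "$root/named.conf" | while IFS="$(printf '\t')" read -r zone file; do
        check_zone_layout "$root" "$zone" "$file"
    done
    rm -rf "$root"
}

demo
```

<p style="margin-left:22%; margin-top: 1em">Run the checks from the directory that the file names in named.conf are relative to before the first <b>zkt-signer −N</b> call; every zone the scan would sign is reported either as ok or with the first missing piece of its layout. The awk scan expects one directive per line and does not handle zone statements written on a single line.</p>

<p style="margin-left:22%;">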
Create an empty
file with the name <i>zone.db</i><b>.signed</b> in the zone
directory.</p>

<p style="margin-left:11%;">Include the keyfile in the
zone.</p>

<p style="margin-left:22%;">The name of the keyfile can be
set by the <i>dnssec.conf</i> parameter <i>keyfile</i>.
The default is <i>dnskey.db</i>.</p>
<hr>
</body>
</html>