<!-- Creator     : groff version 1.20.1 -->
<!-- CreationDate: Sat Nov 27 20:13:08 2010 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta name="generator" content="groff -Thtml, see www.gnu.org">
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<meta name="Content-Style" content="text/css">
<style type="text/css">
       p       { margin-top: 0; margin-bottom: 0; vertical-align: top }
       pre     { margin-top: 0; margin-bottom: 0; vertical-align: top }
       table   { margin-top: 0; margin-bottom: 0; vertical-align: top }
       h1      { text-align: center }
</style>
<title>zkt-signer</title>

</head>
<body>

<h1 align="center">zkt-signer</h1>

<a href="#NAME">NAME</a><br>
<a href="#SYNOPSYS">SYNOPSIS</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#OPTIONS">OPTIONS</a><br>
<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
<a href="#Zone setup and initial preparation">Zone setup and initial preparation</a><br>

<hr>


<h2>NAME
<a name="NAME"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">zkt-signer
&mdash; Secure DNS zone signing tool</p>

<h2>SYNOPSIS
<a name="SYNOPSYS"></a>
</h2>



<p style="margin-left:11%; margin-top: 1em"><b>zkt-signer</b>
[<b>&minus;L</b> <i>file</i>] [<b>&minus;V</b> <i>view</i>]
[<b>&minus;c</b> <i>file</i>] [<b>&minus;O</b>
<i>optstr</i>] [<b>&minus;fhnr</b>] [<b>&minus;v</b>
[<b>&minus;v</b>]] <b>&minus;N</b> <i>named.conf</i>
[<i>zone ...</i>] <b><br>
zkt-signer</b> [<b>&minus;L</b> <i>file</i>]
[<b>&minus;V</b> <i>view</i>] [<b>&minus;c</b> <i>file</i>]
[<b>&minus;O</b> <i>optstr</i>] [<b>&minus;fhnr</b>]
[<b>&minus;v</b> [<b>&minus;v</b>]] [<b>&minus;D</b>
<i>directory</i>] [<i>zone ...</i>] <b><br>
zkt-signer</b> [<b>&minus;L</b> <i>file</i>]
[<b>&minus;V</b> <i>view</i>] [<b>&minus;c</b> <i>file</i>]
[<b>&minus;O</b> <i>optstr</i>] [<b>&minus;fhnr</b>]
[<b>&minus;v</b> [<b>&minus;v</b>]] <b>&minus;o</b>
<i>origin</i> [<i>zonefile</i>]</p>

<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">The
<i>zkt-signer</i> command is a wrapper around
<i>dnssec-signzone(8)</i> and <i>dnssec-keygen(8)</i> to
sign a zone and manage the necessary zone keys. It is able
to increment the serial number before signing the zone and
can trigger <i>named(8)</i> to reload the signed zone file.
The command controls several secure zones and, if started at
regular intervals via <i>cron(8)</i>, can do all of this
automatically.</p>

<p style="margin-left:11%; margin-top: 1em">In the most
useful usage scenario the command will be called with option
<b>&minus;N</b> to read the secure zones out of the given
<i>named.conf</i> file. If you have a configuration file
with views, you have to use option <b>&minus;V</b> <i>viewname</i> or
<b>&minus;&minus;view</b> <i>viewname</i> to specify the name of the view.
Alternatively you can link the executable file to a second name like
<i>zkt-signer-viewname</i> and use that command to specify
the name of the view. <br>
All master zone statements will be scanned for filenames
ending with &quot;.signed&quot;. For each of these zones it is
checked whether the necessary zone and key signing keys exist
and are fresh enough to be used in the signing process. If one or
more outdated keys are found, new keying material will be
generated via the <i>dnssec-keygen(8)</i> command and the
old keys will be marked as deprecated. So the command does
everything needed for a zone key rollover as defined by
[2].</p>

<p style="margin-left:11%; margin-top: 1em">If the
resigning interval is reached or any new key must be
announced, the serial number of the zone will be incremented
and the <i>dnssec-signzone(8)</i> command will be invoked to
sign the zone. After that, if the option <b>&minus;r</b> is
given, the <i>rndc(8)</i> command will be called to reload
the zone on the nameserver.</p>

<p style="margin-left:11%; margin-top: 1em">In the second
form of the command it is possible to specify a directory
tree with the option <b>&minus;D</b> <i>dir</i>. Every
secure zone found in a subdirectory below <i>dir</i> will be
signed. However, it is also possible to restrict the signing
to those zones given as arguments. <br>
If <b>&minus;D</b> is omitted (and neither <b>&minus;N</b>
nor <b>&minus;o</b> <i>origin</i> is specified) the default
directory specified in the <i>dnssec.conf</i> file by the
parameter <i>zonedir</i> will be used as top level
directory.</p>

<h2>OPTIONS
<a name="OPTIONS"></a>
</h2>



<p style="margin-left:11%; margin-top: 1em"><b>&minus;L</b>
<i>file|dir</i><b>,
&minus;&minus;logfile=</b><i>file|dir</i></p>

<p style="margin-left:22%;">Specify the name of a log file
or a directory where logfiles are created with a name like
zkt-<i>YYYY-MM-DD</i>T<i>hhmmss</i>Z.log. If the
argument is not an absolute path name and a zone directory
is specified in the config file, this will be prepended to
the given name. This option is also settable in the
dnssec.conf file via the parameter <b>LogFile</b>.
<br>
The default is no file logging, but error logging to syslog
with facility <b>USER</b> at level <b>ERROR</b> is enabled
by default. These parameters are settable via the config
file parameters <b>SyslogFacility</b>,
<b>SyslogLevel</b>, <b>LogFile</b> and
<b>Loglevel</b>. <br>
The additional parameter <b>VerboseLog</b> specifies the
verbosity (0|1|2) of messages that will be logged with level
<b>DEBUG</b> to file and syslog.</p>

<p style="margin-left:11%;"><b>&minus;V</b> <i>view</i><b>,
&minus;&minus;view=</b><i>view</i></p>

<p style="margin-left:22%;">Try to read the default
configuration out of a file named
<i>dnssec-&lt;view&gt;.conf</i>. Instead of specifying the
<b>&minus;V</b> or <b>&minus;&minus;view</b> option every time, it is also possible to
create a hard or soft link to the executable file with an
additional name like <i>zkt-signer-&lt;view&gt;</i>.</p>

<p style="margin-left:11%;"><b>&minus;c</b> <i>file</i><b>,
&minus;&minus;config=</b><i>file</i></p>

<p style="margin-left:22%;">Read configuration values out
of the specified file. Otherwise the default config file is
read or built-in defaults will be used.</p>

<p style="margin-left:11%;"><b>&minus;O</b>
<i>optstr</i><b>,
&minus;&minus;config-option=</b><i>optstr</i></p>

<p style="margin-left:22%;">Set any config file option via
the commandline. Several config file options can be
specified via the argument string but have to be delimited
by semicolon (or newline).</p>

<p style="margin-left:11%;"><b>&minus;f</b>,
<b>&minus;&minus;force</b></p>

<p style="margin-left:22%;">Force a resigning of the zone,
regardless of whether the resigning interval is reached or new keys
must be announced.</p>

<p style="margin-left:11%;"><b>&minus;n</b>,
<b>&minus;&minus;noexec</b></p>

<p style="margin-left:22%;">Don&rsquo;t execute the
<i>dnssec-signzone(8)</i> command. Currently this option is
of very limited use.</p>

<p style="margin-left:11%;"><b>&minus;r</b>,
<b>&minus;&minus;reload</b></p>

<p style="margin-left:22%;">Reload the zone via
<i>rndc(8)</i> after successful signing. In a production
environment it is recommended to use this option to be sure
that a freshly signed zone will be immediately propagated.
However, that&rsquo;s only feasible if named runs on the
signing machine, which is not recommended.</p>

<p style="margin-left:11%;"><b>&minus;v</b>,
<b>&minus;&minus;verbose</b></p>

<p style="margin-left:22%;">Verbose mode (recommended). A
second <b>&minus;v</b> will be a little more verbose.</p>

<p style="margin-left:11%;"><b>&minus;h</b>,
<b>&minus;&minus;help</b></p>

<p style="margin-left:22%;">Print out the online help.</p>

<h2>SAMPLE USAGE
<a name="SAMPLE USAGE"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em"><b>zkt-signer
&minus;N /var/named/named.conf &minus;r &minus;v
&minus;v</b></p>

<p style="margin-left:22%;">Sign all secure zones found in
the named.conf file and, if necessary, trigger a reload of
the zone. Print some explanatory remarks on stdout.</p>

<p style="margin-left:11%;"><b>zkt-signer &minus;D
zonedir/example.net. &minus;f &minus;v &minus;v</b></p>

<p style="margin-left:22%;">Force the signing of the zone
found in the directory <i>zonedir/example.net.</i> Do not
reload the zone.</p>

<p style="margin-left:11%;"><b>zkt-signer &minus;D zonedir
&minus;f &minus;v &minus;v example.net.</b></p>

<p style="margin-left:22%;">Same as above.</p>

<p style="margin-left:11%;"><b>zkt-signer &minus;f &minus;v
&minus;v example.net.</b></p>

<p style="margin-left:22%;">Same as above if the
<i>dnssec.conf</i> file contains the path of the parent
directory of the <i>example.net</i> zone.</p>

<p style="margin-left:11%;"><b>zkt-signer &minus;f &minus;v
&minus;v &minus;o example.net. zone.db</b></p>

<p style="margin-left:22%;">Same as above if we are in the
directory containing the <i>example.net</i> files.</p>

<p style="margin-left:11%;"><b>zkt-signer
&minus;&minus;config-option='ResignInterval 1d;
Sigvalidity 28h; ZSKlifetime 2d;'
&minus;v &minus;v &minus;o example.net. zone.db</b></p>

<p style="margin-left:22%;">Sign the example.net zone but
override some config file values with parameters given on
the commandline.</p>

<h2>Zone setup and initial preparation
<a name="Zone setup and initial preparation"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">Create a
separate directory for every secure zone.</p>

<p style="margin-left:22%;">This is useful because there
are many additional files needed to secure a zone. Besides
the zone file (<i>zone.db</i>), there is a signed zone file
(<i>zone.db.signed</i>), a minimum of four files containing
the key material, a file called <i>dnskey.db</i> with the
currently used keys, and the <i>dsset-</i> and
<i>keyset-</i> files created by the <i>dnssec-signzone(8)</i>
command. So in summary there is a minimum of nine files used
per secure zone. For every additional key there are two
extra files, and every delegated subzone also creates two or
three files.</p>

<p style="margin-left:11%;">Name the directory just like
the zone.</p>

<p style="margin-left:22%;">That&rsquo;s only needed if you
want to use the zkt-signer command in directory mode
(<b>&minus;D</b>). Then the name of the zone will be parsed
out of the directory name.</p>

<p style="margin-left:11%;">Change the name of the zone
file to <i>zone.db</i></p>

<p style="margin-left:22%;">Otherwise you have to set the
name via the <i>dnssec.conf</i> parameter <i>zonefile</i>,
or you have to use the option <b>&minus;o</b> to name the
zone and specify the zone file as argument.</p>

<p style="margin-left:11%;">Add the name of the signed
zonefile to the <i>named.conf</i> file</p>

<p style="margin-left:22%;">The filename is the name of the
zone file with the extension <i>.signed</i>. Create an empty
file with the name <i>zone.db</i><b>.signed</b> in the zone
directory.</p>

<p style="margin-left:11%;">Include the keyfile in the
zone.</p>

<p style="margin-left:22%;">The name of the keyfile is
settable by the <i>dnssec.conf</i> parameter
<i>keyfile</i>. The default is <i>dnskey.db</i>.</p>
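<p style="margin-left:11%; margin-top: 1em">The setup steps above, together with the named.conf scan that <b>&minus;N</b> performs as described under DESCRIPTION, as an added shell example that is not part of the zkt-signer distribution: it lays out one zone directory, prints the matching named.conf stanza, and reports which expected file is missing before a signing run would fail on it. The working directory, zone name and the <i>zkt_*</i> function names are this example's own constructed values.</p>

```sh
#!/bin/sh
# Added example, not part of zkt-signer: lay out one secure zone the way the
# "Zone setup" steps describe and check what a -N / -D run expects to find.
# Zone names and paths are constructed sample values.
set -eu

# zkt_prepare_zone ZONEDIR ZONENAME: directory named like the zone, an
# unsigned zone.db that $INCLUDEs the key file, an empty zone.db.signed
# placeholder, and the matching named.conf stanza printed on stdout.
zkt_prepare_zone() {
    zonedir=$1; zone=$2
    dir="$zonedir/$zone"
    mkdir -p "$dir"
    cat > "$dir/zone.db" <<EOF
\$TTL 3600
$zone IN SOA ns1.$zone hostmaster.$zone ( 2010112701 3600 900 1209600 3600 )
$zone IN NS ns1.$zone
ns1.$zone IN A 192.0.2.1
\$INCLUDE dnskey.db
EOF
    : > "$dir/zone.db.signed"      # filled in later by dnssec-signzone
    printf 'zone "%s" {\n\ttype master;\n\tfile "%s/zone.db.signed";\n};\n' \
        "${zone%.}" "$dir"
}

# zkt_check_zone ZONEDIR ZONENAME: 0 when zone.db, zone.db.signed and the
# $INCLUDE of the key file are all present, 1 (reason on stderr) otherwise.
zkt_check_zone() {
    dir="$1/$2"
    [ -f "$dir/zone.db" ] || { echo "missing $dir/zone.db" >&2; return 1; }
    [ -f "$dir/zone.db.signed" ] || { echo "missing $dir/zone.db.signed" >&2; return 1; }
    grep -q '^\$INCLUDE[[:space:]]\{1,\}dnskey\.db' "$dir/zone.db" \
        || { echo "$dir/zone.db does not include dnskey.db" >&2; return 1; }
}

# zkt_signed_zones NAMED_CONF: print the zones zkt-signer -N would select,
# i.e. master zone statements whose file name ends in ".signed".
zkt_signed_zones() {
    awk '/^[[:space:]]*zone[[:space:]]+"/ { gsub(/"/, "", $2); z = $2; m = 0; s = 0 }
         /type[[:space:]]+master/          { m = 1 }
         /file[[:space:]]+".*\.signed"/    { s = 1 }
         /^[[:space:]]*};/                 { if (m && s) print z }' "$1"
}
```

Source the file and run <i>zkt_prepare_zone /var/named example.net.</i> to print the stanza for review; <i>zkt_signed_zones /var/named/named.conf</i> then lists the zones a <b>&minus;N</b> run will touch.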
<hr>
</body>
</html>
