Man page - dnst-signzone(1)
DNST-SIGNZONE
NAME
dnst-signzone - Sign the zone with the given key(s)
SYNOPSIS
dnst signzone [OPTIONS] -o <ORIGIN> <ZONEFILE> <KEY>...
DESCRIPTION
dnst signzone signs the zonefile with the given key(s).
Signing a zone adds DNS Security Extensions (DNSSEC) resource records to it: the DNSKEY RRs of the keys used (unless -d is given), an RRSIG for each RRset, and an NSEC or NSEC3 chain for authenticated denial of existence.
Keys must be specified by their base name (usually K<name>+<alg>+<id>), i.e. WITHOUT the .private or .key extension. Both the .private and the .key file are required for every key.
ARGUMENTS
<ZONEFILE>
The zonefile to sign. Any existing NSEC(3) and/or RRSIG resource records will be skipped when loading the file.
<KEY>...
The keys to sign the zonefile with.
OPTIONS
-d
Do not add used keys to the resulting zonefile.
-e <DATE>
Set the expiration date of signatures to this date (see DATES). Defaults to 4 weeks from now.
-f <FILE>
Write the signed zone to this file. Use -f - to output to stdout. Defaults to <ZONEFILE>.signed.
-i <DATE>
Set the inception date of signatures to this date (see DATES). Defaults to now.
-o <DOMAIN>
Use this owner name as the apex of the zone. Mandatory.
-u
Set the SOA serial to the number of seconds since Jan 1st 1970. If this would NOT result in the SOA serial increasing, it is incremented instead.
-n
Use NSEC3 instead of NSEC. By default, RFC 9276 best practice settings are used: SHA-1, no extra iterations, empty salt. To use different NSEC3 settings see NSEC3 OPTIONS.
-A
Sign DNSKEYs with all keys instead of the minimal set.
-U
Sign with every unique algorithm in the provided keys.
-z <[SCHEME:]HASH>
Add a ZONEMD resource record. Accepts both mnemonics and numbers. This option can be provided more than once to add multiple ZONEMD RRs. However, only one per scheme-hash tuple will be added. HASH supports SHA384 (1) and SHA512 (2). SCHEME supports SIMPLE (1), the default.
-Z
Allow adding ZONEMD RRs without signing the zone. With this option, the <KEY>... argument becomes optional and determines whether to sign the zone.
-H
Hash only, don't sign. With this option, the normally mandatory <KEY>... argument can be omitted.
-h, --help
Print the help text (short summary with -h, long help with --help).
OUTPUT FORMATTING OPTIONS
The following options can be used to affect the format of the output.
-b
Add comments on DNSSEC records. Without this option only DNSKEY RRs will have their key tag annotated in the comment.
-L
Precede the zone output by a list that contains the NSEC3 hashes of the original owner names.
-O
Order NSEC3 RRs by unhashed owner name.
-R
Order RRSIG RRs by the record type that they cover.
-T
Output YYYYMMDDHHmmSS RRSIG timestamps instead of seconds since epoch.
NSEC3 OPTIONS
The following options can be used with -n to override the default NSEC3 settings.
-s <STRING>
Specify the salt as a hex string. Defaults to -, meaning empty salt.
-t <NUMBER>
Set the number of extra hash iterations. Defaults to 0.
-p
Set the opt-out flag on all NSEC3 RRs.
-P
Set the opt-out flag on all NSEC3 RRs and skip unsigned delegations.
DATES
A date can be a UNIX timestamp as seconds since the Epoch (1970-01-01 00:00 UTC), or of the form <YYYYMMdd[hhmmss]>.
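The following wrapper is an added example of how the options above fit together in practice; it is not part of dnst or of this manual. It assumes dnst is on PATH and that the key files already exist (the key name in the usage line is a placeholder). Two things in it go beyond what this page states and are assumptions: the one-hour backdating of the inception date is a common operational precaution against validator clock skew, not a dnst default (the documented -i default is "now"), and the serial helper uses RFC 1982 serial arithmetic to decide what "increasing" means for -u, which the page does not specify. Use the helper to sanity-check the serial in the signed output, not as a definition of the tool's behaviour. The date converter treats 8- and 14-digit values as dates and any other length as a UNIX timestamp; that tie-break is also an assumption.

```shell
#!/bin/sh
# Added example, not part of dnst or this manual: a wrapper around
# `dnst signzone` that makes the signature window explicit, validates the
# key base names before calling the tool, and mirrors the -u serial rule so
# the serial written into the signed zone can be sanity-checked.
set -eu

# Convert a DATES value to seconds since the epoch. As on this page, the value
# is YYYYMMDD, YYYYMMDDhhmmss (both UTC) or a UNIX timestamp; here any length
# other than 8 or 14 is treated as a timestamp (assumption). Uses the
# days-from-civil formula so GNU date(1) is not required.
dates_to_epoch() {
    s=$1
    case "$s" in *[!0-9]*|'') echo "dates_to_epoch: bad date '$s'" >&2; return 1 ;; esac
    case "${#s}" in
        8)  s="${s}000000" ;;   # date only: midnight UTC
        14) ;;
        *)  echo "$s"; return 0 ;;
    esac
    y=${s%??????????}; r=${s#????}
    mo=${r%????????};  r=${r#??}
    d=${r%??????};     r=${r#??}
    h=${r%????};       r=${r#??}
    mi=${r%??};        se=${r#??}
    # strip one leading zero so "08"/"09" are not read as octal
    mo=${mo#0}; d=${d#0}; h=${h#0}; mi=${mi#0}; se=${se#0}
    if [ "$mo" -le 2 ]; then y=$((y - 1)); mp=$((mo + 9)); else mp=$((mo - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    days=$((era * 146097 + doe - 719468))
    echo $((days * 86400 + h * 3600 + mi * 60 + se))
}

# True if serial $1 comes after serial $2 in 32-bit serial space (RFC 1982).
# A difference of exactly 2^31 is undefined by the RFC and reported as false.
serial_after() {
    if [ "$1" -gt "$2" ]; then
        [ $(( $1 - $2 )) -lt 2147483648 ]
    elif [ "$1" -lt "$2" ]; then
        [ $(( $2 - $1 )) -gt 2147483648 ]
    else
        return 1
    fi
}

# The rule documented for -u: the serial becomes "now" unless that would not
# increase it, in which case the current serial is incremented (assumption:
# "increase" is judged with RFC 1982 arithmetic, so the value wraps at 2^32).
next_serial() {
    cur=$1; now=$2
    if serial_after "$now" "$cur"; then
        echo "$now"
    else
        echo $(( (cur + 1) % 4294967296 ))
    fi
}

# Sign ZONEFILE for ORIGIN with the key base names that follow. Each key needs
# both its .key and .private file (see DESCRIPTION). Inception is backdated one
# hour so validators with slightly skewed clocks do not see signatures from the
# future; expiration matches the documented -e default of four weeks. Override
# either with INCEPTION= / EXPIRATION= in DATES form.
sign_zone() {
    zone=$1; origin=$2; shift 2
    now=$(date +%s)
    inception=$(dates_to_epoch "${INCEPTION:-$((now - 3600))}")
    expiration=$(dates_to_epoch "${EXPIRATION:-$((now + 28 * 86400))}")
    if [ "$inception" -ge "$expiration" ]; then
        echo "sign_zone: inception $inception is not before expiration $expiration" >&2
        return 1
    fi
    for k in "$@"; do
        if [ ! -f "$k.key" ] || [ ! -f "$k.private" ]; then
            echo "sign_zone: $k needs both $k.key and $k.private" >&2
            return 1
        fi
    done
    # -n: NSEC3 with the RFC 9276 defaults; -u: serial from the clock;
    # -b: comment DNSSEC records; -z: add a ZONEMD RR with SIMPLE/SHA384.
    dnst signzone -n -u -b -z SIMPLE:SHA384 \
        -i "$inception" -e "$expiration" \
        -o "$origin" -f "$zone.signed" "$zone" "$@"
}

# Usage: ./sign.sh example.org.zone example.org Kexample.org.+013+12345 [more keys]
if [ $# -ge 3 ]; then
    sign_zone "$@"
fi
```

After signing, compare the SOA serial in <ZONEFILE>.signed against `next_serial <old serial> <signing time>`; a mismatch means either the zone's serial was already ahead of the clock (the increment branch) or the tool judges "increasing" differently from the RFC 1982 assumption above.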
AUTHOR
NLnet Labs
COPYRIGHT
2024–2026, NLnet Labs