Man page - dnst-signzone(1)
| DNST-SIGNZONE(1) | dnst | DNST-SIGNZONE(1) |
NAME
dnst-signzone - Sign the zone with the given key(s)
SYNOPSIS
dnst signzone [OPTIONS] -o <ORIGIN> <ZONEFILE> <KEY>...
DESCRIPTION
dnst signzone signs the zonefile with the given key(s).
Signing a zone adds DNS Security Extensions (DNSSEC) resource records to it.
Keys must be specified by their base name (usually K<name>+<alg>+<id>), i.e. WITHOUT the .private or .key extension. Both .private and .key files are required.
ARGUMENTS
- <ZONEFILE>
- The zonefile to sign. Any existing NSEC(3) and/or RRSIG resource records will be skipped when loading the file.
- <KEY>...
- The keys to sign the zonefile with.
OPTIONS
- -d
- Do not add used keys to the resulting zonefile.
- -e <DATE>
- Set the expiration date of signatures to this date (see DATES). Defaults to 4 weeks from now.
- -f <FILE>
- Write signed zone to file. Use -f - to output to stdout. Defaults to <ZONEFILE>.signed.
- -i <DATE>
- Set the inception date of signatures to this date (see DATES). Defaults to now.
- -o <DOMAIN>
- Use this owner name as the apex of the zone. Mandatory.
- -u
- Set SOA serial to the number of seconds since Jan 1st 1970. If this would NOT result in the SOA serial increasing, it will be incremented instead.
- -n
- Use NSEC3 instead of NSEC. By default, RFC 9276 best practice settings are used: SHA-1, no extra iterations, empty salt. To use different NSEC3 settings, see NSEC3 OPTIONS.
- -A
- Sign DNSKEYs with all keys instead of the minimal set.
- -U
- Sign with every unique algorithm in the provided keys.
- -z <[SCHEME:]HASH>
- Add a ZONEMD resource record. Accepts both mnemonics and numbers. This option can be provided more than once to add multiple ZONEMD RRs. However, only one per scheme-hash tuple will be added. HASH supports SHA384 (1) and SHA512 (2). SCHEME supports SIMPLE (1), the default.
- -Z
- Allow adding ZONEMD RRs without signing the zone. With this option, the <KEY>... argument becomes optional and determines whether to sign the zone.
- -H
- Hash only, don't sign. With this option, the normally mandatory <KEY>... argument can be omitted.
- -h, --help
- Print the help text (short summary with -h, long help with --help).
OUTPUT FORMATTING OPTIONS
The following options can be used to affect the format of the output.
- -b
- Add comments on DNSSEC records. Without this option only DNSKEY RRs will have their key tag annotated in the comment.
- -L
- Precede the zone output with a list containing the NSEC3 hashes of the original owner names.
- -O
- Order NSEC3 RRs by unhashed owner name.
- -R
- Order RRSIG RRs by the record type that they cover.
- -T
- Output YYYYMMDDHHmmSS RRSIG timestamps instead of seconds since epoch.
NSEC3 OPTIONS
The following options can be used with -n to override the default NSEC3 settings used.
- -s <STRING>
- Specify the salt as a hex string. Defaults to -, meaning empty salt.
- -t <NUMBER>
- Set the number of extra hash iterations. Defaults to 0.
- -p
- Set the opt-out flag on all NSEC3 RRs.
- -P
- Set the opt-out flag on all NSEC3 RRs and skip unsigned delegations.
DATES
A date can be a UNIX timestamp as seconds since the Epoch (1970-01-01 00:00 UTC), or of the form <YYYYMMdd[hhmmss]>.
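The following added example (not dnst's own code) models two rules stated in this manual: the DATES syntax accepted by -i and -e, with their documented defaults, and the SOA serial rule applied by -u. The function names and the rule that 8 or 14 digits denote a calendar date rather than a UNIX timestamp are assumptions of this example.

```python
"""Added example, not part of dnst: models the DATES syntax of -i/-e and
the SOA serial rule of -u. Names and the digit-length rule are assumptions."""
from datetime import datetime, timezone
from typing import Optional, Tuple

SERIAL_MODULUS = 1 << 32          # SOA serial is a 32-bit unsigned integer
FOUR_WEEKS = 4 * 7 * 24 * 3600    # default signature lifetime from the manual


def parse_date(text: str) -> int:
    """Parse a DATES value into seconds since the Epoch.

    Assumption: 8 digits are read as YYYYMMdd and 14 as YYYYMMddhhmmss,
    both in UTC; any other run of digits is a UNIX timestamp.
    """
    if not text.isdigit():
        raise ValueError(f"not a DATES value: {text!r}")
    if len(text) == 8:
        dt = datetime.strptime(text, "%Y%m%d")
    elif len(text) == 14:
        dt = datetime.strptime(text, "%Y%m%d%H%M%S")
    else:
        return int(text)
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def signature_window(now: int, inception: Optional[str] = None,
                     expiration: Optional[str] = None) -> Tuple[int, int]:
    """Resolve -i/-e with the documented defaults (now, now + 4 weeks) and
    reject a window whose signatures could never validate."""
    inc = parse_date(inception) if inception else now
    exp = parse_date(expiration) if expiration else now + FOUR_WEEKS
    if exp <= inc:
        raise ValueError(f"expiration {exp} is not after inception {inc}")
    return inc, exp


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: is serial a greater than b in 32-bit space?"""
    a, b = a % SERIAL_MODULUS, b % SERIAL_MODULUS
    half = SERIAL_MODULUS // 2
    return a != b and ((a < b and b - a > half) or (a > b and a - b < half))


def unixtime_serial(current: int, now: int) -> int:
    """-u rule: use the current UNIX time as the SOA serial unless that would
    not increase the serial; in that case increment the old serial by one."""
    candidate = now % SERIAL_MODULUS
    if serial_gt(candidate, current):
        return candidate
    return (current + 1) % SERIAL_MODULUS
```

A zone that already uses a YYYYMMDDnn-style serial is numerically above any current UNIX time, so with -u it is incremented by one rather than replaced.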
AUTHOR
NLnet Labs
COPYRIGHT
2024–2026, NLnet Labs
| March 5, 2026 | 0.2.0-alpha1 |