
dnssec-signzone(1)

HP-UX 11i Version 2: December 2007 Update

NAME

dnssec-signzone — DNSSEC zone signing tool

SYNOPSIS

dnssec-signzone [-a] [-c cycle-time] [-d directory] [-e end-time] [-f output-file] [-h] [-i interval] [-n ncpus] [-o origin] [-p] [-r randomdev] [-s start-time] [-t] [-v level] zonefile [keyfile ...]

DESCRIPTION

dnssec-signzone is used to sign a zone. Any .signedkey files for the zone to be signed should be present in the current directory, along with the keys that will be used to sign the zone.

Arguments

zonefile

This is the name of the unsigned zone file.

keyfile

If no keyfile arguments are supplied, the default behaviour is to use all of the zone's keys that are present in the current directory. Providing specific keyfile arguments constrains dnssec-signzone to use only those keys for signing the zone. Each keyfile argument is the identification string of a key created with dnssec-keygen.

If the zone to be signed has any secure subzones, the .signedkey files for those subzones need to be available in the current working directory used by dnssec-signzone.

Options

-a

This option is used to force verification of the signatures generated by dnssec-signzone. By default the signature files are not verified.

-c cycle-time

This option is used to configure the cycle period which is used for resigning records when a previously signed zone is passed as input to dnssec-signzone. The cycle period is an offset from the current time (in seconds). If a SIG record expires after the cycle period, it is retained. Otherwise, it is considered to be expiring soon, and dnssec-signzone will remove it and generate a new SIG record to replace it.

-d directory

This option makes dnssec-signzone look for .signedkey files in directory instead of the current directory.

-e end-time

This option is used to set the expiration time for the SIG records. The expiration time specifies when the SIG records are no longer valid, not when they are deleted from caches on name servers. end-time can represent an absolute or relative date.

The YYYYMMDDHHMMSS notation is used to indicate an absolute date and time.

When end-time is +N, it indicates that the SIG records will expire in N seconds after their start time.

-f output-file

This option names the file that the signed zone is written to, overriding the default output file name of zonefile.signed.

-h

This option is used to print a short summary of the options and arguments to dnssec-signzone.

-i interval

When a previously signed zone is passed as input, records may be resigned. The interval option specifies the cycle interval as an offset from the current time (in seconds). If a SIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.

The default cycle interval is one quarter of the difference between the signature end and start times. So if neither end-time nor start-time is specified, dnssec-signzone generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing SIG records are due to expire in less than 7.5 days, they would be replaced.

-n ncpus

This option can be used to create worker threads equal to ncpus to take advantage of multiple CPUs. If no option is given, named will try to determine the number of CPUs present and create one thread per CPU.

-o origin

This option specifies the zone origin. If not specified, the name of the zone file is assumed to be the origin.

-p

This option instructs dnssec-signkey to use pseudo-random data when signing the keys. This is faster, but less secure, than using genuinely random data for signing. This option may be useful when there are many child zone key sets to sign or if the entropy source is limited. It could also be used for short-lived keys and signatures that don't require as much protection against cryptanalysis, such as when the key will be discarded long before it could be compromised.

-r randomdev

This option overrides the source of random data that dnssec-signzone uses to seed the signing process. By default, dnssec-signzone reads random numbers from /dev/random; if the system has no /dev/random device, the program prompts for keyboard input and uses the time intervals between keystrokes to provide randomness. With this option, randomdev is used as the source of random data instead.

-s start-time

This option is used to specify the date and time when the generated SIG records become valid. start-time can either be an absolute or relative date.

An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; for example, 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.

A relative start time is supplied when start-time is given as +N specifying N seconds from the current time.

If no -s option is supplied, the current date and time is used for the start time of the SIG records.
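The following is an added example, not part of the HP-UX man page or of the BIND distribution. It models the time handling described for -s, -e and -i above: absolute YYYYMMDDHHMMSS and relative +N time specifications, the 30-day default validity window, the default cycle interval of one quarter of that window, and the retain-or-replace decision applied to an existing SIG record when a signed zone is resigned. The function names and the timestamps used in the demonstration are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y%m%d%H%M%S"                 # dnssec-signzone's absolute time notation (UTC)
DEFAULT_VALIDITY = timedelta(days=30)  # validity when neither -s nor -e is given


def parse_time(spec, base):
    """Parse an absolute YYYYMMDDHHMMSS time or a relative +N (N seconds after base)."""
    if spec.startswith("+"):
        return base + timedelta(seconds=int(spec[1:]))
    if len(spec) == 14 and spec.isdigit():
        return datetime.strptime(spec, FMT).replace(tzinfo=timezone.utc)
    raise ValueError(f"bad time specification: {spec!r}")


def validity_window(now_spec, start_spec=None, end_spec=None):
    """Return (start, end, cycle_interval_seconds) for the SIG records one run would make.

    now_spec is an absolute time standing in for "the current time".  As the man page
    states: -s defaults to now, a relative -e counts from the start time (not from now),
    no -e means 30 days of validity, and the default -i is a quarter of the window.
    """
    now = parse_time(now_spec, None)
    start = parse_time(start_spec, now) if start_spec else now
    end = parse_time(end_spec, start) if end_spec else start + DEFAULT_VALIDITY
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    interval = (end - start) / 4
    return start.strftime(FMT), end.strftime(FMT), int(interval.total_seconds())


def sig_action(sig_expiry_spec, now_spec, interval_seconds):
    """Decide what resigning does with an existing SIG record.

    A SIG that still expires after now + cycle interval is retained; one expiring
    at or before that point is considered to be expiring soon and is replaced.
    """
    now = parse_time(now_spec, None)
    expiry = parse_time(sig_expiry_spec, now)
    return "retain" if expiry > now + timedelta(seconds=interval_seconds) else "replace"


if __name__ == "__main__":
    now = "20000530144500"  # constructed "current time": 14:45:00 UTC, May 30th 2000
    start, end, interval = validity_window(now)
    print(f"defaults: start={start} end={end} cycle interval={interval / 86400} days")
    for expiry in ("+432000", "+864000"):  # SIGs expiring in 5 and 10 days
        print(f"SIG expiring {expiry}s from now: {sig_action(expiry, now, interval)}")
```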

-t

This option is used to print the statistics at the time of completion.

-v level

This option is used to make dnssec-signzone more verbose. As the debugging/tracing level, level, increases, dnssec-signzone generates increasingly detailed reports about what it is doing. The default level is zero.

EXAMPLE

The example below shows how dnssec-signzone could be used to sign the example.com zone with the key that was generated in the example given in the man page for dnssec-keygen. The zone file for this zone is example.com, which is the same as the origin, so there is no need to use the -o option to set the origin. This zone file contains the key set for example.com that was created by dnssec-makekeyset. The zone's keys are either appended to the zone file or incorporated using a $INCLUDE statement. If there is a .signedkey file from the parent zone (i.e., example.com.signedkey), it should be present in the current directory. This allows the parent zone's signature to be included in the signed version of the example.com zone.

dnssec-signzone example.com Kexample.com.+003+26160

dnssec-signzone will create a file called example.com.signed, the signed version of the example.com zone. This file can then be referenced in a zone{} statement in /etc/named.conf so that it can be loaded by the name server.

FILES

/dev/random