dnssigner -- nssigner - add signatures to DNS zone files


   dnssigner [signer-name default_signer] [boot-file file] [debug-file file]
             [out-dir directory] [seq-no number] [expiration-time [(+ |
             =)]time] [hide] [noaxfr] [nosign] [verify] [update-zonekey]


   Dnssigner (Sign DNS zone database) is a tool to generate signatures for
   DNS (Domain Name System) resource records.  It also generates NXT records
   for each zone.

signer-name default_signer Specifies a name of the key to use if no signer is defined using the $SIGNER directive in the boot files.

boot-file file Specifies the control file for dnssigner, which is in the same format as the BIND-4 named.boot file.

debug-file file Redirect debug output to the specified file; default is signer_out in the current directory.

out-dir directory Write signed files to thie specified directory; default is to use /tmp.

NOTE: Specify the full path to this directory; relative paths may not work.

expiration-time [(+ | =)] time Time when the signature records are to expire. Using either ``='' or no sign before the time argument (i.e., ``[=] time''), the time is interpreted as an absolute time in sec- onds when the records will expire. (NOTE: All such times are interpreted as Universal Times.) With ``+'' specified (i.e., ``+time''), the time time is interpreted as an offset into the future.

If not specified on the command line, the default expiration- time is 3600*24*30 sec (30 days).

seq-no number Force the serial number in the SOA records to the specified value. If this parameter is not set, the serial number will be set to a value based on the current time.

hide This flag will cause NXT records in zones with wildcard records to point to *.<zone> as the next host. The purpose of this flag is to hide all information about valid names in a zone.

noaxfr Turn of generation of zone transfer signature records, which validate the transfer of an entire zone.

nosign When this flag is specified, the boot files are read, NXT records are generated and zone file is written to the output directory. No SIG records are generated. This flag is useful for quickly checking the format of the data in the boot

files, and to have boot files sorted into DNSSEC order.

verify When this flag is present, dnssigner will verify all signed records and print out a confirmation message for each SIG verified. The main use of this flag is to see how long it takes to generate each signature.

update-zonekey If this flag is specified, then the zonekeys used to sign files will be updated with new records. Specify this flag if one or more of the keys have been updated. If there are no zonekeys specified in the boot files, this flag will insert them. Omitting zonekeys will cause primary nameservers to re- ject the zone.

-dlevel Debug level to use for running dnssigner; these levels are the same as those used by named(ADMN).


   Dnssigner reads BIND-4 named.boot and zone files, adds SIG and NXT
   records and writes out the records (to one file per zone, regardless of
   how many include files the original zone was in).  The files generated by
   dnssigner are ordinary textual zone files and are then normally loaded by
   named(ADMN) to serve the zone.  Dnssigner requires that the PRIVATE key(s)
   reside in the input directory.

Making manual changes to the output files is hazardous, because most changes will invalidate one or more signatures contained therein. This will cause the zone to fail to load into named(ADMN), or will cause subse- quent failures in retrieving records from the zone. It is far better to make changes in dnssigner's input files, and rerun dnssigner.

When dnssigner detects a delegation point, it creates a special file <zone_name>.PARENT which contains the RR's the parent zone signs for the child zone (NS, KEY, NXT). The intent is that the child will include this file when loading primary nameservers. Similarly, each zone file ends with the ``#include <zone_name>.PARENT'' command. The records in the .PARENT files are omitted from the SIG(AXFR) calculations as these records usually are on a different signing cycle.

The ``$SIGNER [keyname]'' directive can be used to change signers in a zone. If keyname is omitted, signing is turned off. Keys are loaded the first time the keys are accessed. Only records that are signed by the zone signer (the key that signs the SOA) are included in the SIG(AXFR) calculation. It is not generally recommended that multiple keys sign records in the same zone, unless this is useful for dynamic updates.


   No environmental variables are used.

See also

   named(ADMN),  RSAREF documentation, Internet-Draft draft-ietf-dnssec-
   secext-10.txt on Secure DNS, or its successor.


   Olafur Gudmundsson (


   The underlying crypto math is done by the RSAREF or BSAFE libraries.


"4th Berkeley Distribution October 25, 1996"
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003