dnst signzone

Synopsis

dnst signzone [OPTIONS] -o <ORIGIN> <ZONEFILE> <KEY>...

Description

dnst signzone signs the zonefile with the given key(s).

Signing a zone adds DNS Security Extensions (DNSSEC) resource records.

Keys must be specified by their base name (usually K<name>+<alg>+<id>), i.e. WITHOUT the .private or .key extension. Both .private and .key files are required.

Arguments

<ZONEFILE>

The zonefile to sign. Any existing NSEC(3) and/or RRSIG resource records will be skipped when loading the file.

<KEY>...

The keys to sign the zonefile with.

Options

-d

Do not add used keys to the resulting zonefile.

-e <DATE>

Set the expiration date of signatures to this date (see DATES). Defaults to 4 weeks from now.

-f <FILE>

Write signed zone to file. Use -f - to output to stdout. Defaults to <ZONEFILE>.signed.

-i <DATE>

Set the inception date of signatures to this date (see DATES). Defaults to now.

-o <DOMAIN>

Use this owner name as the apex of the zone. Mandatory.

-u

Set SOA serial to the number of seconds since Jan 1st 1970.

If this would NOT result in the SOA serial increasing, it will be incremented instead.

-n

Use NSEC3 instead of NSEC. By default, RFC 9276 best practice settings are used: SHA-1, no extra iterations, empty salt. To use different NSEC3 settings, see NSEC3 options.

-A

Sign DNSKEYs with all keys instead of the minimal set.

-U

Sign with every unique algorithm in the provided keys.

-z <[SCHEME:]HASH>

Add a ZONEMD resource record. Accepts both mnemonics and numbers. This option can be provided more than once to add multiple ZONEMD RRs. However, only one per scheme-hash tuple will be added.

HASH supports SHA384 (1) and SHA512 (2).
SCHEME supports SIMPLE (1), the default.

-Z

Allow adding ZONEMD RRs without signing the zone. With this option, the <KEY>... argument becomes optional and determines whether to sign the zone.

-H

Hash only, don't sign. With this option, the normally mandatory <KEY>... argument can be omitted.

-h, --help

Print the help text (short summary with -h, long help with --help).

Output formatting options

The following options can be used to affect the format of the output.

-b

Add comments on DNSSEC records. Without this option only DNSKEY RRs will have their key tag annotated in the comment.

-L

Precede the zone output by a list that contains the NSEC3 hashes of the original owner names.

-O

Order NSEC3 RRs by unhashed owner name.

-R

Order RRSIG RRs by the record type that they cover.

-T

Output YYYYMMDDHHmmSS RRSIG timestamps instead of seconds since epoch.

NSEC3 options

The following options can be used with -n to override the default NSEC3 settings used.

-s <STRING>

Specify the salt as a hex string. Defaults to -, meaning empty salt.

-t <NUMBER>

Set the number of extra hash iterations. Defaults to 0.

-p

Set the opt-out flag on all NSEC3 RRs.

-P

Set the opt-out flag on all NSEC3 RRs and skip unsigned delegations.

DATES

A date can be a UNIX timestamp as seconds since the Epoch (1970-01-01 00:00 UTC), or of the form <YYYYMMdd[hhmmss]>.
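As an added illustration, not part of dnst or its documentation, the following Python resolves the signing parameters the way the -u, -i/-e and DATES text above describes. It assumes calendar dates are UTC, tells the two DATES forms apart by digit count, and reads "increasing" for the -u serial rule as RFC 1982 serial arithmetic; the inception/expiration ordering check is an extra sanity check, not something the page states.

```python
from datetime import datetime, timezone
from typing import Optional, Tuple

SERIAL_MOD = 1 << 32        # SOA serial is an unsigned 32-bit value
SERIAL_HALF = 1 << 31
FOUR_WEEKS = 4 * 7 * 86400  # documented default signature lifetime

def parse_date(text: str) -> int:
    """Parse a DATES value into seconds since the Epoch.

    Assumption of this example: 8 or 14 digits is the YYYYMMDD[hhmmss]
    form, read as UTC; any other digit count is a raw UNIX timestamp.
    """
    if not text.isdigit():
        raise ValueError(f"not a DATES value: {text!r}")
    if len(text) == 8:
        dt = datetime.strptime(text, "%Y%m%d")
    elif len(text) == 14:
        dt = datetime.strptime(text, "%Y%m%d%H%M%S")
    else:
        return int(text)
    return int(dt.replace(tzinfo=timezone.utc).timestamp())

def signature_window(now: int, inception: Optional[str],
                     expiration: Optional[str]) -> Tuple[int, int]:
    """Resolve -i/-e: inception defaults to now, expiration to 4 weeks later.
    The ordering check is an added sanity check, not documented above."""
    inc = parse_date(inception) if inception else now
    exp = parse_date(expiration) if expiration else now + FOUR_WEEKS
    if exp <= inc:
        raise ValueError("signature expiration must be after inception")
    return inc, exp

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: True when serial a is 'after' b on the 32-bit ring."""
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)

def unixtime_serial(current: int, now: int) -> int:
    """Serial chosen by -u: the UNIX time if that is an increase, else current+1.
    'Increase' is read as RFC 1982 serial arithmetic (assumption), so a serial
    near 2^32 is still replaced by the much smaller UNIX time."""
    candidate = now % SERIAL_MOD
    if serial_gt(candidate, current):
        return candidate
    return (current + 1) % SERIAL_MOD
```

A zone whose serial is already in YYYYMMDDnn form (e.g. 2024010101) is larger than the current UNIX time, so -u yields 2024010102 rather than jumping backwards.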