DNSSIGNER(1)                BSD Reference Manual                DNSSIGNER(1)

NAME
     dnssigner - add signatures to DNS zone files

SYNOPSIS
     dnssigner [signer-name default_signer] [boot-file file] [debug-file file]
               [out-dir directory] [seq-no number] [expiration-time [(+ |
               =)]time] [hide] [noaxfr] [nosign] [verify] [update-zonekey]
               [-dlevel]

DESCRIPTION
     Dnssigner (Sign DNS zone database) is a tool to generate signatures for
     DNS (Domain Name System) resource records.  It also generates NXT records
     for each zone.

     signer-name default_signer
             Specifies the name of the key to use if no signer is defined
             using the $SIGNER directive in the boot files.

     boot-file file
             Specifies the control file for dnssigner, which is in the same
             format as the BIND-4 named.boot file.

     debug-file file
             Redirect debug output to the specified file; default is
             signer_out in the current directory.

     out-dir directory
             Write signed files to the specified directory; default is to
             use /tmp.
             NOTE: Specify the full path to this directory; relative paths
             may not work.

     expiration-time [(+ | =)] time
             Time when the signature records are to expire.  Using either
             ``='' or no sign before the time argument (i.e., ``[=]time''),
             the time is interpreted as an absolute time in seconds when the
             records will expire.  (NOTE: All such times are interpreted as
             Universal Times.)  With ``+'' specified (i.e., ``+time''), the
             time is interpreted as an offset into the future.
             If not specified on the command line, the default
             expiration-time is 3600*24*30 sec (30 days).

     seq-no number
             Force the serial number in the SOA records to the specified
             value.  If this parameter is not set, the serial number will be
             set to a value based on the current time.

     hide    This flag will cause NXT records in zones with wildcard records
             to point to *.<zone> as the next host.  The purpose of this flag
             is to hide all information about valid names in a zone.

     noaxfr  Turn off generation of zone transfer signature records, which
             validate the transfer of an entire zone.

     nosign  When this flag is specified, the boot files are read, NXT
             records are generated and the zone file is written to the output
             directory.  No SIG records are generated.  This flag is useful
             for quickly checking the format of the data in the boot files,
             and for having boot files sorted into DNSSEC order.

     verify  When this flag is present, dnssigner will verify all signed
             records and print out a confirmation message for each SIG
             verified.  The main use of this flag is to see how long it takes
             to generate each signature.

     update-zonekey
             If this flag is specified, then the zonekeys used to sign files
             will be updated with new records.  Specify this flag if one or
             more of the keys have been updated.  If there are no zonekeys
             specified in the boot files, this flag will insert them.
             Omitting zonekeys will cause primary nameservers to reject the
             zone.

     -dlevel Debug level to use for running dnssigner; these levels are the
             same as those used by NAMED(8).
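     The following is an added illustration, not code from dnssigner, of how
     the expiration-time and seq-no arguments above can be interpreted: the
     three spellings of expiration-time, the 30-day default, the UTC-only
     rendering of a SIG time, and a serial-arithmetic check that is worth
     running before forcing seq-no.  The function names, the explicit now
     parameter, the sample time and the epoch-seconds serial derivation are
     assumptions made here; the manual only says the serial is "based on the
     current time".

```python
import time

# Added illustration (not dnssigner's code) of the expiration-time and
# seq-no handling described in the manual.  Function names, the explicit
# 'now' argument and the epoch-seconds serial are assumptions.

DEFAULT_EXPIRATION = 3600 * 24 * 30   # documented default: 30 days


def parse_expiration_time(arg, now):
    """Turn the expiration-time argument into an absolute UTC epoch time.

    '+N'      offset of N seconds into the future, relative to 'now'
    '=N', 'N' absolute time, N seconds since the epoch, Universal Time
    None      option not given: 'now' plus the 30-day default
    """
    if arg is None:
        return now + DEFAULT_EXPIRATION
    if arg.startswith("+"):
        return now + int(arg[1:])
    if arg.startswith("="):
        return int(arg[1:])
    return int(arg)


def sig_time_text(epoch):
    """Presentation form of a SIG time field, YYYYMMDDHHMMSS in UTC.
    gmtime, never localtime: the manual says all times are Universal Time."""
    return time.strftime("%Y%m%d%H%M%S", time.gmtime(epoch))


def soa_serial(now, seq_no=None):
    """seq-no forces the SOA serial; otherwise derive one from the current
    time.  Assumption: use the UTC epoch seconds, which fit the 32-bit
    serial field and increase monotonically between runs."""
    return int(seq_no) if seq_no is not None else int(now)


def serial_advances(old, new):
    """Serial-number arithmetic (RFC 1982): secondaries only pick up a new
    zone when 'new' is greater than 'old' modulo 2**32, i.e. the difference
    lies strictly between 0 and 2**31.  A forced seq-no that fails this
    check is silently ignored by secondaries, so check before forcing it."""
    diff = (new - old) % (1 << 32)
    return 0 < diff < (1 << 31)


if __name__ == "__main__":
    now = 896140800                 # constructed 'now': 1998-05-26 00:00:00 UTC
    for arg in (None, "+3600", "=900000000", "900000000"):
        exp = parse_expiration_time(arg, now)
        print("%-12s -> %d (%s)" % (arg, exp, sig_time_text(exp)))
    old = 1998052601                # constructed: a date-style serial already served
    forced = soa_serial(now, seq_no=1998052600)
    print("forced serial %d advances from %d: %s"
          % (forced, old, serial_advances(old, forced)))
    print("time-based serial %d advances: %s"
          % (soa_serial(now), serial_advances(old, soa_serial(now))))
```

     The last two lines of the demonstration show the practical trap: a
     seq-no lower than the serial secondaries already hold, or switching
     from a date-style serial to a time-based one that happens to be
     smaller, produces a zone that loads on the primary but never
     propagates.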
DETAILS
     Dnssigner reads BIND-4 named.boot and zone files, adds SIG and NXT
     records and writes out the records (to one file per zone, regardless of
     how many include files the original zone was in).  The files generated
     by dnssigner are ordinary textual zone files and are then normally
     loaded by NAMED(8) to serve the zone.  Dnssigner requires that the
     PRIVATE key(s) reside in the input directory.

     Making manual changes to the output files is hazardous, because most
     changes will invalidate one or more signatures contained therein.  This
     will cause the zone to fail to load into NAMED(8), or will cause
     subsequent failures in retrieving records from the zone.  It is far
     better to make changes in dnssigner's input files, and rerun dnssigner.

     When dnssigner detects a delegation point, it creates a special file
     <zone_name>.PARENT which contains the RRs the parent zone signs for the
     child zone (NS, KEY, NXT).  The intent is that the child will include
     this file when loading primary nameservers.  Similarly, each zone file
     ends with the ``#include <zone_name>.PARENT'' command.  The records in
     the .PARENT files are omitted from the SIG(AXFR) calculations as these
     records usually are on a different signing cycle.

     The ``$SIGNER [keyname]'' directive can be used to change signers in a
     zone.  If keyname is omitted, signing is turned off.  Keys are loaded
     the first time the keys are accessed.  Only records that are signed by
     the zone signer (the key that signs the SOA) are included in the
     SIG(AXFR) calculation.  It is not generally recommended that multiple
     keys sign records in the same zone, unless this is useful for dynamic
     updates.
ENVIRONMENT
     No environment variables are used.

SEE ALSO
     NAMED(8), RSAREF documentation, Internet-Draft
     draft-ietf-dnssec-secext-10.txt on Secure DNS, or its successor.

AUTHOR
     Olafur Gudmundsson (ogud@tis.com)

ACKNOWLEDGMENTS
     The underlying crypto math is done by the RSAREF or BSAFE libraries.

4th Berkeley Distribution       October 25, 1996