zkt-signer(8)zkt-signer(8)NAMEzkt-signer — Secure DNS zone signing tool
SYNOPSYSzkt-signer [-L file] [-V view] [-c file] [-O optstr] [-fhnr] [-v [-v]]
-N named.conf [zone ...]
zkt-signer [-L file] [-V view] [-c file] [-O optstr] [-fhnr] [-v [-v]]
[-D directory] [zone ...]
zkt-signer [-L file] [-V view] [-c file] [-O optstr] [-fhnr] [-v [-v]]
-o origin [zonefile]
DESCRIPTION
The zkt-signer command is a wrapper around dnssec-signzone(8) and
dnssec-keygen(8) to sign a zone and manage the necessary zone keys. It
is able to increment the serial number before signing the zone and can
trigger named(8) to reload the signed zone file. The command controls
several secure zones and, if started in regular intervals via cron(8),
can do all that stuff automatically.
In the most useful usage scenario the command will be called with
option -N to read the secure zones out of the given named.conf file.
If you have a configuration file with views, you have to use option -V
viewname or --view viewname to specify the name of the view.
Alternately you could link the executable file to a second name like
zkt-signer-viewname and use that command to specify the name of the
view.
All master zone statements will be scanned for filenames ending with
".signed". These zones will be checked if the necessary zone- and key
signing keys are existent and fresh enough to be used in the signing
process. If one or more out-dated keys are found, new keying material
will be generated via the dnssec-keygen(8) command and the old keys
will be marked as depreciated. So the command do anything needed for a
zone key rollover as defined by [2].
If the resigning interval is reached or any new key must be announced,
the serial number of the zone will be incremented and the dnssec-
signzone(8) command will be evoked to sign the zone. After that, if
the option -r is given, the rndc(8) command will be called to reload
the zone on the nameserver.
In the second form of the command it is possible to specify a directory
tree with the option -D dir. Every secure zone found in a subdirectory
below dir will be signed. However, it is also possible to reduce the
signing to those zones given as arguments.
If -D is ommitted (and neither -N nor -oorigin is specified) the
default directory specified in the dnssec.conf file by the parameter
zonedir will be used as top level directory.
OPTIONS-L file|dir, --logfile=file|dir
Specify the name of a log file or a directory where logfiles are
created with a name like zkt-YYYY-MM-DDThhmmssZ.log. If the
argument is not an absolute path name and a zone directory is
specified in the config file, this will be prepended to the
given name. This option is also settable in the dnssec.conf
file via the parameter LogFile.
The default is no file logging, but error logging to syslog with
facility USER at level ERROR is enabled by default. These
parameters are settable via the config file parameter
SyslogFacility, SyslogLevel, LogFile and Loglevel.
The additional parameter VerboseLog specifies the verbosity
(0|1|2) of messages that will be logged with level DEBUG to file
and syslog.
-V view, --view=view
Try to read the default configuration out of a file named
dnssec-<view>.conf . Instead of specifying the -V or --view
option every time, it is also possible to create a hard- or
softlink to the executable file with an additional name like
zkt-signer-<view> .
-c file, --config=file
Read configuration values out of the specified file. Otherwise
the default config file is read or build-in defaults will be
used.
-O optstr, --config-option=optstr
Set any config file option via the commandline. Several config
file options can be specified via the argument string but have
to be delimited by semicolon (or newline).
-f, --force
Force a resigning of the zone, regardless if the resigning
interval is reached or new keys must be announced.
-n, --noexec
Don't execute the dnssec-signzone(8) command. Currently this
option is of very limited usage.
-r, --reload
Reload the zone via rndc(8) after successful signing. In a
production environment it is recommended to use this option to
be sure that a freshly signed zone will be immediately
propagated. However, that's only feasable if named runs on the
signing machine, which is not recommended.
-v, --verbose
Verbose mode (recommended). A second -v will be a little more
verbose.
-h, --help
Print out the online help.
SAMPLE USAGEzkt-signer-N /etc/namedb/named.conf -r -v -v
Sign all secure zones found in the named.conf file and, if
necessary, trigger a reload of the zone. Print some explanatory
remarks on stdout.
zkt-signer-D zonedir/example.net. -f -v -v
Force the signing of the zone found in the directory
zonedir/example.net . Do not reload the zone.
zkt-signer-D zonedir -f -v -v example.net.
Same as above.
zkt-signer-f -v -v example.net.
Same as above if the dnssec.conf file contains the path of the
parent directory of the example.net zone.
zkt-signer-f -v -v -o example.net. zone.db
Same as above if we are in the directory containing the
example.net files.
zkt-signer --config-option='ResignInterval 1d; Sigvalidity 28h; \
ZSKlifetime 2d;' -v -v -o example.net. zone.db
Sign the example.net zone but override some config file values
with parameters given on the commandline.
Zone setup and initial preparation
Create a separate directory for every secure zone.
This is useful because there are many additional files needed to
secure a zone. Besides the zone file (zone.db), there is a
signed zone file (zone.db.signed), a minimum of four files
containing the key material, a file called dnskey.db with the
current used keys, and the dsset- and keyset-files created by
the dnssec-signzone(8) command. So in summary there is a
minimum of nine files used per secure zone. For every
additional key there are two extra files and every delegated
subzone creates also two or three files.
Name the directory just like the zone.
That's only needed if you want to use the zkt-signer command in
directory mode (-D). Then the name of the zone will be parsed
out of the directory name.
Change the name of the zone file to zone.db
Otherwise you have to set the name via the dnssec.conf parameter
zonefile, or you have to use the option -o to name the zone and
specify the zone file as argument.
Add the name of the signed zonefile to the named.conf file
The filename is the name of the zone file with the extension
.signed. Create an empty file with the name zone.db.signed in
the zone directory.
Include the keyfile in the zone.
The name of the keyfile is settable by the dnssec.conf parameter
keyfile . The default is dnskey.db .
ZKT 1.1 Nov 27, 2010 zkt-signer(8)