summaryrefslogtreecommitdiff
path: root/contrib/zkt/man/zkt-signer.8
blob: 06de826df82fd8b7bee071a459207426aaeb7bfb (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
.TH zkt-signer 8 "Feb 2, 2010" "ZKT 1.0" ""
\" turn off hyphenation
.\"	if n .nh
.nh
.SH NAME
zkt-signer \(em Secure DNS zone signing tool 

.SH SYNOPSYS
.na
.B zkt-signer
.RB [ \-L|--logfile
.IR "file" ]
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-fhnr ]
.RB [ \-v
.RB [ \-v ]]
.B \-N
.I "named.conf"
.RI [ zone
.RI "" ... ]
.br
.B zkt-signer
.RB [ \-L|--logfile
.IR "file" ]
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-fhnr ]
.RB [ \-v
.RB [ \-v ]]
.RB [ \-D
.IR "directory" ]
.RI [ zone
.RI "" ... ]
.br
.B zkt-signer
.RB [ \-L|--logfile
.IR "file" ]
.RB [ \-V|--view
.IR "view" ]
.RB [ \-c
.IR "file" ]
.RB [ \-fhnr ]
.RB [ \-v
.RB [ \-v ]]
.B \-o 
.IR "origin"
.RI [ zonefile ]

.SH DESCRIPTION
The 
.I zkt-signer
command is a wrapper around
.I dnssec-signzone(8)
and
.I dnssec-keygen(8)
to sign a zone and manage the necessary zone keys.
It is able to increment the serial number before signing the zone
and can trigger
.I named(8)
to reload the signed zone file.
The command controls several secure zones and, if started in regular
intervals via
.IR cron(8) ,
can do all that stuff automatically.
.PP
In the most useful usage scenario the command will be called with option
.B \-N 
to read the secure zones out of the given
.I named.conf
file.
If you have a configuration file with views, you have to use option
-V viewname or --view viewname to specify the name of the view.
Alternately you could link the executable file to a second name like
.I zkt-signer-viewname
and use that command to specify the name of the view.
All master zone statements will be scanned for filenames
ending with ".signed".
These zones will be checked if the necessary zone- and key signing keys
are existent and fresh enough to be used in the signing process.
If one or more  out-dated keys are found, new keying material will be generated via
the
.I dnssec-keygen(8)
command and the old keys will be marked as depreciated.
So the command do anything needed for a zone key rollover as defined by [2].
.PP
If the resigning interval is reached or any new key must be announced,
the serial number of the zone will be incremented and the
.I dnssec-signzone(8)
command will be evoked to sign the zone.
After that, if the option
.B \-r
is given, the
.I rndc(8)
command will be called to reload the zone on the
nameserver.
.PP
In the second form of the command it is possible to specify a directory
tree with the option
.B \-D
.IR dir .
Every secure zone found in a subdirectory below
.I dir
will be signed.
However, it is also possible to reduce the signing to those
zones given as arguments.
.ig
In directory mode the pre-requisite is, that the directory name is
exactly (including the trailing dot) the same as the zone name.
..
.PP
In the last form of the command, the functionality is more or less the same
as the
.I dnssec-signzone (8)
command.
The parameter specifies the zone file name and the option
.B \-o
takes the name of the zone.
.PP
If neither
.B \-N
nor
.B \-D
nor
.B \-o
is given, then the default directory specified in the
.I dnssec.conf
file by the parameter
.I zonedir
will be used as top level directory.

.SH OPTIONS
.TP
.BI \-L " file|dir" ", \-\-logfile=" file|dir
Specify the name of a log file or a directory where
logfiles are created with a name like
.fam C
.\"#  define	LOG_FNAMETMPL	"/zkt-%04d-%02d-%02dT%02d%02d%02dZ.log"
.RI zkt- YYYY-MM-DD T hhmmss Z.log .
.fam T
.\" \&.
If the argument is not an absolute path name and a zone directory
is specified in the config file, this will be prepended to the given name.
This option is also settable in the dnssec.conf file via the parameter
.BI LogFile .
.br
The default is no file logging, but error logging to syslog with facility
.BI USER
at level
.BI ERROR
is enabled by default.
These parameters are settable via the config file parameter
.BI "SyslogFacility" ,
.BI "SyslogLevel" ,
.BI "LogFile"
and
.BI "Loglevel" .
.br
The additional parameter
.BI VerboseLog
specifies the verbosity (0|1|2) of messages that will be logged
with level
.BI DEBUG
to file and syslog.

.TP
.BI \-V " view" ", \-\-view=" view
Try to read the default configuration out of a file named
.I dnssec-<view>.conf .
Instead of specifying the \-V or --view option every time,
it is also possible to create a hard- or softlink to the
executable file with an additional name like 
.I zkt-signer-<view> .
.TP
.BI \-c " file" ", \-\-config=" file
Read configuration values out of the specified file.
Otherwise the default config file is read or build-in defaults
will be used.
.TP
.BI \-O " optstr" ", \-\-config-option=" optstr
Set any config file option via the commandline.
Several config file options can be specified via the argument string
but have to be delimited by semicolon (or newline).
.TP
.BR \-f ", " \-\-force
Force a resigning of the zone, regardless if the resigning interval
is reached or new keys must be announced.
.TP
.BR \-n ", " \-\-noexec
Don't execute the
.I dnssec-signzone(8)
command.
Currently this option is of very limited usage.
.TP
.BR \-r ", " \-\-reload
Reload the zone via
.I rndc(8)
after successful signing.
In a production environment it is recommended to use this option
to be sure that a freshly signed zone will be immediately propagated.
However, that's only feasable if named runs on the signing
machine, which is not recommended.
.ig
Otherwise the signed zonefile must be copied to the production
server before reloading the zone.
If this is the case, the parameter
.I propagation
in the
.I dnssec.conf
file must be set to a reasonable value.
..
.TP
.BR \-v ", " \-\-verbose
Verbose mode (recommended).
A second
.B \-v
will be a little more verbose.
.TP
.BR \-h ", " \-\-help
Print out the online help.

.SH SAMPLE USAGE
.TP 
.fam C
.B "zkt-signer \-N /var/named/named.conf \-r \-v \-v 
.fam T
Sign all secure zones found in the named.conf file and, if necessary,
trigger a reload of the zone.
Print some explanatory remarks on stdout.
.TP
.fam C
.B "zkt-signer \-D zonedir/example.net. \-f \-v \-v 
.fam T
Force the signing of the zone found in the directory
.I zonedir/example.net .
Do not reload the zone.
.TP
.fam C
.B "zkt-signer \-D zonedir \-f \-v \-v example.net.
.fam T
Same as above.
.TP
.fam C
.B "zkt-signer \-f \-v \-v example.net.
.fam T
Same as above if the
.I dnssec.conf
file contains the path of the parent directory of the
.I example.net
zone.
.TP
.fam C
.B "zkt-signer \-f \-v \-v \-o example.net. zone.db
.fam T
Same as above if we are in the directory containing the
.I example.net
files.
.TP
.fam C
.B "zkt-signer \-\-config-option='ResignInterval 1d; Sigvalidity 28h; \e
.B ZSK_lifetime 2d;' \-v \-v \-o example.net. zone.db
.fam T
.br
Sign the example.net zone but override some config file values with parameters
given on the commandline.

.SH Zone setup and initial preparation
.TP
Create a separate directory for every secure zone.
.br
This is useful because there are many additional files needed to
secure a zone.
Besides the zone file
.RI ( zone.db ),
there is a signed zone file
.RI ( zone.db.signed),
a minimum of four files containing the keying material,
a file called
.I dnskey.db
with the current used keys,
and the
.I dsset-
and
.IR keyset- files
created by the
.I dnssec-signzone(8)
command.
So in summary there is a minimum of nine files used per secure zone.
For every additional key there are two extra files and
every delegated subzone creates also two or three files.
.TP
Name the directory just like the zone.
.br
That's only needed if you want to use the zkt-signer command in
directory mode
.RB ( \-D ).
Then the name of the zone will be parsed out of the directory name.
.TP
Change the name of the zone file to \fIzone.db\fP
Otherwise you have to set the name via the
.I dnssec.conf
parameter
.IR zonefile ,
or you have to use the option
.B \-o
to name the zone and specify the zone file as argument.
.TP
Add the name of the signed zonefile to the \fInamed.conf\fP file
The filename is the name of the zone file with the 
extension
.IR .signed .
Create an empty file with the name
.IB zonefile .signed
in the zone directory.
.TP
Include the keyfile in the zone.
The name of the keyfile is settable by the
.I dnssec.conf
parameter
.I keyfile .
The default is
.I dnskey.db .
.br
.if t \{\
.nf
.fam C
   ...
		IN  NS		ns1.example.net.
		IN  NS		ns2.example.net.
$INCLUDE dnskey.db
   ...
.fi
.fam T
You can also run
.I zkt-conf(8)
in the secure zone directory to do this.
Try
.br
.if t \{\
.nf
.fam C
$ zkt-conf -w zone.db
.fi
.fam T
.\}
.TP
Control the format of the SOA-Record
For automatic incrementation of the serial number, the SOA-Record
must be formated, so that the serial number is on a single line and
left justified in a field of at least 10 spaces!
.if t \{\
.fam C
.fi 0
@  IN SOA  ns1.example.net. hostmaster.example.net.  (
		60        ; Serial    
		43200 ; Refresh
		1800  ; Retry
		2W    ; Expire
		7200 ); Minimum
.fi
.fam T
.\}
If you use BIND version 9.4 or later and
use the unixtime format for the serial number (which is the default since ZKT-1.0)
than this is not necessary.
See also the parameter Serialformat in 
.IR dnssec.conf .
.TP
Try to sign the zone
If the current working directory is the directory of the zone
.IR example.net ,
use the command
.fam C
.nf
.sp 0.5
    $  zkt-signer \-D .. \-v \-v example.net
        or
    $  zkt-signer \-o example.net.
.sp 0.5
.fi
.fam T
to create the initial keying material and a signed zone file.
Then try to load the file on the name server.

.SH ENVIRONMENT VARIABLES
.TP
ZKT_CONFFILE
Specifies the name of the default global configuration files.

.SH FILES
.TP
.I /var/named/dnssec.conf
Built-in default global configuration file.
The name of the default global config file is settable via
the environment variable ZKT_CONFFILE.
Use
.I zkt-conf(8)
with option
.B \-w
or
.I dnssec-zkt(8)
with option
.B \-Z
to create an initial config file.
.TP
.I /var/named/dnssec-<view>.conf
View specific global configuration file.
.TP
.I ./dnssec.conf
Local configuration file.
The file contains typically only the diff to the global site wide config file.
Use for example
.fam C
.nf
.sp 0.5
    $ zkt-conf -w -l -O "key_ttl: 5d"
.sp 0.5
.fi
.fam T
to create a local config file with a different key ttl time.
.TP
.I dnskey.db
The file contains the currently used key and zone signing keys.
It will be created by
.IR dnsssec-signer(8) .
The name of the file is settable via the dnssec configuration
file (parameter
.IR keyfile ).
.TP
.I zone.db
This is the zone file.
The name of the file is settable via the dnssec configuration
file (parameter
.IR zonefile ).

.SH BUGS
.PP
The named.conf parser is a bit rudimental and not
very well tested.

.SH AUTHORS
The man page is written by
Holger Zuleger and Mans Nilsson

.SH COPYRIGHT
Copyright (c) 2005 \- 2010 by Holger Zuleger.
Licensed under the BSD Licence. There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
.\"--------------------------------------------------

.SH SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8), zkt-ls(8), zkt-keygen(8) 
.br
RFC4033, RFC4034, RFC4035
.br
[1] DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
.br
(http://www.nlnetlabs.nl/dnssec_howto/)
.br
[2] RFC4641 "DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman
.br
(http://www.ietf.org/rfc/rfc4641.txt)