|-L file|dir, --logfile=file|dir|
Specify the name of a log file or a directory where
logfiles are created with a name like
If the argument is not an absolute path name and a zone directory
is specified in the config file, this will be prepended to the given name.
This option is also settable in the dnssec.conf file via the parameter
The default is no file logging, but error logging to syslog with facility USER at level ERROR is enabled by default. These parameters are settable via the config file parameter SyslogFacility, SyslogLevel, LogFile and Loglevel.
The additional parameter VerboseLog specifies the verbosity (0|1|2) of messages that will be logged with level DEBUG to file and syslog.
|-V view, --view=view|
|Try to read the default configuration out of a file named dnssec-<view>.conf . Instead of specifying the -V or --view option every time, it is also possible to create a hard- or softlink to the executable file with an additional name like zkt-signer-<view> .|
|-c file, --config=file|
|Read configuration values out of the specified file. Otherwise the default config file is read or built-in defaults are used.|
|-O optstr, --config-option=optstr|
|Set any config file option via the commandline. Several config file options can be specified via the argument string, but they have to be delimited by semicolons (or newlines).|
|Force a resigning of the zone, regardless of whether the resigning interval has been reached or new keys must be announced.|
|Don't execute the dnssec-signzone(8) command. Currently this option is of very limited use.|
|Reload the zone via rndc(8) after successful signing. In a production environment it is recommended to use this option to be sure that a freshly signed zone is propagated immediately. However, that's only feasible if named runs on the signing machine, which is not recommended.|
|Verbose mode (recommended). A second -v will be a little more verbose.|
Print out the online help.
zkt-signer -N /etc/namedb/named.conf -r -v -v
Sign all secure zones found in the named.conf file and, if necessary, trigger a reload of the zone. Print some explanatory remarks on stdout.

zkt-signer -D zonedir/example.net. -f -v -v
Force the signing of the zone found in the directory zonedir/example.net . Do not reload the zone.

zkt-signer -D zonedir -f -v -v example.net.
Same as above.

zkt-signer -f -v -v example.net.
Same as above if the dnssec.conf file contains the path of the parent directory of the example.net zone.

zkt-signer -f -v -v -o example.net. zone.db
Same as above if we are in the directory containing the example.net files.

zkt-signer --config-option="ResignInterval 1d; Sigvalidity 28h; ZSKlifetime 2d;" -v -v -o example.net. zone.db
Sign the example.net zone but override some config file values with parameters given on the commandline. The option string is quoted so that the shell passes the semicolon-delimited list as a single argument.
Create a separate directory for every secure zone
This is useful because there are many additional files needed to secure a zone. Besides the zone file (zone.db), there is a signed zone file (zone.db.signed), a minimum of four files containing the key material, a file called dnskey.db with the currently used keys, and the dsset- and keyset-files created by the dnssec-signzone(8) command. So in summary there is a minimum of nine files used per secure zone. For every additional key there are two extra files, and every delegated subzone also creates two or three files.

Name the directory just like the zone
That's only needed if you want to use the zkt-signer command in directory mode (-D). Then the name of the zone will be parsed out of the directory name.

Change the name of the zone file to zone.db
Otherwise you have to set the name via the dnssec.conf parameter zonefile, or you have to use the option -o to name the zone and specify the zone file as argument.

Add the name of the signed zonefile to the named.conf file
The filename is the name of the zone file with the extension .signed.

Create an empty file with the name zone.db.signed in the zone directory

Include the keyfile in the zone
The name of the keyfile is settable by the dnssec.conf parameter keyfile . The default is dnskey.db .

    ...
            IN NS   ns1.example.net.
            IN NS   ns2.example.net.
    $INCLUDE dnskey.db
    ...

You can also run zkt-conf(8) in the secure zone directory to do this. Try

    $ zkt-conf -w zone.db

Control the format of the SOA-Record
For automatic incrementation of the serial number, the SOA-Record must be formatted so that the serial number is on a single line and left justified in a field of at least 10 spaces!

    @  IN SOA ns1.example.net. hostmaster.example.net. (
             60         ; Serial
             43200      ; Refresh
             1800       ; Retry
             2W         ; Expire
             7200 )     ; Minimum

If you use BIND version 9.4 or later and use the unixtime format for the serial number (which is the default since ZKT-1.0) this is not necessary. See also the parameter Serialformat in dnssec.conf.

Try to sign the zone
If the current working directory is the directory of the zone example.net, use the command

    $ zkt-signer -D .. -v -v example.net
or
    $ zkt-signer -o example.net.

to create the initial keying material and a signed zone file. Then try to load the file on the name server.
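As an added illustration (not code from ZKT or this man page), the following Python checks a zone file against the SOA layout rule just stated and rewrites the serial in place, refusing zones where the serial is not alone on its line or its field is too narrow. The format names "incremental" and "unixtime", the fallback when the clock would not move the serial forward, and the sample zone fragment are assumptions made for the example.

```python
import re
import time

# Serial line as the page requires: the integer alone, left-justified in a
# blank-padded field, optionally followed by a comment.
_SERIAL_LINE = re.compile(r"^(\s*)(\d+)(\s*)(;.*)?$")
MIN_FIELD = 10        # "left justified in a field of at least 10 spaces"
SERIAL_MOD = 1 << 32  # SOA serials are 32-bit (RFC 1982 serial arithmetic)

def next_serial(old, fmt, now=None):
    """incremental: old+1; unixtime: clock time, else old+1 (assumed policy, not ZKT's)."""
    if fmt == "incremental":
        return (old + 1) % SERIAL_MOD or 1
    if fmt == "unixtime":
        ts = int(time.time() if now is None else now)
        return ts if ts > old else (old + 1) % SERIAL_MOD or 1
    raise ValueError("unknown Serialformat: %r" % fmt)

def bump_soa_serial(zone_text, fmt="unixtime", now=None):
    """Rewrite the SOA serial in place; ValueError if the layout rule above
    (serial alone on the first line after the SOA line, field >= MIN_FIELD) is broken."""
    lines = zone_text.split("\n")
    soa = next((i for i, l in enumerate(lines)
                if re.search(r"\bSOA\b", l.split(";")[0])), None)
    if soa is None:
        raise ValueError("no SOA record found")
    idx = next((i for i in range(soa + 1, len(lines)) if lines[i].strip()), None)
    m = _SERIAL_LINE.match(lines[idx]) if idx is not None else None
    if m is None:
        raise ValueError("SOA serial is not alone on the line after line %d" % (soa + 1))
    indent, old, pad, comment = m.group(1), m.group(2), m.group(3), m.group(4) or ""
    width = len(old) + len(pad)
    if width < MIN_FIELD:
        raise ValueError("serial field is %d wide, need at least %d" % (width, MIN_FIELD))
    new = str(next_serial(int(old), fmt, now))
    if len(new) > width:
        raise ValueError("new serial %s does not fit a %d-wide field" % (new, width))
    # Left-justify into the same field so nothing after the serial moves.
    lines[idx] = indent + new.ljust(width) + comment
    return "\n".join(lines)

# Constructed sample shaped like the SOA record shown above (not a real zone).
SAMPLE_ZONE = """\
@  IN SOA ns1.example.net. hostmaster.example.net. (
         60         ; Serial
         43200      ; Refresh
         1800       ; Retry
         2W         ; Expire
         7200 )     ; Minimum
"""
```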
ZKT_CONFFILE Specifies the name of the default global configuration file.
/etc/namedb/dnssec.conf
Built-in default global configuration file. The name of the default global config file is settable via the environment variable ZKT_CONFFILE. Use zkt-conf(8) with option -w or dnssec-zkt(8) with option -Z to create an initial config file.

/etc/namedb/dnssec-<view>.conf
View specific global configuration file.

./dnssec.conf
Local configuration file. The file typically contains only the diff to the global site-wide config file. Use for example

    $ zkt-conf -w -l -O "key_ttl: 5d"

to create a local config file with a different key ttl time.

dnskey.db
The file contains the currently used key signing and zone signing keys. It will be created by dnssec-signer(8). The name of the file is settable via the dnssec configuration file (parameter keyfile).

zone.db
This is the zone file. The name of the file is settable via the dnssec configuration file (parameter zonefile).
The named.conf parser is a bit rudimental and not very well tested.
This man page was written by Holger Zuleger and Mans Nilsson.
Copyright (c) 2005 - 2010 by Holger Zuleger. Licensed under the BSD Licence. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8), zkt-ls(8), zkt-keygen(8)
RFC4033, RFC4034, RFC4035
DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
RFC4641 "DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman
|ZKT 1.1||ZKT-SIGNER (8)||Nov 27, 2010|