Template:Zonesigner ShortTorial

From DNSSEC-Tools
Jump to: navigation, search


{{#if:1| {{#if:1| {{#if:1| {{#if:| {{#if:| {{#if:|
DNSSEC-Tools Component
This describes zonesigner, which in the Zone Administration Tools category within the DNSSEC-Tools Components framework of tools.
Tool Name: zonesigner
Tool Type: Zone Administration Tools
Manual: Manual


Example: Example


CLI: Help


Tutorial: Tutorial


How To: How To


Download: zonesigner


Zonesigner is used for signing DNS zone files. In fact if you only use one thing from the DNSSEC-Tools package this is the most important one as it will help you Sign Your Zone. This is one of the main tools a Zone Administrator or Authoritative DNS Administrator will find useful when deploying a DNSSEC-enabled zone. It can make signing a zone as easy as typing, 'zonesigner example.com'. Zonesigner is capable of performing a large number of zone manipulations. It can sign a zone file, create and update both Zone Signing Keys (ZSKs) and Key Signing Keys (KSKs) while allowing more detailed configuration from the command line or a configuration file.

Zonesigner was designed to make many of the other signing tools easy to use and to "do the right thing by default" wherever possible. It is highly configurable, but most people will likely be happy running it without any of the extra arguments. Currently, it uses (and requires) the Bind tool kit to handle most of the tasks it performs.

Get started with zonesigner

To get started with zonesigner follow the following steps given a zone example.com, and its zone file 'zonefile'.

  • The first time, add the -genkeys argument to generate new DNSSEC keys.
  • For future runs, leave that option off since you will already have keys for your zone. See Rollerd for more details about changing keys on a regular basis.
>  zonesigner -genkeys -zone example.com ./zonefile

      if zonesigner appears hung, strike keys until the program completes
      (see the "Entropy" section in the man page for details)

zone signed successfully

                KSK (cur) 08824  -b 2048  02/12/08      (signing-set-3)
                ZSK (cur) 53265  -b 1024  02/12/08      (signing-set-1)
                ZSK (pub) 41622  -b 1024  02/12/08      (signing-set-2)

zone will expire in 4 weeks, 2 days, 0 seconds
DO NOT delete the keys until this time has passed.

The above:

  • creates signed zone file zonefile.signed
  • it is ready for use, just configure the DNS to load it. Again, the next time the zone needs to be signed (before 4 weeks 2days has elapsed), run the same command but without the -genkeys argument.

A ready to use signed zone file, 'zonefile.signed', is generated. Created along with it are the associated Zone and Key Signing Keys (ZSKs/KSKs), keyset files, dsset file, and a zonesigner configuration file for example.com. Note that these files are generated in the same directory as the zone file that is signed. The location of these files can be adjusted through command line arguments to zonesigner.

(Even easier, if your zone file name matches the zone itself, e.g. example.com, simply running the command 'zonesigner -genkeys example.com' will generate example.com.signed.)

Zonesigner offers a large number of additional options to affect zone file signing. The key expiration times, file name and locations can all be adjusted from the command line. It will even do the various steps required for key rollovers, although it is much easier to use rollerd to execute the needed key-rolling steps automatically.


To fully use zonesigner and understand zone signing, a good grasp of how DNSSEC works is necessary. A working, signed zone file can be created by just using the default values provided by zonesigner. But it is beneficial for a zone administrator to have a general familiarity with DNSSEC. The following links are good places to start to learn about DNSSEC:

RFC 4033, RFC 4034, RFC 4035, www.dnssec.net, ISOC's DNSSSEC Theory