From DNSSEC-Tools
Jump to: navigation, search
{{#if:1| {{#if:1| {{#if:1| {{#if:1| {{#if:| {{#if:|
DNSSEC-Tools Component
This describes zonesigner, which in the Zone Administration Tools category within the DNSSEC-Tools Components framework of tools.
Tool Name: zonesigner
Tool Type: Zone Administration Tools
Manual: Manual


Example: Example


CLI: Help


Tutorial: Tutorial


How To: How To


Download: zonesigner



Zonesigner is a DNS Zone File signing script that makes the process of signing DNS zones incredibly easy. With a single call to the script you can perform all the needed operations of zonesigning in one call. Although it is designed to "just do the right thing" It is highly flexible and can be tailored to meet the needs of each deployed environment.

Getting Started

You can either keep reading, or you might be interested in watching A demonstration video on the subject.

Getting started with zonesigner is easy. Simply run it as follows the first time:

 zonesigner --genkeys

It will generate new keys for you (that's what the --genkeys option does) and place the finished and signed zone file in the file which you should serve with your name server. Next time you need to update your zone simply run the same command without the --genkeys option:


That's it! There are, of course, many other options.

See the Sign Your Zone page for a complete example with data and output results, as well as the example output web page for other example usage.

NSEC3 Support

rfc:5155 defines support for NSEC3 which prevents zone enumeration and walking. If you wish to use NSEC3 you'll need version 9.6 of the bind software or later and version 1.5 or later of the DNSSEC-Tools package. Use the --usensec3 flag to zonesigner to sign your zone with NSEC3 support.