DNSSEC-Tools being migrated -- expect broken links.
The process to convert older wiki pages to our new site is not yet complete; please be patient while we work through the moving process. -- 2018-08-11

Zonesigner

About

Zonesigner is a DNS zone file signing script that makes the process of signing DNS zones incredibly easy. With a single call to the script you can perform all the operations needed to sign a zone. Although it is designed to "just do the right thing", it is highly flexible and can be tailored to meet the needs of each deployed environment.

Getting Started

You can either keep reading, or you might be interested in watching A demonstration video on the subject.

Getting started with zonesigner is easy. Simply run it as follows the first time:

It will generate new keys for you (that's what the --genkeys option does) and place the finished, signed zone in the file db.example.com.signed, which is the file you should serve with your name server. The next time you need to update your zone, simply run the same command without the --genkeys option:

That's it! There are, of course, many other options. See the Sign Your Zone page for a complete example with data and output results, as well as the example output web page for other example usage.

NSEC3 Support

NSEC3 (specified in RFC 5155) prevents zone enumeration and zone walking. If you wish to use NSEC3 you'll need version 9.6 or later of the BIND software and version 1.5 or later of the DNSSEC-Tools package. Use the --usensec3 flag to zonesigner to sign your zone with NSEC3 support.
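The following wrapper script is an added example covering both the Getting Started procedure (use --genkeys on the first run, omit it on later re-signings) and the NSEC3 option above. It is not part of the DNSSEC-Tools project or the original page. It assumes zonesigner's positional syntax `zonesigner [options] <zone-name> <zone-file>`, that generated keys land in the key directory as `K<zone>.+<alg>+<id>.key` (the dnssec-keygen naming convention), and that the signed output is `<zone-file>.signed` as the page states; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not DNSSEC-Tools code): decide whether zonesigner needs --genkeys
# by looking for existing key files, then sign and sanity-check the output.
set -eu

# Return 0 if at least one K<zone>.+*.key file exists in the key directory.
# Assumption: zonesigner stores keys under the dnssec-keygen naming scheme.
has_keys() {
    keydir=$1; zone=$2
    for f in "$keydir"/K"$zone".+*.key; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Print the zonesigner command line for a zone.
#   $1 zone name, $2 zone file, $3 key directory (default .), $4 yes|no for NSEC3
# --genkeys is added only on the first run (no keys present); later runs reuse
# the existing keys, exactly as the Getting Started section describes.
zonesigner_cmd() {
    zone=$1; zonefile=$2; keydir=${3:-.}; use_nsec3=${4:-yes}
    opts=""
    if ! has_keys "$keydir" "$zone"; then
        opts="$opts --genkeys"
    fi
    if [ "$use_nsec3" = yes ]; then
        opts="$opts --usensec3"   # NSEC3: needs BIND >= 9.6 and DNSSEC-Tools >= 1.5
    fi
    printf 'zonesigner%s %s %s\n' "$opts" "$zone" "$zonefile"
}

# Run the command and verify that a non-empty signed zone was produced.
# If BIND's named-checkzone is installed, also syntax-check the signed file.
sign_zone() {
    zone=$1; zonefile=$2; keydir=${3:-.}; use_nsec3=${4:-yes}
    cmd=$(zonesigner_cmd "$zone" "$zonefile" "$keydir" "$use_nsec3")
    echo "running: $cmd"
    (cd "$keydir" && sh -c "$cmd")
    signed="$keydir/$zonefile.signed"
    [ -s "$signed" ] || { echo "no signed zone produced at $signed" >&2; return 1; }
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$zone" "$signed"
    fi
    echo "signed zone written to $signed; serve this file from your name server"
}

# Usage: ./sign.sh example.com db.example.com [keydir] [yes|no]
if [ "$#" -ge 2 ]; then
    sign_zone "$@"
fi
```

Run it from the directory holding the zone file; the first invocation prints and runs `zonesigner --genkeys --usensec3 example.com db.example.com`, and every later run drops --genkeys automatically because the key files already exist. Pass `no` as the fourth argument to sign with NSEC instead of NSEC3.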