Add DNS Signature (ADDDNSSIG)

The Add DNS Signature (ADDDNSSIG) command signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a keyset file for each child zone.

Restrictions:

Parameters

Keyword     Description                   Choices                                               Notes
ZONEDTAF    Zone file                     Path name                                             Required, Positional 1
ZONEKEYS    Zone keys                     Values (up to 20 repetitions): Character value        Required, Positional 2
CLASS       Class                         *IN, *CH, *HS                                         Optional
KSK         Key signing key               Values (up to 8 repetitions): Character value, *NONE  Optional
SOASRLFMT   SOA serial format             *KEEP, *INCREMENT, *UNIXTIME                          Optional
ORIGIN      Zone origin                   Character value, *NONE                                Optional
COMPMODE    Compatibility mode            *NO, *YES                                             Optional
OUTFMT      Output format                 *TEXT, *RAW                                           Optional
VFYSIG      Verify all signatures         *NO, *YES                                             Optional
KEYSETDIR   Keyset directory              Path name, *DFT                                       Optional
GENDSRCD    Generate child DS records     *NO, *YES                                             Optional
SECKEYRPS   DNSSEC keys repository        Path name, *DFT                                       Optional
DLV         Domain lookaside validation   Character value, *NONE                                Optional
STRTIME     Start time for RRSIG records  Character value, *DFT                                 Optional
ENDTIME     End time for RRSIG records    Character value, *DFT                                 Optional
OUTSIGF     Signed zone output file       Path name, *DFT                                       Optional
CYCLEITV    Cycle interval                Integer, *DFT                                         Optional
INFMT       Input format                  *TEXT, *RAW                                           Optional
JITTER      Jitter window                 Integer, *NONE                                        Optional
NBRTHD      Threads to use                1-10, *CPU                                            Optional
PSEUDO      Use pseudo random data        *NO, *YES                                             Optional
DSBVFYTEST  Disable verification tests    *NO, *YES                                             Optional
ENTROPYSRC  Entropy source                Path name, *DFT                                       Optional
SMARTSIGN   Smart signing                 *NO, *YES                                             Optional
TTL         Time to live                  Integer, *DFT                                         Optional
STATS       Display statistics            *NO, *YES                                             Optional
UPDSECCHN   Update NSEC/NSEC3 chain       *NO, *YES                                             Optional
DBGLVL      Debug level                   0-10, 0                                               Optional
SIGNRRSET   Only sign the DNSKEY RRset    *NO, *YES                                             Optional
IGNKSKFLAG  Ignore KSK flag on key        *NO, *YES                                             Optional
ENCSALT     Hex encoded salt              Character value, *NONE                                Optional
ITERATIONS  Iterations                    Unsigned integer, 10                                  Optional
TOSTMF      Output file                   Path name, *STDOUT                                    Optional

Zone file (ZONEDTAF)

Specifies the name of the zone data file.

This is a required parameter.

path-name
Specify the path name for the stream file which is the zone data file to be signed.

Zone keys (ZONEKEYS)

Specifies the names of key files to use to sign the zone.

Single values

*ALLPVT
All zone keys that have private key files in the current directory will be used.

Other values (up to 20 repetitions)

character-value
Specify the name of a valid key file. You can give multiple key file names for this parameter. For example, ZONEKEYS('Kname1+alg+tag.key' 'Kname2+alg+tag' 'Kname3+alg+tag') is valid.

Class (CLASS)

Specifies the protocol group of the information.

*IN
The Internet class.
*CH
The CHAOS class.
*HS
The Hesiod class.

Key signing key (KSK)

Specifies the key file to be treated as a key signing key (KSK).

*NONE
No key is a KSK.
character-value
Specify the name of the key file which is the KSK.

SOA serial format (SOASRLFMT)

Specifies the SOA serial number format of the signed zone.

*KEEP
Do not modify the SOA serial number.
*INCREMENT
Increment the SOA serial number using RFC 1982 serial number arithmetic.
*UNIXTIME
Set the SOA serial number to the number of seconds since epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.

Zone origin (ORIGIN)

Specifies the zone origin.

*NONE
The name of the zone data file is used for the origin.
character-value
Specify a valid domain name to use for the origin.

Compatibility mode (COMPMODE)

Specifies whether or not to generate a keyset file in addition to a dsset file. By default, the keyset file will not be generated.

*NO
Do not generate a keyset file.
*YES
Generate a keyset file.

Output format (OUTFMT)

Specifies the format of the output file containing the signed zone.

*TEXT
Human-readable text format.
*RAW
Binary file format.

Verify all signatures (VFYSIG)

Specifies whether or not to verify generated signatures.

*NO
Do not verify generated signatures.
*YES
Verify generated signatures.

Keyset directory (KEYSETDIR)

Specifies the directory to search for dsset-* or keyset-* files.

*DFT
Directory /QIBM/UserData/OS400/DNS/_DYN will be searched.
path-name
Specify the path for the directory that contains the key files.

Generate child DS records (GENDSRCD)

Specifies whether or not to generate DS records for child zones from their dsset-* or keyset-* files, if those files exist. Any existing DS records are removed first.

*NO
Do not generate DS records.
*YES
Generate DS records.
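The key file names used by ZONEKEYS and KSK (Kname+alg+tag) carry the algorithm number and the key tag, and GENDSRCD turns each child zone's keys into DS records. The Python below is an added illustration of those two pieces and is not part of the ADDDNSSIG command or of BIND: it parses such a file name, computes the RFC 4034 Appendix B key tag, and derives a DS record (digest over the canonical owner name followed by the DNSKEY RDATA, RFC 4034 section 5.1.4) from a constructed DNSKEY RDATA. The sample RDATA, the dsset_line layout and all helper names are assumptions made for the example.

```python
import hashlib
import re

# Constructed DNSKEY RDATA for illustration only (not a usable key):
# flags 257 (KSK), protocol 3, algorithm 8, then a short fake public-key blob.
SAMPLE_DNSKEY_RDATA = bytes([0x01, 0x01, 0x03, 0x08, 0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD])

# Key file names look like Kexample.com.+005+48876.key (as in ZONEKEYS/KSK above).
KEYFILE_RE = re.compile(r"^K(?P<name>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})(?:\.key|\.private)?$")

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


def parse_key_filename(filename):
    """Split 'Kname+alg+tag[.key]' into (owner name, algorithm number, key tag)."""
    m = KEYFILE_RE.match(filename)
    if not m:
        raise ValueError(f"not a Kname+alg+tag key file name: {filename!r}")
    return m.group("name"), int(m.group("alg")), int(m.group("tag"))


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1/RSAMD5):
    sum the RDATA as 16-bit big-endian words, fold in the carry, keep 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def ds_rdata(owner, rdata, digest_type=2):
    """DS RDATA text 'keytag algorithm digesttype hexdigest'.
    The digest covers canonical owner name || DNSKEY RDATA; rdata[3] is the algorithm octet."""
    digest = hashlib.new(DIGEST_ALGS[digest_type], owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def dsset_line(owner, rdata, digest_type=2):
    """One line in the style of a dsset-<zone> file (layout assumed for this example)."""
    return f"{owner.lower().rstrip('.')}.\t\tIN DS {ds_rdata(owner, rdata, digest_type)}"


if __name__ == "__main__":
    name, alg, tag = parse_key_filename("Kexample.com.+005+48876.key")
    print(f"zone={name} algorithm={alg} keytag={tag}")
    print(dsset_line("example.com.", SAMPLE_DNSKEY_RDATA))
```

The key tag in the file name is only a lookup hint: a validator still has to match the DS digest against the actual DNSKEY, which is why a regenerated dsset file must be handed to the parent after every KSK change. Note also that algorithm 5 (RSASHA1), which appears in the page's example file names, is listed as NOT RECOMMENDED for signing in RFC 8624; new keys should use a SHA-256 based or elliptic-curve algorithm.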

DNSSEC keys repository (SECKEYRPS)

Specifies the directory to search for DNSSEC keys.

*DFT
Directory /QIBM/UserData/OS400/DNS/_DYN will be searched for the specified key files.
path-name
Specify the path for the directory that contains the key files.

Domain lookaside validation (DLV)

Specifies whether to generate a domain lookaside validation (DLV) set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.

Note: The DLV service is an alternative method by which a chain of trust may be created and verified without the need to sign the parent zone data file. The service makes use of a DLV RR, which is not currently defined by an RFC; its status is therefore experimental, but it is fully supported by the current versions of BIND. If you wish to participate in ISC's DLV registry, visit https://support.isc.org or email them at support@isc.org.

*NONE
Do not specify a DLV domain name.
character-value
Specify a valid DLV domain name.

Start time for RRSIG records (STRTIME)

Specifies the date and time when the generated RRSIG records become valid. An absolute start time is given as a number in YYYYMMDDHHMMSS notation (UTC); 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.

*DFT
The default value is the current time minus 1 hour.
yyyymmddhhmmss
Specify a valid absolute time.

End time for RRSIG records (ENDTIME)

Specifies the date and time when the generated RRSIG records expire. As with STRTIME, an absolute time is given in YYYYMMDDHHMMSS notation (UTC).

*DFT
Thirty days from the value specified for the Start time for RRSIG records (STRTIME) parameter will be the end time.
yyyymmddhhmmss
Specify a valid absolute time.

Signed zone output file (OUTSIGF)

Specifies the file to contain the signed zone. The default is to append '.signed' to the input file specified for the Zone file (ZONEDTAF) parameter.

*DFT
The output file will be the input file appended with the string '.signed'.
path-name
Specify the path name of the stream file to which the signed zone should be written.

Cycle interval (CYCLEITV)

Specifies, when a previously signed zone is passed as input, the interval of time before records may be re-signed. The cycle interval is specified as an offset from the current time (in seconds). If an RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.

The default cycle interval is one quarter of the difference between the signature end and start times. If neither the ENDTIME nor the STRTIME parameter is specified, this utility generates signatures that are valid for 30 days, with a cycle interval of 7.5 days (648000 seconds). Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they are replaced (a new one is generated by re-signing).

*DFT
The cycle interval is one quarter of the difference between the signature start and end times.
integer
Specify an offset from the current time in seconds. For example, CYCLEITV(3600) is an offset of 1 hour.

Input format (INFMT)

Specifies the format of the input zone data file. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non-text format containing updates can be signed directly.

Note: The use of this option does not make much sense for non-dynamic zones.

*TEXT
Human-readable text format.
*RAW
Binary file format.

Jitter window (JITTER)

Specifies whether or not to randomize the signature expiration time when signing a zone with a fixed signature lifetime, so that all RRSIG records issued at the time of signing do not expire at exactly the same time. If the zone is incrementally signed, i.e. a previously signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time. The jitter option specifies a jitter window that is used to randomize the signature expiration time, thus spreading incremental signature regeneration over time.

Signature lifetime jitter also benefits validators and servers to some extent by spreading out cache expiration: if large numbers of RRSIGs do not expire from all caches at the same time, there is less congestion than if all validators need to refetch at mostly the same time.

*NONE
Do not use a jitter window.
integer
Specify the number of seconds to use as the jitter window.
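The STRTIME, ENDTIME, CYCLEITV and JITTER rules above together form a small timing policy. The Python below is an added worked example, not code from the command or from BIND: it applies the documented defaults (start = now minus 1 hour, end = start plus 30 days, cycle interval = one quarter of the validity period), decides which existing RRSIGs are "expiring soon" and must be replaced, and applies a jitter window. The RRSIG expirations are constructed inputs, and subtracting the jitter from the end time is this example's assumption about how the randomization is applied (the page only says the expiration is randomized).

```python
import random
from datetime import datetime, timedelta, timezone


def parse_sigtime(value):
    """Parse the command's YYYYMMDDHHMMSS notation (UTC) into an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def signature_window(now, strtime=None, endtime=None):
    """Resolve STRTIME/ENDTIME with the documented defaults:
    start = now - 1 hour, end = start + 30 days."""
    start = parse_sigtime(strtime) if strtime else now - timedelta(hours=1)
    end = parse_sigtime(endtime) if endtime else start + timedelta(days=30)
    if end <= start:
        raise ValueError("ENDTIME must be later than STRTIME")
    return start, end


def default_cycle_interval(start, end):
    """CYCLEITV(*DFT): one quarter of the validity period, in whole seconds."""
    return int((end - start).total_seconds()) // 4


def needs_resign(rrsig_expiration, now, cycle_interval):
    """An RRSIG expiring within the cycle interval is 'expiring soon' and is replaced;
    one that expires later is retained."""
    return rrsig_expiration <= now + timedelta(seconds=cycle_interval)


def plan_resign(existing_rrsigs, now, cycle_interval):
    """existing_rrsigs: {record name: RRSIG expiration}. Returns the sorted names to re-sign."""
    return sorted(n for n, exp in existing_rrsigs.items() if needs_resign(exp, now, cycle_interval))


def jittered_expiration(end, jitter, seed=None):
    """JITTER(n): stagger expirations by moving each one up to n seconds earlier.
    (Subtracting from the end time is this example's assumption.)"""
    if not jitter:
        return end
    rng = random.Random(seed)
    return end - timedelta(seconds=rng.randint(0, jitter))


if __name__ == "__main__":
    now = parse_sigtime("20000530144500")        # the page's example date
    start, end = signature_window(now)
    cycle = default_cycle_interval(start, end)     # 648000 seconds = 7.5 days
    # Constructed RRSIG expirations for a previously signed zone.
    rrsigs = {
        "www.example.com.": parse_sigtime("20000606000000"),   # about 6.4 days away: replaced
        "mail.example.com.": parse_sigtime("20000610000000"),  # about 10.4 days away: retained
    }
    print("cycle interval:", cycle)
    print("re-sign:", plan_resign(rrsigs, now, cycle))
    print("jittered end:", jittered_expiration(end, 3600, seed=1))
```

The default start time of one hour in the past exists to absorb clock skew between the signer and validators; if you set STRTIME explicitly, keep that margin, otherwise freshly published signatures can be rejected as not yet valid.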

Threads to use (NBRTHD)

Specifies the number of threads to use.

*CPU
One thread is started for each full CPU for the system or partition where this command is run.
1-10
Specify the number of threads to use.

Use pseudo random data (PSEUDO)

Specifies whether or not to use pseudo-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.

*NO
Do not use pseudo-random data.
*YES
Use pseudo-random data.

Disable verification tests (DSBVFYTEST)

The post-sign verification test ensures that for each algorithm in use there is at least one non-revoked self-signed KSK, that all revoked KSKs are self-signed, and that all records in the zone are signed by the algorithm. Setting this parameter to *YES skips these tests.

*NO
Do not disable post sign verification tests.
*YES
Disable post sign verification tests.

Entropy source (ENTROPYSRC)

Specifies the source of entropy data to be used, which can either be the default or a stream file containing entropy data to be used instead of the default. This option may be useful when the entropy source is limited.

*DFT
The default entropy file will be used. A new entropy file is generated each time the command is invoked. The size of the default entropy file is 4096 bytes.
path-name
Specify the path for a stream file which contains entropy.

Smart signing (SMARTSIGN)

Specifies whether ADDDNSSIG searches the key repository for keys that match the zone being signed and includes them in the zone if appropriate.

When a key is found, its timing metadata is examined to determine how it should be used, according to the following rules. Each successive rule takes priority over the prior ones:

If no timing metadata has been set for the key, the key is published in the zone and used to sign the zone.

If the key's publication date is set and is in the past, the key is published in the zone.

If the key's activation date is set and in the past, the key is published (regardless of publication date) and used to sign the zone.

If the key's revocation date is set and in the past, and the key is published, then the key is revoked, and the revoked key is used to sign the zone.

If either of the key's un-publication or deletion dates are set and in the past, the key is NOT published or used to sign the zone, regardless of any other metadata.

*NO
Do not conduct smart signing.
*YES
Conduct smart signing.
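The five rules above form an ordered decision procedure in which each later rule overrides the earlier ones. The following Python is an added example that encodes them, not the command's own implementation; the KeyTiming and KeyDecision names, the parse_time helper and the constructed keyring entries are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def parse_time(value):
    """YYYYMMDDHHMMSS (UTC), the same notation the command uses for STRTIME/ENDTIME."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


@dataclass
class KeyTiming:
    """Timing metadata carried with a key file (None means the date is not set)."""
    publish: Optional[datetime] = None
    activate: Optional[datetime] = None
    revoke: Optional[datetime] = None
    unpublish: Optional[datetime] = None
    delete: Optional[datetime] = None

    def is_unset(self):
        return all(d is None for d in (self.publish, self.activate, self.revoke,
                                       self.unpublish, self.delete))


@dataclass(frozen=True)
class KeyDecision:
    publish: bool   # the DNSKEY record is placed in the zone
    sign: bool      # the key is used to sign the zone
    revoke: bool    # the key is published with its REVOKE flag set


def smart_sign_decision(timing, now):
    """Apply the SMARTSIGN rules in order; each later rule takes priority over the prior ones."""
    def in_past(d):
        return d is not None and d <= now

    # Rule 1: no timing metadata at all -> publish and sign.
    if timing.is_unset():
        return KeyDecision(publish=True, sign=True, revoke=False)
    publish = sign = revoke = False
    # Rule 2: publication date set and in the past -> publish.
    if in_past(timing.publish):
        publish = True
    # Rule 3: activation date set and in the past -> publish (regardless of publication date) and sign.
    if in_past(timing.activate):
        publish, sign = True, True
    # Rule 4: revocation date in the past and the key is published -> revoke; the revoked key still signs.
    if in_past(timing.revoke) and publish:
        revoke, sign = True, True
    # Rule 5: un-publication or deletion date in the past -> not published, not used, regardless of the rest.
    if in_past(timing.unpublish) or in_past(timing.delete):
        return KeyDecision(publish=False, sign=False, revoke=False)
    return KeyDecision(publish=publish, sign=sign, revoke=revoke)


def select_keys(keyring, now):
    """keyring: {key file name: KeyTiming}. Returns {name: KeyDecision} for the keys that get published."""
    decisions = {name: smart_sign_decision(t, now) for name, t in keyring.items()}
    return {name: d for name, d in decisions.items() if d.publish}


if __name__ == "__main__":
    now = parse_time("20000530144500")
    # Constructed keyring: names follow the Kname+alg+tag.key pattern but are not real keys.
    keyring = {
        "Kexample.com.+008+00001.key": KeyTiming(),
        "Kexample.com.+008+00002.key": KeyTiming(publish=parse_time("20000501000000"),
                                                activate=parse_time("20000701000000")),
        "Kexample.com.+008+00003.key": KeyTiming(activate=parse_time("20000101000000"),
                                                revoke=parse_time("20000515000000")),
        "Kexample.com.+008+00004.key": KeyTiming(activate=parse_time("20000101000000"),
                                                delete=parse_time("20000520000000")),
    }
    for name, decision in select_keys(keyring, now).items():
        print(name, decision)
```

The second key in the constructed keyring shows the pre-publication step of a rollover: it is already in the DNSKEY RRset so that caches learn it, but it does not sign anything until its activation date passes. Rule 1 is the one to watch in practice: a key file dropped into the repository with no metadata at all is immediately published and used for signing.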

Time to live (TTL)

Specifies the time to live (TTL) to be used for new DNSKEY records imported into the zone from the key repository.

If not specified, the default is the minimum TTL value from the zone's SOA record.

This option is ignored when Smart signing (SMARTSIGN) is *NO, since DNSKEY records are not imported from the key repository in that case. It is also ignored if there are any pre-existing DNSKEY records at the zone apex, in which case new records' values will be set to match them.

*DFT
The minimum TTL value from the zone's SOA record.
integer
Specify a TTL (time-to-live) value in number of seconds.

Display statistics (STATS)

Specifies whether or not to display statistics at completion.

*NO
Do not display statistics.
*YES
Display statistics.

Update NSEC/NSEC3 chain (UPDSECCHN)

Specifies whether or not to update the NSEC/NSEC3 chain when re-signing a previously signed zone. With this parameter, a zone signed with NSEC can be switched to NSEC3, or a zone signed with NSEC3 can be switched to NSEC or to NSEC3 with different parameters. Without this parameter, ADDDNSSIG retains the existing chain when re-signing.

*NO
Do not update the NSEC/NSEC3 chain.
*YES
Update NSEC/NSEC3 chain.

Debug level (DBGLVL)

Specifies the debugging level to indicate how much diagnostic (debug) information this command will generate.

0
Debugging is off.
1-10
Specify a number within the range of 1-10. The amount of debug information increases as the DBGLVL value increases. 1 equals minimum debug information. 10 equals maximum debug information.

Only sign the DNSKEY RRset (SIGNRRSET)

Specifies whether or not to only sign the DNSKEY RRset with key-signing keys, and omit signatures from zone-signing keys.

*NO
Do not only sign the DNSKEY RRset.
*YES
Only sign the DNSKEY RRset.

Ignore KSK flag on key (IGNKSKFLAG)

Specifies whether or not to ignore the key signing key (KSK) flag on a key when determining what to sign.

*NO
Do not ignore the KSK flag.
*YES
Ignore the KSK flag.

Hex encoded salt (ENCSALT)

Specifies the hex-encoded salt used to generate an NSEC3 chain.

*NONE
No salt is to be used.
character-value
The hex-encoded salt. The salt must be composed of characters from the set '0123456789ABCDEF', and its string length must be an even number, e.g. 'AB', 'ABCD'. The salt string is case insensitive.

Iterations (ITERATIONS)

Specifies the number of iterations when generating an NSEC3 chain.

10
The default number of iterations.
number
The number of iterations.
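ENCSALT and ITERATIONS are the two NSEC3 parameters the signer needs besides the hash algorithm. The Python below is an added example rather than code from the command or from BIND: it validates a salt against the ENCSALT rules (even length, hex digits of either case, *NONE for no salt) and computes the NSEC3 hashed owner name as RFC 5155 section 5 defines it (SHA-1 over name || salt, applied iterations + 1 times, encoded in base32hex). The salt value and owner names are constructed inputs; RFC 5155 Appendix A contains a reference zone using salt aabbccdd with 12 iterations against which the output can be compared.

```python
import base64
import hashlib

HEX_DIGITS = set("0123456789abcdefABCDEF")
# RFC 4648 base32 alphabet -> base32hex alphabet (the one NSEC3 owner names use).
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def validate_encsalt(value):
    """Apply the ENCSALT rules. *NONE means no salt; otherwise the string must be
    non-empty, of even length and contain only hex digits (either case). Returns salt bytes."""
    if value == "*NONE":
        return b""
    if not value or len(value) % 2 != 0 or any(c not in HEX_DIGITS for c in value):
        raise ValueError(f"ENCSALT must be an even-length hex string, got {value!r}")
    return bytes.fromhex(value)


def is_valid_encsalt(value):
    try:
        validate_encsalt(value)
        return True
    except ValueError:
        return False


def base32hex(data):
    """Base32hex without padding; a 20-byte SHA-1 digest encodes to exactly 32 characters."""
    return base64.b32encode(data).translate(_B32_TO_B32HEX).decode("ascii").rstrip("=").lower()


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt);
    the hashed owner label is base32hex(IH(iterations)). H is SHA-1 (hash algorithm 1)."""
    if not 0 <= iterations <= 0xFFFF:
        raise ValueError("iterations is a 16-bit unsigned integer")
    digest = owner_wire(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_owner(name, zone, salt, iterations):
    """Hashed owner name as it appears in the signed zone: <hash>.<zone>."""
    return f"{nsec3_hash(name, salt, iterations)}.{zone.lower().rstrip('.')}."


if __name__ == "__main__":
    salt = validate_encsalt("aabbccdd")
    print(nsec3_owner("example", "example", salt, 12))
    # The command's defaults: 10 iterations, no salt.
    print(nsec3_owner("www.example.com", "example.com", validate_encsalt("*NONE"), 10))
```

Every extra iteration costs validators (and the signer) one more SHA-1 computation per hashed name and gives resolvers a reason to treat the zone as insecure when their iteration limit is exceeded; RFC 9276 recommends 0 iterations and an empty salt, so the command's default of 10 iterations is worth lowering explicitly with ITERATIONS(0).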

Output file (TOSTMF)

Specifies the name of a stream file where all command output is written.

*STDOUT
All command output goes to the standard output device (normally the display).
path-name
Specify the path name for a stream file where output should be written.

Examples

ADDDNSSIG ZONEDTAF('/QIBM/UserData/OS400/DNS/NS/example.com.db')
            ZONEKEYS('Kexample.com.+005+48876.key')
            KSK('Kexample.com.+005+05926.key')
            ORIGIN('example.com.')

This command signs the zone data file '/QIBM/UserData/OS400/DNS/NS/example.com.db' with the ZSK file 'Kexample.com.+005+48876.key' and the KSK file 'Kexample.com.+005+05926.key'. It looks for the key files in the '/QIBM/UserData/OS400/DNS/_DYN' directory. The following files are generated:

/QIBM/UserData/OS400/DNS/_DYN/dsset-example.com.
/QIBM/UserData/OS400/DNS/_DYN/keyset-example.com.
    (keyset file will be generated only in compatibility mode)
/QIBM/UserData/OS400/DNS/NS/example.com.db.signed

Then, to continue deploying DNSSEC, you need to update the server configuration file (for example, named.conf) from:

zone "EXAMPLE.COM" {
    type master;
    file "example.com.db";
};

to

zone "EXAMPLE.COM" {
    type master;
    file "example.com.db.signed";
};

Finally, reload the zone for the change to take effect.

When the signatures in your zone are due to expire, you will have to re-sign your zone:

COPY OBJ('/QIBM/UserData/OS400/DNS/NS/example.com.db.signed')
TOOBJ('/QIBM/UserData/OS400/DNS/NS/example.com.db')
ADDDNSSIG ZONEDTAF('/QIBM/UserData/OS400/DNS/NS/example.com.db')
            ZONEKEYS('Kexample.com.+005+48876.key')
            ORIGIN('example.com.')

This example re-signs a previously signed zone with default parameters.

Note: If you want to manually add new resource records to the signed zone file, do so before re-signing the zone.

Error messages

*ESCAPE Messages

DNS0013
Error processing command parameters.
DNS0065
Option 33 of i5/OS is required, but is not installed.
TCP7124
Program &1 in library &2 type *PGM ended abnormally.