Caution: This version of this document is no longer maintained. For the latest documentation, see


DNSSEC zone-signing tool


dnssec-signzone [-a] [-c class] [-d directory] [-e end-time]
                [-f output-file] [-g] [-h] [-k key] [-l domain]
                [-i interval] [-I input-format] [-j jitter]
                [-N soa-serial-format] [-o origin]
                [-O output-format] [-p] [-r randomdev]
                [-s start-time] [-t] [-v level]
                [-z] {zonefile} [key...]

Runs on:



See in the NetBSD documentation.


The dnssec-signzone utility signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a keyset file for each child zone. For more information, see in the NetBSD documentation.

See also:

dnssec-keygen in the NetBSD documentation