ldns-signzone is used to generate a DNSSEC signed zone. When run it will create a new zonefile that contains RRSIG and NSEC resource records, as specified in RFC 4033, RFC 4034 and RFC 4035. It will add the DNSKEY(s) that is/are used to sign the zone.

Keys must be specified by their base name (i.e. without .key and .private) and both the public and private key must be present in the specified location. Multiple keys can be specified.

-e date

Set expiration date of the signatures to this date, the format can be YYYYMMDD[hhmmss], or a timestamp.

-i date

Set inception date of the signatures to this date, the format can be YYYYMMDD[hhmmss], or a timestamp.

-f file

Use this file to store the signed zone in (default <originalfile>.signed)

-o origin

Use this as the origin of the zone, if it cannot be read from the zonefile