[ldns-users] [ldns-signzone] Question on man page

Tony Finch dot at dotat.at
Tue Apr 13 15:48:46 UTC 2021

A. Schulze via ldns-users <ldns-users at lists.nlnetlabs.nl> wrote:
> Am 13.04.21 um 16:15 scrunchie François RONVAUX via ldns-users:
> > So, if the zone I want to sign with DNSSEC is "mydomain.tld", I have to use the command :
> > ldns-signzone -o tld zonefile $zsk $ksk
> no, use '-o example.org' to sign 'example.org.'

The reason for this is a general DNS thing, not specific to just DNSSEC:
an RFC 1035 DNS zone file does not have to say which zone it belongs to,
so when you tell DNS software to read a zone you have to give it both the
file name and the zone name. The -o option is called "origin" because it
sets the initial value for the standard zone file $ORIGIN directive.

(flame on)

Separating the origin from the zone file is mildly irritating for old
hands as well as confusing for those just learning the DNS.

It means you can use the same zone file for multiple domains, but I have
only ever used this hack for localhost and I wouldn't miss it if I had to
have a separate file for each zone.

(flame off)

f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
Faeroes: Southwest 3 to 5. Moderate, occasionally slight later.
Showers. Good.

More information about the ldns-users mailing list