kzonesign - Man Page

DNSSEC signing utility


kzonesign [options] -c conf_file zone_name


This utility reads the zone's zone file, signs the zone according to given configuration, and writes the signed zone file back.


-c,  --config conf_file

Knot DNS configuration file (same as for knotd).

-o,  --outdir dir_name

Write the output zone file to the specified directory instead of the configured one.

-r,  --rollover

Allow key roll-overs and NSEC3 re-salt. In order to finish possible KSK submission, set the KSK's active timestamp to now (+0) using keymgr.

-t,  --time timestamp

Sign the zone (and roll the keys if necessary) as if it was at the time specified by timestamp.

-h,  --help

Print the program help.

-V,  --version

Print the program version.



A name of the zone to be signed.

Exit Values

Exit status of 0 means successful operation. Any other exit status indicates an error.

See Also

knot.conf(5), keymgr(8).


CZ.NIC Labs <>


2021-12-20 3.1.5 Knot DNS