opendkim-genzone man page

opendkim-genzone — DKIM public key zone file generation tool


opendkim-genzone [-C address] [-d domain] [-D] [-E secs] [-F] [-N ns[,...]] [-o file] [-r secs] [-R secs] [-S] [-t secs] [-T secs] [-u] [-v] [-x conffile] [dataset]


opendkim-genzone generates a file suitable for use with named(8) to publish a set of public keys.

The dataset parameter should specify a set of data as described in the opendkim(8) man page.  It can currently refer to flat files, Sleepycat databases, comma-separated lists, LDAP directories or SQL databases.  The dataset may be omitted if a configuration file (via the -x command line flag) is specified referring to a configuration file that sets a KeyTable parameter, in which case that value will be used.

The database contents should be formatted as described for the KeyTable parameter, described in the opendkim.conf(5) man page.


-C contact

Uses contact as the contact information to be used when an SOA record is generated (see -S below).  If not specified, the userid of the executing user and the local hostname will be used; if the executing user can't be determined, "hostmaster" will be used.

-d domain

Restricts output to those records for which the domain field is the specified domain.


Adds a "._domainkey" suffix to selector names in the zone file.

-E secs

When generating an SOA record (see -S below), use secs as the default record expiration time.  The default is 604800.


Adds a "._domainkey" suffix and the domainname to selector names in the zone file.

-N nslist

Specifies a comma-separated list of nameservers, which will be output in NS records before the TXT records.  The first nameserver in this list will also be used in the SOA record (if -S is also specified) as the authority hostname.

-o file

Sends output to the named file rather than standard output.

-r secs

When generating an SOA record (see -S below), use secs as the zone refresh time.  The default is 10800.

-R secs

When generating an SOA record (see -S below), use secs as the zone retry time.  The default is 1800.


Extends the logic of "-d" to include subdomains.


Asks for an SOA record to be generated at the top of the output.  The content of this output can be controlled using the -E, -r, -R, -T options.  The serial number will be generated based on the current time of day.

-t ttl

Puts a TTL (time-to-live) value of ttl on all records output.  The units are in seconds.

-T secs

When generating an SOA record (see -S below), use secs as the default record TTL time.  The default is 86400.


Produce output suitable for use as input to nsupdate(8).


Increases the verbosity of debugging output written to standard error.

-x conffile

Names an opendkim.conf(5) file to be read for LDAP-specific parameters when an LDAP dataset is given on the command line.  Not required for other dataset types. The default is /etc/opendkim.conf.


This man page covers the version of opendkim-genzone that shipped with version 2.11.0 of OpenDKIM.

See Also

nsupdate(8), opendkim(8), opendkim.conf(5)


The Trusted Domain Project