ldns-signzone --version (return code: 0)
ldns-signzone: invalid option -- '-'
ldns-signzone [OPTIONS] zonefile key [key [key]]
  signs the zone with the given key(s)
  -b              use layout in signed zone and print comments DNSSEC records
  -d              used keys are not added to the zone
  -e <date>       expiration date
  -f <file>       output zone to file (default <name>.signed)
  -i <date>       inception date
  -o <domain>     origin for the zone
  -v              print version and exit
  -A              sign DNSKEY with all keys instead of minimal
  -E <name>       use <name> as the crypto engine for signing
                  This can have a lot of extra options, see the manual page for more info
  -k <id>,<int>   use key id with algorithm int from engine
  -K <id>,<int>   use key id with algorithm int from engine as KSK
                  if no key is given (but an external one is used through the engine support, it might be necessary to provide the right algorithm number.
  -n              use NSEC3 instead of NSEC.
                  If you use NSEC3, you can specify the following extra options:
                  -a [algorithm] hashing algorithm
                  -t [number] number of hash iterations
                  -s [string] salt
                  -p set the opt-out flag on all nsec3 rrs

  keys must be specified by their base name (usually K<name>+<alg>+<id>),
  i.e. WITHOUT the .private extension.
  If the public part of the key is not present in the zone, the DNSKEY RR
  will be read from the file called <base name>.key. If that does not exist,
  a default DNSKEY will be generated from the private key and added to the zone.

  A date can be a timestamp (seconds since the epoch), or of
  the form <YYYYMMdd[hhmmss]>
ldns-signzone --help (return code: 0)
ldns-signzone: invalid option -- '-'
ldns-signzone [OPTIONS] zonefile key [key [key]]
  signs the zone with the given key(s)
  -b              use layout in signed zone and print comments DNSSEC records
  -d              used keys are not added to the zone
  -e <date>       expiration date
  -f <file>       output zone to file (default <name>.signed)
  -i <date>       inception date
  -o <domain>     origin for the zone
  -v              print version and exit
  -A              sign DNSKEY with all keys instead of minimal
  -E <name>       use <name> as the crypto engine for signing
                  This can have a lot of extra options, see the manual page for more info
  -k <id>,<int>   use key id with algorithm int from engine
  -K <id>,<int>   use key id with algorithm int from engine as KSK
                  if no key is given (but an external one is used through the engine support, it might be necessary to provide the right algorithm number.
  -n              use NSEC3 instead of NSEC.
                  If you use NSEC3, you can specify the following extra options:
                  -a [algorithm] hashing algorithm
                  -t [number] number of hash iterations
                  -s [string] salt
                  -p set the opt-out flag on all nsec3 rrs

  keys must be specified by their base name (usually K<name>+<alg>+<id>),
  i.e. WITHOUT the .private extension.
  If the public part of the key is not present in the zone, the DNSKEY RR
  will be read from the file called <base name>.key. If that does not exist,
  a default DNSKEY will be generated from the private key and added to the zone.

  A date can be a timestamp (seconds since the epoch), or of
  the form <YYYYMMdd[hhmmss]>