dnssec-signkey(8) [redhat man page]

DNSSEC-SIGNKEY(8)														 DNSSEC-SIGNKEY(8)

NAME
       dnssec-signkey - DNSSEC key set signing tool

SYNOPSIS
       dnssec-signkey [ -a ] [ -c class ] [ -s start-time ] [ -e end-time ] [ -h ] [ -p ] [ -r randomdev ] [ -v level ] keyset key...

DESCRIPTION
       dnssec-signkey signs a keyset. Typically the keyset will be for a child zone, and will have been generated by dnssec-makekeyset. The child zone's keyset is signed with the zone keys for its parent zone. The output file is of the form signedkey-nnnn., where nnnn is the zone name.

OPTIONS
       -a     Verify all generated signatures.

       -c class
              Specifies the DNS class of the key sets.

       -s start-time
              Specify the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no start-time is specified, the current time is used.

       -e end-time
              Specify the date and time when the generated SIG records expire. As with start-time, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no end-time is specified, 30 days from the start time is used as a default.

       -h     Prints a short summary of the options and arguments to dnssec-signkey.

       -p     Use pseudo-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.

       -r randomdev
              Specifies the source of randomness. If the operating system does not provide a /dev/random or equivalent device, the default source of randomness is keyboard input. randomdev specifies the name of a character device or file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.

       -v level
              Sets the debugging level.

       keyset The file containing the child's keyset.

       key    The keys used to sign the child's keyset.

EXAMPLE
       The DNS administrator for a DNSSEC-aware .com zone would use the following command to sign the keyset file for example.com created by dnssec-makekeyset with a key generated by dnssec-keygen:

              dnssec-signkey keyset-example.com. Kcom.+003+51944

       In this example, dnssec-signkey creates the file signedkey-example.com., which contains the example.com keys and the signatures by the .com keys.

SEE ALSO
       dnssec-keygen(8), dnssec-makekeyset(8), dnssec-signzone(8).

AUTHOR
       Internet Software Consortium

BIND9                                                            June 30, 2000                                                DNSSEC-SIGNKEY(8)

DNSSEC-MAKEKEYSET(8)													      DNSSEC-MAKEKEYSET(8)

NAME
       dnssec-makekeyset - DNSSEC zone signing tool

SYNOPSIS
       dnssec-makekeyset [ -a ] [ -s start-time ] [ -e end-time ] [ -h ] [ -p ] [ -r randomdev ] [ -t ttl ] [ -v level ] key...

DESCRIPTION
       dnssec-makekeyset generates a key set from one or more keys created by dnssec-keygen. It creates a file containing a KEY record for each key, and self-signs the key set with each zone key. The output file is of the form keyset-nnnn., where nnnn is the zone name.

OPTIONS
       -a     Verify all generated signatures.

       -s start-time
              Specify the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no start-time is specified, the current time is used.

       -e end-time
              Specify the date and time when the generated SIG records expire. As with start-time, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no end-time is specified, 30 days from the start time is used as a default.

       -h     Prints a short summary of the options and arguments to dnssec-makekeyset.

       -p     Use pseudo-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.

       -r randomdev
              Specifies the source of randomness. If the operating system does not provide a /dev/random or equivalent device, the default source of randomness is keyboard input. randomdev specifies the name of a character device or file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.

       -t ttl Specify the TTL (time to live) of the KEY and SIG records. The default is 3600 seconds.

       -v level
              Sets the debugging level.

       key    The list of keys to be included in the keyset file. These keys are expressed in the form Knnnn.+aaa+iiiii as generated by dnssec-keygen.

EXAMPLE
       The following command generates a keyset containing the DSA key for example.com generated in the dnssec-keygen man page.

              dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160

       In this example, dnssec-makekeyset creates the file keyset-example.com.. This file contains the specified key and a self-generated signature. The DNS administrator for example.com could send keyset-example.com. to the DNS administrator for .com for signing, if the .com zone is DNSSEC-aware and the administrators of the two zones have some mechanism for authenticating each other and exchanging the keys and signatures securely.

SEE ALSO
       dnssec-keygen(8), dnssec-signkey(8), BIND 9 Administrator Reference Manual, RFC 2535.

AUTHOR
       Internet Software Consortium

BIND9                                                            June 30, 2000                                             DNSSEC-MAKEKEYSET(8)
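The -s and -e rules shared by dnssec-signkey and dnssec-makekeyset (absolute YYYYMMDDHHMMSS, +N, now+N, and the 30-day default) can be checked before signing by resolving both options to a concrete validity window. The script below is an added example, not part of BIND or of the original man pages; the function names abs_to_epoch and resolve_window and the fixed "current time" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not BIND code): resolve -s/-e time specs to epoch seconds, UTC.

# abs_to_epoch YYYYMMDDHHMMSS -> seconds since 1970-01-01 00:00:00 UTC
abs_to_epoch() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -eq 14 ] || return 1
    y=$(printf %s "$1" | cut -c1-4);    mo=$(printf %s "$1" | cut -c5-6)
    d=$(printf %s "$1" | cut -c7-8);    h=$(printf %s "$1" | cut -c9-10)
    mi=$(printf %s "$1" | cut -c11-12); s=$(printf %s "$1" | cut -c13-14)
    # Drop one leading zero so "08" and "09" are not read as bad octal.
    mo=${mo#0}; d=${d#0}; h=${h#0}; mi=${mi#0}; s=${s#0}
    if [ "$mo" -lt 1 ] || [ "$mo" -gt 12 ] || [ "$d" -lt 1 ] || [ "$d" -gt 31 ]; then
        return 1
    fi
    # Day count from a March-based year (Gregorian calendar), then seconds.
    if [ "$mo" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400)); mp=$(( (mo + 9) % 12 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    days=$(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
    echo $(( days * 86400 + h * 3600 + mi * 60 + s ))
}

# resolve_window START END NOW -> prints "start_epoch end_epoch"
#   START: absolute | +N (from NOW)   | "" (NOW)
#   END:   absolute | +N (from start) | now+N (from NOW) | "" (start + 30 days)
resolve_window() {
    now=$3
    case $1 in
        '')  start=$now ;;
        +*)  start=$((now + ${1#+})) ;;
        *)   start=$(abs_to_epoch "$1") || return 1 ;;
    esac
    case $2 in
        '')     end=$((start + 30 * 86400)) ;;
        now+*)  end=$((now + ${2#now+})) ;;
        +*)     end=$((start + ${2#+})) ;;
        *)      end=$(abs_to_epoch "$2") || return 1 ;;
    esac
    # An inverted or empty window leaves the SIG records with no valid period.
    [ "$end" -gt "$start" ] || return 2
    echo "$start $end"
}

# Constructed "current time": 2000-05-30 14:45:00 UTC, the page's sample timestamp.
NOW=$(abs_to_epoch 20000530144500)
# The -s/-e pair from the dnssec-makekeyset example on this page.
resolve_window 20000701120000 +2592000 "$NOW"
```

A return status of 1 means a malformed absolute time and 2 means the end time does not fall after the start time.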