NAME
dnssec-signkey — DNSSEC keyset signing tool
SYNOPSIS
dnssec-signkey [-a] [-c class] [-e end-time] [-h] [-p] [-r randomdev] [-s start-time] [-v level] keyset keyfile ...
DESCRIPTION
dnssec-signkey is used to sign a key set for a child zone. Typically this would be provided by a .keyset file generated by the dnssec-makekeyset utility. This provides a mechanism for a DNSSEC-aware zone to sign the keys of any DNSSEC-aware child zones. The child zone's key set gets signed with the zone keys for its parent zone.

keyset will be the pathname of the child zone's .keyset file.

Each keyfile argument will be a key identification string as reported by dnssec-keygen for the parent zone. This allows the child's keys to be signed by more than one parent zone key.
Options
- -a
  This option verifies all generated signatures.
- -c class
  This option specifies the DNS class of the key sets. Currently only the IN class is supported.
- -e end-time
  This option specifies the date and time when the generated SIG records expire. end-time represents either an absolute or relative date. The YYYYMMDDHHMMSS notation is used to indicate an absolute date and time. When end-time is +N, it indicates that the SIG records will expire N seconds after their start date. If end-time is written as now+N, the SIG records will expire N seconds after the current time. If no end-time is specified, 30 days from the start time is used as a default.
- -h
  This option makes dnssec-signkey print a summary of its command line options and arguments.
- -p
  This option instructs dnssec-signkey to use pseudo-random data when signing the keys. This is faster, but less secure than using genuinely random data for signing. This option may be useful when there are many child zone key sets to sign or if the entropy source is limited. It could also be used for short-lived keys and signatures that don't require as much protection against cryptanalysis, such as when the key will be discarded long before it could be compromised.
- -r randomdev
  This option overrides the default source of random data used by dnssec-signkey. By default, when the system does not have a /dev/random device to generate random numbers, dnssec-signkey will prompt for keyboard input and use the time intervals between keystrokes to provide randomness. With this option, it will use randomdev as the source of random data instead.
- -s start-time
  This option specifies the date and time when the generated SIG records become valid. start-time can either be an absolute or relative date. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; for example, 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is supplied when start-time is given as +N, specifying N seconds from the current time. If no start-time is specified, the current time is used.
- -v level
  This option can be used to make dnssec-signkey more verbose. As the debugging/tracing level increases, dnssec-signkey generates increasingly detailed reports about what it is doing. The default level is zero.
When dnssec-signkey completes successfully, it generates a file called nnnn.signedkey containing the signed keys for child zone nnnn. The keys from the keyset file would have been signed by the parent zone's key or keys which were supplied as keyfile arguments.

This file should be sent to the DNS administrator of the child zone. They arrange for its contents to be incorporated into the zone file when it next gets signed with dnssec-signzone. A copy of the generated signedkey file should be kept by the parent zone's DNS administrator, since it will be needed when signing the parent zone.
EXAMPLE
The DNS administrator for a DNSSEC-aware .com zone would use the following command to make dnssec-signkey sign the .keyset file for example.com created in the example shown in the man page for dnssec-makekeyset:

dnssec-signkey example.com.keyset Kcom.+003+51944

where Kcom.+003+51944 was a key file identifier that was produced when dnssec-keygen generated a key for the .com zone.

dnssec-signkey will produce a file called example.com.signedkey which has the keys for example.com signed by the com zone's zone key.