dnssec-signkey.1 (2010 09)
dnssec-signkey(1) dnssec-signkey(1)
NAME
dnssec-signkey - DNSSEC keyset signing tool
SYNOPSIS
dnssec-signkey [-a] [-c class] [-e end-time] [-h] [-p] [-r randomdev] [-s start-time] [-v level] keyset keyfile ...
DESCRIPTION
dnssec-signkey is used to sign a key set for a child zone. Typically the key set is provided by a .keyset file generated by the dnssec-makekeyset utility. This provides a mechanism for a DNSSEC-aware zone to sign the keys of any DNSSEC-aware child zones: the child zone's key set is signed with the zone keys of its parent zone.

keyset is the pathname of the child zone's .keyset file.

Each keyfile argument is a key identification string as reported by dnssec-keygen for the parent zone. This allows the child's keys to be signed by more than one parent zone key.
Options
-a  This option verifies all generated signatures.

-c class  This option specifies the DNS class of the key sets. Currently only the IN class is supported.

-e end-time  This option specifies the date and time when the generated SIG records expire. end-time is either an absolute or a relative date. The YYYYMMDDHHMMSS notation indicates an absolute date and time. When end-time is +N, the SIG records expire N seconds after their start time. When end-time is written as now+N, the SIG records expire N seconds after the current time. If no end-time is specified, 30 days from the start time is used as the default.

-h  This option makes dnssec-signkey print a summary of its command line options and arguments.

-p  This option instructs dnssec-signkey to use pseudo-random data when signing the keys. This is faster, but less secure than using genuinely random data for signing. This option may be useful when there are many child zone key sets to sign or if the entropy source is limited. It could also be used for short-lived keys and signatures that don't require as much protection against cryptanalysis, such as when the key will be discarded long before it could be compromised.

-r randomdev  This option overrides the behavior of dnssec-signkey when the system does not have a /dev/random device to supply the random numbers used to seed key generation. In that case, dnssec-signkey prompts for keyboard input and uses the time intervals between keystrokes to provide randomness. With this option, it instead uses randomdev as the source of random data.

-s start-time  This option specifies the date and time when the generated SIG records become valid. start-time can be either an absolute or a relative date. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; for example, 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is supplied when start-time is given as +N, specifying N seconds from the current time. If no start-time is specified, the current time is used.

-v level  This option makes dnssec-signkey more verbose. As the debugging/tracing level increases, dnssec-signkey generates increasingly detailed reports about what it is doing. The default level is zero.
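The start-time and end-time notation shared by -s and -e is small but easy to misread: for -e, +N counts from the start time, while now+N counts from the current time, and the default expiry is 30 days after the start, not after now. The resolver below is an added example written for this page; it is not code from the HP-UX manual or from the dnssec-signkey program. The function names, the explicit "current time" argument (passed as a YYYYMMDDHHMMSS string so results are reproducible) and the final window check are assumptions made here.

```python
"""Resolver for the -s start-time and -e end-time notation described above.
Added example for this page; not code from the manual or from dnssec-signkey.
Passing 'now' in explicitly is a choice made here so the results are stable."""
import re
from datetime import datetime, timedelta, timezone

# Notation from the manual page:
#   YYYYMMDDHHMMSS   absolute UTC date and time
#   +N               -s: N seconds after the current time
#                    -e: N seconds after the START time, not the current time
#   now+N            -e: N seconds after the current time
#   (omitted)        -s: the current time; -e: start time plus 30 days
_ABSOLUTE = re.compile(r"^\d{14}$")
_RELATIVE = re.compile(r"^\+(\d+)$")
_NOW_RELATIVE = re.compile(r"^now\+(\d+)$")
DEFAULT_VALIDITY = timedelta(days=30)
_FMT = "%Y%m%d%H%M%S"


def parse_absolute(spec: str) -> datetime:
    """Parse a YYYYMMDDHHMMSS string as UTC; the page's example 20000530144500
    is 14:45:00 UTC on 30 May 2000."""
    if not _ABSOLUTE.match(spec):
        raise ValueError(f"not a YYYYMMDDHHMMSS timestamp: {spec!r}")
    return datetime.strptime(spec, _FMT).replace(tzinfo=timezone.utc)


def format_absolute(when: datetime) -> str:
    """Render a datetime back into the page's YYYYMMDDHHMMSS notation."""
    return when.astimezone(timezone.utc).strftime(_FMT)


def parse_start_time(spec, now: datetime) -> datetime:
    """-s handling: omitted -> now; +N -> now + N seconds; otherwise absolute."""
    if spec is None:
        return now
    m = _RELATIVE.match(spec)
    if m:
        return now + timedelta(seconds=int(m.group(1)))
    return parse_absolute(spec)


def parse_end_time(spec, now: datetime, start: datetime) -> datetime:
    """-e handling: omitted -> start + 30 days; now+N -> now + N seconds;
    +N -> START + N seconds; otherwise absolute."""
    if spec is None:
        return start + DEFAULT_VALIDITY
    m = _NOW_RELATIVE.match(spec)
    if m:
        return now + timedelta(seconds=int(m.group(1)))
    m = _RELATIVE.match(spec)
    if m:
        return start + timedelta(seconds=int(m.group(1)))
    return parse_absolute(spec)


def resolve(start_spec, end_spec, now_spec: str):
    """Resolve both options against a given current time (YYYYMMDDHHMMSS) and
    return (start, end) in the same notation."""
    now = parse_absolute(now_spec)
    start = parse_start_time(start_spec, now)
    end = parse_end_time(end_spec, now, start)
    return format_absolute(start), format_absolute(end)


def window_ok(start_spec, end_spec, now_spec: str) -> bool:
    """Added sanity check (not something the tool documents): a SIG whose expiry
    is not after its inception can never validate, so refuse such a combination
    before signing.  Fixed-width digit strings compare correctly as text."""
    start, end = resolve(start_spec, end_spec, now_spec)
    return end > start


if __name__ == "__main__":
    now = "20000530120000"  # constructed 'current time' for the demonstration
    print(resolve("20000530144500", None, now))         # default: start + 30 days
    print(resolve("20000530144500", "+3600", now))      # +N counts from the START time
    print(resolve("20000530144500", "now+3600", now))   # now+N counts from the current time
    print(window_ok("20000530144500", "now+3600", now))  # False: expires before it starts
```

Running the module prints the four cases for a start time of 14:45:00 on the page's example date against a constructed "now" of 12:00:00: the -e default lands 30 days after the start, +3600 lands one hour after the start, and now+3600 lands one hour after the current time, which here is before the start and is therefore rejected by the window check.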
When dnssec-signkey completes successfully, it generates a file called nnnn.signedkey containing the signed keys for child zone nnnn. The keys from the keyset file are signed by the parent zone's key or keys that were supplied as keyfile arguments. This file should be sent to the DNS administrator of the child zone. They arrange for its contents to be incorporated into the zone file
HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1