HP-UX Reference (11i v1 05/09) - 1 User Commands A-M (vol 1)
dnssec-signkey(1) dnssec-signkey(1)
NAME
dnssec-signkey - DNSSEC keyset signing tool
SYNOPSIS
dnssec-signkey [-h] [-p] [-r randomdev] [-v level] keyset keyfile ...
DESCRIPTION
dnssec-signkey is used to sign a key set for a child zone. Typically the key set is provided as a
.keyset file generated by the dnssec-makekeyset utility. This provides a mechanism for a
DNSSEC-aware zone to sign the keys of any DNSSEC-aware child zones: the child zone's key set is
signed with the zone keys of its parent zone.

keyset is the pathname of the child zone's .keyset file.

Each keyfile argument is a key identification string, as reported by dnssec-keygen, for a key of
the parent zone. More than one keyfile may be given, so the child's keys can be signed by more
than one parent zone key.
Options
-h           Print a summary of the command line options and arguments.

-p           Use pseudo-random data when signing the keys. This is faster, but less secure than
             using genuinely random data. The option may be useful when there are many child
             zone key sets to sign or when the entropy source is limited, or for short-lived
             keys and signatures that do not require as much protection against cryptanalysis,
             such as when the key will be discarded long before it could be compromised. Note
             that a DSA (algorithm 3) signature consumes a fresh random value for every
             signature, and a predictable value exposes the signing key itself, so weak
             randomness here puts the parent zone's key at risk, not just the signatures.

-r randomdev Specify the source of randomness used for signing. By default dnssec-signkey reads
             /dev/random; on a system without that device it prompts for keyboard input and
             uses the time intervals between keystrokes as its source of randomness. With this
             option it reads random data from randomdev instead.

-v level     Make dnssec-signkey more verbose. As the debugging/tracing level increases,
             dnssec-signkey generates increasingly detailed reports about what it is doing. The
             default level is zero.
When dnssec-signkey completes successfully, it generates a file called nnnn.signedkey containing
the signed keys for child zone nnnn. The keys from the keyset file are signed by the parent zone's
key or keys supplied as keyfile arguments. This file should be sent to the DNS administrator of
the child zone, who arranges for its contents to be incorporated into the child zone file when it
is next signed with dnssec-signzone. A copy of the generated signedkey file should also be kept
by the parent zone's DNS administrator, since it will be needed when signing the parent zone.
EXAMPLE
The DNS administrator for a DNSSEC-aware .com zone would use the following command to make
dnssec-signkey sign the .keyset file for example.com created in the example shown in the man
page for dnssec-makekeyset:

     dnssec-signkey example.com.keyset Kcom.+003+51944

where Kcom.+003+51944 is the key file identifier that was produced when dnssec-keygen generated
a key for the .com zone. dnssec-signkey will produce a file called example.com.signedkey which
has the keys for example.com signed by the com zone's zone key.
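The following is an added example, not part of this man page or of BIND: a POSIX shell wrapper
that checks the arguments described above before invoking dnssec-signkey. It verifies that
keyset names a .keyset file, that each keyfile has the K<zone>.+<algorithm>+<key tag> form that
dnssec-keygen reports, and that every key belongs to the parent of the child zone named by the
keyset (so a Kexample.com. key is rejected for example.com.keyset, which must be signed with a
Kcom. key). The SIGNKEY and DRY_RUN variables and the function names are this example's own
conventions; with DRY_RUN=1 it only prints the command it would run, so it can be tried on a
system without the tool.

```sh
#!/bin/sh
# Added example (not part of the HP-UX man page or of BIND): argument checks
# for dnssec-signkey. SIGNKEY and DRY_RUN are this example's own conventions;
# set SIGNKEY to the tool's path, DRY_RUN=1 to print the command only.

# parse_keyid ID: accept the identifier form dnssec-keygen reports,
# K<zone>.+<3-digit algorithm>+<5-digit key tag>; print "zone alg tag".
parse_keyid() {
    case "$1" in
        K*.+[0-9][0-9][0-9]+[0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    id="${1#K}"
    zone="${id%%+*}"          # e.g. "com."
    rest="${id#*+}"           # e.g. "003+51944"
    printf '%s %s %s\n' "$zone" "${rest%%+*}" "${rest#*+}"
}

# parent_of NAME: parent of a fully qualified name
# ("example.com." -> "com.", "com." -> ".").
parent_of() {
    case "$1" in
        *.*.) printf '%s\n' "${1#*.}" ;;
        *.)   printf '.\n' ;;
        *)    return 1 ;;
    esac
}

# check_args KEYSET KEYFILE...: verify that KEYSET is a .keyset file and that
# every KEYFILE names a key of the keyset's parent zone. On success print the
# name of the file dnssec-signkey will write (<child>.signedkey).
check_args() {
    keyset="$1"
    [ $# -ge 2 ] || { echo "usage: keyset keyfile..." >&2; return 1; }
    case "$keyset" in
        *.keyset) ;;
        *) echo "not a .keyset file: $keyset" >&2; return 1 ;;
    esac
    child="${keyset##*/}"; child="${child%.keyset}."
    parent=$(parent_of "$child") || return 1
    shift
    for k in "$@"; do
        fields=$(parse_keyid "$k") || { echo "bad key id: $k" >&2; return 1; }
        [ "${fields%% *}" = "$parent" ] ||
            { echo "$k is not a key of $parent (parent of $child)" >&2; return 1; }
    done
    printf '%s\n' "${child%.}.signedkey"
}

# sign_keyset KEYSET KEYFILE...: run the checks, then invoke dnssec-signkey
# (or only print the command when DRY_RUN=1).
sign_keyset() {
    out=$(check_args "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run: %s %s\n' "${SIGNKEY:-dnssec-signkey}" "$*"
        return 0
    fi
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    "${SIGNKEY:-dnssec-signkey}" "$@" && ls -l "$out"
}

# Demonstration with the man page's constructed names; nothing is executed.
DRY_RUN=1 sign_keyset example.com.keyset Kcom.+003+51944
```

In a real run, omit DRY_RUN and pass any -p or -r options through in "$@" after the checks; the
ls at the end confirms that the expected <child>.signedkey file was actually written.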
FILES
/dev/random
SEE ALSO
dnssec-keygen(1), dnssec-makekeyset(1), dnssec-signzone(1), RFC2535.
HP-UX 11i Version 1: September 2005 − 1 − Hewlett-Packard Company Section 1−−189