HP-UX Reference (11i v2 03/08) - 1 User Commands A-M (vol 1)
dnssec-signzone(1) dnssec-signzone(1)
-o origin
This option specifies the zone origin. If not specified, the name of the zone file is assumed to be the origin.

-p
This option instructs dnssec-signkey to use pseudo-random data when signing the keys. This is faster, but less secure, than using genuinely random data for signing. This option may be useful when there are many child zone key sets to sign or if the entropy source is limited. It could also be used for short-lived keys and signatures that don't require as much protection against cryptanalysis, such as when the key will be discarded long before it could be compromised.

-r randomdev
This option overrides the behaviour of dnssec-signzone to use random numbers to seed the process of signing the zone. If the system does not have a /dev/random device to generate random numbers, the dnssec-signzone program will prompt for keyboard input and use the time intervals between keystrokes to provide randomness. With this option, it will use randomdev as a source of random data.

-s start-time
This option is used to specify the date and time when the generated SIG records become valid. start-time can be either an absolute or a relative date.

An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; for example, 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.

A relative start time is supplied when start-time is given as +N, specifying N seconds from the current time.

If no -s option is supplied, the current date and time are used for the start time of the SIG records.

-t
This option is used to print the statistics at the time of completion.

-v level
This option is used to make dnssec-signzone more verbose. As the debugging/tracing level level increases, dnssec-signzone generates increasingly detailed reports about what it is doing. The default level is zero.
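As an added example (not part of the HP-UX man page), the following Python helper applies the -s rules stated above to a start-time value before dnssec-signzone is invoked: a 14-digit absolute value is interpreted as UTC, +N as N seconds after the current time, and no value as the current time. The one-day plausibility window in start_time_is_sane is an assumed local policy, not something the man page specifies; a mistyped inception time silently yields SIG records that resolvers treat as not yet valid or already expired.

```python
import re
from datetime import datetime, timedelta, timezone

# Documented -s formats: absolute YYYYMMDDHHMMSS (UTC) or relative +N seconds.
ABSOLUTE_RE = re.compile(r"^\d{14}$")
RELATIVE_RE = re.compile(r"^\+(\d+)$")

# Constructed reference instant so the relative-time behaviour is reproducible.
SAMPLE_NOW = datetime(2000, 5, 30, 12, 0, 0, tzinfo=timezone.utc)


def resolve_start_time(value, now=None):
    """Return the SIG inception instant as an aware UTC datetime.

    value: the -s argument, or None when -s was not given.
    now:   reference instant for relative values; defaults to the real clock.
    Raises ValueError for input outside the two documented formats, or for
    an absolute value that is not a real calendar date (e.g. month 13).
    """
    if now is None:
        now = datetime.now(timezone.utc)
    if value is None:
        return now                      # no -s: current date and time
    if ABSOLUTE_RE.match(value):
        # strptime rejects impossible dates such as 20000230... for us.
        parsed = datetime.strptime(value, "%Y%m%d%H%M%S")
        return parsed.replace(tzinfo=timezone.utc)
    match = RELATIVE_RE.match(value)
    if match:
        return now + timedelta(seconds=int(match.group(1)))
    raise ValueError(f"start-time {value!r} is neither YYYYMMDDHHMMSS nor +N")


def start_time_is_sane(value, now=None, window=timedelta(days=1)):
    """Assumed operational check (not from the man page): an inception time
    more than `window` away from now usually means a transposed digit in -s."""
    reference = now if now is not None else datetime.now(timezone.utc)
    start = resolve_start_time(value, reference)
    return reference - window <= start <= reference + window
```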
EXAMPLE
The example below shows how dnssec-signzone could be used to sign the example.com zone with the key that was generated in the example given in the man page for dnssec-keygen. The zone file for this zone is example.com, which is the same as the origin, so there is no need to use the -o option to set the origin. This zone file contains the key set for example.com that was created by dnssec-makekeyset. The zone's keys are either appended to the zone file or incorporated using a $INCLUDE statement. If there is a .signedkey file from the parent zone (i.e., example.com.signedkey), it should be present in the current directory. This allows the parent zone's signature to be included in the signed version of the example.com zone.

dnssec-signzone example.com Kexample.com.+003+26160

dnssec-signzone will create a file called example.com.signed, the signed version of the example.com zone. This file can then be referenced in a zone{} statement in /etc/named.conf so that it can be loaded by the name server.
FILES
/dev/random
SEE ALSO
dnssec-keygen(1), dnssec-makekeyset(1), dnssec-signkey(1), RFC2535.
Section 1−−190 Hewlett-Packard Company − 2 − HP-UX 11i Version 2: August 2003