dnssec-signkey.8 revision 40f53fa8d9c6a4fc38c0014495e7a42b08f52481
Copyright (C) 2000 Internet Software Consortium.

Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

$Id: dnssec-signkey.8,v 1.9 2000/08/01 01:18:51 tale Exp $

.Dd Jun 30, 2000
.Dt DNSSEC-SIGNKEY 8
.Os BIND9 9
.Sh NAME
.Nm dnssec-signkey
.Nd DNSSEC keyset signing tool
.Sh SYNOPSIS
.Nm dnssec-signkey
.Op Fl h
.Op Fl p
.Op Fl r Ar randomdev
.Op Fl v Ar level
.Ar keyset
.Ar keyfile ...
.Sh DESCRIPTION
.Nm dnssec-signkey
is used to sign a key set for a child zone.
Typically this would be provided by a
.Ar keyset
file generated by
.Xr dnssec-makekeyset 8 .
This provides a mechanism for a DNSSEC-aware zone to sign the keys of
any DNSSEC-aware child zones.
The child zone's key set gets signed with the zone keys for its parent zone.
.Ar keyset
will be the pathname of the child zone's
.Ar keyset
file.
Each
.Ar keyfile
argument will be a key identification string as reported by
.Xr dnssec-keygen 8
for the parent zone.
This allows the child's keys to be signed by more than one parent zone key.
.Pp
The
.Fl h
option makes
.Nm dnssec-signkey
print a short summary of its command line options and arguments.
.Pp
.Nm dnssec-signkey
may need random numbers in the process of generating keys.
If the system does not have a
.Pa /dev/random
device that can be used for generating random numbers,
.Nm dnssec-signkey
will prompt for keyboard input and use the time intervals between
keystrokes to provide randomness.
The
.Fl r
option overrides this behaviour, making
.Nm dnssec-signkey
use
.Ar randomdev
as a source of random data.
.Pp
The
.Fl p
option instructs
.Nm dnssec-signkey
to use pseudo-random data when signing the keys.
This is faster, but less secure, than using genuinely random data for signing.
This option may be useful when there are many child zone keysets to sign
or if the entropy source is limited.
It could also be used for short-lived keys and signatures that don't
require as much protection against cryptanalysis, such as when the key
will be discarded long before it could be compromised.
.Pp
The
.Fl v
option can be used to make
.Nm dnssec-signkey
more verbose.
As the debugging/tracing level
.Ar level
increases,
.Nm dnssec-signkey
generates increasingly detailed reports about what it is doing.
The default level is zero.
.Pp
When
.Nm dnssec-signkey
completes successfully, it generates a file called
.Ar signedkey-nnnn.
containing the signed keys for child zone
.Ar nnnn .
The keys from the
.Ar keyset
file will have been signed by the parent zone's key or keys which were
supplied as
.Ar keyfile
arguments.
This file should be sent to the DNS administrator of the child zone.
They arrange for its contents to be incorporated into the zone file
when it next gets signed with
.Xr dnssec-signzone 8 .
A copy of the generated
.Ar signedkey
file should be kept by the parent zone's DNS administrator, since it
will be needed when signing the parent zone.
.Sh EXAMPLE
The DNS administrator for a DNSSEC-aware
.Dv .com
zone would use the following command to make
.Nm dnssec-signkey
sign the
.Ar keyset
file for
.Dv example.com
created in the example shown in the man page for
.Xr dnssec-makekeyset 8 :
.Pp
.Dl # dnssec-signkey keyset-example.com. Kcom.+003+51944
.Pp
where
.Dv Kcom.+003+51944
was a key file identifier that was produced when
.Xr dnssec-keygen 8
generated a key for the
.Dv .com
zone.
.Pp
.Nm dnssec-signkey
will produce a file called
.Dv signedkey-example.com.
which has the keys for
.Dv example.com
signed by the
.Dv com
zone's zone key.
.Sh FILES
.Pa /dev/random
.Sh SEE ALSO
.Xr RFC2535 ,
.Xr dnssec-keygen 8 ,
.Xr dnssec-makekeyset 8 ,
.Xr dnssec-signzone 8 .
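As an added example, not part of BIND or of this manual page: a check the child zone's administrator can run on a received signedkey-example.com. file before folding it into the zone, confirming that the file carries the child's KEY records and that each SIG covers KEY and was made by one of the parent key identifiers (such as Kcom.+003+51944) passed to dnssec-signkey. It assumes the file is in the RFC 2535 zone-file presentation (owner, TTL, class, type, rdata); the sample file below is constructed, with placeholder key and signature data.

```python
import re

# Constructed sample of a signedkey-example.com. file (BIND 9.0 era): the child's KEY
# RRset followed by a SIG(KEY) made with the parent key. Key and signature data are placeholders.
SAMPLE_SIGNEDKEY = """\
example.com. 3600 IN KEY 256 3 3 AQPlaceholderChildZoneKeyData==
example.com. 3600 IN SIG KEY 3 2 3600 20000830000000 20000731000000 51944 com. PlaceholderSig==
"""
# dnssec-keygen identifiers look like K<zone>+<algorithm>+<key tag>, e.g. Kcom.+003+51944
KEYFILE_RE = re.compile(r"^K(?P<zone>[^+]+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")


def parse_keyfile_id(keyfile):
    """Split Kcom.+003+51944 into ('com.', 3, 51944)."""
    m = KEYFILE_RE.match(keyfile)
    if m is None:
        raise ValueError(f"not a dnssec-keygen key identifier: {keyfile}")
    return m.group("zone"), int(m.group("alg")), int(m.group("tag"))


def check_signedkey(text, child_zone, parent_keyfiles):
    """Return problems found; [] means the child's KEY RRset has a SIG(KEY) from a listed parent key."""
    expected = {parse_keyfile_id(k) for k in parent_keyfiles}
    problems, keys, good_sigs = [], 0, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        f = line.split()
        if not f or f[0].startswith(";"):
            continue  # blank line or zone-file comment
        if len(f) < 5 or f[2] != "IN":
            problems.append(f"line {lineno}: not an 'owner ttl IN type rdata' record")
            continue
        owner, rtype, rdata = f[0], f[3], f[4:]
        if owner != child_zone:
            problems.append(f"line {lineno}: record for {owner}, expected {child_zone}")
        elif rtype == "KEY":
            keys += 1
        elif rtype == "SIG":
            # SIG rdata order: type covered, alg, labels, orig TTL, expiration, inception, key tag, signer, sig
            if len(rdata) < 9 or rdata[0] != "KEY":
                problems.append(f"line {lineno}: SIG does not cover KEY")
                continue
            signer = (rdata[7], int(rdata[1]), int(rdata[6]))
            if signer in expected:
                good_sigs += 1
            else:
                problems.append(f"line {lineno}: SIG by {signer} is not from a listed parent key")
    if keys == 0:
        problems.append("no KEY records for the child zone")
    if good_sigs == 0:
        problems.append("no SIG(KEY) from the listed parent keys")
    return problems
```

This only checks that the signer name, algorithm and key tag agree with the parent's key identifiers; cryptographic validation of the signature itself is left to the resolver or to dnssec-signzone.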