dnssec-signkey.docbook revision dafcb997e390efa4423883dafd100c975c4095d6
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2001, 2003 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: dnssec-signkey.docbook,v 1.4 2004/03/05 04:57:41 marka Exp $ -->
<refentryinfo>
</refentryinfo>
<refentrytitle><application>dnssec-signkey</application></refentrytitle>
<refnamediv>
<refname><application>dnssec-signkey</application></refname>
<refpurpose>DNSSEC key set signing tool</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
<arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<command>dnssec-signkey</command> signs a keyset. Typically
the keyset will be for a child zone, and will have been generated
by <command>dnssec-makekeyset</command>. The child zone's keyset
is signed with the zone keys for its parent zone. The output file
is of the form <filename>signedkey-nnnn.</filename>, where
<variablelist>
<varlistentry>
Verify all generated signatures.
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
Specifies the DNS class of the key sets.
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">start-time</replaceable></term>
Specify the date and time when the generated SIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <option>start-time</option> is specified, the current
time is used.
</varlistentry>
<varlistentry>
<term>-e <replaceable class="parameter">end-time</replaceable></term>
Specify the date and time when the generated SIG records
expire. As with <option>start-time</option>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <option>end-time</option> is
specified, 30 days from the start time is used as a default.
</varlistentry>
<varlistentry>
Prints a short summary of the options and arguments to
</varlistentry>
<varlistentry>
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
Sets the debugging level.
</varlistentry>
<varlistentry>
The file containing the child's keyset.
</varlistentry>
<varlistentry>
The keys used to sign the child's keyset.
</varlistentry>
</variablelist>
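The start-time and end-time rules above, as an added example that is not part of the BIND documentation or code: it resolves the SIG inception and expiration pair the way the option descriptions specify (absolute YYYYMMDDHHMMSS in UTC, +N relative to the start time for -e but to the current time for -s, now+N relative to the current time, and a default expiration 30 days after the start). Refusing an end time at or before the start time is an added sanity check, not behaviour the page describes.

```python
"""Resolve dnssec-signkey -s/-e time specifications (added example, not BIND code)."""
import re
from datetime import datetime, timedelta, timezone

# Absolute form: YYYYMMDDHHMMSS, interpreted as UTC.
ABSOLUTE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})$")
# Relative forms: "+N" (N seconds after the base) or "now+N" (N seconds after now).
RELATIVE = re.compile(r"^(now)?\+(\d+)$")


def parse_time(spec, now=None, base=None):
    """Return an aware UTC datetime for one -s or -e argument.

    For -s the base is the current time; for -e the base is the already
    resolved start time, so "+N" counts from the start while "now+N"
    counts from the current time.
    """
    now = now or datetime.now(timezone.utc)
    base = now if base is None else base
    m = ABSOLUTE.match(spec)
    if m:
        return datetime(*(int(x) for x in m.groups()), tzinfo=timezone.utc)
    m = RELATIVE.match(spec)
    if m:
        anchor = now if m.group(1) == "now" else base
        return anchor + timedelta(seconds=int(m.group(2)))
    raise ValueError(f"unrecognised time specification: {spec!r}")


def validity_window(start_spec=None, end_spec=None, now=None):
    """Resolve (inception, expiration) for the generated SIG records."""
    now = now or datetime.now(timezone.utc)
    # Default start is the current time.
    start = now if start_spec is None else parse_time(start_spec, now)
    # Default end is 30 days after the start; "+N" for -e is relative to start.
    if end_spec is None:
        end = start + timedelta(days=30)
    else:
        end = parse_time(end_spec, now, base=start)
    if end <= start:
        # Added sanity check (assumption, not from the manual): signatures that
        # expire at or before inception are never valid and would break the
        # child's delegation once published.
        raise ValueError("end-time must be after start-time")
    return start, end
```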
The DNS administrator for a DNSSEC-aware <userinput>.com</userinput>
zone would use the following command to sign the
<filename>keyset</filename> file for <userinput>example.com</userinput>
created by <command>dnssec-makekeyset</command> with a key generated
<userinput>dnssec-signkey keyset-example.com. Kcom.+003+51944</userinput>
In this example, <command>dnssec-signkey</command> creates
the file <filename>signedkey-example.com.</filename>, which
contains the <userinput>example.com</userinput> keys and the
signatures by the <userinput>.com</userinput> keys.
<citerefentry>
</citerefentry>,
<citerefentry>
</citerefentry>,
<citerefentry>
</citerefentry>.
<corpauthor>Internet Software Consortium</corpauthor>
 - Local variables:
 - mode: sgml