dnssec-signkey.html revision 0b062f4990db5cc6db2fe3398926f71b92a67407
<!--
 - Copyright (C) 2000, 2001 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
 - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
 - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
 - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
 - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
 - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-->
<HTML
><HEAD
><TITLE
>dnssec-signkey</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.61
"></HEAD
><BODY
CLASS="REFENTRY"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="AEN1"
><SPAN
CLASS="APPLICATION"
>dnssec-signkey</SPAN
></A
></H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9"
></A
><H2
>Name</H2
><SPAN
CLASS="APPLICATION"
>dnssec-signkey</SPAN
>&nbsp;--&nbsp;DNSSEC key set signing tool</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN13"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>dnssec-signkey</B
> [<TT
CLASS="OPTION"
>-a</TT
>] [<TT
CLASS="OPTION"
>-c <TT
CLASS="REPLACEABLE"
><I
>class</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-s <TT
CLASS="REPLACEABLE"
><I
>start-time</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-e <TT
CLASS="REPLACEABLE"
><I
>end-time</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-h</TT
>] [<TT
CLASS="OPTION"
>-p</TT
>] [<TT
CLASS="OPTION"
>-r <TT
CLASS="REPLACEABLE"
><I
>randomdev</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-v <TT
CLASS="REPLACEABLE"
><I
>level</I
></TT
></TT
>] {keyset} {key...}</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN39"
></A
><H2
>DESCRIPTION</H2
><P
> <B
CLASS="COMMAND"
>dnssec-signkey</B
> signs a keyset. Typically
 the keyset will be for a child zone, and will have been generated
 by <B
CLASS="COMMAND"
>dnssec-makekeyset</B
>. The child zone's keyset
 is signed with the zone keys for its parent zone. The output file
 is of the form <TT
CLASS="FILENAME"
>signedkey-nnnn.</TT
>, where
 <TT
CLASS="FILENAME"
>nnnn</TT
> is the zone name.
 </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN46"
></A
><H2
>OPTIONS</H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>-a</DT
><DD
><P
> Verify all generated signatures.
 </P
></DD
><DT
>-c <TT
CLASS="REPLACEABLE"
><I
>class</I
></TT
></DT
><DD
><P
> Specifies the DNS class of the key sets.
 </P
></DD
><DT
>-s <TT
CLASS="REPLACEABLE"
><I
>start-time</I
></TT
></DT
><DD
><P
> Specify the date and time when the generated SIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <TT
CLASS="OPTION"
>start-time</TT
> is specified, the current
 time is used.
 </P
></DD
><DT
>-e <TT
CLASS="REPLACEABLE"
><I
>end-time</I
></TT
></DT
><DD
><P
> Specify the date and time when the generated SIG records
 expire. As with <TT
CLASS="OPTION"
>start-time</TT
>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <TT
CLASS="OPTION"
>end-time</TT
> is
 specified, 30 days from the start time is used as a default.
 </P
></DD
><DT
>-h</DT
><DD
><P
> Prints a short summary of the options and arguments to
 <B
CLASS="COMMAND"
>dnssec-signkey</B
>.
 </P
></DD
><DT
>-p</DT
><DD
><P
> Use pseudo-random data when signing the zone. This is faster,
 but less secure, than using real random data. This option
 may be useful when signing large zones or when the entropy
 source is limited.
 </P
></DD
><DT
>-r <TT
CLASS="REPLACEABLE"
><I
>randomdev</I
></TT
></DT
><DD
><P
> Specifies the source of randomness. If the operating
 system does not provide a <TT
CLASS="FILENAME"
>/dev/random</TT
>
 or equivalent device, the default source of randomness
 is keyboard input. <TT
CLASS="FILENAME"
>randomdev</TT
> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <TT
CLASS="FILENAME"
>keyboard</TT
> indicates that keyboard
 input should be used.
 </P
></DD
><DT
>-v <TT
CLASS="REPLACEABLE"
><I
>level</I
></TT
></DT
><DD
><P
> Sets the debugging level.
 </P
></DD
><DT
>keyset</DT
><DD
><P
> The file containing the child's keyset.
 </P
></DD
><DT
>key</DT
><DD
><P
> The keys used to sign the child's keyset.
 </P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN101"
></A
><H2
>EXAMPLE</H2
><P
> The DNS administrator for a DNSSEC-aware <TT
CLASS="USERINPUT"
><B
>.com</B
></TT
>
 zone would use the following command to sign the
 <TT
CLASS="FILENAME"
>keyset</TT
> file for <TT
CLASS="USERINPUT"
><B
>example.com</B
></TT
>
 created by <B
CLASS="COMMAND"
>dnssec-makekeyset</B
> with a key generated
 by <B
CLASS="COMMAND"
>dnssec-keygen</B
>:
 </P
><P
> <TT
CLASS="USERINPUT"
><B
>dnssec-signkey keyset-example.com. Kcom.+003+51944</B
></TT
>
 </P
><P
> In this example, <B
CLASS="COMMAND"
>dnssec-signkey</B
> creates
 the file <TT
CLASS="FILENAME"
>signedkey-example.com.</TT
>, which
 contains the <TT
CLASS="USERINPUT"
><B
>example.com</B
></TT
> keys and the
 signatures by the <TT
CLASS="USERINPUT"
><B
>.com</B
></TT
> keys.
 </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN116"
></A
><H2
>SEE ALSO</H2
><P
> <SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-keygen</SPAN
>(8)</SPAN
>,
 <SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-makekeyset</SPAN
>(8)</SPAN
>,
 <SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-signzone</SPAN
>(8)</SPAN
>.
 </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN128"
></A
><H2
>AUTHOR</H2
><P
> Internet Software Consortium
 </P
></DIV
></BODY
></HTML
>
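
The -s and -e rules described under OPTIONS, as an added example that is not part of the original manual page or of BIND's code: a Python function that resolves the two argument strings into the SIG validity window. The name resolve_window, the rejection of now+N for -s (the page documents that form only for -e) and the final end-after-start check are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

DEFAULT_LIFETIME = timedelta(days=30)        # used when -e is omitted
_ABSOLUTE = re.compile(r"[0-9]{14}")         # YYYYMMDDHHMMSS
_OFFSET = re.compile(r"(now)?\+([0-9]+)")    # +N or now+N, N in seconds


def _absolute(spec):
    """Parse YYYYMMDDHHMMSS as UTC; raises ValueError on impossible dates."""
    return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def resolve_window(start_spec=None, end_spec=None, now=None):
    """Return (valid_from, expires) for the given -s / -e argument strings."""
    now = now or datetime.now(timezone.utc)

    # -s: absolute time, +N seconds from the current time, or the current time.
    if start_spec is None:
        start = now
    elif _ABSOLUTE.fullmatch(start_spec):
        start = _absolute(start_spec)
    elif (m := _OFFSET.fullmatch(start_spec)) and not m.group(1):
        start = now + timedelta(seconds=int(m.group(2)))
    else:
        raise ValueError(f"bad start-time: {start_spec!r}")

    # -e: absolute time, +N from the *start* time, now+N from the current
    # time, or 30 days after the start time when omitted.
    if end_spec is None:
        end = start + DEFAULT_LIFETIME
    elif _ABSOLUTE.fullmatch(end_spec):
        end = _absolute(end_spec)
    elif m := _OFFSET.fullmatch(end_spec):
        base = now if m.group(1) else start
        end = base + timedelta(seconds=int(m.group(2)))
    else:
        raise ValueError(f"bad end-time: {end_spec!r}")

    # Assumption of this example, not documented tool behaviour: refuse a
    # window that closes at or before it opens, since it could never validate.
    if end <= start:
        raise ValueError(f"expiry {end} is not after start {start}")
    return start, end
```

The check catches combinations such as -s +3600 with -e now+60, where mixing the two relative bases yields a signature that expires before it becomes valid.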