dnssec-signkey.html revision c651f15b30f1dae5cc2f00878fb5da5b3a35a468
<!--
 - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<!-- $Id: dnssec-signkey.html,v 1.6 2005/04/07 03:49:56 marka Exp $ -->

<HTML
><HEAD
><TITLE
>dnssec-signkey</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.61
"></HEAD
><BODY
CLASS="REFENTRY"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="AEN1"
><SPAN
CLASS="APPLICATION"
>dnssec-signkey</SPAN
></A
></H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9"
></A
><H2
>Name</H2
><SPAN
CLASS="APPLICATION"
>dnssec-signkey</SPAN
>&nbsp;--&nbsp;DNSSEC key set signing tool</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN13"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>dnssec-signkey</B
> [<TT
CLASS="OPTION"
>-a</TT
>] [<TT
CLASS="OPTION"
>-c <TT
CLASS="REPLACEABLE"
><I
>class</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-s <TT
CLASS="REPLACEABLE"
><I
>start-time</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-e <TT
CLASS="REPLACEABLE"
><I
>end-time</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-h</TT
>] [<TT
CLASS="OPTION"
>-p</TT
>] [<TT
CLASS="OPTION"
>-r <TT
CLASS="REPLACEABLE"
><I
>randomdev</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-v <TT
CLASS="REPLACEABLE"
><I
>level</I
></TT
></TT
>] {keyset} {key...}</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN39"
></A
><H2
>DESCRIPTION</H2
><P
> <B
CLASS="COMMAND"
>dnssec-signkey</B
> signs a keyset. Typically
the keyset will be for a child zone, and will have been generated
by <B
CLASS="COMMAND"
>dnssec-makekeyset</B
>. The child zone's keyset
is signed with the zone keys for its parent zone. The output file
is of the form <TT
CLASS="FILENAME"
>signedkey-nnnn.</TT
>, where
<TT
CLASS="FILENAME"
>nnnn</TT
> is the zone name.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN46"
></A
><H2
>OPTIONS</H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>-a</DT
><DD
><P
> Verify all generated signatures.
</P
></DD
><DT
>-c <TT
CLASS="REPLACEABLE"
><I
>class</I
></TT
></DT
><DD
><P
> Specifies the DNS class of the key sets.
</P
></DD
><DT
>-s <TT
CLASS="REPLACEABLE"
><I
>start-time</I
></TT
></DT
><DD
><P
> Specify the date and time when the generated SIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <TT
CLASS="OPTION"
>start-time</TT
> is specified, the current
time is used.
</P
></DD
><DT
>-e <TT
CLASS="REPLACEABLE"
><I
>end-time</I
></TT
></DT
><DD
><P
> Specify the date and time when the generated SIG records
expire. As with <TT
CLASS="OPTION"
>start-time</TT
>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <TT
CLASS="OPTION"
>end-time</TT
> is
specified, 30 days from the start time is used as a default.
</P
></DD
><DT
>-h</DT
><DD
><P
> Prints a short summary of the options and arguments to
<B
CLASS="COMMAND"
>dnssec-signkey</B
>.
</P
></DD
><DT
>-p</DT
><DD
><P
> Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
</P
></DD
><DT
>-r <TT
CLASS="REPLACEABLE"
><I
>randomdev</I
></TT
></DT
><DD
><P
> Specifies the source of randomness. If the operating
system does not provide a <TT
CLASS="FILENAME"
>/dev/random</TT
>
or equivalent device, the default source of randomness
is keyboard input. <TT
CLASS="FILENAME"
>randomdev</TT
> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<TT
CLASS="FILENAME"
>keyboard</TT
> indicates that keyboard
input should be used.
</P
></DD
><DT
>-v <TT
CLASS="REPLACEABLE"
><I
>level</I
></TT
></DT
><DD
><P
> Sets the debugging level.
</P
></DD
><DT
>keyset</DT
><DD
><P
> The file containing the child's keyset.
</P
></DD
><DT
>key</DT
><DD
><P
> The keys used to sign the child's keyset.
</P
></DD
></DL
></DIV
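><P
> The -s and -e time rules described above, worked through as an added
Python example; it is not part of BIND or of this manual page. The
function names, the end-after-start check and the policy helper are
assumptions of the example.
</P
><PRE
>
```python
from datetime import datetime, timedelta, timezone

ABS_FORMAT = "%Y%m%d%H%M%S"             # YYYYMMDDHHMMSS, taken as UTC
DEFAULT_LIFETIME = timedelta(days=30)   # used when no end-time is given


def _absolute(spec):
    """Parse an absolute YYYYMMDDHHMMSS time specification."""
    if not (len(spec) == 14 and spec.isdigit()):
        raise ValueError(f"bad time specification: {spec!r}")
    return datetime.strptime(spec, ABS_FORMAT).replace(tzinfo=timezone.utc)


def _offset(digits, spec):
    """Parse the N of a +N or now+N specification as a number of seconds."""
    if not digits.isdigit():
        raise ValueError(f"bad time specification: {spec!r}")
    return timedelta(seconds=int(digits))


def signature_window(start_spec=None, end_spec=None, now=None):
    """Return (inception, expiration) for the given -s and -e values."""
    now = now or datetime.now(timezone.utc)
    if start_spec is None:                    # no -s: current time
        start = now
    elif start_spec.startswith("+"):          # +N: N seconds from now
        start = now + _offset(start_spec[1:], start_spec)
    else:
        start = _absolute(start_spec)

    if end_spec is None:                      # no -e: 30 days after start
        end = start + DEFAULT_LIFETIME
    elif end_spec.startswith("now+"):         # now+N: relative to current time
        end = now + _offset(end_spec[4:], end_spec)
    elif end_spec.startswith("+"):            # +N: relative to the start time
        end = start + _offset(end_spec[1:], end_spec)
    else:
        end = _absolute(end_spec)

    # Added sanity check (an assumption of this example, not documented above).
    if not end > start:
        raise ValueError("signatures would expire before they become valid")
    return start, end


def exceeds_policy(start, end, max_days):
    """True when the validity period is longer than a local policy allows."""
    return end - start > timedelta(days=max_days)
```
</PRE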
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN101"
></A
><H2
>EXAMPLE</H2
><P
> The DNS administrator for a DNSSEC-aware <TT
CLASS="USERINPUT"
><B
>.com</B
></TT
>
zone would use the following command to sign the
<TT
CLASS="FILENAME"
>keyset</TT
> file for <TT
CLASS="USERINPUT"
><B
>example.com</B
></TT
>
created by <B
CLASS="COMMAND"
>dnssec-makekeyset</B
> with a key generated
by <B
CLASS="COMMAND"
>dnssec-keygen</B
>:
</P
><P
> <TT
CLASS="USERINPUT"
><B
>dnssec-signkey keyset-example.com. Kcom.+003+51944</B
></TT
>
</P
><P
> In this example, <B
CLASS="COMMAND"
>dnssec-signkey</B
> creates
the file <TT
CLASS="FILENAME"
>signedkey-example.com.</TT
>, which
contains the <TT
CLASS="USERINPUT"
><B
>example.com</B
></TT
> keys and the
signatures by the <TT
CLASS="USERINPUT"
><B
>.com</B
></TT
> keys.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN116"
></A
><H2
>SEE ALSO</H2
><P
> <SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-keygen</SPAN
>(8)</SPAN
>,
<SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-makekeyset</SPAN
>(8)</SPAN
>,
<SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-signzone</SPAN
>(8)</SPAN
>.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN128"
></A
><H2
>AUTHOR</H2
><P
> Internet Software Consortium
</P
></DIV
></BODY
></HTML
>