Copyright (C) 2000 Internet Software Consortium.
Permission to use, copy, modify, and distribute this document for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
$Id: dnssec-signkey.8,v 1.1 2000/06/27 21:50:27 jim Exp $
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNKEY 8
.Os BIND9 9
.Sh NAME
.Nm dnssec-signkey
.Nd DNSSEC keyset signing tool
.Sh SYNOPSIS
.Nm dnssec-signkey
.Op Fl h
.Op Fl p
.Op Fl r Ar randomdev
.Op Fl v Ar level
.Ar keyset
.Ar keyfile ...
.Sh DESCRIPTION
.Nm dnssec-signkey
is used to sign a key set for a child zone.
Typically this would be provided by a
.Ar .keyset
file generated by
.Xr dnssec-makekeyset 8 .
This provides a mechanism for a DNSSEC-aware zone to sign the keys of
any DNSSEC-aware child zones.
The child zone's key set gets signed with the zone keys for its parent zone.
.Ar keyset
will be the pathname of the child zone's
.Ar .keyset
file.
Each
.Ar keyfile
argument will be a key identification string as reported by
.Xr dnssec-keygen 8
for the parent zone.
This allows the child's keys to be signed by more than one parent zone key
if these exist.
.Pp
The
.Fl p
option instructs
.Nm dnssec-signkey
to use pseudo-random data when signing the keys.
This is faster, but less secure, than using genuinely random data for signing.
This option may be useful when there are many child zone keysets to sign
and CPU resources are limited.
It could also be used for short-lived keys and signatures that don't require
strengthening against cryptanalysis: for instance when the key will be
discarded long before it could be compromised.
.Pp
An alternate file for obtaining random data can be used with the
.Fl r
option.
.Ar randomdev
is the name of the file to use.
If no
.Fl r
option is used and the default file for random data
.Pa /dev/random
does not exist,
.Nm dnssec-signkey
will prompt for input from the keyboard.
The time between keystrokes will be measured and used to derive random data.
.Pp
The
.Fl v
option can be used to make
.Nm dnssec-signkey
more verbose.
As the debugging/tracing level
.Ar level
increases,
.Nm dnssec-signkey
generates increasingly detailed reports about what it is doing.
The default level is zero.
.Pp
An option of
.Fl h
makes
.Nm dnssec-signkey
print a short summary of its command line options and arguments.
.Pp
When
.Nm dnssec-signkey
completes successfully, it generates a file called
.Ar nnnn.signedkey
containing the signed keys for child zone
.Ar nnnn .
The keys from the
.Ar keyset
file will have been signed by the parent zone's key or keys which were
supplied as
.Ar keyfile
arguments.
This file should be sent to the DNS administrator of the child zone,
who arranges for its contents to be incorporated into the zone file when
it next gets signed with
.Xr dnssec-signzone 8 .
A copy of the generated
.Ar signedkey
file should be kept by the parent zone's DNS administrator.
.Sh EXAMPLE
The DNS administrator for a DNSSEC-aware
.Dv .com
zone would use the following command to make
.Nm dnssec-signkey
sign the
.Ar .keyset
file for
.Dv example.com
created in the example shown in the man page for
.Xr dnssec-makekeyset 8 :
.Dl # dnssec-signkey example.com.keyset Kcom.+003+51944
.Pp
where
.Dv Kcom.+003+51944
was a key file identifier that was produced when
.Xr dnssec-keygen 8
generated a key for the
.Dv .com
zone.
.Pp
.Nm dnssec-signkey
will produce a file called
.Dv example.com.signedkey
which has the keys for
.Dv example.com
signed by the
.Dv .com
zone's zone key.
.Sh FILES
.Pa /dev/random
.Sh SEE ALSO
.Xr RFC2065 ,
.Xr dnssec-keygen 8 ,
.Xr dnssec-makekeyset 8 ,
.Xr dnssec-signzone 8 .
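The following is an added example, not part of this man page or of BIND: a small Python helper that applies the argument conventions described in DESCRIPTION and EXAMPLE above (a child .keyset file, parent key identifiers of the form Kzone.+alg+id as reported by dnssec-keygen, and the nnnn.signedkey output name) and checks, before the tool is run, that every supplied keyfile belongs to the child zone's parent. The algorithm-number table is assumed from RFC 2535 and is not stated on this page; the helper only builds the command line and never invokes dnssec-signkey itself.

```python
import os
import re

# Key identifiers as reported by dnssec-keygen: Kcom.+003+51944 is
# "K", the zone name with trailing dot, "+", the three-digit algorithm
# number, "+", the five-digit key id.
KEYFILE_RE = re.compile(r"^K(?P<zone>[^+]+)\.\+(?P<alg>\d{3})\+(?P<id>\d{5})$")

# DNSSEC algorithm numbers (assumed from RFC 2535, not stated on this page).
ALGORITHMS = {1: "RSA/MD5", 2: "Diffie-Hellman", 3: "DSA", 4: "ECC", 5: "RSA/SHA-1"}


def parse_keyfile(keyfile):
    """Split a key identifier into (zone, algorithm number, key id)."""
    m = KEYFILE_RE.match(os.path.basename(keyfile))
    if not m:
        raise ValueError("not a dnssec-keygen key identifier: %s" % keyfile)
    return m.group("zone").lower(), int(m.group("alg")), int(m.group("id"))


def parent_zone(zone):
    """Strip the leftmost label: the parent of example.com is com."""
    labels = zone.rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError("no parent zone for %s" % zone)
    return ".".join(labels[1:])


def build_signkey_command(keyset, keyfiles, randomdev=None):
    """Validate arguments; return (argv, expected output file name).
    Every keyfile must identify a key of the child zone's parent.
    """
    base = os.path.basename(keyset)
    if not base.endswith(".keyset"):
        raise ValueError("keyset should be a .keyset file: %s" % keyset)
    child = base[:-len(".keyset")].lower()
    parent = parent_zone(child)
    for kf in keyfiles:
        zone, alg, _ = parse_keyfile(kf)
        if zone != parent:
            raise ValueError("%s is a %s key, not a key of parent zone %s" % (kf, zone, parent))
        if alg not in ALGORITHMS:
            raise ValueError("%s uses unknown algorithm %d" % (kf, alg))
    argv = ["dnssec-signkey"]
    if randomdev:
        argv += ["-r", randomdev]  # a real random source; -p is deliberately not offered
    argv += [keyset] + list(keyfiles)
    return argv, child + ".signedkey"
```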