NAME
dnssec-signkey - DNSSEC keyset signing tool
SYNOPSIS
dnssec-signkey [-a] [-c class] [-e end-time] [-h] [-p]
[-r randomdev] [-s start-time] [-v level] keyset keyfile ...
DESCRIPTION
dnssec-signkey is used to sign a key set for a child zone. Typically
this would be provided by a .keyset file generated by the
dnssec-makekeyset utility. This provides a mechanism for a DNSSEC-aware zone
to sign the keys of any DNSSEC-aware child zones. The child zone's
key set gets signed with the zone keys for its parent zone.
keyset will be the pathname of the child zone's .keyset file.
Each keyfile argument will be a key identification string as reported
by dnssec-keygen for the parent zone. This allows the child's keys to
be signed by more than one parent zone key.
Options
-a This option verifies all generated signatures.
-c class This option specifies the DNS class of the key
sets. Currently only IN class is supported.
-e end-time This option specifies the date and time when the
generated SIG records expire. end-time represents
either an absolute or relative date. The
YYYYMMDDHHMMSS notation is used to indicate an
absolute date and time.
When end-time is +N, it indicates that the SIG
records will expire in N seconds after their start
date. If end-time is written as now+N, the SIG
records will expire in N seconds after the current
time. If no end-time is specified, 30 days from
the start time is used as a default.
-h This option makes dnssec-signkey print a summary
of its command line options and arguments.
-p This option instructs dnssec-signkey to use
pseudo-random data when signing the keys.
This is faster, but less secure than using
genuinely random data for signing. This option
may be useful when there are many child zone key
sets to sign or if the entropy source is limited.
It could also be used for short-lived keys and
signatures that don't require as much protection
against cryptanalysis, such as when the key will
be discarded long before it could be compromised.
Note that a DSA signature (algorithm 3, as in the
example below) consumes a secret per-signature
random value, and a predictable value exposes the
private key, so -p is a poor choice for long-lived
DSA zone keys.
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: August 2003
-r randomdev This option overrides the source of randomness that
dnssec-signkey uses when signing. When the system does
not have a /dev/random device to generate random
numbers, the dnssec-signkey program will prompt for
keyboard input and use the time intervals between
keystrokes to provide randomness. With this
option, it will use randomdev as a source of
-s start-time This option specifies the date and time when the
generated SIG records become valid. start-time
can either be an absolute or relative date.
An absolute start time is indicated by a number in
YYYYMMDDHHMMSS notation; for example,
20000530144500 denotes 14:45:00 UTC on May 30th, 2000.
A relative start time is supplied when start-time
is given as +N specifying N seconds from the
current time. If no start-time is specified, the
current time is used.
-v level This option can be used to make dnssec-signkey
more verbose. As the debugging/tracing level
increases, dnssec-signkey generates increasingly
detailed reports about what it is doing. The
default level is zero.
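The -s and -e rules above, resolved into an absolute signature validity window, as an added example in Python (not BIND's own code): the notation rules are those stated on this page; the function names, the UTC interpretation of YYYYMMDDHHMMSS (as in the -s example), and the rejection of an empty or inverted window are this example's own.

```python
"""Resolve dnssec-signkey -s/-e time notation into an absolute
(inception, expiration) window. Added example, not BIND code."""
import re
from datetime import datetime, timedelta, timezone

DEFAULT_LIFETIME = timedelta(days=30)      # default when -e is omitted
ABSOLUTE = re.compile(r"^\d{14}$")          # YYYYMMDDHHMMSS
RELATIVE = re.compile(r"^(now)?\+(\d+)$")   # +N or now+N (seconds)


def parse_absolute(spec):
    """YYYYMMDDHHMMSS, read as UTC (assumption taken from the -s example)."""
    if not ABSOLUTE.match(spec):
        raise ValueError("bad time notation: %r" % (spec,))
    return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def to_notation(dt):
    """Back to the YYYYMMDDHHMMSS form the tool accepts."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S")


def resolve_start(spec, now):
    """-s: absolute, +N seconds from the current time, or now if omitted."""
    if spec is None:
        return now
    m = RELATIVE.match(spec)
    if m:
        if m.group(1):  # the page defines only +N for -s, not now+N
            raise ValueError("now+N is not valid for -s")
        return now + timedelta(seconds=int(m.group(2)))
    return parse_absolute(spec)


def resolve_end(spec, start, now):
    """-e: absolute, +N seconds after the start time, now+N seconds after
    the current time, or start + 30 days if omitted."""
    if spec is None:
        return start + DEFAULT_LIFETIME
    m = RELATIVE.match(spec)
    if m:
        base = now if m.group(1) else start
        return base + timedelta(seconds=int(m.group(2)))
    return parse_absolute(spec)


def validity_window(start_spec=None, end_spec=None, now=None):
    """Return (inception, expiration) as aware UTC datetimes, refusing a
    window that is empty or inverted (signatures that could never verify)."""
    if now is None:
        now = datetime.now(timezone.utc).replace(microsecond=0)
    start = resolve_start(start_spec, now)
    end = resolve_end(end_spec, start, now)
    if end <= start:
        raise ValueError("expiration %s is not after inception %s"
                         % (to_notation(end), to_notation(start)))
    return start, end


def is_valid_window(start_spec=None, end_spec=None, now=None):
    """True if the -s/-e pair yields a usable window."""
    try:
        validity_window(start_spec, end_spec, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed option pairs; the last one is deliberately inverted.
    for s, e in [(None, None), ("20000530144500", "+3600"), ("+600", "now+60")]:
        try:
            st, en = validity_window(s, e)
            print("-s %s -e %s -> %s .. %s" % (s, e, to_notation(st), to_notation(en)))
        except ValueError as err:
            print("-s %s -e %s rejected: %s" % (s, e, err))
```

The point of the check is the mixed relative case: "+N" for -e counts from the start time but "now+N" counts from the current time, so a -s offset larger than a now+N end offset produces an expiration before the inception. Resolving both to absolute notation before invoking the tool avoids signing such a window.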
When dnssec-signkey completes successfully, it generates a file called
nnnn.signedkey containing the signed keys for child zone nnnn. The
keys from the keyset file would have been signed by the parent zone's
key or keys which were supplied as keyfile arguments. This file
should be sent to the DNS administrator of the child zone. They
arrange for its contents to be incorporated into the zone file when it
next gets signed with dnssec-signzone. A copy of the generated
signedkey file should be kept by the parent zone's DNS administrator,
since it will be needed when signing the parent zone.
EXAMPLE
The DNS administrator for a DNSSEC-aware .com zone would use the
following command to make dnssec-signkey sign the .keyset file for
example.com created in the example shown in the man page for
dnssec-makekeyset:
dnssec-signkey example.com.keyset Kcom.+003+51944
where Kcom.+003+51944 was a key file identifier that was produced when
dnssec-keygen generated a key for the .com zone.
dnssec-signkey will produce a file called example.com.signedkey which
has the keys for example.com signed by the com zone's zone key.
FILES
SEE ALSO
dnssec-keygen(1), dnssec-makekeyset(1), dnssec-signzone(1), RFC 2535.