*nix Documentation Project
·  Home
 +   man pages
·  Linux HOWTOs
·  FreeBSD Tips
·  *niX Forums

  man pages->HP-UX 11i man pages -> dnssec-signkey (1)              


 dnssec-signkey(1)                                         dnssec-signkey(1)

 NAME    [Toc]    [Back]
      dnssec-signkey - DNSSEC keyset signing tool

 SYNOPSIS    [Toc]    [Back]
      dnssec-signkey [-a] [-c class] [-e end-time] [-h] [-p]
           [-r randomdev] [-s start-time] [-v level] keyset keyfile ...

 DESCRIPTION    [Toc]    [Back]
      dnssec-signkey is used to sign a key set for a child zone. Typically
      this would be provided by a .keyset file generated by the dnssec-
      makekeyset utility.  This provides a mechanism for a DNSSEC-aware zone
      to sign the keys of any DNSSEC-aware child zones.  The child zone's
      key set gets signed with the zone keys for its parent zone.

      keyset will be the pathname of the child zone's .keyset file.

      Each keyfile argument will be a key identification string as reported
      by dnssec-keygen for the parent zone.  This allows the child's keys to
      be signed by more than one parent zone key.

    Options    [Toc]    [Back]
           -a             This option verifies all generated signatures.

           -c class       This option specifies the DNS class of the key
                          sets. Currently only IN class is supported.

           -e end-time    This option specifies the date and time when the
                          generated-SIG records expire.  end-time represents
                          either an absolute or relative date.  The
                          YYYYMMDDHHMMSS notation is used to indicate an
                          absolute date and time.

                          When end-time is +N, it indicates that the SIG
                          records will expire in N seconds after their start
                          date.  If end-time is written as now+N, the SIG
                          records will expire in N seconds after the current
                          time. If no end-time is specified, 30 days from
                          the start time is used as a default.

           -h             This option makes dnssec-signkey print a summary
                          of its command line options and arguments.

           -p             This option instructs dnssec-signkey to use
                          pseudo-random data when signing the keys.

                          This is faster, but less secure than using
                          genuinely random data for signing.  This option
                          may be useful when there are many child zone key
                          sets to sign or if the entropy source is limited.
                          It could also be used for short-lived keys and
                          signatures that don't require as much protection

 Hewlett-Packard Company            - 1 -   HP-UX 11i Version 2: August 2003

 dnssec-signkey(1)                                         dnssec-signkey(1)

                          against cryptanalysis, such as when the key will
                          be discarded long before it could be compromised.

           -r randomdev   This option overrides the behavior of dnssec-
                          signkey to use random numbers to seed the process
                          of generating keys when the system does not have a
                          /dev/random device to generate random numbers.
                          The dnssec-signkey program will prompt for
                          keyboard input and use the time intervals between
                          keystrokes to provide randomness.  With this
                          option, it will use randomdev as a source of
                          random data.

           -s start-time  This option specifies the date and time when the
                          generated SIG records become valid.  start-time
                          can either be an absolute or relative date.

                          An absolute start time is indicated by a number in
                          YYYYMMDDHHMMSS notation; for example,
                          20000530144500 denotes 14:45:00 UTC on May 30th,

                          A relative start time is supplied when start-time
                          is given as +N specifying N seconds from the
                          current time. If no start-time is specified, the
                          current time is used.

           -v level       This option can be used to make dnssec-signkey
                          more verbose.  As the debugging/tracing level
                          increases, dnssec-signkey generates increasingly
                          detailed reports about what it is doing.  The
                          default level is zero.

      When dnssec-signkey completes successfully, it generates a file called
      nnnn.signedkey containing the signed keys for child zone nnnn.  The
      keys from the keyset file would have been signed by the parent zone's
      key or keys which were supplied as keyfile arguments.  This file
      should be sent to the DNS administrator of the child zone.  They
      arrange for its contents to be incorporated into the zone file when it
      next gets signed with dnssec-signzone.  A copy of the generated
      signedkey file should be kept by the parent zone's DNS administrator,
      since it will be needed when signing the parent zone.

 EXAMPLE    [Toc]    [Back]
      The DNS administrator for a DNSSEC-aware .com zone would use the
      following command to make dnssec-signkey sign the .keyset file for
      example.com created in the example shown in the man page for dnssec-

            dnssec-signkey example.com.keyset Kcom.+003+51944

 Hewlett-Packard Company            - 2 -   HP-UX 11i Version 2: August 2003

 dnssec-signkey(1)                                         dnssec-signkey(1)

      where Kcom.+003+51944 was a key file identifier that was produced when
      dnssec-keygen generated a key for the .com zone.

      dnssec-signkey will produce a file called example.com.signedkey which
      has the keys for example.com signed by the com zone's zone key.

 FILES    [Toc]    [Back]

 SEE ALSO    [Toc]    [Back]
      dnssec-keygen(1), dnssec-makekeyset(1), dnssec-signzone(1), RFC2535.

 Hewlett-Packard Company            - 3 -   HP-UX 11i Version 2: August 2003
[ Back ]
 Similar pages
Name OS Title
dnssec-signzone HP-UX DNSSEC zone signing tool
dnssec-keygen HP-UX key generation tool for DNSSEC
dnssec-makekeyset HP-UX used to produce a set of DNSSEC keys
EVP_SignUpdate OpenBSD EVP signing functions
EVP_SignInit OpenBSD EVP signing functions
EVP_SignFinal OpenBSD EVP signing functions
EVP_PKEY_size OpenBSD EVP signing functions
EVP_SignFinal Tru64 EVP signing functions
EVP_SignInit Tru64 EVP signing functions
EVP_SignUpdate Tru64 EVP signing functions
Copyright © 2004-2005 DeniX Solutions SRL
newsletter delivery service